Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

ssl Apache NiFi cluster on different VMs

ssl Apache NiFi cluster on different VMs

New Contributor

I need help in cluster configuration.I configured standalone NIFI with SSL and LDAP, so I have some experience.

 

I suppose that my current issue is about LDAP authorization, but I spent a lot of time and still cannot handle it.

 

error in ./logs/nifi-user.log

 

Spoiler
2020-03-13 17:22:47,365 WARN [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=confluent, OU=NIFI

 

error in web UI:

 

Spoiler

Insufficient Permissions

Untrusted proxy CN=confluent, OU=NIFI

I guess I have to make some changes in authorizers.xml file, but I do not understand what exactly and does my data in certificates or in DNS affect it.

 

 

Here is my authorizers.xml:

 

Spoiler
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>

<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">ANONYMOUS</property>

<property name="Manager DN"></property>
<property name="Manager Password"></property>

<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>

<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>

<property name="Url">ldap://myldap.org:389</property>
<property name="Page Size"></property>
<property name="Sync Interval">30 mins</property>

<property name="User Search Base">ou=People,dc=mydomain,dc=org</property>
<property name="User Object Class">person</property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute">uid</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>

<property name="Group Search Base">ou=Group,dc=mydomain,dc=org</property>

<property name="Group Object Class">posixGroup</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter"></property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">memberUid</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>

<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">ldap-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">guoloi</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1"></property>
<property name="Node Group"></property>
</accessPolicyProvider>


<authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>

Any help will be very appreciated.

 

 

UPD1: I just do not understand from where shood I take this values for authorizers.xm file:

in <userGroupProvider> block(and shood it be at all, cause my standalone nifi works without this block):

 

<property name="Initial User Identity 1">CN=???user???, OU=????</property>

<property name="Initial User Identity 2">CN=???host???, OU=????</property>

 

in <accessPolicyProvider> block:

<property name="Node Identity 1">CN=????, OU=????</property>

 

 

1 REPLY 1
Highlighted

Re: ssl Apache NiFi cluster on different VMs

Master Guru

@guoloi 

 

So your current authorizers.xml file uses these elements:

managed-authorizer ---(references)--> file-access-provider (builds authorizations.xml file). ---(references)---> ldap-user-group-provider (syncs users and groups from ldap).


The problem you have here is your NiFi nodes are not being synced from your ldap.  So the authorizer knows nothing about these clients/users.  In a NiFi cluster, the NiFi nodes also must be authorized for a variety of policies.

 

This means that you need to change the configuration of your authorizers.xml so that is supports multiple user-group-providers.

managed-authorizer --- (references) --> file-access-provider (builds authorizations.xml file). --- (references) ---> composite-user-group-provider (allows user to reference multiple user-group-providers) ---(references both)---> ldap-user-group-provider (syncs users and groups from ldap) ---(and)--- file-user-group-provider (supports locally added users and groups).

 

The composite-user-group-provider looks like this:

    <userGroupProvider>
        <identifier>composite-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>

 and your file-user-group-provider looks like this:

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=confluent, OU=NIFI</property>
    </userGroupProvider>

 

The file-user-group-provider will build the users.xml file which will hold all your "local" users and groups not being synced from your ldap.  The provider will add the local user/client "CN=confluent, OU=NIFI" when it builds the users.xml for the first time.

The next issue that you will run in to is that the user "CN=confluent, OU=NIFI" is not authorized for the /proxy policy in the authorizations.xml file which you already have in place.  Normally you would have configured the file-access-policy-provider which builds the authorizations.xml file with this user also, but setting this now will not update the authorizations.xml file with any new entries (only created from config file if it does not exist already).  

Its configuration would have looked like this:

<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">ldap-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">guoloi</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">CN=confluent, OU=NIFI</property>
<property name="Node Group"></property>
</accessPolicyProvider>

 

So two multiple options here:
1. Remove the authorizations.xml file from every NiFi node so it is recreated on startup.  Downside is new authorizations.xml file will only have policies set for the users "guoloi" and "CN=confluent, OU=NIFI".  any other policies you setup later yourself via the NiFi UI will need to be setup again.
2. Manually edit the authorizations.xml file ( you will need to start NiFi once first so users.xml file is created.  Then you can get the UUID assigned to the user "CN=confluent, OU=NIFI" from that file.  The UUID is what the /proxy policy would be assigned to.  Adding lines like this:

        <policy identifier="d59a54f7-6dd6-34ad-a279-a26ffdb9eef8" resource="/proxy" action="R">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>

        <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>

        <policy identifier="6dbdbffd-8a7d-32e1-ba3e-f600e6c69791" resource="/proxy" action="D">
            <user identifier="38e35829-435d-3be4-83b6-784cb560e855"/>
        </policy>

note: substitute your UUID from users.xml in place of "38e35829-435d-3be4-83b6-784cb560e855" in above.
3. Startup only one NiFi node and access the UI.  Go to global menu in upper right corner and select "Users" to verify user "CN=confluent, OU=NIFI" exists.  Then go to global menu and select policies.  Form list of policies locate "proxy user requests" and add "CN=confluent, OU=NIFI" to that policy.   Then copy the authorizations.xml file from this NiFi node to your other NiFi nodes and start them.

 

Hope this helps,
Matt

 

Don't have an account?
Coming from Hortonworks? Activate your account here