04-11-2023
09:18 AM
An update: So, after starting NiFi, I reviewed the logs in the nifi-user.log file. This is what was output:
...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/kerberos
...NiFi AuthenticationFilter Authentication Success [CN=ec2-user] xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/kerberos
...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/access/oidc/exchange
...NiFi AuthenticationFilter Authentication Success [CN=ec2-user] xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/access/oidc/exchange
...NiFi AuthenticationFilter Authentication Started 10.xx.xxx.39 [CN=ec2-user] POST https://nifi1:9443/nifi-api/token/expiration
...NiFi AuthenticationFilter Authentication Success [CN=ec2-user] xx.xx.xxx.39 POST https://nifi1:9443/nifi-api/token/expiration
WARN [NiFi Web Server-37] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Access token not found. Returning Conflict response...
04-11-2023
05:00 AM
Hello Bakho, did Matt's recommendation/suggestion solve your problem? I am having the same issue using certificates created by the NiFi Toolkit.
04-11-2023
04:55 AM
Matt, I found this ticket: NIFI 1.14: User policy is not showing on the GUI. This is exactly the issue I am having. I see that you recommended that he: verify the configuration in the authorizers.xml file, remove the existing users.xml and authorizations.xml file and restart NiFi. I took these steps several times and still the "Users" option does not appear in the menu.
04-11-2023
03:21 AM
To add: At step 13, per the walkthrough i.e., NiFi Cluster Using NiFi CA, as described, I stopped each of the NiFi instances, I then deleted the authorizations.xml and users.xml files from each node in the nifi/conf directory, and then restarted each node. And then I logged onto the NiFi GUI, and still I do not see the users option in the menu... i.e., I apparently do not have a running cluster with permissions.... Please help
04-11-2023
02:43 AM
Thanks for the reply Matt. I followed the instructions per: https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html#securing-nifi-with-provided-certificates
Specifically, I followed the instructions for: Creating and Securing a NiFi Cluster with the TLS Toolkit. Per Step 1, I ran the optional command to execute all steps together using the toolkit pattern syntax:
./bin/tls-toolkit.sh standalone -n 'node[1-3].nifi' -C 'CN=ec2-user' -c 'ca.nifi'
Per step 9, I updated the authorizers.xml file. In the <userGroupProvider> section, I added the line:
<property name="Initial User Identity 1">CN=ec2-user</property>
In the <accessPolicyProvider> section, I updated the file as described. Regarding the Initial Admin Identity, I updated the file as follows:
<property name="Initial Admin Identity">CN=ec2-user</property>
I copied the authorizers.xml file to all 3 nodes. After starting NiFi on all 3 nodes, I then access the GUI and select the imported certificate i.e., CN=ec2-user.p12 which I successfully imported, and I can successfully access the GUI. I see that on the upper right of the GUI screen, the user is indicated as CN=ec2-user. But, when I access the menu on the upper right of the screen, I do not receive the users option. Can you help me determine why this option isn't available? I am unclear, having followed the instructions per the walkthrough, why this
04-08-2023
10:05 AM
Hello, I have a 3 node NiFi Cluster up and running. The Initial Admin User is able now to successfully log into the NiFi cluster. I would now like to add new users to the NiFi cluster and SSL i.e., signed PKI certs for each user as the basis for these users to gain access to NiFi. I do not want to use LDAP, I am in an environment that will require use of PKI certs for access to NiFi. Can someone provide a prescriptive set of steps I can follow to successfully use PKI certs/SSL as a means of providing access to new NiFi cluster users and specifically, how do I add new users? I would think the process of creating new users and using SSL would be explained explicitly. Can someone help me with this? VR, Dave
Labels: Apache NiFi
04-05-2023
02:36 AM
Hello Matt, thanks for the response. I checked the nifi-registry.properties file, and the properties you suggested I check i.e.,
nifi.registry.security.identity.mapping.pattern.<some string>=<some regex pattern with 1 or more capture groups>
nifi.registry.security.identity.mapping.value.<some string>=$1
nifi.registry.security.identity.mapping.transform.<some string>=NONE
are all commented out. I first stopped the nifi-registry service by issuing the ./nifi-registry.sh stop command. I then tried what you had recommended next i.e., I changed the initial admin to just "CN=ec2-user" in the authorizers.xml file. I then deleted the users.xml and authorizations.xml files. I then restarted the nifi-registry service. And, lo and behold, when I launched the GUI i.e., https://nifi1:18443/nifi-registry, the wrench appeared in the upper right corner!
A final question. If I want to successfully add additional NiFi users for the NiFi cluster I have stood up, do I need to set up an LDAP? Is there a good url/reference you could point me to on how to do this? Thank you Matt
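An added example, not part of the original posts and not NiFi's own code: a check that the Initial Admin Identity (and any Node Identity) in authorizers.xml has an exactly matching Initial User Identity, the configuration that both the NiFi and NiFi Registry posts on this page describe editing. The sample XML and its OU=NIFI suffix are constructed; the property names are those of the stock file-based providers.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's file: the admin DN lacks the space
# after the comma that the user identity has.
SAMPLE_BAD = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">CN=ec2-user, OU=NIFI</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">CN=ec2-user,OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>"""
SAMPLE_OK = SAMPLE_BAD.replace("CN=ec2-user,OU=NIFI", "CN=ec2-user, OU=NIFI")


def _props(root, provider_tag, prefix):
    """Return {property name: value} for non-empty properties named prefix*."""
    found = {}
    for provider in root.iter(provider_tag):
        for prop in provider.findall("property"):
            name, value = prop.get("name", ""), prop.text or ""
            if name.startswith(prefix) and value.strip():
                found[name] = value
    return found


def _loose(identity):
    """Collapse case and whitespace, only to produce a near-miss hint."""
    return re.sub(r"\s+", "", identity).lower()


def check_authorizers(xml_text):
    """List admin/node identities with no exactly matching user identity."""
    root = ET.fromstring(xml_text)
    users = set(_props(root, "userGroupProvider", "Initial User Identity").values())
    needed = _props(root, "accessPolicyProvider", "Initial Admin Identity")
    needed.update(_props(root, "accessPolicyProvider", "Node Identity"))
    problems = []
    for name, value in sorted(needed.items()):
        if value in users:  # identities are compared as exact strings
            continue
        near = sorted(u for u in users if _loose(u) == _loose(value))
        hint = f"; differs only in case/whitespace from {near[0]!r}" if near else ""
        problems.append(f"{name} {value!r} has no matching Initial User Identity{hint}")
    return problems


if __name__ == "__main__":
    for line in check_authorizers(SAMPLE_BAD) or ["initial identities are consistent"]:
        print(line)
```

The file-based providers only seed users.xml and authorizations.xml when those files do not already exist, so a mismatch has to be corrected first and both files removed before the restart, as the posts describe.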
04-04-2023
09:43 AM
I have a 3 node NiFi cluster set up and running in our environment. I used a user called "ec2-user" to perform the NiFi install. For this initial install (in a development environment) I used the NiFi Toolkit to create the certificates for the 3 nodes as well as for the ec2-user.
I would now like to use the NiFi registry tool to create additional NiFi users.
I have been following this post by alim: Setting Up a Secure Apache NiFi Registry - Cloudera Community - 247753.
I started with "Registry Configuration" in this post since I had already used the Toolkit to generate the keystore, truststore and a client certificate for the ec2-user.
I copied the keystore and truststore to the conf directory of the Registry install.
I then copied the values from the keystore and truststore properties from the nifi.properties file into the corresponding values in the nifi-registry.properties file.
I also modified the HTTP and HTTPS web properties as indicated in the post.
I then modified the authorizers.xml file. First in the userGroupProvider section, adding the "ec2-user" DN to the "initial Admin Identity 1" property. And then in the accessPolicyProvider section, adding the "ec2-user" DN to the "Initial Admin Identity" property.
I then copied the certificate associated with the ec2-user to the nifi1 host browser.
I then started the Registry: ./bin/nifi-registry.sh start
I then accessed the url: (I changed the host to nifi1 instead of localhost): https://nifi1:18443/nifi-registry .
I was prompted for the ec2-user certificate, which I provided.
Then I was able to access the nifi-registry GUI but I do not see the wrench on the far upper right of the page.
Also, when I look at the nifi-registry log, I see that the Kerberos service ticket is not supported by the NiFi Registry. I also receive an AccessDeniedExceptionMapper: identity CN=ec2-user does not have permission to access the requested resource.
Can you provide guidance on how I can create a user with administrator access in the NiFi Registry tool? Are there any previous tickets that describe how to do this?
Thank you for any guidance, recommendations....
Labels: Apache NiFi, Kerberos
03-29-2023
05:41 AM
Thanks so much Matt! Is this answer that you provided also correct in regards to version 1.20? Thank you again!