Cloudera Community
axelfulop
user rank
Explorer

Re: Unknown user with identity OIDC Azure AD

by Explorer in Support Questions
‎04-07-2023 06:52 PM
‎04-07-2023 06:52 PM
I updated the Nifi version to the latest and worked! ... View more

Re: Unknown user with identity OIDC Azure AD

by Explorer in Support Questions
‎04-07-2023 01:49 PM
‎04-07-2023 01:49 PM
@MattWho  i'm tried with the authorizers of https://github.com/benkelly/NiFi-Authentication-with-Azure-Active-Directory-Setup-Guide to enabled groups i had created in Azure AD but i'm getting this error:   Error creating bean with name 'org.apache.nifi.web.security.configuration.AuthenticationSecurityConfiguration': Unsatisfied dependency expressed through constructor parameter 2; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is java.lang.NullPointerException at org.apache.nifi.NiFi.main(NiFi.java:330) 2023-04-07 20:32:52,156 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Fri Apr 07 20:32:52 UTC 2023 2023-04-07 20:32:54,832 ERROR [main] o.a.n.a.AuthorizerFactoryBean User Group Provider [composite-configurable-user-group-provider] destruction failed java.lang.NullPointerException: null   Any idea of what it's going wrong? ... View more

Re: Unknown user with identity OIDC Azure AD

by Explorer in Support Questions
‎04-07-2023 12:30 PM
‎04-07-2023 12:30 PM
Hello Matt, it was that! omg, 2 weeks stucked  with this and was just case sensitive! Thanks! ... View more

Unknown user with identity OIDC Azure AD

by Explorer in Support Questions
‎04-06-2023 05:59 PM
‎04-06-2023 05:59 PM
Hello, i'm using the cetic helm chart to deploy nifi to GCP gke cluster. I have configured SSL and OIDC with azure AD, i was able to see the AD page and log in, after that i'm seeing this error    Values:       replicaCount: 1 image: repository: apache/nifi tag: "1.16.3" pullPolicy: "IfNotPresent" securityContext: runAsUser: 1000 fsGroup: 1000 sts: podManagementPolicy: Parallel AntiAffinity: soft useHostNetwork: null hostPort: null pod: annotations: security.alpha.kubernetes.io/sysctls: net.ipv4.ip_local_port_range=10000 65000 #prometheus.io/scrape: "true" serviceAccount: create: false #name: nifi annotations: {} hostAliases: [] startupProbe: enabled: false failureThreshold: 60 periodSeconds: 10 properties: sensitiveKey: changeMechangeMe externalSecure: true isNode: false httpsPort: 8443 httpPort: 8080 webProxyHost: nifi-test.qa.cloud.paycomplete.com clusterPort: 6007 provenanceStorage: "8 GB" siteToSite: port: 10000 configuration safetyValve: nifi.web.http.network.interface.default: eth0 # Nifi User Authentication auth: # If set while LDAP is enabled, this value will be used for the initial admin and not the ldap bind dn / admin admin: CN=axel.fulop@paycomplete.com SSL: keystorePasswd: changemechangemenifiqa truststorePasswd: changemechangemenifiqa oidc: enabled: true discoveryUrl: https://login.microsoftonline.com/DIRECTORYID/v2.0/.well-known/openid-configuration clientId: MYCLIENT clientSecret: MYSECRET claimIdentifyingUser: upn admin: axel.fulop@paycomplete.com additionalScopes: profile, email, openid # headless service headless: type: ClusterIP annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" # ui service service: type: ClusterIP httpsPort: 8443 httpPort: 8080 #nodePort: 30236 annotations: # external-dns.alpha.kubernetes.io/hostname: nifi-test.qa.cloud.paycomplete.com # loadBalancerIP: ## Load Balancer sources ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## # loadBalancerSourceRanges: # - 10.10.10.0/24 ## OIDC authentication requires "sticky" session on the LoadBalancer for JWT to work properly...but AWS doesn't like it on creation # sessionAffinity: ClientIP # sessionAffinityConfig: # clientIP: # timeoutSeconds: 10800 # Enables additional port/ports to nifi service for internal processors processors: enabled: false ports: - name: processor01 port: 7001 targetPort: 7001 #nodePort: 30701 - name: processor02 port: 7002 targetPort: 7002 #nodePort: 30702 ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## ingress: enabled: true annotations: kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" nginx.ingress.kubernetes.io/proxy-redirect-from: "https://localhost:8443" nginx.ingress.kubernetes.io/proxy-redirect-to: "https://nifi-test.qa.cloud.paycomplete.com" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/upstream-vhost: localhost:8443 nginx.ingress.kubernetes.io/affinity: "cookie" nginx.ingress.kubernetes.io/affinity-mode: persistent nginx.ingress.kubernetes.io/ssl-passthrough: "true" cert-manager.io/issuer: letsencrypt-production tls: - hosts: - nifi-test.qa.cloud.paycomplete.com secretName: nifi-tls-secret hosts: - nifi-test.qa.cloud.paycomplete.com path: / # If you want to change the default path, see this issue https://github.com/cetic/helm-nifi/issues/22         nifi.properties:       # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Core Properties # nifi.flow.configuration.file=../data/flow.xml.gz nifi.flow.configuration.archive.enabled=true nifi.flow.configuration.archive.dir=../data/archive/ nifi.flow.configuration.archive.max.time=30 days nifi.flow.configuration.archive.max.storage=500 MB nifi.flow.configuration.archive.max.count= nifi.flowcontroller.autoResumeState=true nifi.flowcontroller.graceful.shutdown.period=10 sec nifi.flowservice.writedelay.interval=500 ms nifi.administrative.yield.duration=30 sec # If a component has no work to do (is "bored"), how long should we wait before checking again for work? nifi.bored.yield.duration=10 millis nifi.authorizer.configuration.file=./conf/authorizers.xml nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml nifi.templates.directory=../data/templates nifi.ui.banner.text= nifi.ui.autorefresh.interval=30 sec nifi.nar.library.directory=./lib nifi.nar.library.directory.custom= nifi.nar.library.autoload.directory=./extensions nifi.nar.working.directory=./work/nar/ nifi.documentation.working.directory=./work/docs/components #################### # State Management # #################### nifi.state.management.configuration.file=./conf/state-management.xml # The ID of the local state provider nifi.state.management.provider.local=local-provider # The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster. nifi.state.management.provider.cluster=zk-provider # Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server nifi.state.management.embedded.zookeeper.start=false # Properties file that provides the ZooKeeper properties to use if <nifi.state.management.embedded.zookeeper.start> is set to true nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties # H2 Settings nifi.database.directory=../data/database_repository nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE # FlowFile Repository nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository nifi.flowfile.repository.directory=../flowfile_repository nifi.flowfile.repository.partitions=256 nifi.flowfile.repository.checkpoint.interval=2 mins nifi.flowfile.repository.always.sync=false nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager nifi.queue.swap.threshold=20000 nifi.swap.in.period=5 sec nifi.swap.in.threads=1 nifi.swap.out.period=5 sec nifi.swap.out.threads=4 # Content Repository nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository nifi.content.claim.max.appendable.size=1 MB nifi.content.claim.max.flow.files=100 nifi.content.repository.directory.default=../content_repository nifi.content.repository.archive.max.retention.period=3 days nifi.content.repository.archive.max.usage.percentage=85% nifi.content.repository.archive.enabled=true nifi.content.repository.always.sync=false nifi.content.viewer.url=/nifi-content-viewer/ # Provenance Repository Properties nifi.provenance.repository.implementation=org.apache.nifi.provenance.WriteAheadProvenanceRepository nifi.provenance.repository.debug.frequency=1_000_000 nifi.provenance.repository.encryption.key.provider.implementation= nifi.provenance.repository.encryption.key.provider.location= nifi.provenance.repository.encryption.key.id= nifi.provenance.repository.encryption.key= # Persistent Provenance Repository Properties nifi.provenance.repository.directory.default=../provenance_repository nifi.provenance.repository.max.storage.time=10 days nifi.provenance.repository.max.storage.size=8 GB nifi.provenance.repository.rollover.time=30 secs nifi.provenance.repository.rollover.size=100 MB nifi.provenance.repository.query.threads=2 nifi.provenance.repository.index.threads=2 nifi.provenance.repository.compress.on.rollover=true nifi.provenance.repository.always.sync=false nifi.provenance.repository.journal.count=16 # Comma-separated list of fields. Fields that are not indexed will not be searchable. Valid fields are: # EventType, FlowFileUUID, Filename, TransitURI, ProcessorID, AlternateIdentifierURI, Relationship, Details nifi.provenance.repository.indexed.fields=EventType, FlowFileUUID, Filename, ProcessorID, Relationship # FlowFile Attributes that should be indexed and made searchable. Some examples to consider are filename, uuid, mime.type nifi.provenance.repository.indexed.attributes= # Large values for the shard size will result in more Java heap usage when searching the Provenance Repository # but should provide better performance nifi.provenance.repository.index.shard.size=500 MB # Indicates the maximum length that a FlowFile attribute can be when retrieving a Provenance Event from # the repository. If the length of any attribute exceeds this value, it will be truncated when the event is retrieved. nifi.provenance.repository.max.attribute.length=65536 # Volatile Provenance Respository Properties nifi.provenance.repository.buffer.size=100000 # Component Status Repository nifi.components.status.repository.implementation=org.apache.nifi.controller.status.history.VolatileComponentStatusRepository nifi.components.status.repository.buffer.size=1440 nifi.components.status.snapshot.frequency=1 min # Site to Site properties nifi.remote.input.host=nifi-0.nifi-headless.apache-nifi.svc.cluster.local nifi.remote.input.secure=true nifi.remote.input.socket.port=10000 nifi.remote.input.http.enabled=true nifi.remote.input.http.transaction.ttl=30 sec nifi.remote.contents.cache.expiration=30 secs # web properties # nifi.web.war.directory=./lib nifi.web.proxy.host=nifi-test.qa.cloud.paycomplete.com nifi.web.https.port=8443 nifi.web.http.host=nifi-0.nifi-headless.apache-nifi.svc.cluster.local nifi.web.http.network.interface.default=eth0 nifi.web.https.host= nifi.web.https.network.interface.default= nifi.web.jetty.working.directory=./work/jetty nifi.web.jetty.threads=200 # nifi.web.proxy.context.path= # security properties # nifi.sensitive.props.key=changeMechangeMe nifi.sensitive.props.key.protected= nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256 nifi.sensitive.props.provider=BC nifi.sensitive.props.additional.keys= nifi.security.keystore=/opt/nifi/nifi-current/conf/keystore.p12 nifi.security.keystoreType=PKCS12 nifi.security.keystorePasswd=64d3945a969994427c9c47272e104ec1 nifi.security.keyPasswd=64d3945a969994427c9c47272e104ec1 nifi.security.truststore=/opt/nifi/nifi-current/conf/truststore.p12 nifi.security.truststoreType=PKCS12 nifi.security.truststorePasswd=b58f12d3ce529ca05c36706ea6ed9475 nifi.security.user.authorizer=managed-authorizer nifi.security.needClientAuth= # OpenId Connect SSO Properties # nifi.initial.admin.identity = axel.fulop@paycomplete.com nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/7bc71559-46eb-47fc-a0a7-327d1337592c/v2.0/.well-known/openid-configuration nifi.security.user.oidc.connect.timeout=5 secs nifi.security.user.oidc.read.timeout=5 secs nifi.security.user.oidc.client.id=id nifi.security.user.oidc.client.secret=secret nifi.security.user.oidc.preferred.jwsalgorithm= nifi.security.user.oidc.claim.identifying.user=upn nifi.security.user.oidc.additional.scopes=profile, email, openid # Apache Knox SSO Properties # nifi.security.user.knox.url= nifi.security.user.knox.publicKey= nifi.security.user.knox.cookieName=hadoop-jwt nifi.security.user.knox.audiences= # Identity Mapping Properties # # These properties allow normalizing user identities such that identities coming from different identity providers # (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing # DNs from certificates and principals from Kerberos into a common identity string: # # nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$ # nifi.security.identity.mapping.value.dn=$1@$2 # nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$ # nifi.security.identity.mapping.value.kerb=$1@$2 # cluster common properties (all nodes must have same values) # nifi.cluster.protocol.heartbeat.interval=5 sec nifi.cluster.protocol.is.secure=true # cluster node properties (only configure for cluster nodes) # nifi.cluster.is.node=false nifi.cluster.node.address=nifi-0.nifi-headless.apache-nifi.svc.cluster.local nifi.cluster.node.protocol.port=6007 nifi.cluster.node.protocol.threads=10 nifi.cluster.node.protocol.max.threads=50 nifi.cluster.node.event.history.size=25 nifi.cluster.node.connection.timeout=5 sec nifi.cluster.node.read.timeout=5 sec nifi.cluster.node.max.concurrent.requests=100 nifi.cluster.firewall.file= nifi.cluster.flow.election.max.wait.time=1 mins nifi.cluster.flow.election.max.candidates= # zookeeper properties, used for cluster management # nifi.zookeeper.connect.string=nifi-zookeeper:2181 nifi.zookeeper.connect.timeout=3 secs nifi.zookeeper.session.timeout=3 secs nifi.zookeeper.root.node=/nifi # Zookeeper properties for the authentication scheme used when creating acls on znodes used for cluster management # Values supported for nifi.zookeeper.auth.type are "default", which will apply world/anyone rights on znodes # and "sasl" which will give rights to the sasl/kerberos identity used to authenticate the nifi node # The identity is determined using the value in nifi.kerberos.service.principal and the removeHostFromPrincipal # and removeRealmFromPrincipal values (which should align with the kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal # values configured on the zookeeper server). nifi.zookeeper.auth.type= nifi.zookeeper.kerberos.removeHostFromPrincipal= nifi.zookeeper.kerberos.removeRealmFromPrincipal= # kerberos # nifi.kerberos.krb5.file= # kerberos service principal # nifi.kerberos.service.principal= nifi.kerberos.service.keytab.location= # kerberos spnego principal # nifi.kerberos.spnego.principal= nifi.kerberos.spnego.keytab.location= nifi.kerberos.spnego.authentication.expiration=12 hours # external properties files for variable registry # supports a comma delimited list of file locations nifi.variable.registry.properties= nifi.security.user.login.identity.provider= nifi.web.http.network.interface.lo=lo         Authorizers:         <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <userGroupProvider> <identifier>file-user-group-provider</identifier> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> <property name="Users File">./auth-conf/users.xml</property> <property name="Legacy Authorized Users File"/> <property name="Initial User Identity 1">axel.fulop@paycomplete.com</property> </userGroupProvider> <accessPolicyProvider> <identifier>file-access-policy-provider</identifier> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> <property name="User Group Provider">file-user-group-provider</property> <property name="Authorizations File">./auth-conf/authorizations.xml</property> <property name="Initial Admin Identity">axel.fulop@paycomplete.com</property> <property name="Legacy Authorized Users File"/> <property name="Node Identity 1"/> <property name="Node Group"/> </accessPolicyProvider> <authorizer> <identifier>managed-authorizer</identifier> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> <property name="Access Policy Provider">file-access-policy-provider</property> </authorizer> </authorizers>         users:       <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <tenants> <groups/> <users> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b" identity="axel.fulop@paycomplete.com"/> </users> </tenants>         authorizations:       <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <authorizations> <policies> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="9a110a21-cbce-30b3-8b9e-110bbf96a04d" resource="/data/process-groups/9913cc63-f5a1-39a0-ab12-1551d6d72a86" action="R"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="957ed60d-9c11-32e0-8efb-28e669b5955a" resource="/data/process-groups/9913cc63-f5a1-39a0-ab12-1551d6d72a86" action="W"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="dd2022f3-1adb-31e7-bee1-688a27f455dc" resource="/process-groups/9913cc63-f5a1-39a0-ab12-1551d6d72a86" action="R"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="25449c36-7fc2-34b0-bf6a-e094480853c0" resource="/process-groups/9913cc63-f5a1-39a0-ab12-1551d6d72a86" action="W"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W"> <user identifier="6b53d661-deec-3bdc-bd00-6c07e763a48b"/> </policy> </policies> </authorizations>         I followed this tutorial to create the Azure AD app : https://github.com/benkelly/NiFi-Authentication-with-Azure-Active-Directory-Setup-Guide   Any idea of what i'm missing? Thanks ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎05-16-2023 03:36 PM
Community Statistics
Member Since ‎04-06-2023 05:22 PM
Last Visited ‎05-16-2023 03:36 PM
Posts 4