09-27-2024 07:15 AM, 1 Kudo
Hey @MattWho Thank you very much for your response. I am new to setting up the NiFi Registry and have been trying out most of the implementation from the official documentation. Yes, I would like to use LDAP and have been looking into these steps: https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#ldap_identity_provider However, as per your answer, I understood that the TLS keystore and truststore properties are not required for this. Did I understand it correctly?
09-27-2024 02:44 AM, 1 Kudo
Hello, I am trying to set up LDAP on my NiFi Registry and I am getting the below error:

nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut Caused by: java.lang.Exception: Unable to load the login identity provider configuration file at: /opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory.loadLoginIdentityProvidersConfiguration(IdentityProviderFactory.java:160)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory.getIdentityProvider(IdentityProviderFactory.java:110)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$adc959c5.CGLIB$getIdentityProvider$0(<generated>)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$adc959c5$$FastClassBySpringCGLIB$$53c655ec.invoke(<generated>)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.apache.nifi.registry.security.authentication.IdentityProviderFactory$$EnhancerBySpringCGLIB$$adc959c5.getIdentityProvider(<generated>)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at java.lang.reflect.Method.invoke(Method.java:498)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut ... 58 common frames omitted
nifi-registry 2024-09-27 09:25:06,919 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-09-27 09:25:06,919 INFO [Thread-1] org.apache.nifi.registry.NiFiRegistry Initiating shutdown of Jetty web server...
nifi-registry 2024-09-27 09:25:06,922 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-09-27 09:25:06,922 INFO [Thread-1] o.eclipse.jetty.server.AbstractConnector Stopped ServerConnector@7a1ebcd8{HTTP/1.1,[http/1.1]}{0.0.0.0:18080}
nifi-registry 2024-09-27 09:25:06,922 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut 2024-09-27 09:25:06,922 INFO [Thread-1] org.eclipse.jetty.server.session node0 Stopped scavenging
nifi-registry 2024-09-27 09:25:07,787 INFO [main] o.a.n.registry.bootstrap.RunNiFiRegistry NiFi Registry never started. Will not restart NiFi Registry

I am using a Helm chart to deploy this and the above pasted logs are my pod logs. While debugging I do see that the file is present inside the pod:

nifi@nifi-registry-custom-0:/opt/nifi-registry/nifi-registry-current/conf$ ls -lrth
total 112K
-rw-r--r-- 1 nifi nifi 1020 Dec 19 2019 registry-aliases.xml
-rw-r--r-- 1 nifi nifi 6.0K Dec 19 2019 identity-providers.xml
-rw-r--r-- 1 nifi nifi 2.1K Dec 19 2019 bootstrap.conf
-rw-r--r-- 1 nifi nifi 5.0K Aug 19 2020 providers.xml
-rw-r--r-- 1 root root 5.3K Sep 27 09:14 nifi-registry.temp
-rw-r--r-- 1 root root 6.7K Sep 27 09:14 login-identity-providers-ldap.xml
-rw-r--r-- 1 root root 21K Sep 27 09:14 authorizers.temp
-rw-r--r-- 1 nifi nifi 4.9K Sep 27 09:14 nifi-registry.properties
-rw-r--r-- 1 nifi nifi 6.7K Sep 27 09:14 login-identity-providers.xml

and my login-identity-providers.xml file contents are as below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one or more
~ contributor license agreements. See the NOTICE file distributed with
~ this work for additional information regarding copyright ownership.
~ The ASF licenses this file to You under the Apache License, Version 2.0
~ (the "License"); you may not use this file except in compliance with
~ the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<!--
This file lists the identity providers to use when running securely. In order
to use a specific provider it must be configured here and its identifier
must be specified in the nifi-registry.properties file.
-->
<identityProviders>
<!--
Identity Provider for users logging in with username/password against an LDAP server.
'Authentication Strategy' - How the connection to the LDAP server is authenticated. Possible
values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
'Manager DN' - The DN of the manager that is used to bind to the LDAP server to search for users.
'Manager Password' - The password of the manager that is used to bind to the LDAP server to
search for users.
'TLS - Keystore' - Path to the Keystore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Keystore Password' - Password for the Keystore that is used when connecting to LDAP
using LDAPS or START_TLS.
'TLS - Keystore Type' - Type of the Keystore that is used when connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Truststore' - Path to the Truststore that is used when connecting to LDAP using LDAPS or START_TLS.
'TLS - Truststore Password' - Password for the Truststore that is used when connecting to
LDAP using LDAPS or START_TLS.
'TLS - Truststore Type' - Type of the Truststore that is used when connecting to LDAP using
LDAPS or START_TLS (i.e. JKS or PKCS12).
'TLS - Client Auth' - Client authentication policy when connecting to LDAP using LDAPS or START_TLS.
Possible values are REQUIRED, WANT, NONE.
'TLS - Protocol' - Protocol to use when connecting to LDAP using LDAPS or START_TLS. (i.e. TLS,
TLSv1.1, TLSv1.2, etc).
'TLS - Shutdown Gracefully' - Specifies whether the TLS should be shut down gracefully
before the target context is closed. Defaults to false.
'Referral Strategy' - Strategy for handling referrals. Possible values are FOLLOW, IGNORE, THROW.
'Connect Timeout' - Duration of connect timeout. (i.e. 10 secs).
'Read Timeout' - Duration of read timeout. (i.e. 10 secs).
'Url' - Space-separated list of URLs of the LDAP servers (i.e. ldap://<hostname>:<port>).
'User Search Base' - Base DN for searching for users (i.e. CN=Users,DC=example,DC=com).
'User Search Filter' - Filter for searching for users against the 'User Search Base'.
(i.e. sAMAccountName={0}). The user specified name is inserted into '{0}'.
'Identity Strategy' - Strategy to identify users. Possible values are USE_DN and USE_USERNAME.
The default functionality if this property is missing is USE_DN in order to retain
backward compatibility. USE_DN will use the full DN of the user entry if possible.
USE_USERNAME will use the username the user logged in with.
'Authentication Expiration' - The duration of how long the user authentication is valid
for. If the user never logs out, they will be required to log back in following
this duration.
-->
<provider>
<identifier>ldap-identity-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN"></property>
<property name="Manager Password"></property>
<property name="TLS - Keystore">/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.local.svc.cluster.local/keystore.jks</property>
<property name="TLS - Keystore Password">xxx</property>
<property name="TLS - Keystore Type">jks</property>
<property name="TLS - Truststore">/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.local.svc.cluster.local/truststore.jks</property>
<property name="TLS - Truststore Password">xxx</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth">NONE</property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully">false</property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url"></property>
<property name="User Search Base"></property>
<property name="User Search Filter">(cn={0})</property>
<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
<!--
Identity Provider for users logging in with username/password against a Kerberos KDC server.
'Default Realm' - Default realm to provide when user enters incomplete user principal (i.e. NIFI.APACHE.ORG).
'Authentication Expiration' - The duration of how long the user authentication is valid for. If the user never logs out, they will be required to log back in following this duration.
-->
<!-- To enable the kerberos-identity-provider remove 2 lines. This is 1 of 2.
<provider>
<identifier>kerberos-identity-provider</identifier>
<class>org.apache.nifi.registry.web.security.authentication.kerberos.KerberosIdentityProvider</class>
<property name="Default Realm">NIFI.APACHE.ORG</property>
<property name="Authentication Expiration">12 hours</property>
<property name="Enable Debug">false</property>
</provider>
To enable the kerberos-provider remove 2 lines. This is 2 of 2. -->
</identityProviders>

My properties file contents are:

# security properties #
nifi.registry.security.keystore=/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.default.svc.cluster.local/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=xxx
nifi.registry.security.keyPasswd=xxx
nifi.registry.security.truststore=/opt/nifi-registry/nifi-registry-current/conf/nifi-registry-custom-nifi-registry-0.nifi-registry-custom-nifi-registry-headless.default.svc.cluster.local/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=changeMe
nifi.registry.security.needClientAuth=
nifi.registry.security.authorizers.configuration.file=/opt/nifi-registry/nifi-registry-current/conf/authorizers.xml
nifi.registry.security.authorizer=file-provider
nifi.registry.security.identity.providers.configuration.file=/opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider

However, I am not sure what the issue is. Could someone please help?
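As an added example (not code from the post above or from the NiFi Registry project), a small offline consistency check of the two files the post pairs together: it parses nifi-registry.properties and login-identity-providers.xml, confirms the XML is well-formed, confirms that the identifier named by nifi.registry.security.identity.provider is defined in the XML (as the file's own comment block requires), and flags LDAP properties that were left empty. The set of properties treated as required for a SIMPLE bind (Url, User Search Base, Manager DN) is an assumption drawn from the property descriptions in that comment block; the sample inputs are constructed, trimmed copies of the files shown in the post.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of the two files pasted in the post above (passwords omitted).
PROPERTIES = """\
nifi.registry.security.identity.providers.configuration.file=/opt/nifi-registry/nifi-registry-current/conf/login-identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider
"""
PROVIDERS_XML = """\
<identityProviders>
  <provider>
    <identifier>ldap-identity-provider</identifier>
    <property name="Authentication Strategy">SIMPLE</property>
    <property name="Manager DN"></property>
    <property name="Url"></property>
    <property name="User Search Base"></property>
    <property name="User Search Filter">(cn={0})</property>
  </provider>
</identityProviders>
"""
# Assumption: an LDAP provider using a SIMPLE bind cannot work with these left empty.
REQUIRED_FOR_SIMPLE = ("Url", "User Search Base", "Manager DN")


def parse_properties(text):
    """Parse Java-style key=value lines into a dict; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_identity_provider(properties_text, providers_xml):
    """Return a list of findings; an empty list means the files agree and nothing required is blank."""
    props = parse_properties(properties_text)
    wanted = props.get("nifi.registry.security.identity.provider", "")
    try:
        root = ET.fromstring(providers_xml)
    except ET.ParseError as exc:  # a file that does not parse can never be loaded
        return [f"XML is not well-formed: {exc}"]
    # identifier -> <provider> element, for every provider that is not commented out
    providers = {p.findtext("identifier"): p for p in root.findall("provider")}
    if wanted not in providers:
        return [f"provider '{wanted}' is not defined in the XML"]
    values = {e.get("name"): (e.text or "").strip() for e in providers[wanted].findall("property")}
    findings = []
    if values.get("Authentication Strategy") == "SIMPLE":
        for name in REQUIRED_FOR_SIMPLE:
            if not values.get(name):
                findings.append(f"property '{name}' is empty")
    return findings
```

Run against the files from the post it reports the three empty LDAP properties; it does not reach the LDAP server, so a wrong URL or an unreachable keystore path is outside what it can see.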
Labels: Apache NiFi, NiFi Registry