06-26-2017
04:49 PM
Thank you @Wynner. I can already run NiFi with user authentication using the ldap-provider.
06-21-2017
06:59 PM
It is LDAP.
One question: must the configuration of the property in login-identity-providers.xml be:
<property name="Authentication Strategy">START_TLS</property> or
<property name="Authentication Strategy">SIMPLE</property>?
Because SIMPLE presents another error. Additionally, my configuration:
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">START_TLS</property>
<property name="Manager DN">cn=OTECEL\user,dc=otecel,dc=com,dc=ec</property>
<property name="Manager Password">clave</property>
<property name="TLS - Keystore">/root/scripts/cert.p12</property>
<property name="TLS - Keystore Password">hadoop</property>
<property name="TLS - Keystore Type">PKCS12</property>
<property name="TLS - Truststore">/root/scripts/cacert.jks</property>
<property name="TLS - Truststore Password">hadoop</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://direccion:389</property>
<property name="User Search Base">dc=otecel,dc=com,dc=ec</property>
<property name="User Search Filter">cn=*</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
Another question: Should the security certificate be signed? Because running the following command:
curl -v https://10.112.152.181:8443/nifi/login
presents the following:
* About to connect() to 10.112.152.181 port 8443 (#0)
* Trying 10.112.152.181...
* Connected to 10.112.152.181 (10.112.152.181) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: L=Quito,C=EC,CN=otecelbdatayhdp
* start date: Jun 20 23:07:15 2017 GMT
* expire date: Jun 20 23:07:15 2018 GMT
* common name: otecelbdatayhdp
* issuer: L=Quito,C=EC,CN=otecelbdatayhdp
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
06-21-2017
06:59 PM
Error in nifi-user.log:
2017-06-21 11:49:36,725 INFO [NiFi Web Server-58] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2017-06-21 11:49:36,780 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper anonymous does not have permission to access the requested resource. Not authorized for the requested resource. Returning Unauthorized response.
2017-06-21 11:52:42,757 INFO [NiFi Web Server-55] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
2017-06-21 11:55:46,030 INFO [main] o.a.nifi.authorization.FileAuthorizer Creating new users file at /RGenerator/nifi2/nifi-1.2.0.3.0.0.0-453/./conf/users.xml
2017-06-21 11:55:46,046 INFO [main] o.a.nifi.authorization.FileAuthorizer Creating new authorizations file at /RGenerator/nifi2/nifi-1.2.0.3.0.0.0-453/./conf/authorizations.xml
2017-06-21 11:55:46,070 INFO [main] o.a.nifi.authorization.FileAuthorizer Authorizations file loaded at Wed Jun 21 11:55:46 ECT 2017
06-21-2017
06:59 PM
Hi, I am configuring user authorization in NiFi and have the following error:
... 66 common frames omitted
Caused by: javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3201)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3261)
at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:184)
at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:132)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:143)
Must the configuration of the property Authentication Strategy in login-identity-providers.xml be:
<property name="Authentication Strategy">START_TLS</property> or
<property name="Authentication Strategy">SIMPLE</property>?
Because Authentication Strategy = SIMPLE presents another error:
[NiFi Web Server-31] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
My configuration:
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">START_TLS</property>
<property name="Manager DN">cn=OTECEL\user,dc=otecel,dc=com,dc=ec</property>
<property name="Manager Password">clave</property>
<property name="TLS - Keystore">/root/scripts/cert.p12</property>
<property name="TLS - Keystore Password">hadoop</property>
<property name="TLS - Keystore Type">PKCS12</property>
<property name="TLS - Truststore">/root/scripts/cacert.jks</property>
<property name="TLS - Truststore Password">hadoop</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://direccion:389</property>
<property name="User Search Base">dc=otecel,dc=com,dc=ec</property>
<property name="User Search Filter">cn=*</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
Another question: Should the security certificate be signed? Because running the following command:
curl -v https://10.112.152.181:8443/nifi/login
presents the following:
* About to connect() to 10.112.152.181 port 8443 (#0)
* Trying 10.112.152.181...
* Connected to 10.112.152.181 (10.112.152.181) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: L=Quito,C=EC,CN=otecelbdatayhdp
* start date: Jun 20 23:07:15 2017 GMT
* expire date: Jun 20 23:07:15 2018 GMT
* common name: otecelbdatayhdp
* issuer: L=Quito,C=EC,CN=otecelbdatayhdp
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Labels: Apache NiFi
06-21-2017
06:24 PM
It is LDAP. One question: must the configuration of the property in login-identity-providers.xml be:
<property name="Authentication Strategy">START_TLS</property> or
<property name="Authentication Strategy">SIMPLE</property>?
Additionally, my configuration:
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">START_TLS</property>
<property name="Manager DN">cn=OTECEL\user,dc=otecel,dc=com,dc=ec</property>
<property name="Manager Password">clave</property>
<property name="TLS - Keystore">/root/scripts/cert.p12</property>
<property name="TLS - Keystore Password">hadoop</property>
<property name="TLS - Keystore Type">PKCS12</property>
<property name="TLS - Truststore">/root/scripts/cacert.jks</property>
<property name="TLS - Truststore Password">hadoop</property>
<property name="TLS - Truststore Type">JKS</property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol">TLS</property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://direccion:389</property>
<property name="User Search Base">dc=otecel,dc=com,dc=ec</property>
<property name="User Search Filter">cn=*</property>
<property name="Identity Strategy">USE_USERNAME</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
Thanks.
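The question above turns on how Authentication Strategy, Url and User Search Filter fit together. The following Python check is an added example, not part of the original post and not NiFi's own code: it lints a provider block for combinations that conflict with how the NiFi administration guide describes those properties. The helper name `lint_ldap_provider` is hypothetical and the sample XML is constructed from the posted configuration with credentials omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the provider block in the post (credentials omitted).
SAMPLE = """<provider>
  <identifier>ldap-provider</identifier>
  <class>org.apache.nifi.ldap.LdapProvider</class>
  <property name="Authentication Strategy">START_TLS</property>
  <property name="TLS - Truststore">/root/scripts/cacert.jks</property>
  <property name="Url">ldap://direccion:389</property>
  <property name="User Search Filter">cn=*</property>
</provider>"""


def lint_ldap_provider(xml_text):
    """Return a list of findings for one <provider> element (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): (p.text or "").strip() for p in root.iter("property")}
    strategy = props.get("Authentication Strategy", "")
    url = props.get("Url", "").lower()
    findings = []
    # SIMPLE performs a plain bind; on ldap:// nothing protects the password in transit.
    if strategy == "SIMPLE" and url.startswith("ldap://"):
        findings.append("SIMPLE over ldap:// sends bind credentials unencrypted")
    # LDAPS means TLS from the first byte, so the Url scheme must be ldaps://.
    if strategy == "LDAPS" and not url.startswith("ldaps://"):
        findings.append("LDAPS strategy expects an ldaps:// Url")
    # START_TLS upgrades a connection that was opened in the clear on ldap://.
    if strategy == "START_TLS" and not url.startswith("ldap://"):
        findings.append("START_TLS expects an ldap:// Url that is then upgraded")
    # NiFi substitutes the login name into {0}; without it the name is never searched.
    if "{0}" not in props.get("User Search Filter", ""):
        findings.append("User Search Filter lacks {0}, so the login name is not used")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_provider(SAMPLE):
        print("finding:", finding)
```
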
06-20-2017
07:17 PM
Thanks so much, Pierre Villard, you are great! I had commented on a line. Now I already have NiFi on HTTPS, but I can't connect. The following error is present in nifi-user.log:
Caused by: org.springframework.ldap.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580]; nested exception is javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580]; remaining name ''
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:223)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:148)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:802)
at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:316)
at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:126)
at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:94)
at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:189)
... 66 common frames omitted
Caused by: javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3201)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3261)
at javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:184)
at org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation(AbstractTlsDirContextAuthenticationStrategy.java:132)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:143)
... 72 common frames omitted
The connection with LDAP from the OS was correct. Do you know what the problem might be? Please help me.
06-19-2017
08:10 PM
Hi @Matt Clarke, I have configured NiFi User Authentication with LDAP and I am seeing the following in my logs:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'loginIdentityProvider': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified login identity provider 'ldap-provider' could not be found.
Please, can you help me?
Labels: Apache NiFi
06-17-2017
02:40 AM
Hi Matt, I am configuring User Authentication with LDAP and it presents the following error:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'loginIdentityProvider': FactoryBean threw exception on object creation; nested exception is java.lang.Exception: The specified login identity provider 'ldap-provider' could not be found.
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:254) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[spring-context-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:90) ~[na:na]
... 28 common frames omitted
Caused by: java.lang.Exception: The specified login identity provider 'ldap-provider' could not be found.
at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean.getObject(LoginIdentityProviderFactoryBean.java:121) ~[nifi-web-security-1.1.0.2.1.2.0-10.jar:1.1.0.2.1.2.0-10]
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
Please help me. Regards, Julio