Member since: 12-29-2017 | Posts: 9 | Kudos Received: 0 | Solutions: 0
02-21-2019 10:39 PM
@Matt Clarke: Thank you for your detailed explanation!
02-21-2019 09:47 PM
@Matt Clarke: Thank you for pointing that out! I changed it and it did solve my problem. I'm able to view my dataflow right now. There is a warning in my browser saying the connection is not secured. What would I do next to make sure the connection is secured?
02-21-2019 08:53 PM
I'd like to turn on SSL mode for the Nifi UI. I have a single Nifi node which is running:
- HDF 3.1.2
- Nifi 1.5
This is what I have done:
- I used TLS Toolkit (standalone mode) to generate the keystore/truststore and P12 file as instructed here: https://community.hortonworks.com/articles/58233/using-the-tls-toolkit-to-simplify-security.html
- I imported the above P12 into my browser on my laptop (note that my Nifi is running on a cloud server - not my laptop).
- I'm able to access the Nifi UI on the secured port but it shows an "Insufficient Permissions" error from the UI:
- I have tried deleting "authorizations.xml" and "users.xml" under "/var/lib/nifi/conf" before restarting Nifi but that doesn't help to resolve it.
Can anyone please help me figure out what I would miss?
- I have attached content of my "users.xml" and "authorizations.xml".
- This is content of my authorizers.xml:
<authorizers>
<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
<property name="Users File">/var/lib/nifi/conf/users.xml</property>
<property name="Initial Admin Identity">CN=scarroll, OU=NIFI</property>
<property name="Legacy Authorized Users File"></property>
<!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->
<property name="CN=localhost, OU=NIFI"></property>
<!--
<property name="Node Identity 2"></property>
<property name="Node Identity 3"></property>
<property name="Node Identity 4"></property>
-->
</authorizer>
</authorizers>
- This is content of my P12 file (truncated, the one I imported to my browser) which contains 2 certificates:
keytool -list -v -keystore CN=scarroll_OU=NIFI.p12 -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Feb 21, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=scarroll, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7d2b300000000
Valid from: Thu Feb 21 11:33:42 EST 2019 until: Sun Feb 20 11:33:42 EST 2022
Certificate fingerprints:...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
....
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7c21e00000000
Valid from: Thu Feb 21 11:33:37 EST 2019 until: Sun Feb 20 11:33:37 EST 2022
Certificate fingerprints:...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
- This is content of keystore (truncated) in my Nifi server:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Feb 21, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7c84000000000
Valid from: Thu Feb 21 11:33:39 EST 2019 until: Sun Feb 20 11:33:39 EST 2022
Certificate fingerprints:...
Extensions:
...
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7c21e00000000
Valid from: Thu Feb 21 11:33:37 EST 2019 until: Sun Feb 20 11:33:37 EST 2022
Certificate fingerprints:
...
Signature algorithm name: SHA256withRSA
Version: 3
- This is content of truststore (truncated) in my Nifi server:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-cert
Creation date: Feb 21, 2019
Entry type: trustedCertEntry
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 16910e7c21e00000000
Valid from: Thu Feb 21 11:33:37 EST 2019 until: Sun Feb 20 11:33:37 EST 2022
Certificate fingerprints:
...
Version: 3
Extensions:
- users.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="fea243e2-c7e5-3a98-b666-f646700c4b89" identity="CN=scarroll, OU=NIFI"/>
</users>
</tenants>
Attachments: authorizations.xml, users.xml
Labels:
Apache NiFi
02-18-2019 05:04 PM
Hi @Geoffrey Shelton Okot: Do you see anything I would do to troubleshoot this problem?
02-13-2019 07:09 PM
Hi @Geoffrey Shelton Okot. Thank you for the hint. I changed the name of that host. The "hostname -f" now shows "my_host_name.com" correctly but still the same issue in the Nifi UI. This is what I did:
- Change hostname of host, confirm output of "hostname -f".
- Restarted Nifi service.
- A few logs from Nifi which would indicate Nifi picked up the change in hostname:
2019-02-13 09:06:20,577 INFO [main] o.a.nifi.web.server.HostHeaderHandler Determined 11 valid hostnames and IP addresses for incoming headers: 127.0.0.1, 127.0.0.1:9091, localhost, localhost:9091, [::1], [::1]:9091, my_host_name.com, my_host_name.com:9091, my_host_IP, my_host_IP:9091,
2019-02-13 09:06:20,577 INFO [main] org.apache.nifi.web.server.JettyServer Created HostHeaderHandler [HostHeaderHandler for my_host_name.com:9091]
I'm accessing Nifi UI via: https://my_host_name.com:9091/nifi/; it then returns:
javax.ws.rs.ProcessingException: java.io.IOException: HTTPS hostname wrong: should be <my_host_name.com>
This is content of my certification shown in Firefox:
Issued to: E=admin@abc.com,CN=my_host_name.com,OU=Dev,O=ABC,L=Saint Petersburg,ST=FL,C=US
Serial number: 00:F8:BE:97:FB:1D:AA:21:C8
Valid from February 7, 2019, 8:53:09 AM GMT-5 to February 6, 2022, 8:53:09 AM GMT-5
Email addresses: admin@abc.com
Issued by: E=dnn@abc.com,CN=Ingestion,OU=Dev,O=Bl,L=Saint Petersburg,ST=FL,C=US
Stored on: Software Security Device
02-11-2019 01:52 PM
Hi @Geoffrey Shelton Okot: Thank you for taking a look. I'm sorry I didn't get a notification of your response till now - my apologies for that. I confirmed the "nifi.web.https.host" changed to "my_host_name.com"; but still the same issue.
02-07-2019 11:28 PM
Hi, I'd like to enable SSL for my Nifi cluster. Some background:
- I have only 2 nodes: 1 Nifi node, 1 Ambari node.
- I followed this article to generate CA/keystore/truststore and client certification: https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif.html
I restarted Nifi (things look good in the log; I'm pretty sure Nifi is running since I saw some processors in my data flow, such as PutCassandra, doing their job). I imported the certificate to my browser as instructed in the article, and I access the Nifi UI at: https://my_host_name.com:9091/nifi. The page then shows me the Nifi logo with the message: "ProcessingException: java.io.IOException: HTTPS hostname wrong: should be <my_host_name.com>"
- These are some settings from my nifi.property:
nifi.web.https.host=my_host_name.com.com
nifi.zookeeper.connect.string=my_host_name.com:2181,ambari_node:2181
nifi.remote.input.host=
- This is content of certification that I imported into my browser:
/usr/jdk64/jdk1.8.0_77/jre/bin/keytool -v -list -keystore server.p12 -storetype PKCS12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: server
Creation date: Feb 7, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=myemail, CN=my_name_host.com, OU=Dev, O=xxx, L=Saint Petersburg, ST=FL, C=US
Issuer: EMAILADDRESS=issuer_email, CN=Ingestion, OU=Dev, O=Bloom, L=Saint Petersburg, ST=FL, C=US
Serial number: f8be97fb1daa21c8
Valid from: Thu Feb 07 08:53:09 EST 2019 until: Sun Feb 06 08:53:09 EST 2022
Certificate fingerprints:
MD5: D5:0F:C5:E6:48:99:FF:D3:8E:5E:42:80:81:29:2F:91
SHA1: A9:7B:8F:CC:E5:E8:E0:B1:6D:E8:AF:A7:6F:26:66:0C:18:BB:24:4C
SHA256: DD:61:2D:78:22:9A:B3:8F:A8:6B:74:86:B5:03:50:34:11:EF:D3:AB:70:32:58:93:8E:95:25:B0:37:04:66:E1
Signature algorithm name: SHA256withRSA
Version: 1
- The "CN" in my certificate looks exactly the same as the nifi server's hostname - why would I receive this error? Would you give me some hints to troubleshoot it? Thank you.
Labels:
Apache NiFi