Cloudera Community
juan_manuel_nie
user rank
Expert Contributor

Re: Nifi several issues trying to resolve Untruste...

by Expert Contributor in Support Questions
‎09-14-2017 07:49 AM
‎09-14-2017 07:49 AM
Thanks @Matt Clarke I added that entry because I had previous issues with the LDAP admin user, now I understand better how it works. I just removed the "Legacy Authorized Users File" value and it works. ... View more

Nifi several issues trying to resolve Untrusted pr...

by Expert Contributor in Support Questions
‎09-13-2017 03:52 PM
‎09-13-2017 03:52 PM
Hello community, I'm trying to setup a Nifi cluster with external certifcates (used tinycerts.org) and after setup SSL and LDAP authentication and add my nodes SSL CNs to authorizations.xml via ambari, I have the following message when trying to access to nifi console: Insufficient Permissions log outhome Untrusted proxy CN=node04.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES I have tried what is told in this link https://community.hortonworks.com/questions/80246/nifi-untrusted-proxy.html reading the pkcs12 certificate with keytool and getting the CN of the owner part of the certificate: Alias name: 1 Creation date: Sep 13, 2017 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=node01.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES Issuer: CN=Arq de Sistemas CA, OU=Secure Digital Certificate Signing, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES Serial number: 2cbd Valid from: Tue Sep 12 11:14:33 CEST 2017 until: Wed Sep 12 11:14:33 CEST 2018 Even with that I still having the same issue so after a bit of research I found this post https://community.hortonworks.com/questions/110527/nifi-hdf30-untrusted-proxy.html When I remove users.xml and authorizations.xml nifi is not able to create from authorizers.xml, and create an empty ones after that the nifi instances are unable to start and shows this error: 2017-09-13 17:26:47,480 ERROR [NiFi logging handler] org.apache.nifi.StdErr Failed to start web server: Error creating bean with name 'niFiWebApiSecurityConfiguration': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire method: public void org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setX509AuthenticationProvider(org.apache.nifi.web.security.x509.X509AuthenticationProvider); nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'x509AuthenticationProvider' defined in class path resource [nifi-web-security-context.xml]: Cannot resolve reference to bean 'authorizer' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizer': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.authorization.exception.AuthorizerCreationException: org.apache.nifi.authorization.exception.AuthorizerCreationException: Cannot provide an Initial Admin Identity and a Legacy Authorized Users File 2017-09-13 17:26:47,491 ERROR [NiFi logging handler] org.apache.nifi.StdErr Shutting down... SSL works fine with the certificates.. my authorizers.xml is the following: <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <!-- This file lists the authority providers to use when running securely. In order to use a specific provider it must be configured here and it's identifier must be specified in the nifi.properties file. --> <authorizers> <!-- The FileAuthorizer is NiFi"s provided authorizer and has the following properties: - Authorizations File - The file where the FileAuthorizer will store policies. - Users File - The file where the FileAuthorizer will store users and groups. - Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and given the ability to create additional users, groups, and policies. The value of this property could be a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized Users File can not be specified. NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity, so the value should be the unmapped identity. - Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically converted to the new authorizations model. If this property is specified then an Initial Admin Identity can not be specified, and this property will only be used when there are no other users, groups, and policies defined. - Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node should be defined, so that every node knows about every other node. If not clustered these properties can be ignored. The name of each property must be unique, for example for a three node cluster: "Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3" NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities, so the values should be the unmapped identities (i.e. full DN from a certificate). --> <authorizer> <identifier>file-provider</identifier> <class>org.apache.nifi.authorization.FileAuthorizer</class> <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property> <property name="Users File">/var/lib/nifi/conf/users.xml</property> <property name="Initial Admin Identity">cn=testuser,ou=Users,dc=nifi,dc=int</property> <property name="Legacy Authorized Users File">/root/authorized-users.xml</property> <!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. --> <property name="Node Identity 1">CN=node01.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES</property> <property name="Node Identity 2">CN=node03.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES</property> <property name="Node Identity 3">CN=node04.nifi.int, OU=Laboratorio, O=Arq de Sistemas, L=Tres Cantos, ST=Madrid, C=ES</property> </authorizer> </authorizers> Do you know what maybe happening? Thank you in advance. Best regards. ... View more
Labels:

Nifi don't show any login screen with ldap-provide...

by Expert Contributor in Support Questions
‎09-12-2017 11:36 AM
‎09-12-2017 11:36 AM
Hello, I'm doing some test with a nifi cluster (HDF 3), and I wanted to configure ldap as authentication service, I've not configured SSL yet but I would like to test the ldap authentication. But when I try to access the cluster it directly logs me as anonymous and I can see the flows without any login screen. My configuration is the following login-identity-providers.xml <provider> <identifier>ldap-provider</identifier> <class>org.apache.nifi.ldap.LdapProvider</class> <property name="Identity Strategy">USE_USERNAME</property> <property name="Authentication Strategy">SIMPLE</property> <property name="Manager DN">cn=Manager,dc=nifi,dc=int</property> <property encryption="aes/gcm/256" name="Manager Password">mIV4TPuSpfOGzd3E||FZnVyewmvoWGEmf1sF5cCTCy4tztrwo</property> <property name="TLS - Keystore"/> <property name="TLS - Keystore Password"/> <property name="TLS - Keystore Type"/> <property name="TLS - Truststore"/> <property name="TLS - Truststore Password"/> <property name="TLS - Truststore Type"/> <property name="TLS - Client Auth"/> <property name="TLS - Protocol"/> <property name="TLS - Shutdown Gracefully"/> <property name="Referral Strategy">FOLLOW</property> <property name="Connect Timeout">10 secs</property> <property name="Read Timeout">10 secs</property> <property name="Url">ldap://node03.nifi.int:389</property> <property name="User Search Base">ou=Users,dc=nifi,dc=int</property> <property name="User Search Filter">uid={0}</property> <property name="Authentication Expiration">12 hours</property> </provider> nifi.properties: # Generated by Apache Ambari. Tue Sep 12 12:27:33 2017 nifi.administrative.yield.duration=30 sec nifi.authorizer.configuration.file=/usr/hdf/current/nifi/conf/authorizers.xml nifi.bored.yield.duration=10 millis nifi.cluster.flow.election.max.candidates=3 nifi.cluster.flow.election.max.wait.time=5 mins nifi.cluster.is.node=true nifi.cluster.node.address=node01.nifi.int nifi.cluster.node.connection.timeout=5 sec nifi.cluster.node.event.history.size=25 nifi.cluster.node.protocol.max.threads= nifi.cluster.node.protocol.port=9088 nifi.cluster.node.protocol.threads=10 nifi.cluster.node.read.timeout=5 sec nifi.cluster.protocol.heartbeat.interval=5 sec nifi.cluster.protocol.is.secure=False nifi.components.status.repository.buffer.size=1440 nifi.components.status.repository.implementation=org.apache.nifi.controller.status.history.VolatileComponentStatusRepository nifi.components.status.snapshot.frequency=1 min nifi.content.claim.max.appendable.size=10 MB nifi.content.claim.max.flow.files=100 nifi.content.repository.always.sync=false nifi.content.repository.archive.enabled=true nifi.content.repository.archive.max.retention.period=12 hours nifi.content.repository.archive.max.usage.percentage=50% nifi.content.repository.directory.default=/var/lib/nifi/content_repository nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository nifi.content.viewer.url=/nifi-content-viewer/ nifi.database.directory=/var/lib/nifi/database_repository nifi.documentation.working.directory=/var/lib/nifi/work/docs/components nifi.flow.configuration.archive.dir=/var/lib/nifi/archive/ nifi.flow.configuration.archive.enabled=true nifi.flow.configuration.archive.max.count= nifi.flow.configuration.archive.max.storage=500 MB nifi.flow.configuration.archive.max.time=30 days nifi.flow.configuration.file=/var/lib/nifi/conf/flow.xml.gz nifi.flowcontroller.autoResumeState=true nifi.flowcontroller.graceful.shutdown.period=10 sec nifi.flowfile.repository.always.sync=false nifi.flowfile.repository.checkpoint.interval=2 mins nifi.flowfile.repository.directory=/var/lib/nifi/flowfile_repository nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository nifi.flowfile.repository.partitions=256 nifi.flowservice.writedelay.interval=500 ms nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE nifi.kerberos.krb5.file= nifi.kerberos.service.keytab.location= nifi.kerberos.service.principal= nifi.kerberos.spnego.authentication.expiration=12 hours nifi.kerberos.spnego.keytab.location= nifi.kerberos.spnego.principal= nifi.login.identity.provider.configuration.file=/usr/hdf/current/nifi/conf/login-identity-providers.xml nifi.nar.library.directory=/usr/hdf/current/nifi/lib nifi.nar.working.directory=/var/lib/nifi/work/nar nifi.provenance.repository.always.sync=false nifi.provenance.repository.buffer.size=100000 nifi.provenance.repository.compress.on.rollover=true nifi.provenance.repository.debug.frequency=1_000_000 nifi.provenance.repository.directory.default=/var/lib/nifi/provenance_repository nifi.provenance.repository.encryption.key= nifi.provenance.repository.encryption.key.id= nifi.provenance.repository.encryption.key.provider.implementation= nifi.provenance.repository.encryption.key.provider.location= nifi.provenance.repository.implementation=org.apache.nifi.provenance.PersistentProvenanceRepository nifi.provenance.repository.index.shard.size=500 MB nifi.provenance.repository.index.threads=1 nifi.provenance.repository.indexed.attributes= nifi.provenance.repository.indexed.fields=EventType, FlowFileUUID, Filename, ProcessorID, Relationship nifi.provenance.repository.journal.count=16 nifi.provenance.repository.max.attribute.length=65536 nifi.provenance.repository.max.storage.size=1 GB nifi.provenance.repository.max.storage.time=24 hours nifi.provenance.repository.query.threads=2 nifi.provenance.repository.rollover.size=100 MB nifi.provenance.repository.rollover.time=30 secs nifi.queue.swap.threshold=20000 nifi.remote.input.host= nifi.remote.input.http.enabled=true nifi.remote.input.http.transaction.ttl=30 sec nifi.remote.input.secure=False nifi.remote.input.socket.port= nifi.security.identity.mapping.pattern.dn= nifi.security.identity.mapping.pattern.kerb= nifi.security.identity.mapping.value.dn= nifi.security.identity.mapping.value.kerb= nifi.security.keyPasswd= nifi.security.keystore=/usr/hdf/current/nifi/conf/keystore.jks nifi.security.keystorePasswd= nifi.security.keystoreType=jks nifi.security.needClientAuth=False nifi.security.ocsp.responder.certificate= nifi.security.ocsp.responder.url= nifi.security.truststore=/usr/hdf/current/nifi/conf/truststore.jks nifi.security.truststorePasswd= nifi.security.truststoreType=jks nifi.security.user.authorizer=file-provider nifi.security.user.login.identity.provider=ldap-provider nifi.sensitive.props.additional.keys= nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL nifi.sensitive.props.key=wSdxEcJ0QRZGwFfr||CVtSGQsYIUSOXzAQEQBvu+IQFiwFpM/ZldwZgA nifi.sensitive.props.key.protected=aes/gcm/256 nifi.sensitive.props.provider=BC nifi.state.management.configuration.file=/usr/hdf/current/nifi/conf/state-management.xml nifi.state.management.embedded.zookeeper.properties=/usr/hdf/current/nifi/conf/zookeeper.properties nifi.state.management.embedded.zookeeper.start=false nifi.state.management.provider.cluster=zk-provider nifi.state.management.provider.local=local-provider nifi.swap.in.period=5 sec nifi.swap.in.threads=1 nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager nifi.swap.out.period=5 sec nifi.swap.out.threads=4 nifi.templates.directory=/var/lib/nifi/templates nifi.ui.autorefresh.interval=30 sec nifi.ui.banner.text= nifi.variable.registry.properties= nifi.version=1.2.0.3.0.1.0-43 nifi.web.http.host=node01.nifi.int nifi.web.http.network.interface.default= nifi.web.http.port=9090 nifi.web.https.host= nifi.web.https.network.interface.default= nifi.web.https.port= nifi.web.jetty.threads=200 nifi.web.jetty.working.directory=/var/lib/nifi/work/jetty nifi.web.war.directory=/usr/hdf/current/nifi/lib nifi.zookeeper.connect.string=node02.nifi.int:2181,node01.nifi.int:2181,node03.nifi.int:2181 nifi.zookeeper.connect.timeout=3 secs nifi.zookeeper.root.node=/nifi nifi.zookeeper.session.timeout=3 secs Do you have any idea about what is happening? Thank you in advance. ... View more
Labels:

Re: HDFS ports suddenly change after enable kerber...

by Expert Contributor in Support Questions
‎06-05-2017 09:22 AM
‎06-05-2017 09:22 AM
Thanks @yvora , I had seen that before I just didn't know why isn't documented in https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_reference/content/hdfs-ports.html ... View more

HDFS ports suddenly change after enable kerberos

by Expert Contributor in Support Questions
‎06-03-2017 06:03 PM
‎06-03-2017 06:03 PM
Hello, For some reason after enable kerberos security, ambari have changed my datanode ports to 1019, anyone know why is this happening? Because of this for some reason now my namenode is detecting the blocks of a full datanode as underreplicated and is replicated them. ... View more
Labels:

Lauch spark job from oozie shell-action in kerberi...

by Expert Contributor in Support Questions
‎05-18-2017 10:30 AM
‎05-18-2017 10:30 AM
Hello community, I've a cluster secured with one way trust relationship with an AD, before enable security in the cluster I was able to excute spark via oozie using a shell-action. Is there a way to keep doing it without have to propagate my keytab in every nodemamanager? I've seen that for hive from shell-action you can pass the HADOOP_TOKEN_FILE_LOCATION variable to use it, can I do something similar with spark? if not what alternatives do I have? The problem with the keytab is that I've to change the password every moth so I would have to copy the keytab everytime it changes... Thank you in advance. ... View more
Labels:

Re: Yarn ATS replay request on security enabled cl...

by Expert Contributor in Support Questions
‎05-17-2017 03:15 PM
‎05-17-2017 03:15 PM
Hello @Vipin Rathor, An apology for the delay in the answer, finally I solved it, as you said the problem with the replay was that he was trying to authenticate multiple times in a very short time, this was caused by curl and the -L parameter, for some reason curl wasn't storing the session cookie, I fixed it using -c <file path> -b <file path> parameter to store the cookie. Thank you. ... View more

Yarn ATS replay request on security enabled cluste...

by Expert Contributor in Support Questions
‎04-18-2017 05:57 PM
‎04-18-2017 05:57 PM
Hello community, I'have a cluster with kerberos and after a restart I'm having the following error when trying to reach the ATS <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <title>Error 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))</title> </head> <body><h2>HTTP ERROR 403</h2> <p>Problem accessing /applicationhistory. Reason: <pre> GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))</pre></p><hr /><i><small>Powered by Jetty://ll></i><br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> <br/> </body> </html> I've tried with diferent principals but the issue persist. The resource manager and the rest of the spnego authenticated web consoles still working properly. Any idea about what is going on? Thank you in advance ... View more
Labels:

Re: Cant kill an oozie workflow

by Expert Contributor in Support Questions
‎04-03-2017 10:27 AM
‎04-03-2017 10:27 AM
Hello @yvora the mr/yarn job is not running, it didn't start ... View more

Cant kill an oozie workflow

by Expert Contributor in Support Questions
‎03-30-2017 02:27 PM
‎03-30-2017 02:27 PM
Hello community, One of my devs have executed some oozie workflows with a wrong namenode and now the workflows is frozen. I have tried to kill it in any possible way, it prompts like it's sucessfully killed, but the workflows still in the console as RUNNING. [oozie@hadoop01 oozie]$ oozie jobs -kill -filter status=RUNNING the following jobs have been killed Job ID App Name Status User Group Started Ended ------------------------------------------------------------------------------------------------------------------------------------ 0000006-170324203356317-oozie-oozi-W BIGDP46B - AppBigRexManClientRUNNING batch - 2017-03-29 14:31 GMT - ------------------------------------------------------------------------------------------------------------------------------------ 0000004-170324203356317-oozie-oozi-W BIGDP46B - AppBigRexManClientRUNNING bigdata - 2017-03-29 14:23 GMT - ------------------------------------------------------------------------------------------------------------------------------------ 0000003-170324203356317-oozie-oozi-W BIGDP46B - AppBigRexManClientRUNNING bigdata - 2017-03-29 14:21 GMT - ------------------------------------------------------------------------------------------------------------------------------------ 0000002-170324203356317-oozie-oozi-W BIGDP46B - AppBigRexManClientRUNNING bigdata - 2017-03-29 13:54 GMT - ------------------------------------------------------------------------------------------------------------------------------------ [oozie@hadoop01 oozie]$ oozie jobs -filter status=RUNNING Job ID App Name Status User Group Started Ended ------------------------------------------------------------------------------------------------------------------------------------ 0000006-170324203356317-oozie-oozi-W BIGDP46B - AppBigRexManClientRUNNING batch - 2017-03-29 14:31 GMT - ------------------------------------------------------------------------------------------------------------------------------------ 0000004-170324203356317-oozie-oozi-W BIGDP46B - AppBigRexManClientRUNNING bigdata - 2017-03-29 14:23 GMT - ------------------------------------------------------------------------------------------------------------------------------------ 0000003-170324203356317-oozie-oozi-W BIGDP46B - AppBigRexManClientRUNNING bigdata - 2017-03-29 14:21 GMT - ------------------------------------------------------------------------------------------------------------------------------------ 0000002-170324203356317-oozie-oozi-W BIGDP46B - AppBigRexManClientRUNNING bigdata - 2017-03-29 13:54 GMT - ------------------------------------------------------------------------------------------------------------------------------------ [oozie@LTBIG01 oozie]$ I don't know what is going on, I've tried restarting the server but the problem persist, I also have tried to change the status to KILLED directly in the DB from the tables WF_JOBS and WF_ACTIONS, but it keeps showing it as RUNNING. I have check the logs and it's clean. Do you know what maybe going on? Thank you in advance! ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎09-17-2018 08:46 AM
Community Statistics
Member Since ‎12-28-2015 11:11 AM
Last Visited ‎09-17-2018 08:46 AM
Posts 74
Kudos received 17