01-27-2017
10:41 PM
@Bryan Bende I used your suggestion and continue to get error Untrusted proxy CN=sunman0.field.hortonworks.com, OU=NIFI
Log error:
2017-01-27 22:38:53,187 INFO [NiFi Web Server-47] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifiadmin, OU=FIELD.HORTONWORKS.COM) GET https://sunman0.field.hortonworks.com:9091/nifi-api/flow/current-user (source ip: xx.xx.80.117)
2017-01-27 22:38:53,191 INFO [NiFi Web Server-47] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifiadmin, OU=FIELD.HORTONWORKS.COM
2017-01-27 22:38:53,340 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<CN=nifiadmin, OU=FIELD.HORTONWORKS.COM><CN=sunman0.field.hortonworks.com, OU=NIFI>) GET https://sunman0.field.hortonworks.com:9091/nifi-api/flow/current-user (source ip: xxx.xx.197.193)
2017-01-27 22:38:53,347 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=sunman0.field.hortonworks.com, OU=NIFI
I updated the node identities
<!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->
<property name="Node Identity 1">"CN=sunman0.field.hortonworks.com, OU=NIFI"</property>
<!--
<property name="Node Identity 2"></property>
<property name="Node Identity 3"></property>
<property name="Node Identity 4"></property>
-->
Lastly, I removed authorizations.xml and user.xml and restarted NiFi.
01-27-2017
07:48 PM
I am getting error Untrusted proxy CN=xxx.field.hortonworks.com, OU=NIFI while trying to log into the NiFi UI via my admin SSL cert. I read this post but am not able to follow how to provide my proxy access. Truly didn't know I was using a proxy.
https://community.hortonworks.com/questions/61159/getting-untrusted-proxy-message-while-trying-to-se.html
I added my DN to the node identities
<!-- Provide the identity (typically a DN) of each node when clustered (see tool tip for detailed description of Node Identity). Must be specified when Ranger Nifi plugin will not be used for authorization. -->
<property name="Node Identity 1">xxx.field.hortonworks.com</property>
<!--
<property name="Node Identity 2"></property>
<property name="Node Identity 3"></property>
<property name="Node Identity 4"></property>
-->
Here is my authorizers.xml
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!--
This file lists the authority providers to use when running securely. In order
to use a specific provider it must be configured here and it's identifier
must be specified in the nifi.properties file.
-->
<authorizers>
<!--
The FileAuthorizer is NiFi's provided authorizer and has the following properties:
- Authorizations File - The file where the FileAuthorizer will store policies.
- Users File - The file where the FileAuthorizer will store users and groups.
- Initial Admin Identity - The identity of an initial admin user that will be granted access to the UI and
given the ability to create additional users, groups, and policies. The value of this property could be
a DN when using certificates or LDAP, or a Kerberos principal. This property will only be used when there
are no other users, groups, and policies defined. If this property is specified then a Legacy Authorized
Users File can not be specified.
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the initial admin identity,
so the value should be the unmapped identity.
- Legacy Authorized Users File - The full path to an existing authorized-users.xml that will be automatically
converted to the new authorizations model. If this property is specified then an Initial Admin Identity can
not be specified, and this property will only be used when there are no other users, groups, and policies defined.
- Node Identity [unique key] - The identity of a NiFi cluster node. When clustered, a property for each node
should be defined, so that every node knows about every other node. If not clustered these properties can be ignored.
The name of each property must be unique, for example for a three node cluster:
"Node Identity A", "Node Identity B", "Node Identity C" or "Node Identity 1", "Node Identity 2", "Node Identity 3"
NOTE: Any identity mapping rules specified in nifi.properties will also be applied to the node identities,
so the values should be the unmapped identities (i.e. full DN from a certificate).
-->
<authorizer>
<identifier>{{nifi_authorizer}}</identifier>
{% if has_ranger_admin and enable_ranger_nifi %}
<class>org.apache.nifi.ranger.authorization.RangerNiFiAuthorizer</class>
<property name="Ranger Audit Config Path">{{nifi_config_dir}}/ranger-nifi-audit.xml</property>
<property name="Ranger Security Config Path">{{nifi_config_dir}}/ranger-nifi-security.xml</property>
<property name="Ranger Service Type">nifi</property>
<property name="Ranger Application Id">nifi</property>
<property name="Allow Anonymous">true</property>
<property name="Ranger Admin Identity">{{ranger_admin_identity}}</property>
{% if security_enabled %}
<property name="Ranger Kerberos Enabled">true</property>
{% else %}
<property name="Ranger Kerberos Enabled">false</property>
{% endif %}
{% else %}
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">{{nifi_flow_config_dir}}/authorizations.xml</property>
<property name="Users File">{{nifi_flow_config_dir}}/users.xml</property>
<property name="Initial Admin Identity">{{nifi_initial_admin_id}}</property>
<property name="Legacy Authorized Users File"></property>
{% endif %}
{{nifi_ssl_config_content}}
</authorizer>
</authorizers>
Any suggestions?
Labels: Apache NiFi
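A diagnostic for the "Untrusted proxy" rejections in the two posts above, added here as an example (not code from the posts or from NiFi): it pulls the rejected proxy DNs out of the user log and compares them with the Node Identity values in authorizers.xml, following the file's own note that these should be the full DN from the certificate. The hostnames, log lines and XML are constructed samples, and the comparison assumes exact string matching with no identity mapping rules configured.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data modelled on the log line and properties quoted in the posts.
SAMPLE_LOG = (
    "2017-01-27 22:38:53,347 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter "
    "Rejecting access to web api: Untrusted proxy CN=node1.example.com, OU=NIFI\n"
    "2017-01-27 22:39:10,002 INFO [NiFi Web Server-140] o.a.n.w.s.NiFiAuthenticationFilter "
    "Rejecting access to web api: Untrusted proxy CN=node2.example.com, OU=NIFI\n"
)
SAMPLE_AUTHORIZERS = """<authorizers><authorizer>
  <identifier>file-provider</identifier>
  <class>org.apache.nifi.authorization.FileAuthorizer</class>
  <property name="Initial Admin Identity">CN=nifiadmin, OU=EXAMPLE.COM</property>
  <property name="Node Identity 1">"CN=node1.example.com, OU=NIFI"</property>
  <property name="Node Identity 2">node2.example.com</property>
  <!-- <property name="Node Identity 3"></property> -->
</authorizer></authorizers>"""

PROXY_RE = re.compile(r"Untrusted proxy (.+?)\s*$")

def rejected_proxies(log_text):
    """DNs that NiFiAuthenticationFilter reported as untrusted proxies."""
    hits = (PROXY_RE.search(line) for line in log_text.splitlines())
    return {m.group(1) for m in hits if m}

def node_identities(authorizers_xml):
    """{property name: raw value} for each active (uncommented) Node Identity."""
    root = ET.fromstring(authorizers_xml)
    return {p.get("name"): p.text or "" for p in root.iter("property")
            if p.get("name", "").startswith("Node Identity")}

def diagnose(log_text, authorizers_xml):
    """Map each rejected proxy DN to the reason no Node Identity matches it."""
    nodes = node_identities(authorizers_xml)
    findings = {}
    for dn in sorted(rejected_proxies(log_text)):
        if dn in nodes.values():
            findings[dn] = "exact match present in authorizers.xml"
            continue
        reasons = []
        for name, value in nodes.items():
            bare = value.strip().strip("\"'")
            if bare == dn:
                reasons.append(f"{name}: quotes or whitespace around the DN")
            elif bare and f"CN={bare}," in dn + ",":
                reasons.append(f"{name}: hostname only, not the full DN")
        findings[dn] = "; ".join(reasons) or "no Node Identity for this DN"
    return findings
```

Calling `diagnose()` on the real nifi-user.log text and the rendered authorizers.xml from each node gives one line per rejected DN.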
01-27-2017
07:44 PM
Thank you all for responses. Great stuff. I was able to parse the NiFi user log as suggested and found my cert was the wrong user. I am getting a proxy error now. Will open another post. Thank you again.
01-27-2017
07:32 PM
@Andy LoPresto Got it. But how am I supposed to provide read access to admin if I am not able to get into the UI using the admin cert?
01-27-2017
07:23 PM
I have enabled SSL and created cert
/var/lib/ambari-agent/cache/common-services/NIFI/1.0.0/package/files/nifi-toolkit-1.1.0.2.1.1.0-2/bin/tls-toolkit.sh client -c xxxxx.field.hortonworks.com -D 'CN=nifiadmin, OU=FIELD.HORTONWORKS.COM' -p 10443 -t admin -T pkcs12
Added cert to my keychain and loaded pem in Chrome.
I have my initial admin identity set to CN=nifiadmin, OU=FIELD.HORTONWORKS.COM
This is in my users.xml
<tenants>
<groups/>
<users>
<user identifier="92f3fcec-cd4d-347d-b750-c54eb8f7d04f" identity="CN=nifiadmin, OU=FIELD.HORTONWORKS.COM">
<role name="ROLE_ADMIN"/>
<user identifier="b7851c46-a903-34d5-928e-483bf61ddc17" identity="xxxxx.field.hortonworks.com">
<role name="ROLE_ADMIN"/>
</users>
</tenants>
When I hit the UI it says I have insufficient privileges. Any ideas? I have deleted authorizations.xml and users.xml, restarted NiFi and same issue. I have also updated the users.xml and set <role name="ROLE_ADMIN"/> for each user. I removed this snippet as well. Same issue.
Labels: Apache NiFi
01-25-2017
05:03 PM
@Michael Rivera If this has answered your question, please close out by accepting the answer. Thank you.
01-25-2017
04:48 PM
1 Kudo
You can execute a processor on a schedule via crontab. More info here: https://docs.hortonworks.com/HDPDocuments/HDF1/HDF-1.2/bk_UserGuide/content/scheduling-tab.html

CRON driven: When using the CRON driven scheduling mode, the Processor is scheduled to run periodically, similar to the Timer driven scheduling mode. However, the CRON driven mode provides significantly more flexibility at the expense of increasing the complexity of the configuration. This value is made up of six fields, each separated by a space. These fields include: Seconds, Minutes, Hours, Day of Month, Month, Day of Week, Year.

The value for each of these fields should be a number, range, or increment. Range here refers to a syntax of <number>-<number>. For example, the Seconds field could be set to 0-30, meaning that the Processor should only be scheduled if the time is 0 to 30 seconds after the minute. Additionally, a value of * indicates that all values are valid for this field. Multiple values can also be entered using a , as a separator: 0,5,10,15,30. An increment is written as <start value>/<increment>. For example, setting a value of 0/10 for the seconds field means that valid values are 0, 10, 20, 30, 40, and 50. However, if we change this to 5/10, valid values become 5, 15, 25, 35, 45, and 55.

For the Month field, valid values are 1 (January) through 12 (December). For the Day of Week field, valid values are 1 (Sunday) through 7 (Saturday). Additionally, a value of L may be appended to one of these values to indicate the last occurrence of this day in the month. For example, 1L can be used to indicate the last Monday of the month.

Next, the Scheduling Tab provides a configuration option named 'Concurrent tasks.' This controls how many threads the Processor will use. Said a different way, this controls how many FlowFiles should be processed by this Processor at the same time. Increasing this value will typically allow the Processor to handle more data in the same amount of time. However, it does this by using system resources that then are not usable by other Processors. This essentially provides a relative weighting of Processors - it controls how much of the system's resources should be allocated to this Processor instead of other Processors. This field is available for most Processors. There are, however, some types of Processors that can only be scheduled with a single Concurrent task.

The "Run schedule" dictates how often the Processor should be scheduled to run. The valid values for this field depend on the selected Scheduling Strategy (see above). If using the Event driven Scheduling Strategy, this field is not available. When using the Timer driven Scheduling Strategy, this value is a time duration specified by a number followed by a time unit. For example, 1 second or 5 mins. The default value of 0 sec means that the Processor should run as often as possible as long as it has data to process. This is true for any time duration of 0, regardless of the time unit (i.e., 0 sec, 0 mins, 0 days). For an explanation of values that are applicable for the CRON driven Scheduling Strategy, see the description of the CRON driven Scheduling Strategy itself.

The right-hand side of the tab contains a slider for choosing the 'Run duration.' This controls how long the Processor should be scheduled to run each time that it is triggered. On the left-hand side of the slider, it is marked 'Lower latency' while the right-hand side is marked 'Higher throughput.' When a Processor finishes running, it must update the repository in order to transfer the FlowFiles to the next Connection. Updating the repository is expensive, so the more work that can be done at once before updating the repository, the more work the Processor can handle (Higher throughput). However, this means that the next Processor cannot start processing those FlowFiles until the previous Process updates this repository. As a result, the latency will be longer (the time required to process the FlowFile from beginning to end will be longer). As a result, the slider provides a spectrum from which the DFM can choose to favor Lower Latency or Higher Throughput.
01-24-2017
12:30 AM
From your details I can't parse if authorizers.xml is the same on all nodes. Can you verify it is?
01-16-2017
09:58 PM
I am interested in creating a NiFi cluster using Cloudbreak. I understand in the past this was not doable since NiFi was not deployable via Ambari. That is changed in the latest NiFi release. This is branching from an old thread here. If deploying NiFi via Cloudbreak is now possible, does anyone have a working blueprint which they have tried with Cloudbreak? My concern: NiFi requires mpacks. Not sure how CB handles that. Please note - I know this question has been asked by others. I need to understand, if this is not possible, why. I understand anything which is deployable via blueprint should in theory be deployable via CB. Looking for additional technical insights on the why not.
Labels: Apache NiFi, Hortonworks Cloudbreak