12-06-2019 05:06 AM
Problem: Untrusted Proxy error on first log in to NiFi

Just installed Ambari 2.7.3 on HDF 3.4.1.1-4, and installed a two node NiFi 1.9.0 cluster. So we have: Ambari server, misc server for ZooKeeper and Ambari Metrics, and NiFi 1 server and NiFi 2 server. Used TinyCert to create certificates. Enabled SSL. Now logging straight into NiFi, no load balancer yet, on NiFi 1 using the external IP. All servers are VM instances on Google Cloud.

Login URL is: https://{ext IP of VM instance}:9091/nifi

I updated nifi.web.proxy.host with the IP addresses and ports, and full host names we are using. We reach the NiFi page, which displays:

Insufficient Permissions
Untrusted Proxy { our full DN string, matching the cert and what is in the nifi-user.log }

In the nifi-user.log:

2019-12-06 12:38:20,386 INFO [NiFi Web Server-2993405] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=xxxxxxxl, OU=NIFI, O=xxxx, L=xxxx, ST=xxx, C=xx
2019-12-06 12:38:20,465 INFO [NiFi Web Server-2841] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<CN=xxxxxxx, OU=NIFI, O=xxxx, L=xxxx, ST=xxxx, C=xx><CN=, OU=NIFI, O=STAQ, L=, ST=, C=>) GET https://FQDN:9091/nifi-api/flow/current-user (source ip: {internal google cloud IP})
2019-12-06 12:38:20,466 WARN [NiFi Web Server-2841] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=, OU=NIFI, O=, L=, ST=, C=

FQDN is the fully qualified domain name of the NiFi 1 server, as in hostname -f.

The Initial Admin Identity is the full DN name, from the certificate and as it appears in the nifi-user.log: CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xxx, C=US

There are no spaces between comma separated values in this string.
Here is the authorizers.xml:

<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">/var/lib/nifi/conf/users.xml</property>
    <property name="Legacy Authorized Users File" />
    <property name="Initial User Identity 0">CN=FQDN, OU=NIFI, O=xxx, L=xxx, ST=xxx, C=US</property>
    <property name="Nifi1">CN=FQDN, OU=xx, O=xx, L=xxx, ST=xx, C=US</property>
    <property name="Nifi2">CN=FQDN, OU=xx, O=xx, L=xxxx, ST=xxxx, C=US</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">/var/lib/nifi/conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US</property>
    <property name="Legacy Authorized Users File" />
    <property name="Nifi1">CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US</property>
    <property name="Nifi2">CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>

-----------------------

The resulting authorizations.xml is missing write on /flow, and it has no policies for /proxy, and I don't know why that is.
authorizations.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="f0725755-3d0d-3d9d-ae1e-7f65ffbf8f96" resource="/data/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="c7d5c857-594d-30f9-91e7-feba235ee798" resource="/data/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="95e78424-2f26-3ce6-8924-d650c6cd36c1" resource="/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="a71bf188-f0a0-3995-8577-faca82af5574" resource="/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
    <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
      <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
    </policy>
  </policies>
</authorizations>

-----------------------

users.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0" identity="CN=FQDN, OU=NIFI, O=xx, L=xx, ST=xx, C=US"/>
  </users>
</tenants>

-------------------------------------------------------

OK, I just added this manually to the authorizations.xml on each NiFi node:

<policy identifier="efeb048a-a6ce-3e7d-89c2-9fd2417b8059" resource="/proxy" action="R">
  <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
</policy>
<policy identifier="20a75180-0463-393f-9bc6-b6dee87c174f" resource="/proxy" action="W">
  <user identifier="65917dfa-e897-3337-90c2-ea5e137bb8a0"/>
</policy>

Now I can reach the first page. Why were /proxy policies missing?
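The three files discussed in the post, as an added example that is not part of the original post or of Apache NiFi: a Python checker that parses authorizers.xml, users.xml and authorizations.xml, flags identity properties whose names the file-based providers do not recognise (NiFi's FileUserGroupProvider and FileAccessPolicyProvider act only on properties named exactly `Initial User Identity N` and `Node Identity N`; any other name is silently ignored, so no user and no /proxy policy is generated from it), and lists every declared node identity that lacks R and W on `/proxy`. The DNs, user identifiers and XML are constructed for the example; the set of "known" property names is an assumption based on the NiFi 1.9-era providers.

```python
"""Audit a NiFi file-based authorizer set-up for the 'Untrusted proxy' failure.

Added example, not code from the original post or from Apache NiFi. Reports
(a) identity properties NiFi will ignore because of their name and (b) declared
node identities that lack R and W on /proxy. All XML below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Property-name patterns the file providers act on: full, case-sensitive match.
INITIAL_USER_RE = re.compile(r"^Initial User Identity \S+$")
NODE_IDENTITY_RE = re.compile(r"^Node Identity \S+$")
# Other names the providers understand (assumption: 1.9-era names; check the Admin Guide).
KNOWN_UGP = {"Users File", "Legacy Authorized Users File"}
KNOWN_APP = {"User Group Provider", "Authorizations File", "Initial Admin Identity",
             "Legacy Authorized Users File", "Node Group"}

ADMIN = "CN=admin, OU=NIFI, O=xx, L=xx, ST=xx, C=US"
NODE1 = "CN=nifi1.example.internal, OU=NIFI, O=xx, L=xx, ST=xx, C=US"  # declared correctly
NODE2 = "CN=nifi2.example.internal, OU=NIFI, O=xx, L=xx, ST=xx, C=US"  # misspelled property
NODE3 = "CN=nifi3.example.internal, OU=NIFI, O=xx, L=xx, ST=xx, C=US"  # user exists, no /proxy

AUTHORIZERS_XML = f"""<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 0">{ADMIN}</property>
    <property name="Initial User Identity 1">{NODE1}</property>
    <property name="Nifi2">{NODE2}</property>
    <property name="Initial User Identity 3">{NODE3}</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">{ADMIN}</property>
    <property name="Node Identity 1">{NODE1}</property>
    <property name="Nifi2">{NODE2}</property>
    <property name="Node Identity 3">{NODE3}</property>
  </accessPolicyProvider>
</authorizers>"""

# Constructed state after first start: nifi1 got its /proxy policies generated;
# nifi3 was created later by hand but never granted /proxy (NiFi writes the
# initial policies only into an empty authorizations.xml); nifi2 never existed.
USERS_XML = f"""<tenants><groups/><users>
  <user identifier="u-admin" identity="{ADMIN}"/>
  <user identifier="u-nifi1" identity="{NODE1}"/><user identifier="u-nifi3" identity="{NODE3}"/>
</users></tenants>"""
AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p1" resource="/flow" action="R">
    <user identifier="u-admin"/><user identifier="u-nifi1"/><user identifier="u-nifi3"/>
  </policy>
  <policy identifier="p2" resource="/proxy" action="R"><user identifier="u-nifi1"/></policy>
  <policy identifier="p3" resource="/proxy" action="W"><user identifier="u-nifi1"/></policy>
</policies></authorizations>"""


def parse_authorizers(xml_text):
    """Return the identities NiFi will act on and the properties it will ignore."""
    root = ET.fromstring(xml_text)
    out = {"initial_users": [], "node_identities": [], "ignored": []}
    plan = (("userGroupProvider", INITIAL_USER_RE, KNOWN_UGP, "initial_users"),
            ("accessPolicyProvider", NODE_IDENTITY_RE, KNOWN_APP, "node_identities"))
    for section, pattern, known, bucket in plan:
        for prop in root.iterfind(f"{section}/property"):
            name, value = prop.get("name", ""), (prop.text or "").strip()
            if pattern.match(name):
                out[bucket].append(value)
            elif name not in known:
                out["ignored"].append((section, name, value))
    return out


def parse_users(xml_text):
    """users.xml: identity string -> NiFi-assigned user identifier."""
    return {u.get("identity"): u.get("identifier") for u in ET.fromstring(xml_text).iter("user")}


def parse_policies(xml_text):
    """authorizations.xml: (resource, action) -> set of user identifiers granted."""
    grants = {}
    for pol in ET.fromstring(xml_text).iter("policy"):
        key = (pol.get("resource"), pol.get("action"))
        grants.setdefault(key, set()).update(u.get("identifier") for u in pol.findall("user"))
    return grants


def missing_proxy_access(authorizers, users, grants):
    """(identity, reason) for each declared node that cannot proxy user requests.
    Lookup is an exact string match, as NiFi does without identity-mapping patterns."""
    problems = []
    for identity in authorizers["node_identities"]:
        uid = users.get(identity)
        if uid is None:
            problems.append((identity, "no user in users.xml"))
            continue
        lacking = [a for a in ("R", "W") if uid not in grants.get(("/proxy", a), set())]
        if lacking:
            problems.append((identity, "missing /proxy " + "+".join(lacking)))
    return problems


def audit(authorizers_xml, users_xml, authorizations_xml):
    """Return (ignored_properties, proxy_problems) for the three files."""
    auth = parse_authorizers(authorizers_xml)
    return auth["ignored"], missing_proxy_access(auth, parse_users(users_xml), parse_policies(authorizations_xml))


if __name__ == "__main__":
    for section in audit(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML):
        for entry in section:
            print(entry)
```

To run it against a real installation, read the three files from the NiFi conf directory in place of the constants. Two caveats when acting on its output: the file providers only generate the initial admin, initial user and node policies when users.xml and authorizations.xml contain no users and no policies, so after correcting the property names the generated files have to be removed (or the policies added by hand or through the UI) before a restart will produce the /proxy grants; and the node identity string must match the DN NiFi logs for the node byte for byte unless identity-mapping patterns are configured in nifi.properties.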