Cloudera Community
sambeth
user rank
New Contributor

Re: SSLHandshakeException Nifi and Nifi Registry

by Master Mentor Master Mentor in Support Questions
‎03-17-2021 06:02 AM
‎03-17-2021 06:02 AM
@sambeth    NiFi authorization lookups require an exact case sensitive match between the resulting authentication user string or associated group string (NIFi user group providers configured in the authorizers.xml are responsible for determining associations between user strings and group strings within NiFi) and the user/group strings which the the authorized policies are assigned to. So if the User identity string that results after Authentication process is: "CN=John, OU=Doe", then that exact case sensitive string must be what the policies are authorized against. NiFi does provide the ability to use Java regular expressions post authentication to manipulate the authentication string before it is passed on for authorization.  These Identity mapping pattern, value, and transform properties can be added to the nifi.properties file. https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties For example: nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$ nifi.security.identity.mapping.value.dn=$1 nifi.security.identity.mapping.transform=LOWER Now if Authentication resulted in string "CN=John, OU=Doe", the above Regex would match and the resulting user client string would be "john" (capture group 1 is value used and transformed to all lowercase) You can create as many of these mapping pattern sets of properties as you like as long as each property name is unique in its last field... nifi.security.identity.mapping.pattern.dn2= nifi.security.identity.mapping.pattern.kerb= nifi.security.identity.mapping.pattern.kerb2= nifi.security.identity.mapping.pattern.username= etc.... IMPORTANT note:  These "patterns" are evaluate against every authenticated string (this includes Mutual TLS authentication such as those between NIFi nodes using the NiFi keystore) in alpha-numeric order.  The first java regular expression to match will have its value applied and transformed.  So making sure you properties are build in order of most complex regex to most generic regex is very important. Hope this helps you, Matt ... View more

Re: why is there a # in nifi-registry UI url

by Master Mentor Master Mentor in Support Questions
‎03-15-2021 04:04 PM
2 Kudos
‎03-15-2021 04:04 PM
2 Kudos
@sambeth  The hash (#) character is reserved as a delimiter to separate the URI of an object from a fragment identifier. Registry has a number of different fragment Identifiers. The fragment identifier represents a part of, fragment of, or a sub-function within, an object.  The fragment identifier follows the "/#/" in the URL and can represent fragments in text documents by line and character range, or in graphics by coordinates, or in structured documents using ladders.  For example the "grid-list" of flows displayed when you access the NiFi UI. No, you cannot remove the # from the URL.  Are you encountering an issue? Hope this helps, Matt ... View more
Contact Me
Online
Offline
Last Visited
‎05-19-2021 08:52 AM
Community Statistics
Member Since ‎03-11-2021 05:41 AM
Last Visited ‎05-19-2021 08:52 AM
Posts 3