Member since 06-22-2022
07-13-2022 05:16 AM

Hello Matt,

Thank you! This solved the error (now I'm facing another one, but will figure it out).

For further reference, I had to configure those 3 lines in nifi.properties:

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1@$2

Thanks.
Vince.
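How the three properties in the post above rewrite a certificate DN into the identity string that NiFi then looks up for authorization, as an added example that is not part of the original post and not NiFi's own code. It assumes Python's `re` stands in for Java regex, that the whole DN must match the pattern, and that mappings are tried in name order; `load_mappings` and `map_identity` are hypothetical helper names.

```python
import re

# The three lines quoted in the post, as they would sit in nifi.properties.
NIFI_PROPERTIES = """\
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)
nifi.security.identity.mapping.transform.dn=NONE
nifi.security.identity.mapping.value.dn=$1@$2
"""

PREFIX = "nifi.security.identity.mapping."
TRANSFORMS = {"NONE": str, "LOWER": str.lower, "UPPER": str.upper}


def load_mappings(text):
    """Group pattern/value/transform properties by their trailing mapping name."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX) or "=" not in line:
            continue
        # Split on the first '=' only: the pattern itself contains '='.
        key, value = line.split("=", 1)
        kind, _, name = key[len(PREFIX):].partition(".")
        found.setdefault(name, {})[kind] = value
    # Assumption: complete mappings only, tried in order of their name.
    return [(n, m) for n, m in sorted(found.items())
            if "pattern" in m and "value" in m]


def map_identity(identity, mappings):
    """Return the identity string used for authorization after mapping."""
    for _name, m in mappings:
        match = re.fullmatch(m["pattern"], identity)  # whole DN must match
        if match is None:
            continue
        # Translate Java-style $1 group references into Python's \g<1>.
        escaped = m["value"].replace("\\", "\\\\")
        template = re.sub(r"\$(\d)", r"\\g<\1>", escaped)
        transform = TRANSFORMS[m.get("transform", "NONE").upper()]
        return transform(match.expand(template))
    return identity  # no pattern matched: the raw DN is used unchanged


if __name__ == "__main__":
    rules = load_mappings(NIFI_PROPERTIES)
    for dn in ("CN=nif1-adm.mydomain.com, OU=NIFI",   # DN from the log line
               "CN=nif1-adm.mydomain.com,OU=NIFI"):   # constructed: no space
        print(repr(dn), "->", repr(map_identity(dn, rules)))
```

The mapped string, not the raw DN, is what has to match the user and node identities exactly; a DN whose spacing differs from the pattern falls through unmapped.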
07-12-2022 05:36 AM

Hello André,

Below is the error log:

nifi-user_2022-06-03.log:2022-06-03 16:33:07,833 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.97.225.179 GET https://nif1-adm.mydomain.com:9091/nifi-api/flow/current-user [Untrusted proxy CN=nif1-adm.mydomain.com, OU=NIFI]

Attached the screenshot:

Kind regards.
07-12-2022 12:15 AM

Hello,

Sorry, did not notice your reply.

nifi-users.log:

nifi-user_2022-06-03.log:2022-06-03 16:33:07,833 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed x.x.x.x GET https://nif1-adm.mydomain.com:9091/nifi-api/flow/current-user [Untrusted proxy CN=nif1-adm.mydomain.com, OU=NIFI]

I tried with the 3 members of the cluster, resulting in the same error.

Keystore:

keytool -v -list -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Jul 12, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nif1-adm.mydomain.com, OU=NIFI
Issuer: CN=amb1.mydomain.com, OU=NIFI

Thanks!
Regards.
06-23-2022 03:15 AM

Hello there,

I'm upgrading a NiFi cluster (managed by Ambari) to v1.15.3, therefore I have to secure it and activate SSL. I followed the installation steps from the official documentation, generated certificates (using Ambari Certificate Authority), and configured the Node Identities in Ambari. Still I have the "Untrusted proxy" error when I try to reach the NiFi web interface.

Below is my configuration:

NiFi hosts as declared in Ambari:

nif1.mydomain.com
nif2.mydomain.com
nif3.mydomain.com

I'm accessing them (ssh & https) using other FQDNs, which I used to generate the certificates:

nif1-adm.mydomain.com
nif2-adm.mydomain.com
nif3-adm.mydomain.com

authorizers.xml

<authorizers>
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.authorization.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Legacy Authorized Users File" />
<property name="Initial User Identity 0">CN=admin, OU=NIFI</property>
<property name="Initial User Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property>
<property name="Initial User Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property>
<property name="Initial User Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
<property name="Legacy Authorized Users File" />
<property name="Node Identity 1">CN=nif1-adm.mydomain.com, OU=NIFI</property>
<property name="Node Identity 2">CN=nif2-adm.mydomain.com, OU=NIFI</property>
<property name="Node Identity 3">CN=nif3-adm.mydomain.com, OU=NIFI</property>
</accessPolicyProvider>
<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
</authorizers>

users.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
<user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e" identity="CN=nif2-adm.mydomain.com, OU=NIFI"/>
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="CN=admin, OU=NIFI"/>
<user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2" identity="CN=nif3-adm.mydomain.com, OU=NIFI"/>
<user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85" identity="CN=nif1-adm.mydomain.com, OU=NIFI"/>
</users>
</tenants>

authorizations.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="260562db-2b2b-390b-8145-b5d7c772f16c" resource="/data/process-groups/296adb65-017d-1000-9a99-58089f2f0766" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
<user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
<user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
<user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
</policy>
<policy identifier="b77d6f8f-ceb3-3131-8973-9cc5c6ccb566" resource="/data/process-groups/296adb65-017d-1000-9a99-58089f2f0766" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
<user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
<user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
<user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
</policy>
<policy identifier="d9966a39-db8d-3533-b6e5-c4e18045f1d0" resource="/process-groups/296adb65-017d-1000-9a99-58089f2f0766" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="68a09709-f44f-3b57-912d-96295e1574bf" resource="/process-groups/296adb65-017d-1000-9a99-58089f2f0766" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
<user identifier="47c717db-75da-3d54-8ab3-1731497291c7"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<user identifier="7b93594a-ab1f-3a6e-acfc-37b3297e142e"/>
<user identifier="af25d6b7-7c85-302d-9e7a-6323c0954fe2"/>
<user identifier="b6942adc-1981-3c0e-b18a-a4e434ae5c85"/>
</policy>
</policies>
</authorizations>

My 3 hosts have the /proxy Write permission, still I face the error message. I suspect an issue with the mismatch between hostnames in Ambari and hostnames in NiFi, but can't find a workaround.

Thanks in advance for your support.
Regards.
Vincent.
Labels: Apache NiFi