nifi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anil Rai <anilrain...@gmail.com>
Subject Re: setting up secure nifi
Date Thu, 01 Feb 2018 15:35:46 GMT
Thanks Andy. It did resolve my issue. I got it working.
Thanks again for all the links. Very helpful.

Cheers
Anil


On Thu, Feb 1, 2018 at 10:14 AM, Andy LoPresto <alopresto@apache.org> wrote:

> Hi Anil,
>
> In addition to Bryan’s explanation, there are a number of blog posts and
> articles covering this topic:
>
> * Authorization and Multi-Tenancy by Bryan Bende [1]
> * Secured Cluster Setup by Pierre Villard [2]
> * TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
> * Initial Admin Identity section of Apache NiFi Admin Guide [4]
> * Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
> * Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan
> Rosander [6]
>
> The sequence “dc=example,dc=com” in your current user DN (Distinguished
> Name) is incorrect and not present in the DN of the certificate. I imagine
> you copied this from an example posted online. “dc=“ is a sequence used in
> DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is
> the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com”
> would be the parent DN. But when you generated the certificate, you did not
> provide this information, so the DNs do not match, and NiFi correctly
> asserts that this is not a valid certificate identifying the user DN you
> specified in your XML files. Removing “dc=example,dc=com” from that
> definition as Bryan suggested will resolve your issue.
>
> [1] https://bryanbende.com/development/2016/08/17/apache-
> nifi-1-0-0-authorization-and-multi-tenancy
> [2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-
> secured-cluster-setup/
> [3] https://nifi.apache.org/docs/nifi-docs/html/
> administration-guide.html#tls-generation-toolkit
> [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#
> initial-admin-identity
> [5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/
> 09/19/tls-toolkit-intro.html
> [6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/
> 09/20/tls-toolkit-standalone-multi.html
> [7] https://en.wikipedia.org/wiki/Lightweight_Directory_
> Access_Protocol#Directory_structure
>
> Andy LoPresto
> alopresto@apache.org
> *alopresto.apache@gmail.com <alopresto.apache@gmail.com>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Jan 31, 2018, at 7:32 PM, Bryan Bende <bbende@gmail.com> wrote:
>
> It’s the same problem, your initial admin should be:
>
> CN=TC, OU=NIFI
>
> Not
>
> CN=TC,OU=NIFI,dc=example,dc=com
>
> The first one is the DN of your client cert, the second one is not.
>
> On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <anilrainifi@gmail.com> wrote:
>
> Hi Bryan,
>
> Thanks for the quick reply. I did followed your steps. But I am seeing the
> same error.
> Now the entry looks like
>        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
> dc=com</property>
>
> Also what does dc stand for after CN and OU. Is that a problem.
> Is there a blog that talks about installing and making it https using
> toolkit?. I did not find any good post that talks end to end from
> installing to making it secure using tls toolkit.
>
> Any help is appreciated.
>
> Thanks
> Anil
>
>
>
> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <bbende@gmail.com> wrote:
>
> Hello,
>
> The identity in authorizers.xml for your initial admin does not match the
> identity of your client cert.
>
> You should be putting “CN=TC, OU=NIFI” as the initial admin because that
>
> is
>
> the DN of your client cert.
>
> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
> authorizations.xml, and start back up.
>
> Thanks,
>
> Bryan
>
> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <anilrainifi@gmail.com> wrote:
>
> All,
>
> I am trying to install nifi 1.5 and making it https. Below is the steps
> followed and the error i am getting. Below is the config and log files
> content. Please help
>
> 1. Installed nifi 1.5
> 2. Installed nifi toolkit 1.5
> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
> 'CN=TC,OU=NIFI' -O -o ../security_output
> 4. Copied generated keystore, truststore and nifi properties to
>
> nifi/config
>
> folder
> 5. Imported the generated certificate to chrome browser
> 6. Modified authorizers.xml as attached.
> 7. With required restarts. Now when i enter the below url in the
>
> browser, I
>
> see the below error.
>
> https://localhost:9443/nifi/
>
> Insufficient Permissions
>
>   - home
>
> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
> administrator.
>
>
> authorizers.xml
> --------------------
>    <userGroupProvider>
>        <identifier>file-user-group-provider</identifier>
>        <class>org.apache.nifi.authorization.
>
> FileUserGroupProvider</class>
>
>        <property name="Users File">./conf/users.xml</property>
>        <property name="Legacy Authorized Users File"></property>
>
>        <property name="Initial User Identity
> 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>    </userGroupProvider>
>
>    <accessPolicyProvider>
>        <identifier>file-access-policy-provider</identifier>
>
> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>        <property name="User Group
> Provider">file-user-group-provider</property>
>        <property name="Authorizations
> File">./conf/authorizations.xml</property>
>        <property name="Initial Admin
> Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>        <property name="Legacy Authorized Users File"></property>
>
>        <property name="Node Identity 1"></property>
>    </accessPolicyProvider>
> ------------------------
>
> nifi-user.log
> -----------------------
> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
>
> Creating
>
> new users file at
> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
> Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Creating new authorizations file at
> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
>
> authorizations.xml
>
> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Populating authorizations for Initial Admin:
> cn=TC,ou=NIFI,dc=example,dc=com
> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
> o.a.n.w.a.c.IllegalStateExceptionMapper
>
> java.lang.IllegalStateException:
>
> Kerberos ticket login not supported by this NiFi.. Returning Conflict
> response.
> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
> o.a.n.w.a.c.IllegalStateExceptionMapper
>
> java.lang.IllegalStateException:
>
> OpenId Connect is not configured.. Returning Conflict response.
> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
>
> OU=NIFI)
>
> GET https://localhost:9443/nifi-api/flow/current-user (source ip:
> 127.0.0.1)
> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
> OU=NIFI
> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
>
> groups[]
>
> does not have permission to access the requested resource. Unknown user
> with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
> ------------------------------
>
> Generated users.xml
> --------------------------------
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <tenants>
>    <groups/>
>    <users>
>        <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
> identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>    </users>
> </tenants>
> --------------------------------
>
> Generated authorizations.xml
> --------------------------
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizations>
>    <policies>
>        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> resource="/flow" action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>
> action="R">
>
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>
> action="W">
>
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> resource="/restricted-components" action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> resource="/tenants" action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> resource="/tenants" action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> resource="/policies" action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> resource="/policies" action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> resource="/controller" action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> resource="/controller" action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>    </policies>
> </authorizations>
> ------------------------------------
>
> nifi.properties
> ----------------------------
> # web properties #
> nifi.web.war.directory=./lib
> nifi.web.http.host=
> nifi.web.http.port=
> nifi.web.http.network.interface.default=
> nifi.web.https.host=localhost
> nifi.web.https.port=9443
> nifi.web.https.network.interface.default=
> nifi.web.jetty.working.directory=./work/jetty
> nifi.web.jetty.threads=200
> nifi.web.max.header.size=16 KB
> nifi.web.proxy.context.path=
>
> # security properties #
> nifi.sensitive.props.key=
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> nifi.sensitive.props.provider=BC
> nifi.sensitive.props.additional.keys=
>
> nifi.security.keystore=./conf/keystore.jks
> nifi.security.keystoreType=jks
>
> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>
> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> nifi.security.truststore=./conf/truststore.jks
> nifi.security.truststoreType=jks
> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
>
> ZHZyqI4
>
> nifi.security.needClientAuth=
> nifi.security.user.authorizer=managed-authorizer
> nifi.security.user.login.identity.provider=
> nifi.security.ocsp.responder.url=
> nifi.security.ocsp.responder.certificate=
> ----------------------
>
>
>
> Please help.
>
> Regards
> Anil
>
> --
> Sent from Gmail Mobile
>
>
> --
> Sent from Gmail Mobile
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message