nifi-dev mailing list archives

From Andy LoPresto <alopre...@apache.org>
Subject Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node
Date Tue, 18 Sep 2018 16:43:26 GMT
A few things to note:

Between NiFi 1.3.0 and NiFi 1.7.0, the authorizer structure changed, as the user and group
provider was separated from the policy provider. This means there are two components (UserGroupProvider)
and (AccessPolicyProvider) that are defined independently and compose the ManagedAuthorizer.
This means that for a cluster, the proxies must be defined in two locations in the authorizers.xml
file (see below).

Also, in NiFi 1.7.1, there were changes to hostname verification and wildcard certificates
are fixed but wildcard certificates are not supported. If you are using wildcard certificates
in your cluster, you should convert these to unique, explicit certificates for each node.
Each node certificate should also contain a SubjectAlternativeName entry with the explicit
DNS name of the service. More information can be found in the Admin Guide [1] or the Migration
Guidance [2].

Here is an example authorizers.xml file with the proxies defined in both locations.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity A">CN=alopresto_NIFI-5370, OU=NIFI</property>
        <property name="Initial User Identity 1">CN=node1.nifi.apache.org, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=node2.nifi.apache.org, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=node3.nifi.apache.org, OU=NIFI</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=alopresto_NIFI-5370, OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1">CN=node1.nifi.apache.org, OU=NIFI</property>
        <property name="Node Identity 2">CN=node2.nifi.apache.org, OU=NIFI</property>
        <property name="Node Identity 3">CN=node3.nifi.apache.org, OU=NIFI</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
[2] https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
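An added example, not code from the NiFi project or from the message above: it parses an authorizers.xml and reports any "Node Identity N" of the accessPolicyProvider that is not also an "Initial User Identity N" of the userGroupProvider it references, which is the two-location rule that produces the "Untrusted proxy" error when missed. The sample file is constructed; it assumes no identity-mapping rules in nifi.properties rewrite the certificate DN before authorization.

```python
# Added example, not code from NiFi or from the message above: a check for the
# two-location rule, i.e. every "Node Identity N" of the accessPolicyProvider
# must also be an "Initial User Identity N" of the userGroupProvider it uses.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the message's example; node3 is deliberately
# left out of the userGroupProvider to show the "Untrusted proxy" case.
SAMPLE_AUTHORIZERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <property name="Initial User Identity A">CN=admin, OU=NIFI</property>
        <property name="Initial User Identity 1">CN=node1.nifi.apache.org, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=node2.nifi.apache.org, OU=NIFI</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <property name="Node Identity 1">CN=node1.nifi.apache.org, OU=NIFI</property>
        <property name="Node Identity 2">CN=node2.nifi.apache.org, OU=NIFI</property>
        <property name="Node Identity 3">CN=node3.nifi.apache.org, OU=NIFI</property>
    </accessPolicyProvider>
</authorizers>
"""


def _properties(section, name_prefix):
    """Non-empty values of <property name="..."> whose name starts with name_prefix."""
    return [(p.text or "").strip() for p in section.findall("property")
            if p.get("name", "").startswith(name_prefix) and (p.text or "").strip()]


def find_untrusted_proxies(xml_text):
    """Return Node Identity DNs that are not also Initial User Identities.

    Identities are compared as exact strings; this assumes no identity mapping
    rules in nifi.properties rewrite the certificate DN before authorization.
    """
    root = ET.fromstring(xml_text)
    ugps = {u.findtext("identifier"): u for u in root.findall("userGroupProvider")}
    missing = []
    for policy in root.findall("accessPolicyProvider"):
        ugp = ugps.get(policy.findtext("property[@name='User Group Provider']", "").strip())
        known = set(_properties(ugp, "Initial User Identity")) if ugp is not None else set()
        missing += [n for n in _properties(policy, "Node Identity") if n not in known]
    return missing
```

Run `find_untrusted_proxies(open("conf/authorizers.xml").read())` against a real cluster file; any DN it returns is a node that will be rejected as an untrusted proxy until it is added to the userGroupProvider as well.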

> On Sep 18, 2018, at 4:55 AM, Peter Wilcsinszky <peterwilcsinszky@gmail.com> wrote:
> 
> Hi,
> 
> are your hosts registered in LDAP properly? If you don't want them to come
> from LDAP then they should come from the file-user-group-provider as
> initial user identities in addition to your "Initial User Identity 1".
> 
> Peter
> 
> On Tue, Sep 18, 2018 at 11:54 AM nifi-san <nairsandeepk@gmail.com> wrote:
> 
>> Hello,
>> 
>> We are trying to integrate Nifi-7.1 with SSL and LDAP.
>> 
>> We have two different Nifi installations, one which is a standalone node and
>> the other which is a three node cluster.
>> 
>> Nifi Standalone:-
>> We were able to successfully integrate the Standalone node with SSL and
>> login to the Nifi UI with the client certificate.
>> 
>> Nifi Cluster:-
>> With the same configurations for authorizers.xml as is for the Nifi
>> standalone, on the Nifi cluster nodes, we get the below error:-
>> 
>> ERROR:-
>> ********************************************
>> Insufficient Permissions
>> Untrusted proxy CN=host1, OU=NIFI
>> ********************************************
>> 
>> The authorizers.xml configurations on the cluster is as follows:-
>> 
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <authorizers>
>>    <userGroupProvider>
>>        <identifier>file-user-group-provider</identifier>
>>        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>>        <property name="Users File">/opt/app/resources/nifi/users.xml</property>
>>        <property name="Legacy Authorized Users File"></property>
>> 
>>        <property name="Initial User Identity 1">CN=NADMIN, OU=NIFI</property>
>>    </userGroupProvider>
>>    <accessPolicyProvider>
>>        <identifier>file-access-policy-provider</identifier>
>>        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>        <property name="User Group Provider">file-user-group-provider</property>
>>        <property name="Authorizations File">/opt/app/resources/nifi/authorizations.xml</property>
>>        <property name="Initial Admin Identity">CN=NADMIN, OU=NIFI</property>
>>        <property name="Legacy Authorized Users File"></property>
>> 
>>        <property name="ohlvnfiap002dd.oh.dev.dat.aws.vz-connect.net"></property>
>>        <property name="Node Identity 1">CN=host1, OU=NIFI</property>
>>        <property name="Node Identity 2">CN=host2, OU=NIFI</property>
>>        <property name="Node Identity 3">CN=host3, OU=NIFI</property>
>>    </accessPolicyProvider>
>>    <authorizer>
>>        <identifier>managed-authorizer</identifier>
>>        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>>        <property name="Access Policy Provider">file-access-policy-provider</property>
>>    </authorizer>
>> </authorizers>
>> 
>> We have checked the FQDN and the CN Name of the certificates generated and
>> all other configurations but could not identify anything specifically that
>> could be the root cause of the issue.
>> 
>> Apart from the above error with respect to privilege, we do not see any
>> other error in the logs.
>> 
>> The same configurations worked fine on Nifi-1.3, however, not sure why it
>> does not work on Nifi-1.7.
>> Also, it works fine on the standalone node but not on the cluster.
>> 
>> Appreciate if you could provide any assistance on this as it has already
>> been a while that we have been blocked because of this issue.
>> 
>> 
>> 
>> --
>> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
>> 

