nifi-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Bende <bbe...@gmail.com>
Subject Re: Authorization and Multi-Tenancy functionnalities Evaluation -> Unable to locate initial admin error
Date Sat, 11 Nov 2017 18:40:46 GMT
Hello,

The default authorizers.xml that comes with 1.4.0 has a new style of
configuration which requires you to enter the initial admin identity
in two places.

First in the userGroupProvider in <property name="Initial User
Identity 1"></property>

Second in the accessPolicyProvider in <property name="Initial Admin
Identity"></property>

Those two values need to be the same, you are basically telling the
accessPolicyProvider which user from the userGroupProvider is the
initial admin.

Thanks,

Bryan

On Sat, Nov 11, 2017 at 12:41 AM, Cédric <cch@globepayroll.com> wrote:
> Hello,
>
> I would like to know what is the easiest way to evaluate Authorization and
> Multi-Tenancy functionnalities ?
>
> I've tried installation with the following steps but I've a "Unable to
> locate initial admin" at the end.
>
> Steps :
> - Download nifi-1.4.0-bin.zip and unzip in nifi-1.4.0
>
> - download nifi-toolkit-1.4.0-bin.zip and unzip in nifi-toolkit-1.4.0
>
> - cd nifi-toolkit-1.4.0
>
> # .\bin\tls-toolkit.bat standalone -n localhost -C "CN=bbende,
> OU=ApacheNiFi" -o ../target
>
> 2017/11/11 06:18:11 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No
> nifiPropertiesFile specified, using embedded one.
> 2017/11/11 06:18:12 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running
> standalone certificate generation with output directory ..\target
> 2017/11/11 06:18:12 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing
> CA certificate ..\target\nifi-cert.pem and key ..\target\nifi-key.key
> 2017/11/11 06:18:12 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl
> configuration to ..\target\localhost
> 2017/11/11 06:18:13 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
> generated TLS configuration for localhost 1 in ..\target\localhost
> 2017/11/11 06:18:13 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new
> client certificate ..\target\CN=bbende_OU=ApacheNiFi.p12
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> **********************************************************************************
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> WARNING!!!!
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> **********************************************************************************
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Unlimited JCE Policy is not installed which means we cannot utilize a
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> PKCS12 password longer than 7 characters.
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Autogenerated password has been reduced to 7 characters.
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Please strongly consider installing Unlimited JCE Policy at
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Another alternative is to add a stronger password with the openssl tool to
> the
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> resulting client certificate: ..\target\CN=bbende_OU=ApacheNiFi.p12
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> openssl pkcs12 -in '..\target\CN=bbende_OU=ApacheNiFi.p12' -out
> '/tmp/CN=bbende_OU=ApacheNiFi.p12'
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> openssl pkcs12 -export -in '/tmp/CN=bbende_OU=ApacheNiFi.p12' -out
> '..\target\CN=bbende_OU=ApacheNiFi.p12'
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> rm -f '/tmp/CN=bbende_OU=ApacheNiFi.p12'
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2017/11/11 06:18:13 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> **********************************************************************************
> 2017/11/11 06:18:13 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
> generated client certificate ..\target\CN=bbende_OU=ApacheNiFi.p12
> 2017/11/11 06:18:13 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
> standalone completed successfully
>
>
> # cd ..
>
> # copy target\localhost\* nifi-1.4.0\conf
>
> - Edit nifi-1.4.0\conf\authorizers.xml and set the following:
> <accessPolicyProvider>
>
>         <identifier>file-access-policy-provider</identifier>
>
>
> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>
>         <property name="User Group
> Provider">file-user-group-provider</property>
>
>         <property name="Authorizations
> File">./conf/authorizations.xml</property>
>
>         <property name="Initial Admin Identity">CN=bbende,
> OU=ApacheNiFi</property>
>
>         <property name="Legacy Authorized Users File"></property>
>
>
>         <property name="Node Identity 1"></property>
>
> </accessPolicyProvider>
>
> - Start apache nifi :
> # cd  nifi-1.4.0
> # bin\run-nifi.bat
>
> Failed to determine if Process 14172 is running; assuming that it is not
> 2017-11-11 06:26:22,402 INFO [main] org.apache.nifi.bootstrap.Command
> Starting Apache NiFi...
> 2017-11-11 06:26:22,402 INFO [main] org.apache.nifi.bootstrap.Command
> Working Directory: C:\Users\cedri\nifi\NIFI-1~1.0
> 2017-11-11 06:26:22,402 INFO [main] org.apache.nifi.bootstrap.Command
> Command: C:\Program Files\Java\jdk1.8.0_144\bin\java.exe -classpath
> C:\Users\cedri\nifi\NIFI-1~1.0\.\conf;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\javax.servlet-api-3.1.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\jcl-over-slf4j-1.7.25.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\jetty-schemas-3.1.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\jul-to-slf4j-1.7.25.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\log4j-over-slf4j-1.7.25.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\logback-classic-1.2.3.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\logback-core-1.2.3.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-api-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-framework-api-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-nar-utils-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-properties-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\nifi-runtime-1.4.0.jar;C:\Users\cedri\nifi\NIFI-1~1.0\.\lib\slf4j-api-1.7.25.jar
> -Dorg.apache.jasper.compiler.disablejsr199=true -Xmx512m -Xms512m
> -Djava.security.egd=file:/dev/urandom
> -Dsun.net.http.allowRestrictedHeaders=true -Djava.net.preferIPv4Stack=true
> -Djava.awt.headless=true -XX:+UseG1GC
> -Djava.protocol.handler.pkgs=sun.net.www.protocol
> -Dnifi.properties.file.path=C:\Users\cedri\nifi\NIFI-1~1.0\.\conf\nifi.properties
> -Dnifi.bootstrap.listen.port=50727 -Dapp=NiFi
> -Dorg.apache.nifi.bootstrap.config.log.dir=C:\Users\cedri\nifi\NIFI-1~1.0\bin\..\\logs
> org.apache.nifi.NiFi
> 2017-11-11 06:26:22,787 WARN [main] org.apache.nifi.bootstrap.Command Failed
> to set permissions so that only the owner can read pid file
> C:\Users\cedri\nifi\NIFI-1~1.0\bin\..\run\nifi.pid; this may allows others
> to have access to the key needed to communicate with NiFi. Permissions
> should be changed so that only the owner can read this file
> 2017-11-11 06:26:22,787 WARN [main] org.apache.nifi.bootstrap.Command Failed
> to set permissions so that only the owner can read status file
> C:\Users\cedri\nifi\NIFI-1~1.0\bin\..\run\nifi.status; this may allows
> others to have access to the key needed to communicate with NiFi.
> Permissions should be changed so that only the owner can read this file
> 2017-11-11 06:26:22,802 INFO [main] org.apache.nifi.bootstrap.Command
> Launched Apache NiFi with Process ID 12968
>
>
> But the server fail to start :-( with this error :
>  Error creating bean with name 'authorizer': FactoryBean threw exception on
> object creation; nested exception is
> org.apache.nifi.authorization.exception.AuthorizerCreationException:
> org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
> to locate initial admin CN=bbende, OU=ApacheNiFi to seed policies
> .
>  What I'm missing ?
>
> nifi-app.log
> <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi-app.log>
> nifi-bootstrap.log
> <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi-bootstrap.log>
> nifi-user.log
> <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi-user.log>
> authorizers.xml
> <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/authorizers.xml>
> nifi.properties
> <http://apache-nifi-users-list.2361937.n4.nabble.com/file/t341/nifi.properties>
>
>
> Regards
>
> Cédric
>
>
>
>
>
>
>
> --
> Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/

Mime
View raw message