nifi-users mailing list archives

From Nathan Gough <thena...@gmail.com>
Subject Re: Communication Error Between NiFi and Registry: Error retrieving all buckets
Date Tue, 06 Aug 2019 19:11:09 GMT
Nathan,

You would need to create a user in NiFi registry with the exact DN of the
NiFi certificate being used to access NiFi registry.

From your example, you would create a user in NiFi registry with the exact
string "CN=nifi.example.com, L=Anytown, ST=IN, C=US" and apply the read
buckets and proxy user permissions.

Cheers,
Nathan

On Tue, Aug 6, 2019 at 2:22 PM Nathan Maynes <nathanmaynes@gmail.com> wrote:

> Thanks for pointing this out Bryan. To be sure I was entering the
> information correctly I used the Java Keytool to examine the certificate
> contents. Here is what the sanitized output looks like.
>
> $ keytool -list -v -keystore nifi.jks
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: nifi-https
> Creation date: Jun 20, 2019
> Entry type: PrivateKeyEntry
> Certificate chain length: 3
> Certificate[1]:
> Owner: CN=nifi.example.com, L=Anytown, ST=IN, C=US
> Issuer: CN=Internal Intermediate CA (2015), DC=EXAMPLE, DC=com
> Serial number: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> Valid from: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> ...[two more certs in chain]
>
>
> The user I create for the registry has the following value:
>
> "CN=nifi.example.com, OU=NIFI"
>
> I then granted that user permission to read buckets and proxy user
> requests. I am not sure the organizational unit, OU in the example above,
> is NIFI. I have created a number of other users with slight variations on
> the CN and OU values but any attempt to connect the two services fails.
> Still getting the error, "Unable to obtain listing of buckets:
> org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
> buckets: An Authentication object was not found in the SecurityContext
> Contact the system administrator."
>
> I am trying to use the certificate issued to the NiFi server. Do I need to
> create a unique certificate for authentication between the two services?
>
> On Mon, Aug 5, 2019 at 3:12 PM Bryan Bende <bbende@gmail.com> wrote:
>
>> Your NiFi identity will always be the DN of the server certificate
>> that NiFi is using which is specified in nifi.security.keystore in
>> nifi.properties.
>>
>> Kerberos is only for the end-users that use the NiFi web application.
>>
>> In the video around 6:45 where a user is added to registry like
>> "CN=localhost, OU=NIFI", you would do the same thing, except it would
>> be the value coming from your NiFi server cert, so it would have your
>> hostname and possibly a different OU.
>>
>> On Mon, Aug 5, 2019 at 2:57 PM Nathan Maynes <nathanmaynes@gmail.com>
>> wrote:
>> >
>> > The video appears to show certificate-based access. When I set
>> the NiFi Identity 1 for a Kerberos scheme should it follow the
>> user@DOMAIN.COM format? If it does, would the NiFi Identity 1 for
>> localhost be nifi@LOCALHOST?
>> >
>> > On Mon, Aug 5, 2019 at 1:47 PM Bryan Bende <bbende@gmail.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I believe the video should cover this, but did you add a user
>> >> representing your NiFi instance and grant it the permissions for proxy
>> >> and read all buckets?
>> >>
>> >> That is what "NiFi Identity 1" would have done, but that only gets
>> >> used on initial setup, so you would do it from the UI now.
>> >>
>> >> -Bryan
>> >>
>> >> On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <nathanmaynes@gmail.com>
>> wrote:
>> >> >
>> >> > Hopefully I can get some guidance on configuring secure
>> communication between NiFi and NiFi-Registry. The Error I have been trying
>> to resolve occurs when trying to send a processor group to NiFi-Registry
>> for versioning. Below is the error message displayed in the NiFi UI.
>> >> >
>> >> > "Unable to obtain listing of buckets:
>> org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
>> buckets: An Authentication object was not found in the SecurityContext
>> Contact the system administrator. "
>> >> >
>> >> > I started out by watching the tutorial video "Setting Up a Secure
>> NiFi to Integrate with a Secure NiFi Registry" posted on the Registry home
>> page. I am using a Kerberos file-based authentication scheme with the
>> initial admin and initial user set to the same value, e.g. "name@DOMAIN.COM".
>> (This is a sanitized value and is used in the configuration example below)
>> It is based on the configuration we are using for NiFi. My
>> nifi-registry.properties file has the following relevant values set.
>> >> >
>> >> > # security properties #
>> >> > nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
>> >> > nifi.registry.security.keystoreType=pkcs12
>> >> > nifi.registry.security.keystorePasswd=XXXXXX
>> >> > nifi.registry.security.keyPasswd=XXXXXX
>> >> > nifi.registry.security.truststore=/path/to/cacerts
>> >> > nifi.registry.security.truststoreType=jks
>> >> > nifi.registry.security.truststorePasswd=XXXXXX
>> >> > nifi.registry.security.needClientAuth=false
>> >> > nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
>> >> > nifi.registry.security.authorizer=managed-authorizer
>> >> > nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
>> >> > nifi.registry.security.identity.provider=kerberos-identity-provider
>> >> > nifi.registry.security.identity.provider=kerberos-identity-provider
>> >> >
>> >> > ...
>> >> >
>> >> > # kerberos properties #
>> >> > nifi.registry.kerberos.krb5.file=/etc/krb5.conf
>> >> > nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
>> >> > nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
>> >> > nifi.registry.kerberos.spnego.authentication.expiration=2 hours
>> >> >
>> >> > And in authorizers.xml I have:
>> >> >
>> >> > <userGroupProvider>
>> >> >         <identifier>file-user-group-provider</identifier>
>> >> >         <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>> >> >         <property name="Users File">./conf/users.xml</property>
>> >> >         <property name="Initial User Identity 1">user@DOMAIN.COM</property>
>> >> > </userGroupProvider>
>> >> >
>> >> > <accessPolicyProvider>
>> >> >         <identifier>file-access-policy-provider</identifier>
>> >> >         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>> >> >         <property name="User Group Provider">file-user-group-provider</property>
>> >> >         <property name="Authorizations File">./conf/authorizations.xml</property>
>> >> >         <property name="Initial Admin Identity">user@DOMAIN.COM</property>
>> >> >         <property name="NiFi Identity 1"></property>
>> >> > </accessPolicyProvider>
>> >> > <authorizer>
>> >> >         <identifier>managed-authorizer</identifier>
>> >> >         <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>> >> >         <property name="Access Policy Provider">file-access-policy-provider</property>
>> >> > </authorizer>
>> >> >
>> >> > The SSL configuration appears to be correctly set. I am able to
>> access the NiFi Registry UI via username and password. Despite my best
>> efforts to read the documentation, I am unclear on the following points.
>> >> >
>> >> > Do I need to set the <property name="NiFi Identity 1"></property>?
>> >> > Are there any special considerations I need to be aware of if I run
>> NiFi and the NiFi Registry from the same box and use the same domain name?
>> >> >
>> >> > Any guidance you may be able to share would be appreciated.
>> >> >
>> >> >
>> >> > --
>> >> > Nathan Maynes
>> >> > @nathanmaynes
>> >
>> >
>> >
>> > --
>> > Nathan Maynes
>> > @nathanmaynes
>>
>
>
> --
> Nathan Maynes <http://bit.ly/115hXAt>
> @nathanmaynes
>
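The check the thread converges on (an exact-string match between the NiFi server certificate's DN and a Registry user identity, plus the buckets-read and proxy policies on that user), as an added example that is not code from the list or from the NiFi project. It assumes the file-provider layout (user identities in users.xml, policies in authorizations.xml referencing the user's identifier) and that the policy resources are "/buckets" with action "R" and "/proxy" with action "W"; the XML below is constructed to mirror the mismatch described above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample users.xml: the admin, the OU=NIFI lookalike from the
# thread, and a user with the exact DN that keytool printed.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="u-admin" identity="user@DOMAIN.COM"/>
    <user identifier="u-nifi-wrong" identity="CN=nifi.example.com, OU=NIFI"/>
    <user identifier="u-nifi" identity="CN=nifi.example.com, L=Anytown, ST=IN, C=US"/>
  </users>
</tenants>"""

# Constructed sample authorizations.xml: policies were granted to the lookalike.
AUTHZ_XML = """<authorizations>
  <policies>
    <policy identifier="p1" resource="/buckets" action="R">
      <user identifier="u-nifi-wrong"/>
    </policy>
    <policy identifier="p2" resource="/proxy" action="W">
      <user identifier="u-nifi-wrong"/>
    </policy>
  </policies>
</authorizations>"""

# Owner line as printed by `keytool -list -v` in the thread above.
KEYTOOL_OWNER = "Owner: CN=nifi.example.com, L=Anytown, ST=IN, C=US"

# Assumption: these are the resource/action pairs Registry needs for a NiFi client.
REQUIRED = {("/buckets", "R"), ("/proxy", "W")}


def dn_from_keytool(owner_line):
    """Return the DN exactly as keytool prints it; NiFi compares it as a plain string."""
    m = re.match(r"^Owner:\s*(.+?)\s*$", owner_line)
    if not m:
        raise ValueError("not a keytool Owner line")
    return m.group(1)


def check_registry_identity(dn, users_xml, authz_xml):
    """Report exact-match user, same-CN lookalikes, and required policies not granted."""
    users = {u.get("identity"): u.get("identifier") for u in ET.fromstring(users_xml).iter("user")}
    uid = users.get(dn)
    # Lookalikes share the leading RDN (the CN) but are not string-equal to the DN.
    near = [i for i in users if i != dn and i.split(",")[0] == dn.split(",")[0]]
    granted = set()
    for p in ET.fromstring(authz_xml).iter("policy"):
        if uid and any(u.get("identifier") == uid for u in p.iter("user")):
            granted.add((p.get("resource"), p.get("action")))
    return {"user_found": uid is not None, "near_misses": near,
            "missing_policies": sorted(REQUIRED - granted)}
```

Run against the constructed files it reports that the exact-DN user exists but holds neither required policy, and names the OU=NIFI entry as the likely misplaced grant.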
