nifi-users mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: Communication Error Between NiFi and Registry: Error retrieving all buckets
Date Mon, 05 Aug 2019 19:11:53 GMT
Your NiFi identity will always be the DN of the server certificate
that NiFi is using, which is specified in nifi.security.keystore in
nifi.properties.

Kerberos is only for the end-users that use the NiFi web application.

In the video around 6:45 where a user is added to registry like
"CN=localhost, OU=NIFI", you would do the same thing, except it would
be the value coming from your NiFi server cert, so it would have your
hostname and possibly a different OU.

On Mon, Aug 5, 2019 at 2:57 PM Nathan Maynes <nathanmaynes@gmail.com> wrote:
>
> The video appears to show certificate-based access. When I set the NiFi Identity
> 1 for a Kerberos scheme, should it follow the user@DOMAIN.COM format? If it does, would the
> NiFi Identity 1 for localhost be nifi@LOCALHOST?
>
> On Mon, Aug 5, 2019 at 1:47 PM Bryan Bende <bbende@gmail.com> wrote:
>>
>> Hello,
>>
>> I believe the video should cover this, but did you add a user
>> representing your NiFi instance and grant it the permissions for proxy
>> and read all buckets?
>>
>> That is what "NiFi Identity 1" would have done, but that only gets
>> used on initial setup, so you would do it from the UI now.
>>
>> -Bryan
>>
>> On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <nathanmaynes@gmail.com> wrote:
>> >
>> > Hopefully I can get some guidance on configuring secure communication between
>> > NiFi and NiFi-Registry. The error I have been trying to resolve occurs when trying to send
>> > a processor group to NiFi-Registry for versioning. Below is the error message displayed in
>> > the NiFi UI.
>> >
>> > "Unable to obtain listing of buckets: org.apache.nifi.registry.client.NiFiRegistryException:
>> > Error retrieving all buckets: An Authentication object was not found in the SecurityContext
>> > Contact the system administrator. "
>> >
>> > I started out by watching the tutorial video "Setting Up a Secure NiFi to Integrate
>> > with a Secure NiFi Registry" posted on the Registry home page. I am using a Kerberos file-based
>> > authentication scheme with the initial admin and initial user set to the same value, e.g. "name@DOMAIN.COM."
>> > (This is a sanitized value and is used in the configuration example below.) It is based on
>> > the configuration we are using for NiFi. My nifi-registry.properties file has the following
>> > relevant values set.
>> >
>> > # security properties #
>> > nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
>> > nifi.registry.security.keystoreType=pkcs12
>> > nifi.registry.security.keystorePasswd=XXXXXX
>> > nifi.registry.security.keyPasswd=XXXXXX
>> > nifi.registry.security.truststore=/path/to/cacerts
>> > nifi.registry.security.truststoreType=jks
>> > nifi.registry.security.truststorePasswd=XXXXXX
>> > nifi.registry.security.needClientAuth=false
>> > nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
>> > nifi.registry.security.authorizer=managed-authorizer
>> > nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
>> > nifi.registry.security.identity.provider=kerberos-identity-provider
>> >
>> > ...
>> >
>> > # kerberos properties #
>> > nifi.registry.kerberos.krb5.file=/etc/krb5.conf
>> > nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
>> > nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
>> > nifi.registry.kerberos.spnego.authentication.expiration=2 hours
>> >
>> > And in authorizers.xml I have:
>> >
>> > <userGroupProvider>
>> >         <identifier>file-user-group-provider</identifier>
>> >         <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>> >         <property name="Users File">./conf/users.xml</property>
>> >         <property name="Initial User Identity 1">user@DOMAIN.COM</property>
>> > </userGroupProvider>
>> >
>> > <accessPolicyProvider>
>> >         <identifier>file-access-policy-provider</identifier>
>> >         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>> >         <property name="User Group Provider">file-user-group-provider</property>
>> >         <property name="Authorizations File">./conf/authorizations.xml</property>
>> >         <property name="Initial Admin Identity">user@DOMAIN.COM</property>
>> >         <property name="NiFi Identity 1"></property>
>> > </accessPolicyProvider>
>> > <authorizer>
>> >         <identifier>managed-authorizer</identifier>
>> >         <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
>> >         <property name="Access Policy Provider">file-access-policy-provider</property>
>> > </authorizer>
>> >
>> > The SSL configuration appears to be correctly set. I am able to access the NiFi Registry UI
>> > via username and password. Despite my best efforts to read the documentation, I am
>> > unclear on the following points.
>> >
>> > Do I need to set the <property name="NiFi Identity 1"></property>?
>> > Are there any special considerations I need to be aware of if I run NiFi and
>> > the NiFi Registry from the same box and use the same domain name?
>> >
>> > Any guidance you may be able to share would be appreciated.
>> >
>> >
>> > --
>> > Nathan Maynes
>> > @nathanmaynes
>
>
>
> --
> Nathan Maynes
> @nathanmaynes
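Bryan's answer above hinges on one value: the subject DN of the certificate in the keystore named by nifi.security.keystore. The script below, added here as an illustration and not part of the thread or of the NiFi project, reads that DN out of a PKCS12 keystore with openssl and prints it in the form NiFi uses ("CN=host, OU=NIFI"); the keystore, hostname, OU and password in the demo are constructed values, and openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: print the identity that NiFi will
# present to NiFi Registry, i.e. the subject DN of the certificate in the
# keystore named by nifi.security.keystore. Assumes openssl is on PATH.
set -eu

# Subject DN of the first certificate in a PKCS12 keystore, formatted the way
# NiFi shows DNs ("CN=host, OU=NIFI": most-specific RDN first, comma+space).
# $1 = keystore path, $2 = keystore password
nifi_identity_from_keystore() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' -e 's/,\([A-Za-z]\)/, \1/g'
}

# Self-contained demo: build a throwaway keystore shaped like the one in the
# thread (hostname, OU and password are constructed values) and read the
# identity back from it.
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/OU=NIFI/CN=nifi.example.com" \
        -keyout "$work/nifi.key" -out "$work/nifi.crt" >/dev/null 2>&1
    openssl pkcs12 -export -passout pass:changeit -name nifi-key \
        -inkey "$work/nifi.key" -in "$work/nifi.crt" -out "$work/nifi2019.p12"
    nifi_identity_from_keystore "$work/nifi2019.p12" changeit
    rm -rf "$work"
}

# This DN string, not a Kerberos principal, is the user to add in Registry
# and grant "Proxy" plus "Read" on buckets.
echo "NiFi identity: $(demo)"
```

If the user you add in Registry still gets the "Authentication object was not found" error, compare the DN printed here against the identity Registry logs for the rejected request; a mismatch in spacing or RDN order is the usual cause.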
