nifi-users mailing list archives

From Nathan Maynes <nathanmay...@gmail.com>
Subject Communication Error Between NiFi and Registry: Error retrieving all buckets
Date Mon, 05 Aug 2019 17:30:32 GMT
Hopefully I can get some guidance on configuring secure communication
between NiFi and NiFi-Registry. The error I have been trying to resolve
occurs when trying to send a processor group to NiFi-Registry for
versioning. Below is the error message displayed in the NiFi UI.

"Unable to obtain listing of buckets:
org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
buckets: An Authentication object was not found in the SecurityContext
Contact the system administrator. "

I started out by watching the tutorial video <https://youtu.be/DSO12fhnZ90>
"Setting Up a Secure NiFi to Integrate with a Secure NiFi Registry" posted
on the Registry home page. I am using a Kerberos file-based authentication
scheme with the initial admin and initial user set to the same value, e.g.
"name@DOMAIN.COM". (This is a sanitized value and is used in the
configuration example below.) It is based on the configuration we are using
for NiFi. My nifi-registry.properties file has the following relevant
values set.

# security properties #
nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
nifi.registry.security.keystoreType=pkcs12
nifi.registry.security.keystorePasswd=XXXXXX
nifi.registry.security.keyPasswd=XXXXXX
nifi.registry.security.truststore=/path/to/cacerts
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=XXXXXX
nifi.registry.security.needClientAuth=false
nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=kerberos-identity-provider

...

# kerberos properties #
nifi.registry.kerberos.krb5.file=/etc/krb5.conf
nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
nifi.registry.kerberos.spnego.authentication.expiration=2 hours

And in authorizers.xml I have:

<userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">user@DOMAIN.COM</property>
</userGroupProvider>

<accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">user@DOMAIN.COM</property>
        <property name="NiFi Identity 1"></property>
</accessPolicyProvider>

<authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>

The SSL configuration appears to be correctly set. I am able to access the
NiFi Registry UI via username and password. Despite my best efforts to
read the documentation, I am unclear on the following points.

Do I need to set the <property name="NiFi Identity 1"></property>?
Are there any special considerations I need to be aware of if I run NiFi and
the NiFi Registry from the same box and use the same domain name?

Any guidance you may be able to share would be appreciated.


-- 
Nathan Maynes <http://bit.ly/115hXAt>
@nathanmaynes
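
An added example, not part of the original message or of NiFi's own code: a small Python check that reads an authorizers.xml like the one in the message and reports identity gaps such as the empty "NiFi Identity 1". It assumes, going by the NiFi Registry admin guide, that each NiFi Identity is granted permission to proxy user requests and that seeded identities must also exist in the user group provider; `props` and `audit_authorizers` are hypothetical helper names and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment in the message, wrapped in one root element.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">user@DOMAIN.COM</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">user@DOMAIN.COM</property>
    <property name="NiFi Identity 1"></property>
  </accessPolicyProvider>
</authorizers>"""


def props(root, tag, prefix):
    """Map property name -> stripped value for <tag> properties whose name starts with prefix."""
    return {
        p.get("name"): (p.text or "").strip()
        for provider in root.iter(tag)
        for p in provider.findall("property")
        if p.get("name", "").startswith(prefix)
    }


def audit_authorizers(xml_text):
    """Return findings about the identities seeded by a NiFi Registry authorizers.xml."""
    root = ET.fromstring(xml_text)
    users = {v for v in props(root, "userGroupProvider", "Initial User Identity").values() if v}
    admin = props(root, "accessPolicyProvider", "Initial Admin Identity")
    nifi = props(root, "accessPolicyProvider", "NiFi Identity")
    findings = []
    # Assumption (my reading of the admin guide): seeded identities must also
    # exist as users in the user group provider.
    for name, value in {**admin, **nifi}.items():
        if value and value not in users:
            findings.append(f"{name} '{value}' is not an Initial User Identity")
    if not any(admin.values()):
        findings.append("Initial Admin Identity is empty")
    # Assumption: each NiFi Identity is granted permission to proxy user requests,
    # so with none set no NiFi instance can act on behalf of its users.
    if not any(nifi.values()):
        findings.append("no NiFi Identity set: no NiFi instance may proxy user requests")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_authorizers(SAMPLE_AUTHORIZERS)))
```
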
