nifi-users mailing list archives

From Nathan Maynes <nathanmay...@gmail.com>
Subject Re: Communication Error Between NiFi and Registry: Error retrieving all buckets
Date Tue, 06 Aug 2019 18:22:21 GMT
Thanks for pointing this out, Bryan. To be sure I was entering the
information correctly, I used the Java keytool to examine the certificate
contents. Here is what the sanitized output looks like.

$ keytool -list -v -keystore nifi.jks

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: nifi-https
Creation date: Jun 20, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=nifi.example.com, L=Anytown, ST=IN, C=US
Issuer: CN=Internal Intermediate CA (2015), DC=EXAMPLE, DC=com
Serial number: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Valid from: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

...[two more certs in chain]


The user I create for the registry has the following value:

"CN=nifi.example.com, OU=NIFI"

I then granted that user permission to read buckets and proxy user
requests. I am not sure the organizational unit, OU in the example above,
is NIFI. I have created a number of other users with slight variations on
the CN and OU values but any attempt to connect the two services fails.
Still getting the error, "Unable to obtain listing of buckets:
org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
buckets: An Authentication object was not found in the SecurityContext
Contact the system administrator."

I am trying to use the certificate issued to the NiFi server. Do I need to
create a unique certificate for authentication between the two services?

On Mon, Aug 5, 2019 at 3:12 PM Bryan Bende <bbende@gmail.com> wrote:

> Your NiFi identity will always be the DN of the server certificate
> that NiFi is using which is specified in nifi.security.keystore in
> nifi.properties.
>
> Kerberos is only for the end-users that use the NiFi web application.
>
> In the video around 6:45 where a user is added to registry like
> "CN=localhost, OU=NIFI", you would do the same thing, except it would
> be the value coming from your NiFi server cert, so it would have your
> hostname and possibly a different OU.
>
> On Mon, Aug 5, 2019 at 2:57 PM Nathan Maynes <nathanmaynes@gmail.com>
> wrote:
> >
> > The video appears to show certificate-based access. When I set the
> > NiFi Identity 1 for a Kerberos scheme should it follow the user@DOMAIN.COM
> > format? If it does, would the NiFi Identity 1 for localhost be
> > nifi@LOCALHOST?
> >
> > On Mon, Aug 5, 2019 at 1:47 PM Bryan Bende <bbende@gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> I believe the video should cover this, but did you add a user
> >> representing your NiFi instance and grant it the permissions for proxy
> >> and read all buckets?
> >>
> >> That is what "NiFi Identity 1" would have done, but that only gets
> >> used on initial setup, so you would do it from the UI now.
> >>
> >> -Bryan
> >>
> >> On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <nathanmaynes@gmail.com>
> >> wrote:
> >> >
> >> > Hopefully I can get some guidance on configuring secure communication
> >> > between NiFi and NiFi-Registry. The error I have been trying to resolve
> >> > occurs when trying to send a processor group to NiFi-Registry for
> >> > versioning. Below is the error message displayed in the NiFi UI.
> >> >
> >> > "Unable to obtain listing of buckets:
> >> > org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
> >> > buckets: An Authentication object was not found in the SecurityContext
> >> > Contact the system administrator."
> >> >
> >> > I started out by watching the tutorial video "Setting Up a Secure
> >> > NiFi to Integrate with a Secure NiFi Registry" posted on the Registry home
> >> > page. I am using a Kerberos file-based authentication scheme with the
> >> > initial admin and initial user set to the same value, e.g. "name@DOMAIN.COM".
> >> > (This is a sanitized value and is used in the configuration example below.)
> >> > It is based on the configuration we are using for NiFi. My
> >> > nifi-registry.properties file has the following relevant values set.
> >> >
> >> > # security properties #
> >> > nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
> >> > nifi.registry.security.keystoreType=pkcs12
> >> > nifi.registry.security.keystorePasswd=XXXXXX
> >> > nifi.registry.security.keyPasswd=XXXXXX
> >> > nifi.registry.security.truststore=/path/to/cacerts
> >> > nifi.registry.security.truststoreType=jks
> >> > nifi.registry.security.truststorePasswd=XXXXXX
> >> > nifi.registry.security.needClientAuth=false
> >> > nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
> >> > nifi.registry.security.authorizer=managed-authorizer
> >> > nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
> >> > nifi.registry.security.identity.provider=kerberos-identity-provider
> >> >
> >> > ...
> >> >
> >> > # kerberos properties #
> >> > nifi.registry.kerberos.krb5.file=/etc/krb5.conf
> >> > nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
> >> > nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
> >> > nifi.registry.kerberos.spnego.authentication.expiration=2 hours
> >> >
> >> > And in authorizers.xml I have:
> >> >
> >> > <userGroupProvider>
> >> >         <identifier>file-user-group-provider</identifier>
> >> >         <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
> >> >         <property name="Users File">./conf/users.xml</property>
> >> >         <property name="Initial User Identity 1">user@DOMAIN.COM</property>
> >> > </userGroupProvider>
> >> >
> >> > <accessPolicyProvider>
> >> >         <identifier>file-access-policy-provider</identifier>
> >> >         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
> >> >         <property name="User Group Provider">file-user-group-provider</property>
> >> >         <property name="Authorizations File">./conf/authorizations.xml</property>
> >> >         <property name="Initial Admin Identity">user@DOMAIN.COM</property>
> >> >         <property name="NiFi Identity 1"></property>
> >> > </accessPolicyProvider>
> >> > <authorizer>
> >> >         <identifier>managed-authorizer</identifier>
> >> >         <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
> >> >         <property name="Access Policy Provider">file-access-policy-provider</property>
> >> > </authorizer>
> >> >
> >> > The SSL configuration appears to be correctly set. I am able to
> >> > access the NiFi Registry UI via username and password. Despite my best
> >> > efforts to read the documentation, I am unclear on the following points.
> >> >
> >> > Do I need to set the <property name="NiFi Identity 1"></property>?
> >> > Are there any special considerations I need to be aware of if I run
> >> > NiFi and the NiFi Registry from the same box and use the same domain name?
> >> >
> >> > Any guidance you may be able to share would be appreciated.
> >> >
> >> >
> >> > --
> >> > Nathan Maynes
> >> > @nathanmaynes
> >
> >
> >
> > --
> > Nathan Maynes
> > @nathanmaynes
>


-- 
Nathan Maynes <http://bit.ly/115hXAt>
@nathanmaynes
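The mismatch being chased in this thread, as an added example that is not part of the thread or of the NiFi project: the registry user must carry the full subject DN that NiFi's keystore certificate reports on the Owner line of Certificate[1], not a guessed OU. The keytool listing inside the script is constructed from the sanitized one above, and the normalization is only a diagnostic aid; the identity in Registry should still be entered exactly as keytool prints it.

```python
import re

# Constructed `keytool -list -v` output, modelled on the sanitized listing in the
# thread; it is not captured from a real keystore.
KEYTOOL_OUTPUT = """\
Alias name: nifi-https
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=nifi.example.com, L=Anytown, ST=IN, C=US
Issuer: CN=Internal Intermediate CA (2015), DC=EXAMPLE, DC=com
Certificate[2]:
Owner: CN=Internal Intermediate CA (2015), DC=EXAMPLE, DC=com
Issuer: CN=Internal Root CA, DC=EXAMPLE, DC=com
"""

def server_cert_dn(keytool_output: str) -> str:
    """Owner DN of Certificate[1] under the PrivateKeyEntry: the subject NiFi presents.

    Issuer lines and the rest of the chain are skipped; they are not the identity.
    """
    in_key_entry = False
    for line in keytool_output.splitlines():
        if line.startswith("Entry type:"):
            in_key_entry = "PrivateKeyEntry" in line
        elif in_key_entry and line.startswith("Owner:"):
            return line[len("Owner:"):].strip()
    raise ValueError("no PrivateKeyEntry with an Owner line found")

def normalize_dn(dn: str) -> tuple:
    """Split on unescaped commas into (TYPE, value) pairs; spacing and attribute-type
    case are ignored, values are kept as-is because identities are compared as strings."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return tuple(pairs)

def identity_matches(cert_dn: str, registry_identity: str) -> bool:
    """True only when every RDN matches in order, with none missing or added."""
    return normalize_dn(cert_dn) == normalize_dn(registry_identity)

if __name__ == "__main__":
    dn = server_cert_dn(KEYTOOL_OUTPUT)
    # The OU-only identity from the thread fails; the full Owner DN succeeds.
    for ident in ("CN=nifi.example.com, OU=NIFI", dn):
        print(f"{ident!r}: {'match' if identity_matches(dn, ident) else 'NO MATCH'}")
```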
