nifi-users mailing list archives

From Nathan Maynes <nathanmay...@gmail.com>
Subject Re: Communication Error Between NiFi and Registry: Error retrieving all buckets
Date Mon, 05 Aug 2019 18:57:29 GMT
The video appears to show certificate-based access. When I set the
NiFi Identity 1 for a Kerberos scheme should it follow the user@DOMAIN.COM
format? If it does, would the NiFi Identity 1 for localhost be
nifi@LOCALHOST?

On Mon, Aug 5, 2019 at 1:47 PM Bryan Bende <bbende@gmail.com> wrote:

> Hello,
>
> I believe the video should cover this, but did you add a user
> representing your NiFi instance and grant it the permissions for proxy
> and read all buckets?
>
> That is what "NiFi Identity 1" would have done, but that only gets
> used on initial setup, so you would do it from the UI now.
>
> -Bryan
>
> On Mon, Aug 5, 2019 at 1:30 PM Nathan Maynes <nathanmaynes@gmail.com>
> wrote:
> >
> > Hopefully I can get some guidance on configuring secure communication
> > between NiFi and NiFi-Registry. The Error I have been trying to resolve
> > occurs when trying to send a processor group to NiFi-Registry for
> > versioning. Below is the error message displayed in the NiFi UI.
> >
> > "Unable to obtain listing of buckets:
> > org.apache.nifi.registry.client.NiFiRegistryException: Error retrieving all
> > buckets: An Authentication object was not found in the SecurityContext
> > Contact the system administrator. "
> >
> > I started out by watching the tutorial video "Setting Up a Secure NiFi
> > to Integrate with a Secure NiFi Registry" posted on the Registry home page.
> > I am using a Kerberos file-based authentication scheme with the initial
> > admin and initial user set to the same value, eg "name@DOMAIN.COM." (This
> > is a sanitized value and is used in the configuration example below) It is
> > based on the configuration we are using for NiFi. My
> > nifi-registry.properties file has the following relevant values set.
> >
> > # security properties #
> > nifi.registry.security.keystore=/etc/ssl/nifi2019.p12
> > nifi.registry.security.keystoreType=pkcs12
> > nifi.registry.security.keystorePasswd=XXXXXX
> > nifi.registry.security.keyPasswd=XXXXXX
> > nifi.registry.security.truststore=/path/to/cacerts
> > nifi.registry.security.truststoreType=jks
> > nifi.registry.security.truststorePasswd=XXXXXX
> > nifi.registry.security.needClientAuth=false
> > nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
> > nifi.registry.security.authorizer=managed-authorizer
> > nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
> > nifi.registry.security.identity.provider=kerberos-identity-provider
> >
> > ...
> >
> > # kerberos properties #
> > nifi.registry.kerberos.krb5.file=/etc/krb5.conf
> > nifi.registry.kerberos.spnego.principal=svcnififsaccess/DOMAIN.COM
> > nifi.registry.kerberos.spnego.keytab.location=/etc/ssl/example.keytab
> > nifi.registry.kerberos.spnego.authentication.expiration=2 hours
> >
> > And in authorizers.xml I have:
> >
> > <userGroupProvider>
> >         <identifier>file-user-group-provider</identifier>
> >         <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
> >         <property name="Users File">./conf/users.xml</property>
> >         <property name="Initial User Identity 1">user@DOMAIN.COM</property>
> > </userGroupProvider>
> >
> > <accessPolicyProvider>
> >         <identifier>file-access-policy-provider</identifier>
> >         <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
> >         <property name="User Group Provider">file-user-group-provider</property>
> >         <property name="Authorizations File">./conf/authorizations.xml</property>
> >         <property name="Initial Admin Identity">user@DOMAIN.COM</property>
> >         <property name="NiFi Identity 1"></property>
> > </accessPolicyProvider>
> > <authorizer>
> >         <identifier>managed-authorizer</identifier>
> >         <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
> >         <property name="Access Policy Provider">file-access-policy-provider</property>
> > </authorizer>
> >
> > The SSL configuration appears to be correctly set. I am able to access
> > the NiFi Registry UI via username and password. Despite my best efforts to
> > read the documentation, I am unclear on the following points.
> >
> > Do I need to set the <property name="NiFi Identity 1"></property>?
> > Are there any special considerations I need to be aware of if I run NiFi
> > and the NiFi Registry from the same box and use the same domain name?
> >
> > Any guidance you may be able to share would be appreciated.
> >
> >
> > --
> > Nathan Maynes
> > @nathanmaynes
>


-- 
Nathan Maynes <http://bit.ly/115hXAt>
@nathanmaynes
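
An added example, not part of the original thread or of the NiFi Registry project: a small Python check over an authorizers.xml like the one quoted above, flagging a blank "NiFi Identity" property and the point from Bryan's reply that the property is only used on initial setup. The sample XML with its `<authorizers>` root is constructed, `policies_already_seeded` is a hypothetical flag, and the rule that a NiFi identity must also be listed as an Initial User Identity is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the authorizers.xml quoted in the thread; the
# <authorizers> root element is assumed so the fragment parses stand-alone.
SAMPLE = """<authorizers>
  <userGroupProvider>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">user@DOMAIN.COM
    </property>
  </userGroupProvider>
  <accessPolicyProvider>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">user@DOMAIN.COM</property>
    <property name="NiFi Identity 1"></property>
  </accessPolicyProvider>
</authorizers>"""


def props(provider):
    """Map property name -> value, stripped of mail-wrap whitespace."""
    return {p.get("name"): (p.text or "").strip() for p in provider.findall("property")}


def audit(xml_text, policies_already_seeded=False):
    """Return findings about the NiFi identities in an authorizers.xml document.

    policies_already_seeded (hypothetical flag): True when initial setup has
    already run, so the seeding properties are no longer read.
    """
    root = ET.fromstring(xml_text)
    users = {v for ugp in root.iter("userGroupProvider")
             for k, v in props(ugp).items()
             if k.startswith("Initial User Identity") and v}
    findings = []
    for app in root.iter("accessPolicyProvider"):
        nifi = {k: v for k, v in props(app).items() if k.startswith("NiFi Identity")}
        if not any(nifi.values()):
            findings.append("no NiFi identity set: nothing is seeded with proxy and read-buckets")
        for name, ident in nifi.items():
            # Assumption: a seeded NiFi identity must also exist as a user.
            if ident and ident not in users:
                findings.append(f"{name} '{ident}' is not an Initial User Identity")
        if policies_already_seeded and any(nifi.values()):
            findings.append("NiFi Identity is only read on initial setup: grant it in the UI")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```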
