Posted to users@nifi.apache.org by Tomislav Novosel <to...@gmail.com> on 2019/02/07 10:57:22 UTC

Nifi registry Kerberos Auth with Docker

Hi all,

I'm trying to configure Nifi registry authentication with Kerberos while
Nifi registry runs inside Docker container.

I configured all security properties in nifi-registry.properties, login
identity provider and authorizers.xml. Everything the same as for Nifi registry
running as a service without Docker container.

When I open UI in browser and type in login data, login does not pass.

In /logs/nifi-registry-app.log I see error:

 An Authentication object was not found in the SecurityContext Returning
401 response
java.lang.IllegalStateException: Access tokens are only issued over HTTPS

nifi.registry.web.https.host property is default because of Docker:
ae24ea32faef
nifi.registry.web.https.port=18080

How can I resolve this?
Thanks.


BR,
Tom

Re: Nifi registry Kerberos Auth with Docker

Posted by Kevin Doran <kd...@apache.org>.
Glad it is working for you! I replied to the points you raised inline below.


On February 14, 2019 at 00:52:06, Tomislav Novosel (to.novosel@gmail.com) wrote:
> Hi Kevin,
>  
> Thank you for your suggestions. I succeeded to get everything working now.
> As you described, now is everything exactly like that in files you
> mentioned.
>
> One strange thing. At first startup of container, I can login into UI
> without problems, but I cannot add new users and policies. After I
> refreshed UI in browser, I was able to do that. So just after refreshing. ??
>

I haven't seen this, though it is possible your browser was caching assets / data that was changed when you refreshed? Still, that is odd. If you experience this as an ongoing issue please let us know so we can dig into it.

> And also, I'm not able to modify my initial admin and user privileges, I
> mean for myself, but for new added user I can.

This is by design. NiFi Registry does not let the current user modify their own privileges or delete their account, to prevent the initial admin from removing permissions and locking themselves out. As a workaround, you can create another admin account and use that to modify (or delete) the initial admin account that was created on first load of the server.

>
> I read on some forums that it can be slow sync between Nifi and AD. I'm on
> my company's domain and there are couple of hundreds users.
>

A couple hundred users should sync just fine. I have seen the slow sync scenario that some users have experienced and reported, but they had thousands of users and groups in their enterprise directories.

A few tips to avoid this issue and tune your LDAP sync (should you give it a try):

- You do not need to sync your entire AD. Set the User Search Base/Filter and Group Search Base/Filter properties to be as restrictive as possible to avoid syncing unnecessary users.
- Tune the Page Size and Sync Interval settings for the LdapUserGroupProvider. The page size will affect the number and duration of search queries to your AD server needed to pull all users and groups -- i.e., a larger page size will use fewer retrievals with more results in each page, a smaller page size will have more retrievals, but each one will be for a smaller set of results. The Sync Interval is more important; you can increase this to run the sync less frequently if you are worried about background processing or load on your AD server.


Cheers,
Kevin

> BR,
> Tom
>  


Re: Nifi registry Kerberos Auth with Docker

Posted by Tomislav Novosel <to...@gmail.com>.
Hi Kevin,

Thank you for your suggestions. I succeeded to get everything working now.
As you described, now is everything exactly like that in files you
mentioned.

One strange thing. At first startup of container, I can login into UI
without problems, but I cannot add new users and policies. After I
refreshed UI in browser, I was able to do that. So just after refreshing. ??

And also, I'm not able to modify my initial admin and user privileges, I
mean for myself, but for new added user I can.

I read on some forums that it can be slow sync between Nifi and AD. I'm on
my company's domain and there are couple of hundreds users.

BR,
Tom


Re: Nifi registry Kerberos Auth with Docker

Posted by Kevin Doran <kd...@apache.org>.
Hi Tom,

How are you configuring the various config files? Through the docker container's environment variables, or through modifying those files directly? If modifying those files, are you injecting them through a volume or something like that? Trying to determine if there is something else at play here overwriting your settings on startup...

It sounds like you are able to configure authentication/login successfully, and are just running into a snag on the authorization / initial admin side of things.

Try this:

1. In authorizers.xml, set the "Initial User Identity 1" and "Initial Admin Identity" properties to exactly match the user identity recognized by NiFi (the one you see in the upper-right corner of the UI after logging in). Make sure whitespace and capitalization all agree.

2. Delete users.xml and authorizations.xml files and restart NiFi Registry.

If all goes successfully, your users.xml file should be regenerated to hold a user with an identity matching "Initial User Identity 1", and authorizations.xml should be regenerated to hold the policies for the "Initial Admin Identity".

If you get that working, you can improve things a bit by configuring the LdapUserGroupProvider to sync users and groups from LDAP, letting you set policies in the UI without having to manually create users that match the LDAP directory users.

Hope this helps,
Kevin


On February 13, 2019 at 03:56:52, Tomislav Novosel (to.novosel@gmail.com) wrote:
> Also, FYI.
> 
> If I set for INITIAL_ADMIN_IDENTITY my user's full DN, cn=...,ou=...,dc=...
> I can also login into UI, but there is no properties button upper right in
> the UI.
> 
> [image: 1.PNG]
> 
> If I set only USERNAME to be u21g46, I can see properties button, but I
> can't add new users.
> 
> BR,
> Tom
> 
> On Fri, 8 Feb 2019 at 16:03, Bryan Bende wrote:
> 
> > Thinking about it more, I guess if you are not trying to do spnego
> > then that message from the logs is not really an error. The registry
> > UI always tries the spnego end-point first and if it returns the
> > conflict response (as the log says) then you get sent to the login
> > page.
> >
> > Maybe try turning on debug logging by editing logback.xml <logger name="org.apache.nifi.registry" level="INFO"/> and changing to DEBUG.
> >
> > On Fri, Feb 8, 2019 at 9:51 AM Tomislav Novosel wrote:
> > >
> > > Hi Bryan,
> > >
> > > I don't have these properties populated in Nifi registry instance
> > > outside Docker (as a service on linux server), and everything works.
> > >
> > > What are these properties up to?
> > >
> > > Regards,
> > > Tom
> > >
> > >
> > >
> > > On Fri, 8 Feb 2019 at 15:25, Bryan Bende wrote:
> > >>
> > >> The message about "Kerberos service ticket login not supported by this
> > >> NiFi Registry" means that one of the following properties is not
> > >> populated:
> > >>
> > >> nifi.registry.kerberos.spnego.principal=
> > >> nifi.registry.kerberos.spnego.keytab.location=
> > >>
> > >> On Fri, Feb 8, 2019 at 8:20 AM Tomislav Novosel wrote:
> > >> >
> > >> > Hi Daniel,
> > >> >
> > >> > Ok, I see. Thanks for the answer.
> > >> >
> > >> > I switched to official Nifi registry image. I succeeded to spin up registry in docker container and to
> > >> > setup Kerberos provider in identity-providers.xml. Also I configured authorizers.xml as per official Nifi documentation.
> > >> >
> > >> > I already have the same setup with Kerberos, but not in Docker container. And everything works like a charm.
> > >> >
> > >> > When I enter credentials, login does not pass. This is app log:
> > >> >
> > >> > 2019-02-08 12:52:30,568 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
> > >> > 2019-02-08 12:52:30,644 INFO [NiFi Registry Web Server-13] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.
> > >> > 2019-02-08 12:52:50,557 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.UnauthorizedExceptionMapper org.apache.nifi.registry.web.exception.UnauthorizedException: The supplied client credentials are not valid.. Returning Unauthorized response.
> > >> >
> > >> > Not sure what is going on here.
> > >> >
> > >> > Regards,
> > >> > Tom
> > >> >
> > >> >
> > >> > On Fri, 8 Feb 2019 at 11:36, Daniel Chaffelson wrote:
> > >> >>
> > >> >> Hi Tomislav,
> > >> >> I created that build a long time ago before the official apache one was up, and it is out of date sorry.
> > >> >> Can I suggest you switch to the official apache image that Kevin mentioned and try again? It is an up to date version and recommended by the community.
> > >> >>
> > >> >> On Thu, Feb 7, 2019 at 5:54 PM Tomislav Novosel <to.novosel@gmail.com> wrote:
> > >> >>>
> > >> >>> Hi Kevin,
> > >> >>>
> > >> >>> I'm using image from Docker hub on this link:
> > >> >>> https://hub.docker.com/r/chaffelson/nifi-registry
> > >> >>>
> > >> >>> I think I know where is the problem. The problem is in config file where
> > >> >>> http host and http port property remains even if I manually set https host and https port.
> > >> >>> I deleted http host and http port to be empty, but when I started container again, those values are again there.
> > >> >>>
> > >> >>> I don't know what the author of image wanted to say with this:
> > >> >>>
> > >> >>> The Docker image can be built using the following command:
> > >> >>>
> > >> >>> . ~/Projects/nifi-dev/nifi-registry/nifi-registry-docker/dockerhub/DockerBuild.sh
> > >> >>>
> > >> >>> What does this command mean?
> > >> >>>
> > >> >>> And this:
> > >> >>>
> > >> >>> Note: The default version of NiFi-Registry specified by the Dockerfile is typically that of one that is unreleased if working from source. To build an image for a prior released version, one can override the NIFI_REGISTRY_VERSION build-arg with the following command:
> > >> >>>
> > >> >>> docker build --build-arg=NIFI_REGISRTY_VERSION={Desired NiFi-Registry Version} -t apache/nifi-registry:latest .
> > >> >>>
> > >> >>> For this command above you need to have Dockerfile. I tried with Dockerfile from docker hub, but there are errors in execution on this line:
> > >> >>>
> > >> >>> ADD sh/ ${NIFI_REGISTRY_BASE_DIR}/scripts/
> > >> >>>
> > >> >>> On the other hand, If I manage to get the image with first command, I will get Nifi registry version 0.1.0 which I don't want.
> > >> >>>
> > >> >>> I'm little bit confused here, sorry for longer mail.
> > >> >>>
> > >> >>> Thanks.
> > >> >>>
> > >> >>> Regards,
> > >> >>> Tom
> > >> >>>
> > >> >>> On Thu, 7 Feb 2019 at 17:38, Kevin Doran wrote:
> > >> >>>>
> > >> >>>> Hi Tom,
> > >> >>>>
> > >> >>>> Are you using the apache/nifi-registry image or a custom image for this?
> > >> >>>>
> > >> >>>> Have you configured TLS?
> > >> >>>> Can you share your complete conf dir (removing sensitive values such as password or domains)?
> > >> >>>>
> > >> >>>> Thanks,
> > >> >>>> Kevin
> > >> >>>>
> > >> >>>>
> > >> >>>> On February 7, 2019 at 05:57:37, Tomislav Novosel (to.novosel@gmail.com) wrote:
> > >> >>>> > Hi all,
> > >> >>>> >
> > >> >>>> > I'm trying to configure Nifi registry authentication with Kerberos while
> > >> >>>> > Nifi registry runs inside Docker container.
> > >> >>>> >
> > >> >>>> > I configured all security properties in nifi-registry.properties, login
> > >> >>>> > identity provider and authorizers.xml. Everything the same as for Nifi registry
> > >> >>>> > running as a service without Docker container.
> > >> >>>> >
> > >> >>>> > When I open UI in browser and type in login data, login does not pass.
> > >> >>>> >
> > >> >>>> > In /logs/nifi-registry-app.log I see error:
> > >> >>>> >
> > >> >>>> > An Authentication object was not found in the SecurityContext Returning 401 response
> > >> >>>> > java.lang.IllegalStateException: Access tokens are only issued over HTTPS
> > >> >>>> >
> > >> >>>> > nifi.registry.web.https.host property is default because of Docker:
> > >> >>>> > ae24ea32faef
> > >> >>>> > nifi.registry.web.https.port=18080
> > >> >>>> >
> > >> >>>> > How can I resolve this?
> > >> >>>> > Thanks.
> > >> >>>> >
> > >> >>>> >
> > >> >>>> > BR,
> > >> >>>> > Tom
> > >> >>>> >
> > >> >>>>
> >
> 
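
Added example (not part of the thread, and not NiFi Registry code): a small Python check for step 1 of Kevin's advice above. It compares the "Initial Admin Identity" and "Initial User Identity N" values in authorizers.xml with the identity shown in the UI and names the kind of mismatch. The sample XML, the identities in it and the function names are constructed for illustration; the sample is trimmed to the properties the thread discusses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed authorizers.xml using the file-based providers.
# The two identities differ from each other only in spacing and letter case.
SAMPLE_AUTHORIZERS = """\
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=Alice Admin, OU=People, DC=example, DC=org</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">cn=alice admin,ou=people,dc=example,dc=org</property>
  </accessPolicyProvider>
</authorizers>
"""


def read_initial_identities(xml_text):
    """Return ({property name: value} for initial users, admin identity or None)."""
    root = ET.fromstring(xml_text)
    users, admin = {}, None
    for prop in root.iter("property"):
        name = prop.get("name", "")
        value = prop.text or ""  # keep whitespace exactly as written in the file
        if name.startswith("Initial User Identity"):
            users[name] = value
        elif name == "Initial Admin Identity":
            admin = value
    return users, admin


def difference(configured, expected):
    """Name why two identity strings differ, or return None if they are identical."""
    if configured == expected:
        return None
    if configured.strip() == expected.strip():
        return "leading/trailing whitespace"
    squeezed_c = "".join(configured.split())
    squeezed_e = "".join(expected.split())
    if squeezed_c == squeezed_e:
        return "internal whitespace"
    if configured.casefold() == expected.casefold():
        return "capitalization"
    if squeezed_c.casefold() == squeezed_e.casefold():
        return "whitespace and capitalization"
    return "different identity"


def audit(xml_text, ui_identity):
    """Compare configured initial identities with the identity shown in the UI.

    ui_identity is the string copied from the upper-right corner of the UI
    after logging in. Returns a list of (property name, reason) findings.
    """
    users, admin = read_initial_identities(xml_text)
    findings = []
    if not admin:
        findings.append(("Initial Admin Identity", "not set"))
    else:
        reason = difference(admin, ui_identity)
        if reason:
            findings.append(("Initial Admin Identity", reason))
    if not any(value == ui_identity for value in users.values()):
        # No exact match: report entries that are near misses, if any.
        near = [(name, difference(value, ui_identity))
                for name, value in users.items() if value]
        near = [(n, r) for n, r in near if r != "different identity"]
        findings.extend(near or [("Initial User Identity", "no entry matches")])
    return findings


if __name__ == "__main__":
    # Constructed identity, as it would be copied from the UI.
    shown_in_ui = "CN=Alice Admin,OU=People,DC=example,DC=org"
    for prop, reason in audit(SAMPLE_AUTHORIZERS, shown_in_ui):
        print(f"{prop}: {reason}")
```

Once the values agree, step 2 above still applies: delete users.xml and authorizations.xml and restart so both files are regenerated from the corrected identities.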


Re: Nifi registry Kerberos Auth with Docker

Posted by Tomislav Novosel <to...@gmail.com>.
Also, FYI.

If I set for INITIAL_ADMIN_IDENTITY my user's full DN, cn=...,ou=...,dc=...
I can also login into UI, but there is no properties button upper right in
the UI.

[image: 1.PNG]

If I set only USERNAME to be u21g46, I can see properties button, but I
can't add new users.

BR,
Tom


Re: Nifi registry Kerberos Auth with Docker

Posted by Tomislav Novosel <to...@gmail.com>.
Yes, this log INFO I see also on my Nifi registry without docker.

I configured logback to DEBUG inside my container and I found in app.log
this exception:

sun.security.krb5.KrbException: Cannot locate default realm

I started container with --add-host command to add in hosts file all my
Domain Kerberos FQDN's
for KDC server. I tried also to ping it from container and it is alive.

Don't know what else it could be.

Any suggestions?

Thank you.

BR,
Tom



Re: Nifi registry Kerberos Auth with Docker

Posted by Tomislav Novosel <to...@gmail.com>.
Hi all,

I gave up regarding Kerberos auth from Docker, it is strange issue.
I switched after to LDAP auth from Docker container and it works.

I'm using official nifi image and I used 'docker run' command from the site:
https://hub.docker.com/r/apache/nifi

But still, issue remains...after I login, I can't add new users or modify
them.

In conf folder I see in authorizations.xml that my Initial admin identity
user has rights to do that.

My conf for authorizers.xml is this:


    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">user1</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">user1</property>
        <property name="NiFi Identity 1"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

In identity-providers.xml everything is good I believe as I can login into
Nifi UI.

Also when I open user1 properties in Nifi UI I can see privileges of that
initial user and it has all the rights to create new users, policies etc.

What am I missing?

Thanks,
Tom
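
An added example, not part of the original post and not NiFi Registry code: a consistency check for an authorizers.xml like the one above. It assumes the Initial Admin Identity has to be a user known to the referenced user group provider and has to equal, character for character, the identity the login provider hands over; the function names, the `login_identity` parameter and the DN are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the post inside the <authorizers> root.
GOOD = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">user1</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">user1</property>
    <property name="NiFi Identity 1"></property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>"""

# Constructed variant: admin given as a DN while the user entry is a short name.
DN_ADMIN = GOOD.replace(
    'Initial Admin Identity">user1<',
    'Initial Admin Identity">cn=user1,ou=people,dc=example,dc=org<',
)


def _props(element):
    """Map property name -> stripped value for one provider element."""
    return {p.get("name"): (p.text or "").strip() for p in element.findall("property")}


def _cn(identity):
    """Return the CN of a DN-style identity, or None if it has no CN part."""
    for part in identity.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == "cn" and value:
            return value
    return None


def check_authorizers(xml_text, login_identity=None):
    """Return a list of findings; an empty list means the references line up."""
    findings = []
    root = ET.fromstring(xml_text)

    # Users each file-based user group provider would seed on first start.
    user_groups = {}
    for ugp in root.findall("userGroupProvider"):
        ident = (ugp.findtext("identifier") or "").strip()
        user_groups[ident] = [v for k, v in _props(ugp).items()
                              if k.startswith("Initial User Identity") and v]

    policy_ids = set()
    for app in root.findall("accessPolicyProvider"):
        ident = (app.findtext("identifier") or "").strip()
        policy_ids.add(ident)
        props = _props(app)
        ref = props.get("User Group Provider", "")
        admin = props.get("Initial Admin Identity", "")
        if ref not in user_groups:
            findings.append(f"{ident}: User Group Provider '{ref}' is not defined")
            continue
        if not admin:
            findings.append(f"{ident}: Initial Admin Identity is empty")
            continue
        known = user_groups[ref]
        if known and admin not in known:
            hint = ""
            if any(admin.lower() == u.lower() for u in known):
                hint = " (differs only in case)"
            elif any(_cn(admin) == u or _cn(u) == admin for u in known):
                hint = " (DN versus short user name)"
            findings.append(
                f"{ident}: Initial Admin Identity '{admin}' is not an "
                f"Initial User Identity of '{ref}'{hint}")
        # The identity produced at login must be the same string as the admin.
        if login_identity is not None and login_identity != admin:
            findings.append(
                f"{ident}: login identity '{login_identity}' is not the "
                f"Initial Admin Identity '{admin}'")

    for auth in root.findall("authorizer"):
        ident = (auth.findtext("identifier") or "").strip()
        ref = _props(auth).get("Access Policy Provider", "")
        if ref not in policy_ids:
            findings.append(f"{ident}: Access Policy Provider '{ref}' is not defined")
    return findings


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("DN_ADMIN", DN_ADMIN)):
        print(name, check_authorizers(doc) or "consistent")
```
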









Re: Nifi registry Kerberos Auth with Docker

Posted by Tomislav Novosel <to...@gmail.com>.
Yes, this log INFO I see also on my Nifi registry without docker.

I configured logback to DEBUG inside my container and I found in app.log
this exception:

sun.security.krb5.KrbException: Cannot locate default realm

I started container with --add-host command to add in hosts file all my
Domain Kerberos FQDN's
for KDC server. I tried also to ping it from container and it is alive.

FYI. I created volume for container to have access to krb5.conf file.
krb5.conf file is the same as for
my Nifi registry as a service where everything works. File permissions are
added also.

Don't know what else it could be.

Any suggestions?

Thank you.

BR,
Tom
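
An added example, not part of the original post: `Cannot locate default realm` is what the JVM's Kerberos code reports when it ends up without a default realm, so one check to run inside the container is whether the mounted krb5.conf is readable at its path, sets `default_realm`, and lists a KDC for that realm. The realm, host name and function names are constructed placeholders; the check does not tell you whether the JVM is actually pointed at that file.

```python
import os
import re

# Constructed sample; EXAMPLE.ORG and kdc1.example.org are placeholders.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_kdc = false

[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        admin_server = kdc1.example.org
    }
"""


def parse_krb5(text):
    """Parse [section], 'key = value' and 'name = { ... }' into nested dicts.

    Plain values are collected in lists because keys such as kdc may repeat.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not stack or not sep:
            continue  # text outside a section, or not a key/value line
        key, value = key.strip(), value.strip()
        if value == "{":
            child = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            existing = stack[-1].get(key)
            if isinstance(existing, list):
                existing.append(value)
            else:
                stack[-1][key] = [value]
    return sections


def check_krb5(text):
    """Return findings about the default realm; an empty list means it resolves."""
    sections = parse_krb5(text)
    default = sections.get("libdefaults", {}).get("default_realm")
    if not isinstance(default, list):
        return ["no default_realm in [libdefaults]"]
    realm = default[0]
    realm_cfg = sections.get("realms", {}).get(realm)
    if not isinstance(realm_cfg, dict) or not realm_cfg.get("kdc"):
        # Without a kdc entry the KDC has to be discovered through DNS,
        # which entries added to /etc/hosts (--add-host) do not provide.
        return [f"realm '{realm}' has no kdc entry in [realms]"]
    return []


def check_krb5_file(path):
    """Check the file as the process inside the container would see it."""
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        return [f"{path}: not a readable file for uid {os.getuid()}"]
    with open(path, encoding="utf-8") as handle:
        return check_krb5(handle.read())


if __name__ == "__main__":
    print(check_krb5(SAMPLE_KRB5) or "default realm resolves")
    print(check_krb5_file("/etc/krb5.conf") or "default realm resolves")
```
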


Re: Nifi registry Kerberos Auth with Docker

Posted by Bryan Bende <bb...@gmail.com>.
Thinking about it more, I guess if you are not trying to do spnego
then that message from the logs is not really an error. The registry
UI always tries the spnego end-point first and if it returns the
conflict response (as the log says) then you get sent to the login
page.

Maybe try turning on debug logging by editing logback.xml <logger
name="org.apache.nifi.registry" level="INFO"/> and changing to DEBUG.

On Fri, Feb 8, 2019 at 9:51 AM Tomislav Novosel <to...@gmail.com> wrote:
>
> Hi Bryan,
>
> I don't have these properties populated in Nifi registry instance
> outside Docker (as a service on linux server), and everything works.
>
> What are these properties up to?
>
> Regards,
> Tom
>
>
>
> On Fri, 8 Feb 2019 at 15:25, Bryan Bende <bb...@gmail.com> wrote:
>>
>> The message about "Kerberos service ticket login not supported by this
>> NiFi Registry" means that one of the following properties is not
>> populated:
>>
>> nifi.registry.kerberos.spnego.principal=
>> nifi.registry.kerberos.spnego.keytab.location=
>>
>> On Fri, Feb 8, 2019 at 8:20 AM Tomislav Novosel <to...@gmail.com> wrote:
>> >
>> > Hi Daniel,
>> >
>> > Ok, I see. Thanks for the answer.
>> >
>> > I switched to official Nifi registry image. I succeeded to spin up registry in docker container and to
>> > setup Kerberos provider in identity-providers.xml. Also I configured authorizers.xml as per official Nifi documentation.
>> >
>> > I already have the same setup with Kerberos, but not in Docker container. And everything works like a charm.
>> >
>> > When I enter credentials, login does not pass. This is app log:
>> >
>> > 2019-02-08 12:52:30,568 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
>> > 2019-02-08 12:52:30,644 INFO [NiFi Registry Web Server-13] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.
>> > 2019-02-08 12:52:50,557 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.UnauthorizedExceptionMapper org.apache.nifi.registry.web.exception.UnauthorizedException: The supplied client credentials are not valid.. Returning Unauthorized response.
>> >
>> > Not sure what is going on here.
>> >
>> > Regards,
>> > Tom
>> >
>> >
>> > On Fri, 8 Feb 2019 at 11:36, Daniel Chaffelson <ch...@gmail.com> wrote:
>> >>
>> >> Hi Tomislav,
>> >> I created that build a long time ago before the official apache one was up, and it is out of date sorry.
>> >> Can I suggest you switch to the official apache image that Kevin mentioned and try again? It is an up to date version and recommended by the community.
>> >>
>> >> On Thu, Feb 7, 2019 at 5:54 PM Tomislav Novosel <to...@gmail.com> wrote:
>> >>>
>> >>> Hi Kevin,
>> >>>
>> >>> I'm using image from Docker hub on this link:
>> >>> https://hub.docker.com/r/chaffelson/nifi-registry
>> >>>
>> >>> I think I know where is the problem. The problem is in config file where
>> >>> http host and http port property remains even if I manually set https host and htpps port.
>> >>> I deleted http host and http port to be empty, but when I started container again, those values are again there.
>> >>>
>> >>> I don't know what the author of image wanted to say with this:
>> >>>
>> >>> The Docker image can be built using the following command:
>> >>>
>> >>> . ~/Projects/nifi-dev/nifi-registry/nifi-registry-docker/dockerhub/DockerBuild.sh
>> >>>
>> >>> What does this commend mean?
>> >>>
>> >>> And this:
>> >>>
>> >>> Note: The default version of NiFi-Registry specified by the Dockerfile is typically that of one that is unreleased if working from source. To build an image for a prior released version, one can override the NIFI_REGISTRY_VERSIONbuild-arg with the following command:
>> >>>
>> >>> docker build --build-arg=NIFI_REGISRTY_VERSION={Desired NiFi-Registry Version} -t apache/nifi-registry:latest .
>> >>>
>> >>> For this command above you need to have Dockerfile. I tried with Dockerfile from docker hub, but there are errors in execution on this line:
>> >>>
>> >>> ADD sh/ ${NIFI_REGISTRY_BASE_DIR}/scripts/
>> >>>
>> >>>  On the other hand, If I manage to get the image with first command, I will get Nifi registry version 0.1.0 which I don't want.
>> >>>
>> >>> I'm little bit confused here, sorry for longer mail.
>> >>>
>> >>> Thanks.
>> >>>
>> >>> Regards,
>> >>> Tom
>> >>>
>> >>> On Thu, 7 Feb 2019 at 17:38, Kevin Doran <kd...@apache.org> wrote:
>> >>>>
>> >>>> Hi Tom,
>> >>>>
>> >>>> Are you using the apache/nifi-registry image or a custom image for this?
>> >>>>
>> >>>> Have you configured TLS?
>> >>>> Can you share your complete conf dir (removing sensitive values such as password or domains)?
>> >>>>
>> >>>> Thanks,
>> >>>> Kevin
>> >>>>
>> >>>>
>> >>>> On February 7, 2019 at 05:57:37, Tomislav Novosel (to.novosel@gmail.com) wrote:
>> >>>> > Hi all,
>> >>>> >
>> >>>> > I'm trying to configure Nifi registry authentication with Kerberos while
>> >>>> > Nifi registry runs
>> >>>> > inside Docker container.
>> >>>> >
>> >>>> > I configured all security properties in nifi-registry.properties, login
>> >>>> > identity provider and
>> >>>> > authorizers.xml. Everything the same as for Nifi registry running as a
>> >>>> > service without Docker container.
>> >>>> >
>> >>>> > When I open UI in browser and type in login data, login dose not pass.
>> >>>> >
>> >>>> > In /logs/nifi-registry-app.log I see error:
>> >>>> >
>> >>>> > An Authentication object was not found in the SecurityContext Returning
>> >>>> > 401 response
>> >>>> > java.lang.IllegalStateException: Access tokens are only issued over HTTPS
>> >>>> >
>> >>>> > nifi.registry.web.https.host property is default because of Docker:
>> >>>> > ae24ea32faef
>> >>>> > nifi.registry.web.https.port=18080
>> >>>> >
>> >>>> > How can I resolve this?
>> >>>> > Thanks.
>> >>>> >
>> >>>> >
>> >>>> > BR,
>> >>>> > Tom
>> >>>> >
>> >>>>

Re: Nifi registry Kerberos Auth with Docker

Posted by Tomislav Novosel <to...@gmail.com>.
Hi Bryan,

I don't have these properties populated in Nifi registry instance
outside Docker (as a service on linux server), and everything works.

What are these properties up to?

Regards,
Tom



On Fri, 8 Feb 2019 at 15:25, Bryan Bende <bb...@gmail.com> wrote:

> The message about "Kerberos service ticket login not supported by this
> NiFi Registry" means that one of the following properties is not
> populated:
>
> nifi.registry.kerberos.spnego.principal=
> nifi.registry.kerberos.spnego.keytab.location=

Re: Nifi registry Kerberos Auth with Docker

Posted by Bryan Bende <bb...@gmail.com>.
The message about "Kerberos service ticket login not supported by this
NiFi Registry" means that one of the following properties is not
populated:

nifi.registry.kerberos.spnego.principal=
nifi.registry.kerberos.spnego.keytab.location=

On Fri, Feb 8, 2019 at 8:20 AM Tomislav Novosel <to...@gmail.com> wrote:
>
> Hi Daniel,
>
> Ok, I see. Thanks for the answer.
>
> I switched to official Nifi registry image. I succeeded to spin up registry in docker container and to
> setup Kerberos provider in identity-providers.xml. Also I configured authorizers.xml as per official Nifi documentation.
>
> I already have the same setup with Kerberos, but not in Docker container. And everything works like a charm.
>
> When I enter credentials, login does not pass. This is app log:
>
> 2019-02-08 12:52:30,568 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
> 2019-02-08 12:52:30,644 INFO [NiFi Registry Web Server-13] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.
> 2019-02-08 12:52:50,557 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.UnauthorizedExceptionMapper org.apache.nifi.registry.web.exception.UnauthorizedException: The supplied client credentials are not valid.. Returning Unauthorized response.
>
> Not sure what is going on here.
>
> Regards,
> Tom
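
Added example, not part of the thread or of NiFi Registry itself: a small checker that takes the two log messages quoted in this thread and reports which nifi-registry.properties keys are unpopulated for each, plus any plain-HTTP listener settings left over as Tom described. The property values in both sample configurations are constructed, and the HTTPS mapping and the leftover-HTTP check are assumptions drawn from the thread, not documented behaviour.

```python
# Added example: map the log messages from this thread to the
# nifi-registry.properties keys to inspect. Sample values are constructed.

# Log fragment -> keys that should be populated. The first mapping is Bryan's
# statement; the second follows from the message text (assumption).
LOG_HINTS = {
    "Kerberos service ticket login not supported": (
        "nifi.registry.kerberos.spnego.principal",
        "nifi.registry.kerberos.spnego.keytab.location",
    ),
    "Access tokens are only issued over HTTPS": (
        "nifi.registry.web.https.host",
        "nifi.registry.web.https.port",
    ),
}
HTTP_KEYS = ("nifi.registry.web.http.host", "nifi.registry.web.http.port")
HTTP_LEFTOVER = "plain-HTTP listener still configured"


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def diagnose(props, log_text):
    """Return (reason, keys) pairs for each condition the inputs point to."""
    findings = []
    for fragment, keys in LOG_HINTS.items():
        if fragment in log_text:
            unset = [k for k in keys if not props.get(k)]
            if unset:
                findings.append((fragment, unset))
    # Heuristic (assumption): HTTP settings that survive next to HTTPS ones.
    leftover = [k for k in HTTP_KEYS if props.get(k)]
    if leftover:
        findings.append((HTTP_LEFTOVER, leftover))
    return findings


# The two messages as they appear in the logs quoted in this thread.
SAMPLE_LOG = """\
2019-02-08 12:52:30,568 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
java.lang.IllegalStateException: Access tokens are only issued over HTTPS
"""

# Constructed configuration showing all three conditions at once.
BROKEN = """\
# web properties
nifi.registry.web.http.host=ae24ea32faef
nifi.registry.web.http.port=18080
nifi.registry.web.https.host=
nifi.registry.web.https.port=
nifi.registry.kerberos.spnego.principal=
nifi.registry.kerberos.spnego.keytab.location=
"""

# Constructed corrected configuration; principal and keytab are placeholders.
FIXED = """\
nifi.registry.web.http.host=
nifi.registry.web.http.port=
nifi.registry.web.https.host=ae24ea32faef
nifi.registry.web.https.port=18080
nifi.registry.kerberos.spnego.principal=HTTP/registry.example.com@EXAMPLE.COM
nifi.registry.kerberos.spnego.keytab.location=/path/to/placeholder.keytab
"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name)
        for reason, keys in diagnose(parse_properties(text), SAMPLE_LOG):
            print(f"  {reason}: {', '.join(keys)}")
```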

Re: Nifi registry Kerberos Auth with Docker

Posted by Tomislav Novosel <to...@gmail.com>.
Hi Daniel,

Ok, I see. Thanks for the answer.

I switched to official Nifi registry image. I succeeded to spin up registry
in docker container and to setup Kerberos provider in identity-providers.xml.
Also I configured authorizers.xml as per official Nifi documentation.

I already have the same setup with Kerberos, but not in Docker container.
And everything works like a charm.

When I enter credentials, login does not pass. This is app log:

2019-02-08 12:52:30,568 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos service ticket login not supported by this NiFi Registry. Returning Conflict response.
2019-02-08 12:52:30,644 INFO [NiFi Registry Web Server-13] o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated due to: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext Returning 401 response.
2019-02-08 12:52:50,557 INFO [NiFi Registry Web Server-14] o.a.n.r.w.m.UnauthorizedExceptionMapper org.apache.nifi.registry.web.exception.UnauthorizedException: The supplied client credentials are not valid.. Returning Unauthorized response.

Not sure what is going on here.

Regards,
Tom


On Fri, 8 Feb 2019 at 11:36, Daniel Chaffelson <ch...@gmail.com> wrote:

> Hi Tomislav,
> I created that build a long time ago before the official apache one was
> up, and it is out of date sorry.
> Can I suggest you switch to the official apache image that Kevin mentioned
> and try again? It is an up to date version and recommended by the community.

Re: Nifi registry Kerberos Auth with Docker

Posted by Daniel Chaffelson <ch...@gmail.com>.
Hi Tomislav,
I created that build a long time ago before the official apache one was up,
and it is out of date sorry.
Can I suggest you switch to the official apache image that Kevin mentioned
and try again? It is an up to date version and recommended by the community.

On Thu, Feb 7, 2019 at 5:54 PM Tomislav Novosel <to...@gmail.com>
wrote:

> Hi Kevin,
>
> I'm using image from Docker hub on this link:
> https://hub.docker.com/r/chaffelson/nifi-registry
>
> I think I know where is the problem. The problem is in config file where
> http host and http port property remains even if I manually set https host
> and https port.
> I deleted http host and http port to be empty, but when I started
> container again, those values are again there.
>
> I don't know what the author of image wanted to say with this:
>
> The Docker image can be built using the following command:
>
> . ~/Projects/nifi-dev/nifi-registry/nifi-registry-docker/dockerhub/DockerBuild.sh
>
> What does this command mean?
>
> And this:
>
> Note: The default version of NiFi-Registry specified by the Dockerfile is
> typically that of one that is unreleased if working from source. To build
> an image for a prior released version, one can override the
> NIFI_REGISTRY_VERSION build-arg with the following command:
>
> docker build --build-arg=NIFI_REGISTRY_VERSION={Desired NiFi-Registry Version} -t apache/nifi-registry:latest .
>
> For this command above you need to have Dockerfile. I tried with
> Dockerfile from docker hub, but there are errors in execution on this line:
>
> ADD sh/ ${NIFI_REGISTRY_BASE_DIR}/scripts/
>
> On the other hand, if I manage to get the image with first command, I
> will get Nifi registry version 0.1.0 which I don't want.
>
> I'm a little bit confused here, sorry for longer mail.
>
> Thanks.
>
> Regards,
> Tom

Re: Nifi registry Kerberos Auth with Docker

Posted by Tomislav Novosel <to...@gmail.com>.
Hi Kevin,

I'm using image from Docker hub on this link:
https://hub.docker.com/r/chaffelson/nifi-registry

I think I know where is the problem. The problem is in config file where
http host and http port property remains even if I manually set https host
and https port.
I deleted http host and http port to be empty, but when I started container
again, those values are again there.

I don't know what the author of image wanted to say with this:

The Docker image can be built using the following command:

. ~/Projects/nifi-dev/nifi-registry/nifi-registry-docker/dockerhub/DockerBuild.sh

What does this command mean?

And this:

Note: The default version of NiFi-Registry specified by the Dockerfile is
typically that of one that is unreleased if working from source. To build
an image for a prior released version, one can override the
NIFI_REGISTRY_VERSION build-arg with the following command:

docker build --build-arg=NIFI_REGISTRY_VERSION={Desired NiFi-Registry Version} -t apache/nifi-registry:latest .

For this command above you need to have Dockerfile. I tried with Dockerfile
from docker hub, but there are errors in execution on this line:

ADD sh/ ${NIFI_REGISTRY_BASE_DIR}/scripts/

On the other hand, if I manage to get the image with first command, I will
get Nifi registry version 0.1.0 which I don't want.

I'm a little bit confused here, sorry for longer mail.

Thanks.

Regards,
Tom

On Thu, 7 Feb 2019 at 17:38, Kevin Doran <kd...@apache.org> wrote:

> Hi Tom,
>
> Are you using the apache/nifi-registry image or a custom image for this?
>
> Have you configured TLS?
> Can you share your complete conf dir (removing sensitive values such as
> password or domains)?
>
> Thanks,
> Kevin

Re: Nifi registry Kerberos Auth with Docker

Posted by Kevin Doran <kd...@apache.org>.
Hi Tom,

Are you using the apache/nifi-registry image or a custom image for this?

Have you configured TLS?
Can you share your complete conf dir (removing sensitive values such as password or domains)?

Thanks,
Kevin


On February 7, 2019 at 05:57:37, Tomislav Novosel (to.novosel@gmail.com) wrote:
> Hi all,
> 
> I'm trying to configure Nifi registry authentication with Kerberos while
> Nifi registry runs
> inside Docker container.
> 
> I configured all security properties in nifi-registry.properties, login
> identity provider and
> authorizers.xml. Everything the same as for Nifi registry running as a
> service without Docker container.
> 
> When I open UI in browser and type in login data, login does not pass.
> 
> In /logs/nifi-registry-app.log I see error:
> 
> An Authentication object was not found in the SecurityContext Returning
> 401 response
> java.lang.IllegalStateException: Access tokens are only issued over HTTPS
> 
> nifi.registry.web.https.host property is default because of Docker:
> ae24ea32faef
> nifi.registry.web.https.port=18080
> 
> How can I resolve this?
> Thanks.
> 
> 
> BR,
> Tom
>