Posted to dev@nifi.apache.org by Anil Rai <an...@gmail.com> on 2018/01/31 23:11:14 UTC

setting up secure nifi

All,

I am trying to install NiFi 1.5 and make it HTTPS. Below are the steps I
followed and the error I am getting, followed by the config and log file
contents. Please help.

1. Installed NiFi 1.5
2. Installed NiFi Toolkit 1.5
3. Ran the toolkit: ./tls-toolkit.sh standalone -n 'localhost' -C 'CN=TC,OU=NIFI' -O -o ../security_output
4. Copied the generated keystore, truststore and nifi.properties to the nifi/config folder
5. Imported the generated certificate into the Chrome browser
6. Modified authorizers.xml as attached.
7. Restarted as required. Now when I enter the URL below in the browser, I see the error below.

https://localhost:9443/nifi/

Insufficient Permissions

   - home

Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
administrator.


authorizers.xml
--------------------
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
------------------------

nifi-user.log
-----------------------
2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/authorizations.xml
2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: cn=TC,ou=NIFI,dc=example,dc=com
2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:52:18,192 INFO [NiFi Web Server-28] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2018-01-31 17:52:18,306 INFO [NiFi Web Server-67] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
2018-01-31 17:52:18,350 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC, OU=NIFI) GET https://localhost:9443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, OU=NIFI
2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
------------------------------

Generated users.xml
--------------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4" identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
    </users>
</tenants>
--------------------------------

Generated authorizations.xml
--------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
resource="/flow" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
resource="/restricted-components" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
resource="/tenants" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
resource="/tenants" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
resource="/policies" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
resource="/policies" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
resource="/controller" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
resource="/controller" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
    </policies>
</authorizations>
------------------------------------

nifi.properties
----------------------------
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=localhost
nifi.web.https.port=9443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=

# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3ZHZyqI4
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
----------------------



Please help.

Regards
Anil

Re: setting up secure nifi

Posted by Andy LoPresto <al...@apache.org>.
Hi Anil,

In addition to Bryan’s explanation, there are a number of blog posts and articles covering this topic:

* Authorization and Multi-Tenancy by Bryan Bende [1]
* Secured Cluster Setup by Pierre Villard [2]
* TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
* Initial Admin Identity section of Apache NiFi Admin Guide [4]
* Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
* Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan Rosander [6]

The sequence “dc=example,dc=com” in your current user DN (Distinguished Name) is incorrect and not present in the DN of the certificate. I imagine you copied this from an example posted online. “dc=” is a sequence used in DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com” would be the parent DN. But when you generated the certificate, you did not provide this information, so the DNs do not match, and NiFi correctly asserts that this is not a valid certificate identifying the user DN you specified in your XML files. Removing “dc=example,dc=com” from that definition as Bryan suggested will resolve your issue.

[1] https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
[2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
[3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
[4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity
[5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
[6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html
[7] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Directory_structure

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jan 31, 2018, at 7:32 PM, Bryan Bende <bbende@gmail.com> wrote:
> 
> It’s the same problem, your initial admin should be:
> 
> CN=TC, OU=NIFI
> 
> Not
> 
> CN=TC,OU=NIFI,dc=example,dc=com
> 
> The first one is the DN of your client cert, the second one is not.
> 
> On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <anilrainifi@gmail.com> wrote:
> 
>> Hi Bryan,
>> 
>> Thanks for the quick reply. I did follow your steps, but I am seeing the
>> same error.
>> Now the entry looks like
>>        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,dc=com</property>
>> 
>> Also, what does dc stand for after CN and OU? Is that a problem?
>> Is there a blog that talks about installing and making it HTTPS using the
>> toolkit? I did not find any good post that talks end to end, from
>> installing to making it secure using the TLS toolkit.
>> 
>> Any help is appreciated.
>> 
>> Thanks
>> Anil
>> 
>> 
>> 
>> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <bbende@gmail.com> wrote:
>> 
>>> Hello,
>>> 
>>> The identity in authorizers.xml for your initial admin does not match the
>>> identity of your client cert.
>>> 
>>> You should be putting “CN=TC, OU=NIFI” as the initial admin because that
>>> is the DN of your client cert.
>>> 
>>> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
>>> authorizations.xml, and start back up.
>>> 
>>> Thanks,
>>> 
>>> Bryan
>>> 
>>> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <anilrainifi@gmail.com> wrote:
>>> 
>>>> All,
>>>> 
>>>> I am trying to install nifi 1.5 and making it https. Below is the steps
>>>> followed and the error i am getting. Below is the config and log files
>>>> content. Please help
>>>> 
>>>> 1. Installed nifi 1.5
>>>> 2. Installed nifi toolkit 1.5
>>>> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
>>>> 'CN=TC,OU=NIFI' -O -o ../security_output
>>>> 4. Copied generated keystore, truststore and nifi properties to
>>> nifi/config
>>>> folder
>>>> 5. Imported the generated certificate to chrome browser
>>>> 6. Modified authorizers.xml as attached.
>>>> 7. With required restarts. Now when i enter the below url in the
>>> browser, I
>>>> see the below error.
>>>> 
>>>> https://localhost:9443/nifi/ <https://localhost:9443/nifi/>
>>>> 
>>>> Insufficient Permissions
>>>> 
>>>>   - home
>>>> 
>>>> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
>>>> administrator.
>>>> 
>>>> 
>>>> authorizers.xml
>>>> --------------------
>>>>    <userGroupProvider>
>>>>        <identifier>file-user-group-provider</identifier>
>>>>        <class>org.apache.nifi.authorization.
>>> FileUserGroupProvider</class>
>>>>        <property name="Users File">./conf/users.xml</property>
>>>>        <property name="Legacy Authorized Users File"></property>
>>>> 
>>>>        <property name="Initial User Identity
>>>> 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>>>    </userGroupProvider>
>>>> 
>>>>    <accessPolicyProvider>
>>>>        <identifier>file-access-policy-provider</identifier>
>>>> 
>>>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>>>        <property name="User Group
>>>> Provider">file-user-group-provider</property>
>>>>        <property name="Authorizations
>>>> File">./conf/authorizations.xml</property>
>>>>        <property name="Initial Admin
>>>> Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>>>        <property name="Legacy Authorized Users File"></property>
>>>> 
>>>>        <property name="Node Identity 1"></property>
>>>>    </accessPolicyProvider>
>>>> ------------------------
>>>> 
>>>> nifi-user.log
>>>> -----------------------
>>>> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
>>> Creating
>>>> new users file at
>>>> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
>>>> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
>>>> Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
>>>> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
>>>> Creating new authorizations file at
>>>> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
>>> authorizations.xml
>>>> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
>>>> Populating authorizations for Initial Admin:
>>>> cn=TC,ou=NIFI,dc=example,dc=com
>>>> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
>>>> Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
>>>> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
>>>> o.a.n.w.a.c.IllegalStateExceptionMapper
>> java.lang.IllegalStateException:
>>>> Kerberos ticket login not supported by this NiFi.. Returning Conflict
>>>> response.
>>>> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
>>>> o.a.n.w.a.c.IllegalStateExceptionMapper
>> java.lang.IllegalStateException:
>>>> OpenId Connect is not configured.. Returning Conflict response.
>>>> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
>>>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
>>> OU=NIFI)
>>>> GET https://localhost:9443/nifi-api/flow/current-user <https://localhost:9443/nifi-api/flow/current-user> (source ip:
>>>> 127.0.0.1)
>>>> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
>>>> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
>>>> OU=NIFI
>>>> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
>>>> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
>>> groups[]
>>>> does not have permission to access the requested resource. Unknown user
>>>> with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
>>>> ------------------------------
>>>> 
>>>> Generated users.xml
>>>> --------------------------------
>>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>>> <tenants>
>>>>    <groups/>
>>>>    <users>
>>>>        <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
>>>> identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>>>>    </users>
>>>> </tenants>
>>>> --------------------------------
>>>> 
>>>> Generated authorizations.xml
>>>> --------------------------
>>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>>> <authorizations>
>>>>    <policies>
>>>>        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>>>> resource="/flow" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
>>>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>> action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
>>>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>> action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
>>>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>> action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
>>>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>> action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>>>> resource="/restricted-components" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>>>> resource="/tenants" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>>>> resource="/tenants" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>>>> resource="/policies" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>>>> resource="/policies" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>>>> resource="/controller" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>>>> resource="/controller" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>    </policies>
>>>> </authorizations>
>>>> ------------------------------------
>>>> 
>>>> nifi.properties
>>>> ----------------------------
>>>> # web properties #
>>>> nifi.web.war.directory=./lib
>>>> nifi.web.http.host=
>>>> nifi.web.http.port=
>>>> nifi.web.http.network.interface.default=
>>>> nifi.web.https.host=localhost
>>>> nifi.web.https.port=9443
>>>> nifi.web.https.network.interface.default=
>>>> nifi.web.jetty.working.directory=./work/jetty
>>>> nifi.web.jetty.threads=200
>>>> nifi.web.max.header.size=16 KB
>>>> nifi.web.proxy.context.path=
>>>> 
>>>> # security properties #
>>>> nifi.sensitive.props.key=
>>>> nifi.sensitive.props.key.protected=
>>>> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
>>>> nifi.sensitive.props.provider=BC
>>>> nifi.sensitive.props.additional.keys=
>>>> 
>>>> nifi.security.keystore=./conf/keystore.jks
>>>> nifi.security.keystoreType=jks
>>>> 
>> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>>> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>>> nifi.security.truststore=./conf/truststore.jks
>>>> nifi.security.truststoreType=jks
>>>> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
>>> ZHZyqI4
>>>> nifi.security.needClientAuth=
>>>> nifi.security.user.authorizer=managed-authorizer
>>>> nifi.security.user.login.identity.provider=
>>>> nifi.security.ocsp.responder.url=
>>>> nifi.security.ocsp.responder.certificate=
>>>> ----------------------
>>>> 
>>>> 
>>>> 
>>>> Please help.
>>>> 
>>>> Regards
>>>> Anil
>>>> 
>>> --
>>> Sent from Gmail Mobile
>>> 
>> 
> --
> Sent from Gmail Mobile
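The mismatch Bryan and Andy describe can be checked mechanically before restarting. The following Python script is an added example, not code from the thread or from the NiFi project: it reads the user-identity properties out of authorizers.xml, takes the identity NiFi actually derived from the client certificate from the "Authentication success for" line in nifi-user.log, compares the two with the exact string match the file-based providers use, and lists the RDNs (here dc=example,dc=com) that are present in the configured identity but absent from the certificate DN. It also flags a users.xml that was already generated with the wrong identity, since NiFi only seeds the initial admin when it creates that file, which is why Bryan says to delete users.xml and authorizations.xml. The sample inputs are constructed inline from the files posted in the thread; the function names and the <authorizers> root wrapper are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, copied from the thread: the authorizers.xml fragment (wrapped in a root
# element so it parses), the generated users.xml, and the two relevant nifi-user.log lines.
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1"></property>
  </accessPolicyProvider>
</authorizers>"""

USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4" identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
  </users>
</tenants>"""

USER_LOG = """\
2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, OU=NIFI
2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
"""

# Only the user-identity properties are compared with the client certificate; "Node Identity N"
# names cluster nodes, not the admin, so it is deliberately left out of the check.
USER_IDENTITY_PROPERTY = re.compile(r"^(Initial Admin Identity|Initial User Identity \d+)$")


def authenticated_identity(user_log):
    """The identity NiFi derived from the client certificate, as logged by NiFiAuthenticationFilter."""
    m = re.search(r"Authentication success for (.+)$", user_log, re.MULTILINE)
    return m.group(1).strip() if m else None


def configured_identities(authorizers_xml):
    """{property name: value} for every non-empty user-identity property in authorizers.xml."""
    root = ET.fromstring(authorizers_xml)
    return {
        p.get("name"): p.text.strip()
        for p in root.iter("property")
        if USER_IDENTITY_PROPERTY.match(p.get("name", "")) and (p.text or "").strip()
    }


def rdns(dn):
    """Split a DN string into (attribute, value) RDNs, ignoring spacing and attribute-type case."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def extra_rdns(configured, cert_identity):
    """RDNs present in the configured identity but absent from the certificate DN."""
    return [r for r in rdns(configured) if r not in rdns(cert_identity)]


def audit(authorizers_xml, users_xml, user_log):
    """Return human-readable findings; an empty list means the identities line up."""
    cert_identity = authenticated_identity(user_log)
    findings = []
    for name, value in configured_identities(authorizers_xml).items():
        if value != cert_identity:  # the file providers compare the strings exactly (case and spacing)
            extra = ", ".join(f"{a}={v}" for a, v in extra_rdns(value, cert_identity))
            findings.append(f"{name} '{value}' != certificate identity '{cert_identity}'"
                            + (f" (extra RDNs: {extra})" if extra else ""))
    known = {u.get("identity") for u in ET.fromstring(users_xml).iter("user")}
    if cert_identity not in known:
        findings.append("users.xml has no user for the certificate identity; NiFi only seeds the initial "
                        "admin when it creates users.xml/authorizations.xml, so delete both before restarting")
    return findings


def fix_identities(authorizers_xml, cert_identity):
    """Rewrite every non-empty user-identity property to the exact certificate identity string."""
    root = ET.fromstring(authorizers_xml)
    for p in root.iter("property"):
        if USER_IDENTITY_PROPERTY.match(p.get("name", "")) and (p.text or "").strip():
            p.text = cert_identity
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(AUTHORIZERS_XML, USERS_XML, USER_LOG):
        print("FINDING:", finding)
    print(fix_identities(AUTHORIZERS_XML, authenticated_identity(USER_LOG)))
```

Run as-is it reports three findings for the posted configuration (two identity mismatches, each with the extra DC RDNs, plus the stale users.xml); point the constants at a real conf directory and log to audit a live install. The RDN split is deliberately tolerant of case and spacing because it only explains the difference; the comparison that decides pass or fail stays exact, because that is how the thread (and the log line "Unknown user with identity 'CN=TC, OU=NIFI'") shows NiFi looking identities up.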


Re: setting up secure nifi

Posted by Andy LoPresto <al...@apache.org>.
Hi Anil,

In addition to Bryan’s explanation, there are a number of blog posts and articles covering this topic:

* Authorization and Multi-Tenancy by Bryan Bende [1]
* Secured Cluster Setup by Pierre Villard [2]
* TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
* Initial Admin Identity section of Apache NiFi Admin Guide [4]
* Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
* Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan Rosander [6]

The sequence “dc=example,dc=com” in your current user DN (Distinguished Name) is incorrect and not present in the DN of the certificate. I imagine you copied this from an example posted online. “dc=“ is a sequence used in DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com” would be the parent DN. But when you generated the certificate, you did not provide this information, so the DNs do not match, and NiFi correctly asserts that this is not a valid certificate identifying the user DN you specified in your XML files. Removing “dc=example,dc=com” from that definition as Bryan suggested will resolve your issue.

[1] https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy <https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy>
[2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/ <https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/>
[3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit <https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit>
[4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity <https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity>
[5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html <https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html>
[6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html <https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html>
[7] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Directory_structure <https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Directory_structure>

Andy LoPresto
alopresto@apache.org <ma...@apache.org>
alopresto.apache@gmail.com <ma...@gmail.com>
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jan 31, 2018, at 7:32 PM, Bryan Bende <bbende@gmail.com <ma...@gmail.com>> wrote:
> 
> It’s the same problem, your initial admin should be:
> 
> CN=TC, OU=NIFI
> 
> Not
> 
> CN=TC,OU=NIFI,dc=example,dc=com
> 
> The first one is the DN of your client cert, the second one is not.
> 
> On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <anilrainifi@gmail.com <ma...@gmail.com>> wrote:
> 
>> Hi Bryan,
>> 
>> Thanks for the quick reply. I did followed your steps. But I am seeing the
>> same error.
>> Now the entry looks like
>>        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
>> dc=com</property>
>> 
>> Also what does dc stand for after CN and OU. Is that a problem.
>> Is there a blog that talks about installing and making it https using
>> toolkit?. I did not find any good post that talks end to end from
>> installing to making it secure using tls toolkit.
>> 
>> Any help is appreciated.
>> 
>> Thanks
>> Anil
>> 
>> 
>> 
>> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <bbende@gmail.com <ma...@gmail.com>> wrote:
>> 
>>> Hello,
>>> 
>>> The identity in authorizers.xml for your initial admin does not match the
>>> identity of your client cert.
>>> 
>>> You should be putting “CN=TC, OU=NIFI” as the initial admin because that
>> is
>>> the DN of your client cert.
>>> 
>>> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
>>> authorizations.xml, and start back up.
>>> 
>>> Thanks,
>>> 
>>> Bryan
>>> 
>>> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <anilrainifi@gmail.com <ma...@gmail.com>> wrote:
>>> 
>>>> All,
>>>> 
>>>> I am trying to install nifi 1.5 and making it https. Below is the steps
>>>> followed and the error i am getting. Below is the config and log files
>>>> content. Please help
>>>> 
>>>> 1. Installed nifi 1.5
>>>> 2. Installed nifi toolkit 1.5
>>>> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
>>>> 'CN=TC,OU=NIFI' -O -o ../security_output
>>>> 4. Copied generated keystore, truststore and nifi properties to
>>> nifi/config
>>>> folder
>>>> 5. Imported the generated certificate to chrome browser
>>>> 6. Modified authorizers.xml as attached.
>>>> 7. With required restarts. Now when i enter the below url in the
>>> browser, I
>>>> see the below error.
>>>> 
>>>> https://localhost:9443/nifi/ <https://localhost:9443/nifi/>
>>>> 
>>>> Insufficient Permissions
>>>> 
>>>>   - home
>>>> 
>>>> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
>>>> administrator.
>>>> 
>>>> 
>>>> authorizers.xml
>>>> --------------------
>>>>    <userGroupProvider>
>>>>        <identifier>file-user-group-provider</identifier>
>>>>        <class>org.apache.nifi.authorization.
>>> FileUserGroupProvider</class>
>>>>        <property name="Users File">./conf/users.xml</property>
>>>>        <property name="Legacy Authorized Users File"></property>
>>>> 
>>>>        <property name="Initial User Identity
>>>> 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>>>    </userGroupProvider>
>>>> 
>>>>    <accessPolicyProvider>
>>>>        <identifier>file-access-policy-provider</identifier>
>>>> 
>>>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>>>        <property name="User Group
>>>> Provider">file-user-group-provider</property>
>>>>        <property name="Authorizations
>>>> File">./conf/authorizations.xml</property>
>>>>        <property name="Initial Admin
>>>> Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>>>        <property name="Legacy Authorized Users File"></property>
>>>> 
>>>>        <property name="Node Identity 1"></property>
>>>>    </accessPolicyProvider>
>>>> ------------------------
>>>> 
>>>> nifi-user.log
>>>> -----------------------
>>>> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
>>> Creating
>>>> new users file at
>>>> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
>>>> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
>>>> Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
>>>> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
>>>> Creating new authorizations file at
>>>> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
>>> authorizations.xml
>>>> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
>>>> Populating authorizations for Initial Admin:
>>>> cn=TC,ou=NIFI,dc=example,dc=com
>>>> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
>>>> Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
>>>> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
>>>> o.a.n.w.a.c.IllegalStateExceptionMapper
>> java.lang.IllegalStateException:
>>>> Kerberos ticket login not supported by this NiFi.. Returning Conflict
>>>> response.
>>>> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
>>>> o.a.n.w.a.c.IllegalStateExceptionMapper
>> java.lang.IllegalStateException:
>>>> OpenId Connect is not configured.. Returning Conflict response.
>>>> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
>>>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
>>> OU=NIFI)
>>>> GET https://localhost:9443/nifi-api/flow/current-user <https://localhost:9443/nifi-api/flow/current-user> (source ip:
>>>> 127.0.0.1)
>>>> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
>>>> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
>>>> OU=NIFI
>>>> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
>>>> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
>>> groups[]
>>>> does not have permission to access the requested resource. Unknown user
>>>> with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
>>>> ------------------------------
>>>> 
>>>> Generated users.xml
>>>> --------------------------------
>>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>>> <tenants>
>>>>    <groups/>
>>>>    <users>
>>>>        <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
>>>> identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>>>>    </users>
>>>> </tenants>
>>>> --------------------------------
>>>> 
>>>> Generated authorizations.xml
>>>> --------------------------
>>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>>> <authorizations>
>>>>    <policies>
>>>>        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>>>> resource="/flow" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
>>>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>> action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
>>>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>> action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
>>>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>> action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
>>>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>> action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>>>> resource="/restricted-components" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>>>> resource="/tenants" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>>>> resource="/tenants" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>>>> resource="/policies" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>>>> resource="/policies" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>>>> resource="/controller" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>>>> resource="/controller" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>    </policies>
>>>> </authorizations>
>>>> ------------------------------------
>>>> 
>>>> nifi.properties
>>>> ----------------------------
>>>> # web properties #
>>>> nifi.web.war.directory=./lib
>>>> nifi.web.http.host=
>>>> nifi.web.http.port=
>>>> nifi.web.http.network.interface.default=
>>>> nifi.web.https.host=localhost
>>>> nifi.web.https.port=9443
>>>> nifi.web.https.network.interface.default=
>>>> nifi.web.jetty.working.directory=./work/jetty
>>>> nifi.web.jetty.threads=200
>>>> nifi.web.max.header.size=16 KB
>>>> nifi.web.proxy.context.path=
>>>> 
>>>> # security properties #
>>>> nifi.sensitive.props.key=
>>>> nifi.sensitive.props.key.protected=
>>>> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
>>>> nifi.sensitive.props.provider=BC
>>>> nifi.sensitive.props.additional.keys=
>>>> 
>>>> nifi.security.keystore=./conf/keystore.jks
>>>> nifi.security.keystoreType=jks
>>>> 
>>>> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>>> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>>> nifi.security.truststore=./conf/truststore.jks
>>>> nifi.security.truststoreType=jks
>>>> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3ZHZyqI4
>>>> nifi.security.needClientAuth=
>>>> nifi.security.user.authorizer=managed-authorizer
>>>> nifi.security.user.login.identity.provider=
>>>> nifi.security.ocsp.responder.url=
>>>> nifi.security.ocsp.responder.certificate=
>>>> ----------------------
>>>> 
>>>> 
>>>> 
>>>> Please help.
>>>> 
>>>> Regards
>>>> Anil
>>>> 
>>> --
>>> Sent from Gmail Mobile
>>> 
>> 
> --
> Sent from Gmail Mobile
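The error quoted in this thread ("Unknown user with identity 'CN=TC, OU=NIFI'") comes from NiFi's file-based user/group and access-policy providers looking the authenticated identity up by exact string: no trimming around commas, no case folding. As an added example (not code from the thread or from the NiFi project), the script below takes the DN that nifi-user.log reports for the client certificate and the identities configured in authorizers.xml, reports whether they are identical, differ only cosmetically, or name different subjects (the dc=example,dc=com case here), and rewrites the properties to the exact DN. The authorizers.xml and log text are constructed from what was posted; the <authorizers> root element and the unwrapped log lines are assumptions.

```python
"""Diagnose NiFi's "Unknown user with identity ..." by comparing the identity
that authenticated (from nifi-user.log) with the identity configured in
authorizers.xml. NiFi compares the two strings exactly; the DN parsing below
only serves to explain what kind of difference was found.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the authorizers.xml fragment from the thread, wrapped in
# a root element (the real file has one) so that it parses as a document.
AUTHORIZERS_XML = """<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
</authorizers>
"""

# Constructed sample: the two relevant nifi-user.log lines from the thread, unwrapped.
NIFI_USER_LOG = """\
2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, OU=NIFI
2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
"""

IDENTITY_PROPERTIES = ("Initial Admin Identity", "Initial User Identity", "Node Identity")


def configured_identities(xml_text):
    """Return {property name: value} for every identity property that is non-empty."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.text for p in root.iter("property")
            if p.get("name", "").startswith(IDENTITY_PROPERTIES) and p.text}


def authenticated_identities(log_text):
    """Identities that passed client-certificate authentication, per the log."""
    return re.findall(r"Authentication success for (.+?)\s*$", log_text, re.M)


def parse_dn(dn):
    """Split an RFC 4514 string DN into [(type, value), ...], most specific first.

    Backslash escapes are honoured when splitting, so 'CN=Rai\\, Anil' stays one
    RDN. Attribute types are case-insensitive and lower-cased; values are kept
    verbatim. Multi-valued RDNs ('+') are not handled.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr_type, value = rdn.split("=", 1)
        parsed.append((attr_type.strip().lower(), value.strip()))
    return parsed


def diagnose(authenticated, configured):
    """'exact': identical strings, NiFi accepts the user.
    'cosmetic': same RDNs but different spacing or type case; NiFi still rejects
    it because the lookup is a plain string compare.
    'structural': different RDN sequence; the strings name different subjects."""
    if authenticated == configured:
        return "exact"
    if parse_dn(authenticated) == parse_dn(configured):
        return "cosmetic"
    return "structural"


def extra_rdns(authenticated, configured):
    """RDNs present in the configured identity but absent from the cert DN."""
    seen = parse_dn(authenticated)
    return [rdn for rdn in parse_dn(configured) if rdn not in seen]


def fix_authorizers(xml_text, identity):
    """Rewrite every Initial Admin/User Identity property to the exact cert DN.

    NiFi seeds users.xml and authorizations.xml from these properties only when
    those files do not exist, so they must still be deleted before restarting.
    """
    root = ET.fromstring(xml_text)
    for p in root.iter("property"):
        if p.get("name", "").startswith(IDENTITY_PROPERTIES[:2]):
            p.text = identity
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    cert_dn = authenticated_identities(NIFI_USER_LOG)[0]
    for name, value in configured_identities(AUTHORIZERS_XML).items():
        print(name, diagnose(cert_dn, value), extra_rdns(cert_dn, value))
    print(fix_authorizers(AUTHORIZERS_XML, cert_dn))
```

Run against the posted configuration it reports both identity properties as "structural" with the extra RDNs dc=example and dc=com; against the corrected value without them it would report "cosmetic" for CN=TC,OU=NIFI (no space after the comma) and "exact" only for CN=TC, OU=NIFI, which is why the DN has to be copied exactly as the log prints it.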


Re: setting up secure nifi

Posted by Matt Burgess <ma...@apache.org>.
They work for me, perhaps there was a connectivity issue or something?

On Thu, Feb 1, 2018 at 10:56 AM, Anil Rai <an...@gmail.com> wrote:
> The links below do not work. Have they moved somewhere else?
>
> https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
> https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
> https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html
>
> Thanks
> Anil

Re: setting up secure nifi

Posted by Anil Rai <an...@gmail.com>.
The links below do not work. Have they moved somewhere else?

https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html

Thanks
Anil

On Thu, Feb 1, 2018 at 10:35 AM, Anil Rai <an...@gmail.com> wrote:

> Thanks Andy. It did resolve my issue. I got it working.
> Thanks again for all the links. Very helpful.
>
> Cheers
> Anil
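The fix agreed in this thread is to paste the certificate's DN, character for character, into authorizers.xml. As an added example that goes beyond the thread (it is neither the thread's nor NiFi's own code), the script below shows the mechanism NiFi 1.x offers for the same problem: nifi.properties can carry a regular-expression pattern and a value template, nifi.security.identity.mapping.pattern.<key> and nifi.security.identity.mapping.value.<key> (property names as documented in the NiFi Administration Guide), which rewrite the authenticated DN before it is compared with users.xml. The property values, the constructed input identities and the first-match evaluation order used here are assumptions of this example.

```python
"""NiFi identity mapping: derive a short, stable NiFi identity from the client
certificate DN instead of copying the whole DN into authorizers.xml.
The property names are the documented ones; the values, the sample inputs and
the evaluation order are assumptions made for this example.
"""
import re

# Constructed nifi.properties fragment (assumed values, not from the thread).
# A pattern is matched against the whole authenticated identity and $1, $2 in
# the value refer to its capture groups. Keeping the OU in the result avoids
# collapsing CN=TC from two different OUs into one NiFi identity.
NIFI_PROPERTIES = """\
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.value.dn=$1@$2
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
"""

MAPPING_PREFIX = "nifi.security.identity.mapping."


def load_mappings(properties_text):
    """Pair every ...pattern.<key> with its ...value.<key>, keeping file order."""
    props = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' separates key and value
            props[key.strip()] = value
    mappings = {}
    for key, pattern in props.items():
        if key.startswith(MAPPING_PREFIX + "pattern."):
            name = key[len(MAPPING_PREFIX + "pattern."):]
            template = props.get(MAPPING_PREFIX + "value." + name)
            if template is None:
                raise ValueError(f"identity mapping '{name}' has a pattern but no value")
            mappings[name] = (re.compile(pattern), template)
    return mappings


def map_identity(identity, mappings):
    """Return the identity NiFi would look up in users.xml.

    The first mapping whose pattern matches the entire identity wins and its
    template is expanded with $n group references. An identity that no pattern
    matches is used unchanged, so a mistyped pattern silently falls back to the
    raw DN and the lookup fails exactly as it did in this thread.
    """
    for name, (pattern, template) in mappings.items():
        match = pattern.fullmatch(identity)
        if match:
            return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)
    return identity


if __name__ == "__main__":
    mappings = load_mappings(NIFI_PROPERTIES)
    for dn in ("CN=TC, OU=NIFI", "CN=TC,OU=NIFI", "anil@EXAMPLE.COM"):
        print(f"{dn!r} -> {map_identity(dn, mappings)!r}")
```

With this mapping in place the Initial Admin Identity in authorizers.xml would be TC@NIFI rather than the raw DN; the generated users.xml and authorizations.xml still have to be deleted before the restart, as the thread notes, because the initial admin is only seeded when they are absent. Note that a DN written without the space after the comma (CN=TC,OU=NIFI) matches no pattern and is passed through unchanged, so the pattern must be written against the DN exactly as nifi-user.log prints it.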

Re: setting up secure nifi

Posted by Anil Rai <an...@gmail.com>.
Thanks Andy. It did resolve my issue. I got it working.
Thanks again for all the links. Very helpful.

Cheers
Anil


On Thu, Feb 1, 2018 at 10:14 AM, Andy LoPresto <al...@apache.org> wrote:

> Hi Anil,
>
> In addition to Bryan’s explanation, there are a number of blog posts and
> articles covering this topic:
>
> * Authorization and Multi-Tenancy by Bryan Bende [1]
> * Secured Cluster Setup by Pierre Villard [2]
> * TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
> * Initial Admin Identity section of Apache NiFi Admin Guide [4]
> * Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
> * Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan
> Rosander [6]
>
> The sequence “dc=example,dc=com” in your current user DN (Distinguished
> Name) is incorrect and not present in the DN of the certificate. I imagine
> you copied this from an example posted online. “dc=” is a sequence used in
> DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is
> the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com”
> would be the parent DN. But when you generated the certificate, you did not
> provide this information, so the DNs do not match, and NiFi correctly
> asserts that this is not a valid certificate identifying the user DN you
> specified in your XML files. Removing “dc=example,dc=com” from that
> definition as Bryan suggested will resolve your issue.
>
> [1] https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
> [2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
> [3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
> [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity
> [5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
> [6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html
> [7] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Directory_structure
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com <al...@gmail.com>
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>

Re: setting up secure nifi

Posted by Andy LoPresto <al...@apache.org>.
Hi Anil,

In addition to Bryan’s explanation, there are a number of blog posts and articles covering this topic:

* Authorization and Multi-Tenancy by Bryan Bende [1]
* Secured Cluster Setup by Pierre Villard [2]
* TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
* Initial Admin Identity section of Apache NiFi Admin Guide [4]
* Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
* Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan Rosander [6]

The sequence “dc=example,dc=com” in your current user DN (Distinguished Name) is incorrect and not present in the DN of the certificate. I imagine you copied this from an example posted online. “dc=” is a sequence used in DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com” would be the parent DN. But when you generated the certificate, you did not provide this information, so the DNs do not match, and NiFi correctly asserts that this is not a valid certificate identifying the user DN you specified in your XML files. Removing “dc=example,dc=com” from that definition as Bryan suggested will resolve your issue.

[1] https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
[2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
[3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
[4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity
[5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
[6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html
[7] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Directory_structure

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

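
The comparison Bryan and Andy describe (the identity in authorizers.xml must equal the certificate DN exactly, including case and the space after each comma) can be checked mechanically. The script below is an added illustration, not code from this thread or from NiFi: it reads the identity NiFi itself logged in nifi-user.log, compares it with every identity property in authorizers.xml, and names each difference. It assumes no identity mappings (nifi.security.identity.mapping.*) are configured, so NiFi compares the raw strings, and that the log line format matches the one shown in the thread; the sample config and log lines are constructed from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the thread: the poster's authorizers.xml and the
# nifi-user.log lines showing which identity NiFi took from the client cert.
SAMPLE_AUTHORIZERS_XML = """\
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
</authorizers>
"""

SAMPLE_USER_LOG = """\
2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, OU=NIFI
2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
"""

# authorizers.xml properties whose value NiFi treats as a user or node identity
IDENTITY_PROPERTY_RE = re.compile(r"^(Initial Admin Identity|Initial User Identity \d+|Node Identity \d+)$")
# the line NiFi writes once the client certificate has been accepted (format as seen in the thread)
AUTH_SUCCESS_RE = re.compile(r"NiFiAuthenticationFilter Authentication success for (.+?)\s*$")

def authenticated_identity(log_text):
    """Return the identity from the last 'Authentication success' line, verbatim."""
    found = None
    for line in log_text.splitlines():
        match = AUTH_SUCCESS_RE.search(line)
        if match:
            found = match.group(1)
    return found

def configured_identities(xml_text):
    """Map each non-empty identity property in authorizers.xml to its value."""
    identities = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name", "")
        value = (prop.text or "").strip()
        if IDENTITY_PROPERTY_RE.match(name) and value:
            identities[name] = value
    return identities

def split_rdns(dn):
    """Split a DN into (attribute, value) pairs on unescaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns

def diagnose(configured, actual):
    """List the differences that stop `configured` matching NiFi's exact string compare."""
    if configured == actual:
        return []
    if configured.replace(" ", "") == actual.replace(" ", ""):
        return ["only the spacing around commas differs; copy the identity "
                f"verbatim from nifi-user.log: {actual!r}"]
    problems = []
    cfg, act = split_rdns(configured), split_rdns(actual)
    act_types = {attr.lower() for attr, _ in act}
    extra = [f"{a}={v}" for a, v in cfg if a.lower() not in act_types]
    if extra:  # e.g. dc=example,dc=com pasted from an LDAP example
        problems.append("configured identity has RDNs the certificate lacks: " + ",".join(extra))
    for (cfg_attr, cfg_val), (act_attr, act_val) in zip(cfg, act):
        if cfg_attr.lower() != act_attr.lower():
            continue
        if cfg_attr != act_attr:
            problems.append(f"attribute case differs: {cfg_attr!r} in config vs {act_attr!r} in certificate")
        if cfg_val != act_val:
            problems.append(f"value of {act_attr} differs: {cfg_val!r} in config vs {act_val!r} in certificate")
    return problems or [f"identities differ: {configured!r} vs {actual!r}"]

def check_authorizers(xml_text, log_text):
    """Return {property name: problems} for every identity configured in authorizers.xml."""
    actual = authenticated_identity(log_text)
    if actual is None:
        raise ValueError("no 'Authentication success for' line in nifi-user.log")
    return {name: diagnose(value, actual) for name, value in configured_identities(xml_text).items()}

if __name__ == "__main__":
    for name, problems in check_authorizers(SAMPLE_AUTHORIZERS_XML, SAMPLE_USER_LOG).items():
        print(name + ":", "OK" if not problems else "MISMATCH", *problems, sep="\n  ")
```

Run against real files by replacing the two sample strings with the contents of conf/authorizers.xml and logs/nifi-user.log; an empty list for every property means the identity will be recognised, and as Bryan notes the stale users.xml and authorizations.xml still have to be deleted before the corrected value is applied.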


Re: setting up secure nifi

Posted by Bryan Bende <bb...@gmail.com>.
It’s the same problem; your initial admin should be:

CN=TC, OU=NIFI

Not

CN=TC,OU=NIFI,dc=example,dc=com

The first one is the DN of your client cert, the second one is not.

-- 
Sent from Gmail Mobile

Re: setting up secure nifi

Posted by Anil Rai <an...@gmail.com>.
Hi Bryan,

Thanks for the quick reply. I did follow your steps, but I am seeing the
same error.
Now the entry looks like
        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,dc=com</property>

Also, what does dc stand for after CN and OU? Is that a problem?
Is there a blog that talks about installing NiFi and making it https using the
toolkit? I did not find any good post that talks end to end, from
installing to making it secure using the TLS toolkit.

Any help is appreciated.

Thanks
Anil



On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <bb...@gmail.com> wrote:

> Hello,
>
> The identity in authorizers.xml for your initial admin does not match the
> identity of your client cert.
>
> You should be putting “CN=TC, OU=NIFI” as the initial admin because that is
> the DN of your client cert.
>
> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
> authorizations.xml, and start back up.
>
> Thanks,
>
> Bryan
>

Re: setting up secure nifi

Posted by Bryan Bende <bb...@gmail.com>.
Hello,

The identity in authorizers.xml for your initial admin does not match the
identity of your client cert.

You should be putting “CN=TC, OU=NIFI” as the initial admin because that is
the DN of your client cert.

You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
authorizations.xml, and start back up.

Thanks,

Bryan

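As an added example (not NiFi code and not from anyone in this thread), a small Python check for the mismatch Bryan describes: it reads the Initial User/Admin Identity properties from an authorizers.xml fragment, classifies each against the DN NiFi logged for the client cert, and checks whether a users.xml entry equals that DN. The XML fragments and the DN are constructed from the snippets in the thread; any verdict other than "exact" is the situation that produced the "Unknown user with identity" response above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the authorizers.xml fragment in this thread (trimmed).
AUTHORIZERS_XML = """<authorizers>
    <userGroupProvider>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
    </accessPolicyProvider>
</authorizers>"""

# Constructed from the generated users.xml in this thread.
USERS_XML = """<tenants><groups/><users>
    <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4" identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
</users></tenants>"""

# The identity NiFi logged for the client certificate (from nifi-user.log).
CERT_DN = "CN=TC, OU=NIFI"


def configured_identities(xml_text):
    """Return {property name: value} for every Initial Admin/User Identity."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip() for p in root.iter("property")
            if re.fullmatch(r"Initial (Admin|User) Identity( \d+)?", p.get("name", ""))}


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs, ignoring spacing and attribute case.
    Escaped commas inside values are not handled; none occur in this thread."""
    return [(a.strip().upper(), v.strip())
            for a, _, v in (rdn.partition("=") for rdn in dn.split(","))]


def compare(cert_dn, configured):
    """'exact': identical string, the only form that worked in the thread.
    'loose': same RDNs but different case or spacing.
    'extra': configured value carries RDNs the cert lacks (the dc=... suffix here).
    'mismatch': anything else."""
    if cert_dn == configured:
        return "exact"
    a, b = parse_dn(cert_dn), parse_dn(configured)
    if a == b:
        return "loose"
    if len(b) > len(a) and b[:len(a)] == a:
        return "extra"
    return "mismatch"


def check(xml_text, cert_dn):
    """Verdict per Initial * Identity property in authorizers.xml."""
    return {name: compare(cert_dn, value)
            for name, value in configured_identities(xml_text).items()}


def user_known(users_xml, cert_dn):
    """True only if a <user identity=...> in users.xml equals the cert DN."""
    return any(u.get("identity") == cert_dn for u in ET.fromstring(users_xml).iter("user"))
```

Running `check(AUTHORIZERS_XML, CERT_DN)` on the thread's values reports "extra" for both properties and `user_known(USERS_XML, CERT_DN)` is False, which is why deleting users.xml and authorizations.xml after correcting the identity is needed: the generated files keep the old value.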