You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@nifi.apache.org by Etienne Jouvin <la...@gmail.com> on 2020/06/30 08:45:36 UTC
Need help SSL LDAP Nifi Registry
Hello all.
I am trying to setup LDAP authentication on NiFi Registry.
I followed some links, like
https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
But each time, it requires that a certificate is installed on client side.
I had this "problem" for NiFi but because I did not provided
the nifi.security.user.login.identity.provider
But for the registry, I remember that and did it.
For summary, what I have in nifi-registry.properties
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=password
nifi.registry.security.keyPasswd=password
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=password
(All of those informations were given by the tls-toolkit, when executed for
NiFi)
Then I put this
#nifi.registry.security.identity.provider=
nifi.registry.security.identity.provider=ldap-identity-provider
In the file identity-providers.xml
I setup the LDAP provider
<provider>
<identifier>ldap-identity-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">uid=admin,ou=system</property>
<property name="Manager Password">secret</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://localhost:10389</property>
<property name="User Search Base">ou=users,dc=test,dc=ch</property>
<property name="User Search Filter">uid={0}</property>
<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
And finally in authorizers.xml
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Initial User Identity 1">uid=firstuser,
ou=users,dc=test,dc=ch</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
<property name="User Group
Provider">file-user-group-provider</property>
<property name="Authorizations
File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity"> uid=firstuser,
ou=users,dc=test,dc=ch </property>
<property name="NiFi Group Name"></property>
<!--<property name="NiFi Identity 1"></property>-->
</accessPolicyProvider>
Starting Registry is OK.
But when I want to access throw Chrome, I have a certificate error
: ERR_BAD_SSL_CLIENT_AUTH_CERT
How can I force the authentication to not request a client side certificate
?
Thanks for any input.
Etienne Jouvin
Re: Need help SSL LDAP Nifi Registry
Posted by Etienne Jouvin <la...@gmail.com>.
Got it thanks to
https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-NiFi-to-Integrate-with-a-Secure-NiFi/ta-p/247765
Next steps would be to have NiFi and Registry on different hosts and see
how connections are made.
Le mar. 30 juin 2020 à 11:43, Etienne Jouvin <la...@gmail.com> a
écrit :
> But now, I have NiFi and Registry with secure access (LDAP + SSL)
>
> I need to find out how to configure the Registry in NiFi, because for now
> I did not have to specify login.
> And even if my first bucket is Public, it is not accessible from NiFi.
>
>
> Le mar. 30 juin 2020 à 11:29, Etienne Jouvin <la...@gmail.com> a
> écrit :
>
>> Hi Josef.
>>
>> No I did not try that.
>> And well done, with that I can access the UI, and can connect with LDAP
>> identity.
>>
>> Thanks a lot.
>>
>> Cheers
>>
>> Etienne
>>
>>
>>
>> Le mar. 30 juin 2020 à 11:15, <Jo...@swisscom.com> a écrit :
>>
>>> Hi Etienne
>>>
>>>
>>>
>>> Did you tried the following in «nifi-registry.properties»:
>>>
>>> nifi.registry.security.needClientAuth=false
>>>
>>>
>>>
>>> Cheers Josef
>>>
>>>
>>>
>>>
>>>
>>> *From: *Etienne Jouvin <la...@gmail.com>
>>> *Reply to: *"users@nifi.apache.org" <us...@nifi.apache.org>
>>> *Date: *Tuesday, 30 June 2020 at 10:46
>>> *To: *"users@nifi.apache.org" <us...@nifi.apache.org>
>>> *Subject: *Need help SSL LDAP Nifi Registry
>>>
>>>
>>>
>>> Hello all.
>>>
>>>
>>>
>>> I am trying to setup LDAP authentication on NiFi Registry.
>>>
>>> I followed some links, like
>>> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>>>
>>>
>>>
>>> But each time, it requires that a certificate is installed on client
>>> side. I had this "problem" for NiFi but because I did not provided
>>> the nifi.security.user.login.identity.provider
>>>
>>>
>>>
>>> But for the registry, I remember that and did it.
>>>
>>>
>>>
>>> For summary, what I have in nifi-registry.properties
>>>
>>> nifi.registry.security.keystore=./conf/keystore.jks
>>> nifi.registry.security.keystoreType=jks
>>> nifi.registry.security.keystorePasswd=password
>>> nifi.registry.security.keyPasswd=password
>>> nifi.registry.security.truststore=./conf/truststore.jks
>>> nifi.registry.security.truststoreType=jks
>>> nifi.registry.security.truststorePasswd=password
>>>
>>>
>>>
>>> (All of those informations were given by the tls-toolkit, when executed
>>> for NiFi)
>>>
>>> Then I put this
>>>
>>> #nifi.registry.security.identity.provider=
>>> nifi.registry.security.identity.provider=ldap-identity-provider
>>>
>>>
>>>
>>> In the file identity-providers.xml
>>>
>>> I setup the LDAP provider
>>>
>>> <provider>
>>> <identifier>ldap-identity-provider</identifier>
>>>
>>> <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>>> <property name="Authentication Strategy">SIMPLE</property>
>>>
>>> <property name="Manager DN">uid=admin,ou=system</property>
>>> <property name="Manager Password">secret</property>
>>>
>>> <property name="TLS - Keystore"></property>
>>> <property name="TLS - Keystore Password"></property>
>>> <property name="TLS - Keystore Type"></property>
>>> <property name="TLS - Truststore"></property>
>>> <property name="TLS - Truststore Password"></property>
>>> <property name="TLS - Truststore Type"></property>
>>> <property name="TLS - Client Auth"></property>
>>> <property name="TLS - Protocol"></property>
>>> <property name="TLS - Shutdown Gracefully"></property>
>>>
>>> <property name="Referral Strategy">FOLLOW</property>
>>> <property name="Connect Timeout">10 secs</property>
>>> <property name="Read Timeout">10 secs</property>
>>>
>>> <property name="Url">ldap://localhost:10389</property>
>>> <property name="User Search
>>> Base">ou=users,dc=test,dc=ch</property>
>>> <property name="User Search Filter">uid={0}</property>
>>>
>>> <property name="Identity Strategy">USE_DN</property>
>>> <property name="Authentication Expiration">12 hours</property>
>>> </provider>
>>>
>>>
>>>
>>> And finally in authorizers.xml
>>>
>>> <userGroupProvider>
>>> <identifier>file-user-group-provider</identifier>
>>>
>>> <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>>> <property name="Users File">./conf/users.xml</property>
>>> <property name="Initial User Identity 1">uid=firstuser,
>>> ou=users,dc=test,dc=ch</property>
>>> </userGroupProvider>
>>>
>>>
>>>
>>> <accessPolicyProvider>
>>> <identifier>file-access-policy-provider</identifier>
>>>
>>> <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>>> <property name="User Group
>>> Provider">file-user-group-provider</property>
>>> <property name="Authorizations
>>> File">./conf/authorizations.xml</property>
>>> <property name="Initial Admin Identity"> uid=firstuser,
>>> ou=users,dc=test,dc=ch </property>
>>> <property name="NiFi Group Name"></property>
>>>
>>> <!--<property name="NiFi Identity 1"></property>-->
>>> </accessPolicyProvider>
>>>
>>>
>>>
>>>
>>>
>>> Starting Registry is OK.
>>>
>>>
>>>
>>> But when I want to access throw Chrome, I have a certificate error
>>> : ERR_BAD_SSL_CLIENT_AUTH_CERT
>>>
>>>
>>>
>>> How can I force the authentication to not request a client side
>>> certificate ?
>>>
>>>
>>>
>>> Thanks for any input.
>>>
>>>
>>>
>>> Etienne Jouvin
>>>
>>>
>>>
>>
Re: Need help SSL LDAP Nifi Registry
Posted by Etienne Jouvin <la...@gmail.com>.
But now, I have NiFi and Registry with secure access (LDAP + SSL)
I need to find out how to configure the Registry in NiFi, because for now I
did not have to specify login.
And even if my first bucket is Public, it is not accessible from NiFi.
Le mar. 30 juin 2020 à 11:29, Etienne Jouvin <la...@gmail.com> a
écrit :
> Hi Josef.
>
> No I did not try that.
> And well done, with that I can access the UI, and can connect with LDAP
> identity.
>
> Thanks a lot.
>
> Cheers
>
> Etienne
>
>
>
> Le mar. 30 juin 2020 à 11:15, <Jo...@swisscom.com> a écrit :
>
>> Hi Etienne
>>
>>
>>
>> Did you tried the following in «nifi-registry.properties»:
>>
>> nifi.registry.security.needClientAuth=false
>>
>>
>>
>> Cheers Josef
>>
>>
>>
>>
>>
>> *From: *Etienne Jouvin <la...@gmail.com>
>> *Reply to: *"users@nifi.apache.org" <us...@nifi.apache.org>
>> *Date: *Tuesday, 30 June 2020 at 10:46
>> *To: *"users@nifi.apache.org" <us...@nifi.apache.org>
>> *Subject: *Need help SSL LDAP Nifi Registry
>>
>>
>>
>> Hello all.
>>
>>
>>
>> I am trying to setup LDAP authentication on NiFi Registry.
>>
>> I followed some links, like
>> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>>
>>
>>
>> But each time, it requires that a certificate is installed on client
>> side. I had this "problem" for NiFi but because I did not provided
>> the nifi.security.user.login.identity.provider
>>
>>
>>
>> But for the registry, I remember that and did it.
>>
>>
>>
>> For summary, what I have in nifi-registry.properties
>>
>> nifi.registry.security.keystore=./conf/keystore.jks
>> nifi.registry.security.keystoreType=jks
>> nifi.registry.security.keystorePasswd=password
>> nifi.registry.security.keyPasswd=password
>> nifi.registry.security.truststore=./conf/truststore.jks
>> nifi.registry.security.truststoreType=jks
>> nifi.registry.security.truststorePasswd=password
>>
>>
>>
>> (All of those informations were given by the tls-toolkit, when executed
>> for NiFi)
>>
>> Then I put this
>>
>> #nifi.registry.security.identity.provider=
>> nifi.registry.security.identity.provider=ldap-identity-provider
>>
>>
>>
>> In the file identity-providers.xml
>>
>> I setup the LDAP provider
>>
>> <provider>
>> <identifier>ldap-identity-provider</identifier>
>>
>> <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
>> <property name="Authentication Strategy">SIMPLE</property>
>>
>> <property name="Manager DN">uid=admin,ou=system</property>
>> <property name="Manager Password">secret</property>
>>
>> <property name="TLS - Keystore"></property>
>> <property name="TLS - Keystore Password"></property>
>> <property name="TLS - Keystore Type"></property>
>> <property name="TLS - Truststore"></property>
>> <property name="TLS - Truststore Password"></property>
>> <property name="TLS - Truststore Type"></property>
>> <property name="TLS - Client Auth"></property>
>> <property name="TLS - Protocol"></property>
>> <property name="TLS - Shutdown Gracefully"></property>
>>
>> <property name="Referral Strategy">FOLLOW</property>
>> <property name="Connect Timeout">10 secs</property>
>> <property name="Read Timeout">10 secs</property>
>>
>> <property name="Url">ldap://localhost:10389</property>
>> <property name="User Search
>> Base">ou=users,dc=test,dc=ch</property>
>> <property name="User Search Filter">uid={0}</property>
>>
>> <property name="Identity Strategy">USE_DN</property>
>> <property name="Authentication Expiration">12 hours</property>
>> </provider>
>>
>>
>>
>> And finally in authorizers.xml
>>
>> <userGroupProvider>
>> <identifier>file-user-group-provider</identifier>
>>
>> <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
>> <property name="Users File">./conf/users.xml</property>
>> <property name="Initial User Identity 1">uid=firstuser,
>> ou=users,dc=test,dc=ch</property>
>> </userGroupProvider>
>>
>>
>>
>> <accessPolicyProvider>
>> <identifier>file-access-policy-provider</identifier>
>>
>> <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
>> <property name="User Group
>> Provider">file-user-group-provider</property>
>> <property name="Authorizations
>> File">./conf/authorizations.xml</property>
>> <property name="Initial Admin Identity"> uid=firstuser,
>> ou=users,dc=test,dc=ch </property>
>> <property name="NiFi Group Name"></property>
>>
>> <!--<property name="NiFi Identity 1"></property>-->
>> </accessPolicyProvider>
>>
>>
>>
>>
>>
>> Starting Registry is OK.
>>
>>
>>
>> But when I want to access throw Chrome, I have a certificate error
>> : ERR_BAD_SSL_CLIENT_AUTH_CERT
>>
>>
>>
>> How can I force the authentication to not request a client side
>> certificate ?
>>
>>
>>
>> Thanks for any input.
>>
>>
>>
>> Etienne Jouvin
>>
>>
>>
>
Re: Need help SSL LDAP Nifi Registry
Posted by Etienne Jouvin <la...@gmail.com>.
Hi Josef.
No I did not try that.
And well done, with that I can access the UI, and can connect with LDAP
identity.
Thanks a lot.
Cheers
Etienne
Le mar. 30 juin 2020 à 11:15, <Jo...@swisscom.com> a écrit :
> Hi Etienne
>
>
>
> Did you tried the following in «nifi-registry.properties»:
>
> nifi.registry.security.needClientAuth=false
>
>
>
> Cheers Josef
>
>
>
>
>
> *From: *Etienne Jouvin <la...@gmail.com>
> *Reply to: *"users@nifi.apache.org" <us...@nifi.apache.org>
> *Date: *Tuesday, 30 June 2020 at 10:46
> *To: *"users@nifi.apache.org" <us...@nifi.apache.org>
> *Subject: *Need help SSL LDAP Nifi Registry
>
>
>
> Hello all.
>
>
>
> I am trying to setup LDAP authentication on NiFi Registry.
>
> I followed some links, like
> https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
>
>
>
> But each time, it requires that a certificate is installed on client side.
> I had this "problem" for NiFi but because I did not provided
> the nifi.security.user.login.identity.provider
>
>
>
> But for the registry, I remember that and did it.
>
>
>
> For summary, what I have in nifi-registry.properties
>
> nifi.registry.security.keystore=./conf/keystore.jks
> nifi.registry.security.keystoreType=jks
> nifi.registry.security.keystorePasswd=password
> nifi.registry.security.keyPasswd=password
> nifi.registry.security.truststore=./conf/truststore.jks
> nifi.registry.security.truststoreType=jks
> nifi.registry.security.truststorePasswd=password
>
>
>
> (All of those informations were given by the tls-toolkit, when executed
> for NiFi)
>
> Then I put this
>
> #nifi.registry.security.identity.provider=
> nifi.registry.security.identity.provider=ldap-identity-provider
>
>
>
> In the file identity-providers.xml
>
> I setup the LDAP provider
>
> <provider>
> <identifier>ldap-identity-provider</identifier>
>
> <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
> <property name="Authentication Strategy">SIMPLE</property>
>
> <property name="Manager DN">uid=admin,ou=system</property>
> <property name="Manager Password">secret</property>
>
> <property name="TLS - Keystore"></property>
> <property name="TLS - Keystore Password"></property>
> <property name="TLS - Keystore Type"></property>
> <property name="TLS - Truststore"></property>
> <property name="TLS - Truststore Password"></property>
> <property name="TLS - Truststore Type"></property>
> <property name="TLS - Client Auth"></property>
> <property name="TLS - Protocol"></property>
> <property name="TLS - Shutdown Gracefully"></property>
>
> <property name="Referral Strategy">FOLLOW</property>
> <property name="Connect Timeout">10 secs</property>
> <property name="Read Timeout">10 secs</property>
>
> <property name="Url">ldap://localhost:10389</property>
> <property name="User Search Base">ou=users,dc=test,dc=ch</property>
> <property name="User Search Filter">uid={0}</property>
>
> <property name="Identity Strategy">USE_DN</property>
> <property name="Authentication Expiration">12 hours</property>
> </provider>
>
>
>
> And finally in authorizers.xml
>
> <userGroupProvider>
> <identifier>file-user-group-provider</identifier>
>
> <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
> <property name="Users File">./conf/users.xml</property>
> <property name="Initial User Identity 1">uid=firstuser,
> ou=users,dc=test,dc=ch</property>
> </userGroupProvider>
>
>
>
> <accessPolicyProvider>
> <identifier>file-access-policy-provider</identifier>
>
> <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
> <property name="User Group
> Provider">file-user-group-provider</property>
> <property name="Authorizations
> File">./conf/authorizations.xml</property>
> <property name="Initial Admin Identity"> uid=firstuser,
> ou=users,dc=test,dc=ch </property>
> <property name="NiFi Group Name"></property>
>
> <!--<property name="NiFi Identity 1"></property>-->
> </accessPolicyProvider>
>
>
>
>
>
> Starting Registry is OK.
>
>
>
> But when I want to access throw Chrome, I have a certificate error
> : ERR_BAD_SSL_CLIENT_AUTH_CERT
>
>
>
> How can I force the authentication to not request a client side
> certificate ?
>
>
>
> Thanks for any input.
>
>
>
> Etienne Jouvin
>
>
>
Re: Need help SSL LDAP Nifi Registry
Posted by Jo...@swisscom.com.
Hi Etienne
Did you tried the following in «nifi-registry.properties»:
nifi.registry.security.needClientAuth=false
Cheers Josef
From: Etienne Jouvin <la...@gmail.com>
Reply to: "users@nifi.apache.org" <us...@nifi.apache.org>
Date: Tuesday, 30 June 2020 at 10:46
To: "users@nifi.apache.org" <us...@nifi.apache.org>
Subject: Need help SSL LDAP Nifi Registry
Hello all.
I am trying to setup LDAP authentication on NiFi Registry.
I followed some links, like https://community.cloudera.com/t5/Community-Articles/Setting-Up-a-Secure-Apache-NiFi-Registry/ta-p/247753
But each time, it requires that a certificate is installed on client side. I had this "problem" for NiFi but because I did not provided the nifi.security.user.login.identity.provider
But for the registry, I remember that and did it.
For summary, what I have in nifi-registry.properties
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=password
nifi.registry.security.keyPasswd=password
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=password
(All of those informations were given by the tls-toolkit, when executed for NiFi)
Then I put this
#nifi.registry.security.identity.provider=
nifi.registry.security.identity.provider=ldap-identity-provider
In the file identity-providers.xml
I setup the LDAP provider
<provider>
<identifier>ldap-identity-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
<property name="Authentication Strategy">SIMPLE</property>
<property name="Manager DN">uid=admin,ou=system</property>
<property name="Manager Password">secret</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password"></property>
<property name="TLS - Keystore Type"></property>
<property name="TLS - Truststore"></property>
<property name="TLS - Truststore Password"></property>
<property name="TLS - Truststore Type"></property>
<property name="TLS - Client Auth"></property>
<property name="TLS - Protocol"></property>
<property name="TLS - Shutdown Gracefully"></property>
<property name="Referral Strategy">FOLLOW</property>
<property name="Connect Timeout">10 secs</property>
<property name="Read Timeout">10 secs</property>
<property name="Url">ldap://localhost:10389</property>
<property name="User Search Base">ou=users,dc=test,dc=ch</property>
<property name="User Search Filter">uid={0}</property>
<property name="Identity Strategy">USE_DN</property>
<property name="Authentication Expiration">12 hours</property>
</provider>
And finally in authorizers.xml
<userGroupProvider>
<identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Initial User Identity 1">uid=firstuser, ou=users,dc=test,dc=ch</property>
</userGroupProvider>
<accessPolicyProvider>
<identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
<property name="User Group Provider">file-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity"> uid=firstuser, ou=users,dc=test,dc=ch </property>
<property name="NiFi Group Name"></property>
<!--<property name="NiFi Identity 1"></property>-->
</accessPolicyProvider>
Starting Registry is OK.
But when I want to access throw Chrome, I have a certificate error : ERR_BAD_SSL_CLIENT_AUTH_CERT
How can I force the authentication to not request a client side certificate ?
Thanks for any input.
Etienne Jouvin