You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Nathan Gough (Jira)" <ji...@apache.org> on 2022/03/04 03:40:00 UTC

[jira] [Commented] (NIFI-9665) can't use cli.sh (nifi toolkit) for connect with certificats

    [ https://issues.apache.org/jira/browse/NIFI-9665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17501131#comment-17501131 ] 

Nathan Gough commented on NIFI-9665:
------------------------------------

I don't appear to be having this issue when I use the same command. What authentication method do you have enabled on the NiFi host? It sounds like it may just be X509, and I can see in the log:

{quote}
2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
{quote}

It sounds like the keystore you're using does not contain a client certificate to authenticate with NiFi.

> can't use cli.sh (nifi toolkit) for connect with certificats
> ------------------------------------------------------------
>
>                 Key: NIFI-9665
>                 URL: https://issues.apache.org/jira/browse/NIFI-9665
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Tools and Build
>    Affects Versions: 1.15.3
>            Reporter: moustafa
>            Assignee: Nathan Gough
>            Priority: Blocker
>
> I can't connect to nifi with toolkit cli using certificate. 
> Command used
> /opt/nifi-toolkit/nifi-toolkit-current/bin/cli.sh nifi get-root-id --baseUrl https://nifi-cia.training.XXX.com:8443 -ks /opt/certs/nifi_training_XX.jks -kst JKS -ksp xxx-xxx -kp xxxx-xxx --truststore /opt/certs/nifi_training_xxxtruststore.jks --truststoreType JKS --truststorePasswd -xxxxxxx --verbose
> I see this logs :
> ___________________________________________________________________________
> ERROR: Error executing command 'get-root-id' : Error retrieving process group flow: Anonymous authentication has not been configured.
>  
> org.apache.nifi.toolkit.cli.api.CommandException: Error executing command 'get-root-id' : Error retrieving process group flow: Anonymous authentication has not been configured.
>         at org.apache.nifi.toolkit.cli.impl.command.nifi.AbstractNiFiCommand.doExecute(AbstractNiFiCommand.java:65)
>         at org.apache.nifi.toolkit.cli.impl.command.AbstractPropertyCommand.execute(AbstractPropertyCommand.java:74)
>         at org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.processCommand(CommandProcessor.java:252)
>         at org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.processGroupCommand(CommandProcessor.java:233)
>         at org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.process(CommandProcessor.java:188)
>         at org.apache.nifi.toolkit.cli.CLIMain.runSingleCommand(CLIMain.java:145)
>         at org.apache.nifi.toolkit.cli.CLIMain.main(CLIMain.java:72)
> Caused by: org.apache.nifi.toolkit.cli.impl.client.nifi.NiFiClientException: Error retrieving process group flow: Anonymous authentication has not been configured.
>         at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:90)
>         at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyFlowClient.getProcessGroup(JerseyFlowClient.java:87)
>         at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyFlowClient.getRootGroupId(JerseyFlowClient.java:77)
>         at org.apache.nifi.toolkit.cli.impl.command.nifi.flow.GetRootId.doExecute(GetRootId.java:46)
>         at org.apache.nifi.toolkit.cli.impl.command.nifi.flow.GetRootId.doExecute(GetRootId.java:31)
>         at org.apache.nifi.toolkit.cli.impl.command.nifi.AbstractNiFiCommand.doExecute(AbstractNiFiCommand.java:63)
>         ... 6 more
> Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
>         at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:910)
>         at org.glassfish.jersey.client.JerseyInvocation.translate(JerseyInvocation.java:723)
>         at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:643)
>         at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:665)
>         at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:659)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
>         at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
>         at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:659)
>         at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:642)
>         at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:417)
>         at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:313)
>         at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyFlowClient.lambda$getProcessGroup$1(JerseyFlowClient.java:92)
>         at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:76)
>         ... 11 more
> __________________________________________________________________________
> I see also on nifi-user.log ( DEBUG)
> --------------------------------------------------------------------------------------
> 2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
> 2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
> 2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
> 2022-02-09 18:30:30,638 DEBUG [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
> 2022-02-09 18:30:30,639 INFO [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.23.91.86 [<anonymous>] GET https://nifi-cia.training.xxxxx.com:8443/nifi-api/flow/process-groups/root
> 2022-02-09 18:30:30,639 WARN [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.23.91.86 GET https://nifi-cia.training.xxxxx.com:8443/nifi-api/flow/process-groups/root [Anonymous authentication has not been configured.]
> 2022-02-09 18:30:30,639 DEBUG [NiFi Web Server-26] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed
> org.apache.nifi.web.security.InvalidAuthenticationException: Anonymous authentication has not been configured.
>         at org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationProvider.authenticate(NiFiAnonymousAuthenticationProvider.java:46)
>         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
>         at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:73)
>         at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
>         at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94)
>         at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
>         at org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:121)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
>         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
>         at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94)
> ----------------------------------------------------------------------------------
>  
> I tested with sample curl ( using cert/key used for create jks) and it works :
>  
> curl -k --cert /opt/certs/nifi-cia_training_xxxxxx_com.pem --key /opt/certs/nifi-cia_training_xxxxx_com.key https://nifi-cia.training.xxxxxx.com:8443/nifi-api/flow/process-groups/root
> {"permissions":\{"canRead":false,"canWrite":false},"processGroupFlow":\{"id":"dd746fc4-017e-1000-5591-6ff67d62a0e1","uri":"https://nifi-cia.training.xxxxxx.com:8443/nifi-api/flow/process-groups/dd746fc4-017e-1000-5591-6ff67d62a0e1","breadcrumb":{"id":"dd746fc4-017e-1000-5591-6ff67d62a0e1","permissions":{"canRead":false,"canWrite":false}},"flow":\{"processGroups":[],"remoteProcessGroups":[],"processors":[],"inputPorts":[],"outputPorts":[],"connections":[],"labels":[],"funnels":[]},"lastRefreshed":"18:34:43 CET"}}
>  
> the same jks is working with nifi/nifi toolkit 1.12.1



--
This message was sent by Atlassian Jira
(v8.20.1#820001)