Posted to users@nifi.apache.org by Scott Howell <sc...@mobilgov.com> on 2018/03/30 14:15:14 UTC
Getting Untrusted Proxy when logging into cluster
I am nearing the finish line of setting up a cluster using a self-signed cert.
When trying to login to the cluster after the cluster comes up I am able to see in the logs that my initial admin user is able to login.
Once that takes place I get an “Untrusted proxy” error on both the UI and in the nifi-user.log.
This is what I see in the UI: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi”
In my authorizers.xml I have this:
<authorizers>
<authorizer>
<identifier>file-provider</identifier>
<class>org.apache.nifi.authorization.FileAuthorizer</class>
<property name="Authorizations File">/opt/config/authorizations.xml</property>
<property name="Users File">/opt/config/users.xml</property>
<property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
<property name="Legacy Authorized Users File"></property>
<property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com, OU=Nifi</property>
<property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com, OU=Nifi</property>
<property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com, OU=Nifi</property>
</authorizer>
</authorizers>
On the nodes I am seeing this in my user.xml
<tenants>
<groups/>
<users>
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53" identity="uid=scott,ou=users,dc={redacted},dc=com"/>
<user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425" identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
<user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9" identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
<user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe" identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
</users>
</tenants>
I believe the issue is with where the “ is in my error "Untrusted proxy CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out where that quotation is coming from because I can’t find it anywhere.
Was wondering if anyone has had issues with this before.
Scott
Re: Getting Untrusted Proxy when logging into cluster
Posted by Bryan Bende <bb...@gmail.com>.
Standalone mode does not need the proxy permission so it is likely
that the certificate of the standalone node also has the
double-quotes, but it just doesn't matter.
If you use keytool to list the contents of the keystore.jks, does it
show the Owner with the double quotes?
keytool --list -v -keystore /path/to/keystore.jks
On Fri, Mar 30, 2018 at 12:11 PM, Scott Howell <sc...@mobilgov.com> wrote:
> So that’s the even stranger part. I have a single node running that uses the
> exact same script to generate the certificate and private-key and it does
> not create certs with the double quote in the wrong place.
>
> I had a java keystore script that I was using and had the double quote in
> the wrong place but I have not used that script to generate the keystores
> for this certificate.
>
>
> #!/bin/bash
>
> dir=${1:-$(pwd -P)}
> if [ ! -f "$dir"/openssl.cnf ]; then
> echo "Please pass a directory with an openssl.cnf"
> exit 1
> fi
>
> conf="$dir"/openssl.cnf
> ca_key="$dir"/ca-key.pem
> ca_pem="$dir"/ca.pem
> node_key="$dir"/node-key.pem
> node_csr="$dir"/node-csr.csr
> node_pem="$dir"/node.pem
> cn_name=nifi-2.dev.{redacted}.com
>
> openssl genrsa -out "$node_key" 2048
> HOSTNAME="$(hostname)" openssl req -new -key "$node_key" -out "$node_csr" -subj "/CN=$cn_name, OU=Nifi" -config "$conf"
> HOSTNAME="$(hostname)" openssl x509 -req -in "$node_csr" -CA "$ca_pem" -CAkey "$ca_key" -CAcreateserial -out "$node_pem" -days 365 -extensions v3_req -extfile "$conf"
>
> rm -f "$dir"/*.csr "$dir"/*.srl "$ca_key" "$conf"
> chmod -R 600 "$dir"/*.pem
> chown -R root:root "$dir"
>
> This is mindboggling why it's happening on my cluster nodes but not on the
> single node instance I am running separate to the cluster.
>
>
> On Mar 30, 2018, at 10:43 AM, Pierre Villard <pi...@gmail.com>
> wrote:
>
> Oh ok now I see what you mean with the double quotes... didn't notice in the
> first place =/
> How did you generate the certificates for the nodes? probably something
> wrong here that introduced the double quotes in the certificates.
>
> 2018-03-30 17:34 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
>>
>> 2018-03-30 15:32:42,268 INFO [NiFi Web Server-21]
>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET
>> https://localhost:8443/nifi-api/flow/current-user (source ip: 10.10.2.214)
>> 2018-03-30 15:32:42,270 INFO [NiFi Web Server-21]
>> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
>> uid=scott,ou=users,dc={redacted},dc=com
>> 2018-03-30 15:32:42,325 INFO [NiFi Web Server-18]
>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for
>> (<uid=scott,ou=users,dc={redacted},dc=com><CN="nifi-2.dev.{redacted}.com,
>> OU=Nifi">) GET
>> https://nifi-2.dev.mobilgov.com:8443/nifi-api/flow/current-user (source ip:
>> 10.10.20.32)
>> 2018-03-30 15:32:42,325 WARN [NiFi Web Server-18]
>> o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted
>> proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi"
>>
>> On Mar 30, 2018, at 10:06 AM, Pierre Villard <pi...@gmail.com>
>> wrote:
>>
>> Can you copy/paste what you exactly have in the nifi-users.log when you
>> face this error?
>> Just want to double check there is not some typo somewhere.
>>
>> 2018-03-30 16:50 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
>>>
>>> Here is my authorizations.xml
>>>
>>> <authorizations>
>>> <policies>
>>> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>>> resource="/flow" action="R">
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>> </policy>
>>> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>>> resource="/restricted-components" action="W">
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>> </policy>
>>> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>>> resource="/tenants" action="R">
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>> </policy>
>>> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>>> resource="/tenants" action="W">
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>> </policy>
>>> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>>> resource="/policies" action="R">
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>> </policy>
>>> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>>> resource="/policies" action="W">
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>> </policy>
>>> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>>> resource="/controller" action="R">
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>> </policy>
>>> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>>> resource="/controller" action="W">
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>> </policy>
>>> <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270"
>>> resource="/proxy" action="W">
>>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
>>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
>>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"/>
>>> </policy>
>>> </policies>
>>> </authorizations>
>>>
>>> On Mar 30, 2018, at 9:48 AM, Pierre Villard <pi...@gmail.com>
>>> wrote:
>>>
>>> Hi Scott,
>>>
>>> Can you have a look at the authorizations.xml file? (and share the
>>> content of it to confirm that node users are given the proxy
>>> authorizations?)
>>>
>>> Thanks!
>>>
>>> 2018-03-30 16:15 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
>>>>
>>>> I am nearing the finish line of setting up a cluster using a self-signed
>>>> cert.
>>>>
>>>> When trying to login to the cluster after the cluster comes up I am able
>>>> to see in the logs that my initial admin user is able to login.
>>>>
>>>> Once that takes place I get an “Untrusted proxy” error on both the UI
>>>> and in the nifi-user.log.
>>>>
>>>> This is what I see in the UI: Untrusted proxy
>>>> CN="nifi-2.dev.{redacted}.com, OU=Nifi”
>>>>
>>>> In my authorizers.xml I have this:
>>>> <authorizers>
>>>> <authorizer>
>>>> <identifier>file-provider</identifier>
>>>> <class>org.apache.nifi.authorization.FileAuthorizer</class>
>>>> <property name="Authorizations
>>>> File">/opt/config/authorizations.xml</property>
>>>> <property name="Users File">/opt/config/users.xml</property>
>>>> <property name="Initial Admin
>>>> Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
>>>> <property name="Legacy Authorized Users File"></property>
>>>>
>>>> <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com,
>>>> OU=Nifi</property>
>>>> <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com,
>>>> OU=Nifi</property>
>>>> <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com,
>>>> OU=Nifi</property>
>>>> </authorizer>
>>>> </authorizers>
>>>>
>>>> On the nodes I am seeing this in my user.xml
>>>> <tenants>
>>>> <groups/>
>>>> <users>
>>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"
>>>> identity="uid=scott,ou=users,dc={redacted},dc=com"/>
>>>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"
>>>> identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
>>>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"
>>>> identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
>>>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"
>>>> identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
>>>> </users>
>>>> </tenants>
>>>>
>>>> I believe the issue is with where the “ is in my error "Untrusted proxy
>>>> CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out where
>>>> that quotation is coming from because I can’t find it in anywhere.
>>>>
>>>> Was wondering if anyone has had issues with this before.
>>>>
>>>> Scott
>>>
>>>
>>>
>>
>>
>
>
Re: Getting Untrusted Proxy when logging into cluster
Posted by Scott Howell <sc...@mobilgov.com>.
So that’s the even stranger part. I have a single node running that uses the exact same script to generate the certificate and private-key and it does not create certs with the double quote in the wrong place.
I had a java keystore script that I was using and had the double quote in the wrong place but I have not used that script to generate the keystores for this certificate.
#!/bin/bash
dir=${1:-$(pwd -P)}
if [ ! -f "$dir"/openssl.cnf ]; then
echo "Please pass a directory with an openssl.cnf"
exit 1
fi
conf="$dir"/openssl.cnf
ca_key="$dir"/ca-key.pem
ca_pem="$dir"/ca.pem
node_key="$dir"/node-key.pem
node_csr="$dir"/node-csr.csr
node_pem="$dir"/node.pem
cn_name=nifi-2.dev.{redacted}.com
openssl genrsa -out "$node_key" 2048
HOSTNAME="$(hostname)" openssl req -new -key "$node_key" -out "$node_csr" -subj "/CN=$cn_name, OU=Nifi" -config "$conf"
HOSTNAME="$(hostname)" openssl x509 -req -in "$node_csr" -CA "$ca_pem" -CAkey "$ca_key" -CAcreateserial -out "$node_pem" -days 365 -extensions v3_req -extfile "$conf"
rm -f "$dir"/*.csr "$dir"/*.srl "$ca_key" "$conf"
chmod -R 600 "$dir"/*.pem
chown -R root:root "$dir"
This is mindboggling why it's happening on my cluster nodes but not on the single node instance I am running separate to the cluster.
> On Mar 30, 2018, at 10:43 AM, Pierre Villard <pi...@gmail.com> wrote:
>
> Oh ok now I see what you mean with the double quotes... didn't notice in the first place =/
> How did you generate the certificates for the nodes? probably something wrong here that introduced the double quotes in the certificates.
>
> 2018-03-30 17:34 GMT+02:00 Scott Howell <scotthowell@mobilgov.com>:
> 2018-03-30 15:32:42,268 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://localhost:8443/nifi-api/flow/current-user (source ip: 10.10.2.214)
> 2018-03-30 15:32:42,270 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for uid=scott,ou=users,dc={redacted},dc=com
> 2018-03-30 15:32:42,325 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<uid=scott,ou=users,dc={redacted},dc=com><CN="nifi-2.dev.{redacted}.com, OU=Nifi">) GET https://nifi-2.dev.mobilgov.com:8443/nifi-api/flow/current-user (source ip: 10.10.20.32)
> 2018-03-30 15:32:42,325 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi"
>
>> On Mar 30, 2018, at 10:06 AM, Pierre Villard <pierre.villard.fr@gmail.com> wrote:
>>
>> Can you copy/paste what you exactly have in the nifi-users.log when you face this error?
>> Just want to double check there is not some typo somewhere.
>>
>> 2018-03-30 16:50 GMT+02:00 Scott Howell <scotthowell@mobilgov.com>:
>> Here is my authorizations.xml
>>
>> <authorizations>
>> <policies>
>> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"/>
>> </policy>
>> </policies>
>> </authorizations>
>>
>>> On Mar 30, 2018, at 9:48 AM, Pierre Villard <pierre.villard.fr@gmail.com> wrote:
>>>
>>> Hi Scott,
>>>
>>> Can you have a look at the authorizations.xml file? (and share the content of it to confirm that node users are given the proxy authorizations?)
>>>
>>> Thanks!
>>>
>>> 2018-03-30 16:15 GMT+02:00 Scott Howell <scotthowell@mobilgov.com>:
>>> I am nearing the finish line of setting up a cluster using a self-signed cert.
>>>
>>> When trying to login to the cluster after the cluster comes up I am able to see in the logs that my initial admin user is able to login.
>>>
>>> Once that takes place I get an “Untrusted proxy” error on both the UI and in the nifi-user.log.
>>>
>>> This is what I see in the UI: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi”
>>>
>>> In my authorizers.xml I have this:
>>> <authorizers>
>>> <authorizer>
>>> <identifier>file-provider</identifier>
>>> <class>org.apache.nifi.authorization.FileAuthorizer</class>
>>> <property name="Authorizations File">/opt/config/authorizations.xml</property>
>>> <property name="Users File">/opt/config/users.xml</property>
>>> <property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
>>> <property name="Legacy Authorized Users File"></property>
>>>
>>> <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com, OU=Nifi</property>
>>> <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com, OU=Nifi</property>
>>> <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com, OU=Nifi</property>
>>> </authorizer>
>>> </authorizers>
>>>
>>> On the nodes I am seeing this in my user.xml
>>> <tenants>
>>> <groups/>
>>> <users>
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53" identity="uid=scott,ou=users,dc={redacted},dc=com"/>
>>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425" identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
>>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9" identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
>>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe" identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
>>> </users>
>>> </tenants>
>>>
>>> I believe the issue is with where the “ is in my error "Untrusted proxy CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out where that quotation is coming from because I can’t find it anywhere.
>>>
>>> Was wondering if anyone has had issues with this before.
>>>
>>> Scott
>>>
>>
>>
>
>
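The mismatch discussed in this thread, as an added example (not part of the original messages and not NiFi's own code): it compares the identity from the "Untrusted proxy" log line with the Node Identity entries in authorizers.xml, RDN by RDN. It assumes the proxy identity is matched as an exact string and that the quotes in the log are DN quoting around a CN value that itself contains ", OU=Nifi"; example.com stands in for the redacted domain, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: example.com stands in for the redacted domain.
AUTHORIZERS_XML = """<authorizers>
  <authorizer>
    <identifier>file-provider</identifier>
    <property name="Initial Admin Identity">uid=scott,ou=users,dc=example,dc=com</property>
    <property name="Node Identity 1">CN=nifi-1.dev.example.com, OU=Nifi</property>
    <property name="Node Identity 2">CN=nifi-2.dev.example.com, OU=Nifi</property>
    <property name="Node Identity 3">CN=nifi-3.dev.example.com, OU=Nifi</property>
  </authorizer>
</authorizers>"""

# Constructed log line in the shape of the nifi-user.log entry quoted in the thread.
LOG_LINE = ('2018-03-30 15:32:42,325 WARN [NiFi Web Server-18] '
            'o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: '
            'Untrusted proxy CN="nifi-2.dev.example.com, OU=Nifi"')


def parse_dn(dn):
    """Split a DN string into (type, value) pairs.

    Commas inside double quotes or after a backslash belong to the value,
    not to the RDN boundary. Multi-valued RDNs ('+') are not handled.
    """
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character is literal
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes      # quotes delimit, they are not data
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))     # unquoted comma ends an RDN
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def node_identities(xml_text):
    """Map 'Node Identity N' property names to their configured DN strings."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip()
            for p in root.iter("property")
            if (p.get("name") or "").startswith("Node Identity")}


def untrusted_proxy(log_line):
    """Extract the rejected proxy identity from a log line, or None."""
    m = re.search(r"Untrusted proxy (.+)$", log_line)
    return m.group(1).strip() if m else None


def diagnose(log_line, xml_text):
    """Return (status, node_property_name, detail) for an 'Untrusted proxy' line."""
    presented = untrusted_proxy(log_line)
    if presented is None:
        return ("no-proxy-error", None, "")
    nodes = node_identities(xml_text)
    for name, configured in nodes.items():
        if presented == configured:
            return ("match", name, configured)
    presented_rdns = parse_dn(presented)
    # Re-read the presented values as if their commas were RDN separators.
    unfolded = parse_dn(", ".join(f"{t}={v}" for t, v in presented_rdns))
    for name, configured in nodes.items():
        if unfolded == parse_dn(configured):
            detail = (f"certificate subject has {len(presented_rdns)} RDN(s), "
                      f"configured identity has {len(unfolded)}")
            return ("separator-in-value", name, detail)
    return ("unknown-identity", None, presented)


if __name__ == "__main__":
    print(diagnose(LOG_LINE, AUTHORIZERS_XML))
```

With `openssl req -subj`, attributes are separated by `/`, so a comma written inside the string stays part of the preceding attribute's value; a "separator-in-value" result points at that kind of subject.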
Re: Getting Untrusted Proxy when logging into cluster
Posted by Pierre Villard <pi...@gmail.com>.
Oh ok now I see what you mean with the double quotes... didn't notice in
the first place =/
How did you generate the certificates for the nodes? probably something
wrong here that introduced the double quotes in the certificates.
2018-03-30 17:34 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
> 2018-03-30 15:32:42,268 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://localhost:8443/nifi-api/flow/current-user (source ip: 10.10.2.214)
> 2018-03-30 15:32:42,270 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for uid=scott,ou=users,dc={redacted},dc=com
> 2018-03-30 15:32:42,325 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<uid=scott,ou=users,dc={redacted},dc=com><CN="nifi-2.dev.{redacted}.com, OU=Nifi">) GET https://nifi-2.dev.mobilgov.com:8443/nifi-api/flow/current-user (source ip: 10.10.20.32)
> 2018-03-30 15:32:42,325 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi"
>
> On Mar 30, 2018, at 10:06 AM, Pierre Villard <pi...@gmail.com>
> wrote:
>
> Can you copy/paste what you exactly have in the nifi-users.log when you
> face this error?
> Just want to double check there is not some typo somewhere.
>
> 2018-03-30 16:50 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
>
>> Here is my authorizations.xml
>>
>> <authorizations>
>> <policies>
>> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>> resource="/flow" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>> resource="/restricted-components" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>> resource="/tenants" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>> resource="/tenants" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>> resource="/policies" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>> resource="/policies" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>> resource="/controller" action="R">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>> resource="/controller" action="W">
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>> </policy>
>> <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270"
>> resource="/proxy" action="W">
>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"/>
>> </policy>
>> </policies>
>> </authorizations>
>>
>> On Mar 30, 2018, at 9:48 AM, Pierre Villard <pi...@gmail.com>
>> wrote:
>>
>> Hi Scott,
>>
>> Can you have a look at the authorizations.xml file? (and share the
>> content of it to confirm that node users are given the proxy
>> authorizations?)
>>
>> Thanks!
>>
>> 2018-03-30 16:15 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
>>
>>> I am nearing the finish line of setting up a cluster using a self-signed
>>> cert.
>>>
>>> When trying to login to the cluster after the cluster comes up I am able
>>> to see in the logs that my initial admin user is able to login.
>>>
>>> Once that takes place I get an “Untrusted proxy” error on both the UI
>>> and in the nifi-user.log.
>>>
>>> This is what I see in the UI: Untrusted proxy
>>> CN="nifi-2.dev.{redacted}.com, OU=Nifi”
>>>
>>> In my authorizers.xml I have this:
>>> <authorizers>
>>> <authorizer>
>>> <identifier>file-provider</identifier>
>>> <class>org.apache.nifi.authorization.FileAuthorizer</class>
>>> <property name="Authorizations File">/opt/config/authorizations.xml</property>
>>> <property name="Users File">/opt/config/users.xml</property>
>>> <property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
>>> <property name="Legacy Authorized Users File"></property>
>>>
>>> <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com,
>>> OU=Nifi</property>
>>> <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com,
>>> OU=Nifi</property>
>>> <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com,
>>> OU=Nifi</property>
>>> </authorizer>
>>> </authorizers>
>>>
>>> On the nodes I am seeing this in my user.xml
>>> <tenants>
>>> <groups/>
>>> <users>
>>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"
>>> identity="uid=scott,ou=users,dc={redacted},dc=com"/>
>>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"
>>> identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
>>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"
>>> identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
>>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"
>>> identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
>>> </users>
>>> </tenants>
>>>
>>> I believe the issue is with where the “ is in my error "Untrusted proxy
>>> CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out
>>> where that quotation is coming from because I can’t find it in anywhere.
>>>
>>> Was wondering if anyone has had issues with this before.
>>>
>>> Scott
>>>
>>
>>
>>
>
>
Re: Getting Untrusted Proxy when logging into cluster
Posted by Scott Howell <sc...@mobilgov.com>.
2018-03-30 15:32:42,268 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://localhost:8443/nifi-api/flow/current-user (source ip: 10.10.2.214)
2018-03-30 15:32:42,270 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for uid=scott,ou=users,dc={redacted},dc=com
2018-03-30 15:32:42,325 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<uid=scott,ou=users,dc={redacted},dc=com><CN="nifi-2.dev.{redacted}.com, OU=Nifi">) GET https://nifi-2.dev.mobilgov.com:8443/nifi-api/flow/current-user (source ip: 10.10.20.32)
2018-03-30 15:32:42,325 WARN [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi"
> On Mar 30, 2018, at 10:06 AM, Pierre Villard <pi...@gmail.com> wrote:
>
> Can you copy/paste what you exactly have in the nifi-users.log when you face this error?
> Just want to double check there is not some typo somewhere.
>
> 2018-03-30 16:50 GMT+02:00 Scott Howell <scotthowell@mobilgov.com>:
> Here is my authorizations.xml
>
> <authorizations>
> <policies>
> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"/>
> </policy>
> </policies>
> </authorizations>
>
>> On Mar 30, 2018, at 9:48 AM, Pierre Villard <pierre.villard.fr@gmail.com> wrote:
>>
>> Hi Scott,
>>
>> Can you have a look at the authorizations.xml file? (and share the content of it to confirm that node users are given the proxy authorizations?)
>>
>> Thanks!
>>
>> 2018-03-30 16:15 GMT+02:00 Scott Howell <scotthowell@mobilgov.com>:
>> I am nearing the finish line of setting up a cluster using a self-signed cert.
>>
>> When trying to login to the cluster after the cluster comes up I am able to see in the logs that my initial admin user is able to login.
>>
>> Once that takes place I get an “Untrusted proxy” error on both the UI and in the nifi-user.log.
>>
>> This is what I see in the UI: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi”
>>
>> In my authorizers.xml I have this:
>> <authorizers>
>> <authorizer>
>> <identifier>file-provider</identifier>
>> <class>org.apache.nifi.authorization.FileAuthorizer</class>
>> <property name="Authorizations File">/opt/config/authorizations.xml</property>
>> <property name="Users File">/opt/config/users.xml</property>
>> <property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
>> <property name="Legacy Authorized Users File"></property>
>>
>> <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com, OU=Nifi</property>
>> <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com, OU=Nifi</property>
>> <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com, OU=Nifi</property>
>> </authorizer>
>> </authorizers>
>>
>> On the nodes I am seeing this in my user.xml
>> <tenants>
>> <groups/>
>> <users>
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53" identity="uid=scott,ou=users,dc={redacted},dc=com"/>
>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425" identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9" identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe" identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
>> </users>
>> </tenants>
>>
>> I believe the issue is with where the “ is in my error "Untrusted proxy CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out where that quotation is coming from because I can’t find it anywhere.
>>
>> Was wondering if anyone has had issues with this before.
>>
>> Scott
>>
>
>
Re: Getting Untrusted Proxy when logging into cluster
Posted by Pierre Villard <pi...@gmail.com>.
Can you copy/paste what you exactly have in the nifi-users.log when you
face this error?
Just want to double check there is not some typo somewhere.
2018-03-30 16:50 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
> Here is my authorizations.xml
>
> <authorizations>
> <policies>
> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> resource="/flow" action="R">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> resource="/restricted-components" action="W">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> resource="/tenants" action="R">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> resource="/tenants" action="W">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> resource="/policies" action="R">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> resource="/policies" action="W">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> resource="/controller" action="R">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> resource="/controller" action="W">
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
> </policy>
> <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270"
> resource="/proxy" action="W">
> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"/>
> </policy>
> </policies>
> </authorizations>
>
> On Mar 30, 2018, at 9:48 AM, Pierre Villard <pi...@gmail.com>
> wrote:
>
> Hi Scott,
>
> Can you have a look at the authorizations.xml file? (and share the content
> of it to confirm that node users are given the proxy authorizations?)
>
> Thanks!
>
> 2018-03-30 16:15 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
>
>> I am nearing the finish line of setting up a cluster using a self-signed
>> cert.
>>
>> When trying to login to the cluster after the cluster comes up I am able
>> to see in the logs that my initial admin user is able to login.
>>
>> Once that takes place I get an “Untrusted proxy” error on both the UI and
>> in the nifi-user.log.
>>
>> This is what I see in the UI: Untrusted proxy
>> CN="nifi-2.dev.{redacted}.com, OU=Nifi”
>>
>> In my authorizers.xml I have this:
>> <authorizers>
>> <authorizer>
>> <identifier>file-provider</identifier>
>> <class>org.apache.nifi.authorization.FileAuthorizer</class>
>> <property name="Authorizations File">/opt/config/authorizations.xml</property>
>> <property name="Users File">/opt/config/users.xml</property>
>> <property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
>> <property name="Legacy Authorized Users File"></property>
>>
>> <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com,
>> OU=Nifi</property>
>> <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com,
>> OU=Nifi</property>
>> <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com,
>> OU=Nifi</property>
>> </authorizer>
>> </authorizers>
>>
>> On the nodes I am seeing this in my user.xml
>> <tenants>
>> <groups/>
>> <users>
>> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53" identity="uid=scott,ou=users,dc={redacted},dc=com"/>
>> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425" identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
>> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9" identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
>> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe" identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
>> </users>
>> </tenants>
>>
>> I believe the issue is with where the “ is in my error "Untrusted proxy
>> CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out
>> where that quotation is coming from because I can’t find it in anywhere.
>>
>> Was wondering if anyone has had issues with this before.
>>
>> Scott
>>
>
>
>
Re: Getting Untrusted Proxy when logging into cluster
Posted by Scott Howell <sc...@mobilgov.com>.
Here is my authorizations.xml
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
<user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
<user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"/>
</policy>
</policies>
</authorizations>
> On Mar 30, 2018, at 9:48 AM, Pierre Villard <pi...@gmail.com> wrote:
>
> Hi Scott,
>
> Can you have a look at the authorizations.xml file? (and share the content of it to confirm that node users are given the proxy authorizations?)
>
> Thanks!
>
> 2018-03-30 16:15 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
> I am nearing the finish line of setting up a cluster using a self-signed cert.
>
> When trying to login to the cluster after the cluster comes up I am able to see in the logs that my initial admin user is able to login.
>
> Once that takes place I get an “Untrusted proxy” error on both the UI and in the nifi-user.log.
>
> This is what I see in the UI: Untrusted proxy CN="nifi-2.dev.{redacted}.com, OU=Nifi”
>
> In my authorizers.xml I have this:
> <authorizers>
> <authorizer>
> <identifier>file-provider</identifier>
> <class>org.apache.nifi.authorization.FileAuthorizer</class>
> <property name="Authorizations File">/opt/config/authorizations.xml</property>
> <property name="Users File">/opt/config/users.xml</property>
> <property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
> <property name="Legacy Authorized Users File"></property>
>
> <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com, OU=Nifi</property>
> <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com, OU=Nifi</property>
> <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com, OU=Nifi</property>
> </authorizer>
> </authorizers>
>
> On the nodes I am seeing this in my user.xml
> <tenants>
> <groups/>
> <users>
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53" identity="uid=scott,ou=users,dc={redacted},dc=com"/>
> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425" identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9" identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe" identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
> </users>
> </tenants>
>
> I believe the issue is with where the “ is in my error "Untrusted proxy CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out where that quotation is coming from because I can’t find it in anywhere.
>
> Was wondering if anyone has had issues with this before.
>
> Scott
>
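The cross-check requested in this thread, as an added example that is not part of the original messages: it ties each Node Identity in authorizers.xml to its entry in users.xml and to the /proxy policy in authorizations.xml, then classifies a DN copied from the "Untrusted proxy" message. The function names are hypothetical, the inputs are trimmed copies of the files quoted here, and it assumes identities are compared character for character.

```python
import xml.etree.ElementTree as ET

# Constructed inputs, trimmed from the files quoted in this thread.
AUTHORIZERS = """<authorizers><authorizer>
<property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
<property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com, OU=Nifi</property>
<property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com, OU=Nifi</property>
</authorizer></authorizers>"""
USERS = """<tenants><users>
<user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53" identity="uid=scott,ou=users,dc={redacted},dc=com"/>
<user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425" identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
<user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9" identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
</users></tenants>"""
AUTHORIZATIONS = """<authorizations><policies>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
<user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
</policy></policies></authorizations>"""


def load(authorizers, users, authorizations):
    """Return (node identities, identity -> identifier, identifiers with /proxy W)."""
    nodes = [p.text for p in ET.fromstring(authorizers).iter("property")
             if p.get("name", "").startswith("Node Identity")]
    by_identity = {u.get("identity"): u.get("identifier")
                   for u in ET.fromstring(users).iter("user")}
    proxy = {u.get("identifier")
             for p in ET.fromstring(authorizations).iter("policy")
             if p.get("resource") == "/proxy" and p.get("action") == "W"
             for u in p.iter("user")}
    return nodes, by_identity, proxy


def _fold(s):
    # Drop straight/curly double quotes and spaces, ignore case: near-miss key only.
    return "".join(c for c in s if c not in '"\u201c\u201d ').lower()


def check_proxy(dn, by_identity, proxy):
    """Classify the DN a node presented, e.g. copied from nifi-user.log."""
    uid = by_identity.get(dn)  # assumption: identities compare character for character
    if uid is not None:
        return ("trusted" if uid in proxy else "no-proxy-policy", [dn])
    near = [i for i in by_identity if _fold(i) == _fold(dn)]
    return ("near-miss" if near else "unknown", near)


if __name__ == "__main__":
    nodes, by_identity, proxy = load(AUTHORIZERS, USERS, AUTHORIZATIONS)
    for dn in nodes + ['CN="nifi-2.dev.{redacted}.com, OU=Nifi\u201d']:
        print(check_proxy(dn, by_identity, proxy), repr(dn))
```

A "near-miss" result means the presented DN differs from a configured identity only in quoting, spacing or case, which the configured files alone will not reveal.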
Re: Getting Untrusted Proxy when logging into cluster
Posted by Pierre Villard <pi...@gmail.com>.
Hi Scott,
Can you have a look at the authorizations.xml file? (and share the content
of it to confirm that node users are given the proxy authorizations?)
Thanks!
2018-03-30 16:15 GMT+02:00 Scott Howell <sc...@mobilgov.com>:
> I am nearing the finish line of setting up a cluster using a self-signed
> cert.
>
> When trying to login to the cluster after the cluster comes up I am able
> to see in the logs that my initial admin user is able to login.
>
> Once that takes place I get an “Untrusted proxy” error on both the UI and
> in the nifi-user.log.
>
> This is what I see in the UI: Untrusted proxy
> CN="nifi-2.dev.{redacted}.com, OU=Nifi”
>
> In my authorizers.xml I have this:
> <authorizers>
> <authorizer>
> <identifier>file-provider</identifier>
> <class>org.apache.nifi.authorization.FileAuthorizer</class>
> <property name="Authorizations File">/opt/config/authorizations.xml</property>
> <property name="Users File">/opt/config/users.xml</property>
> <property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
> <property name="Legacy Authorized Users File"></property>
>
> <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com, OU=Nifi</property>
> <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com, OU=Nifi</property>
> <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com, OU=Nifi</property>
> </authorizer>
> </authorizers>
>
> On the nodes I am seeing this in my user.xml
> <tenants>
> <groups/>
> <users>
> <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53" identity="uid=scott,ou=users,dc={redacted},dc=com"/>
> <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425" identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
> <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9" identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
> <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe" identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
> </users>
> </tenants>
>
> I believe the issue is with where the “ is in my error "Untrusted proxy
> CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out
> where that quotation is coming from because I can’t find it in anywhere.
>
> Was wondering if anyone has had issues with this before.
>
> Scott
>