Posted to issues@nifi.apache.org by "Misha Wakerman (JIRA)" <ji...@apache.org> on 2017/04/04 08:30:41 UTC

[jira] [Comment Edited] (NIFI-3480) Fix incorrect Admin Guide documentation regarding anonymous access

    [ https://issues.apache.org/jira/browse/NIFI-3480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954806#comment-15954806 ] 

Misha Wakerman edited comment on NIFI-3480 at 4/4/17 8:29 AM:
--------------------------------------------------------------

Hey folks, possibly not the right place to raise this but I just spent the good part of two days trying to get nifi v1.1.1 running secured with anonymous user access. The docs were criminally misleading prior to the change involved in this ticket but are still dangerously misleading and it was only this ticket and the line "The only way to configure a secured instance with anonymous access is via LDAP or Kerberos and configuration of the authorizer to explicitly allow anonymous access" that made me realise I was chasing a wild goose.

Specifically (not all from the nifi docs):

* -{{nifi.security.truststore}} - Filename of the Truststore that will be used to authorize those connecting to NiFi. If not set, all who attempt to connect will be provided access as the Anonymous user.- Now fixed.

* `nifi.security.needClientAuth` | Specifies whether or not connecting clients must authenticate themselves. Specifically this property is used by the NiFi cluster protocol. If the Truststore properties are not set, this must be false. Otherwise, a value of true indicates that nodes in the cluster will be authenticated and must have certificates that are trusted by the Truststores.

* Mentioned in https://docs.hortonworks.com/HDPDocuments/HDF1/HDF-1.2/bk_AdminGuide/content/system_properties.html and https://docs.hortonworks.com/HDPDocuments/HDF1/HDF-1.2/bk_AdminGuide/content/security-configuration.html but not in NiFi admin guide: {{nifi.security.anonymous.authorities}} | This indicates what roles to grant to anonymous users accessing NiFi over HTTPS. It is blank by default, but could be set to any combination of ROLE_MONITOR, ROLE_DFM, ROLE_ADMIN, ROLE_PROVENANCE, ROLE_NIFI. Leaving this property blank will require that users accessing NiFi over HTTPS be authenticated either using a client certificate or their credentials against the configured log identity provider.

Anyway, if the docs simply had the line quoted above in them then it would be much more obvious that Anonymous SSL access is not possible with a FileAuthorizer (aware that this might not always be the case, NIFI-2730).



> Fix incorrect Admin Guide documentation regarding anonymous access
> ------------------------------------------------------------------
>
>                 Key: NIFI-3480
>                 URL: https://issues.apache.org/jira/browse/NIFI-3480
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Documentation & Website
>    Affects Versions: 1.1.1
>            Reporter: Andy LoPresto
>            Assignee: Andrew Lim
>            Priority: Trivial
>              Labels: documentation, security
>
> The Admin Guide *Security Configuration* section states
> {quote}
> {{nifi.security.truststore}}
> Filename of the Truststore that will be used to authorize those connecting to NiFi. If not set, all who attempt to connect will be provided access as the *Anonymous* user.
> {quote}
> This is incorrect and misleading. The only way to configure a secured instance with anonymous access is via LDAP or Kerberos and configuration of the authorizer to explicitly allow anonymous access. Configuring a secured instance with no truststore will simply refuse all incoming connections. 
> With {{nifi.security.needClientAuth}} set to {{true}} or empty (default):
> {code}
> 2017-02-14 12:03:05,546 WARN [Thread-1] org.apache.nifi.web.server.JettyServer Failed to stop web server
> org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowService': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: Need client auth is set to 'true', but no truststore properties are configured.
> 	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[na:na]
> 	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[na:na]
> 	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[na:na]
> 	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:254) ~[na:na]
> 	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[na:na]
> 	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[na:na]
> 	at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextDestroyed(ApplicationStartupContextListener.java:103) ~[na:na]
> 	at org.eclipse.jetty.server.handler.ContextHandler.callContextDestroyed(ContextHandler.java:845) ~[na:na]
> 	at org.eclipse.jetty.servlet.ServletContextHandler.callContextDestroyed(ServletContextHandler.java:546) ~[na:na]
> 	at org.eclipse.jetty.server.handler.ContextHandler.stopContext(ContextHandler.java:826) ~[na:na]
> 	at org.eclipse.jetty.servlet.ServletContextHandler.stopContext(ServletContextHandler.java:356) ~[na:na]
> 	at org.eclipse.jetty.webapp.WebAppContext.stopWebapp(WebAppContext.java:1410) ~[na:na]
> 	at org.eclipse.jetty.webapp.WebAppContext.stopContext(WebAppContext.java:1374) ~[na:na]
> 	at org.eclipse.jetty.server.handler.ContextHandler.doStop(ContextHandler.java:874) ~[na:na]
> 	at org.eclipse.jetty.servlet.ServletContextHandler.doStop(ServletContextHandler.java:272) ~[na:na]
> 	at org.eclipse.jetty.webapp.WebAppContext.doStop(WebAppContext.java:544) ~[na:na]
> 	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
> 	at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:143) ~[na:na]
> 	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:161) ~[na:na]
> 	at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:73) ~[na:na]
> 	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
> 	at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:143) ~[na:na]
> 	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:161) ~[na:na]
> 	at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:73) ~[na:na]
> 	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
> 	at org.eclipse.jetty.util.component.ContainerLifeCycle.stop(ContainerLifeCycle.java:143) ~[na:na]
> 	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStop(ContainerLifeCycle.java:161) ~[na:na]
> 	at org.eclipse.jetty.server.handler.AbstractHandler.doStop(AbstractHandler.java:73) ~[na:na]
> 	at org.eclipse.jetty.server.Server.doStop(Server.java:482) ~[na:na]
> 	at org.eclipse.jetty.util.component.AbstractLifeCycle.stop(AbstractLifeCycle.java:89) ~[na:na]
> 	at org.apache.nifi.web.server.JettyServer.stop(JettyServer.java:854) ~[na:na]
> 	at org.apache.nifi.NiFi.shutdownHook(NiFi.java:188) [nifi-runtime-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
> 	at org.apache.nifi.NiFi$2.run(NiFi.java:89) [nifi-runtime-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
> 	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]
> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: Need client auth is set to 'true', but no truststore properties are configured.
> 	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[na:na]
> 	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[na:na]
> 	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[na:na]
> 	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:254) ~[na:na]
> 	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[na:na]
> 	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[na:na]
> 	at org.apache.nifi.spring.StandardFlowServiceFactoryBean.getObject(StandardFlowServiceFactoryBean.java:48) ~[na:na]
> 	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[na:na]
> 	... 33 common frames omitted
> Caused by: org.apache.nifi.framework.security.util.SslContextCreationException: Need client auth is set to 'true', but no truststore properties are configured.
> 	at org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:66) ~[na:na]
> 	at org.apache.nifi.controller.FlowController.<init>(FlowController.java:440) ~[na:na]
> 	at org.apache.nifi.controller.FlowController.createStandaloneInstance(FlowController.java:375) ~[na:na]
> 	at org.apache.nifi.spring.FlowControllerFactoryBean.getObject(FlowControllerFactoryBean.java:74) ~[na:na]
> 	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[na:na]
> 	... 40 common frames omitted
> 2017-02-14 12:03:05,547 INFO [Thread-1] org.apache.nifi.NiFi Jetty web server shutdown completed (nicely or otherwise).
> {code}
> With {{nifi.security.needClientAuth}} explicitly set to {{false}}: no errors in {{logs/nifi-app.log}} but the browser will not be able to make a connection and will get the {{ERR_CONNECTION_REFUSED}} response. 
> The Admin Guide should be updated to reflect the correct information. 
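The three outcomes the ticket and the comment above describe (startup failure with no truststore and client auth required, refused connections with no truststore and client auth off, and anonymous roles only mattering once a login identity provider is in play) can be checked before starting the instance. The linter below is an added example, not code from the NiFi project or from anyone on this ticket; the property files it reads are constructed here, and the property names are the standard ones from nifi.properties plus `nifi.security.anonymous.authorities` from the HDF 1.2 guide linked in the comment.

```python
"""Lint the security block of a nifi.properties file for the
misconfigurations described in NIFI-3480 (added example, not NiFi code)."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style properties parser: key=value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_security(props: Dict[str, str]) -> List[Finding]:
    """Return findings for the truststore / client-auth / anonymous combinations."""
    findings: List[Finding] = []
    if not props.get("nifi.web.https.port", ""):
        return [("info", "nifi.web.https.port is empty: not a secured instance, checks skipped")]

    truststore = props.get("nifi.security.truststore", "")
    need_client_auth = props.get("nifi.security.needClientAuth", "").lower()
    login_provider = props.get("nifi.security.user.login.identity.provider", "")
    # Documented for HDF 1.2 (see the links in the comment), not in the 1.1.1 admin guide.
    anon_roles = props.get("nifi.security.anonymous.authorities", "")

    if not truststore:
        if need_client_auth in ("", "true"):
            # Matches the SslContextCreationException quoted in the ticket.
            findings.append(("error",
                             "no truststore with needClientAuth true/empty: NiFi will fail to start "
                             "(SslContextCreationException), not grant anonymous access"))
        else:
            findings.append(("error",
                             "no truststore with needClientAuth=false: clients get "
                             "ERR_CONNECTION_REFUSED, not anonymous access"))
    if anon_roles:
        findings.append(("warn", f"anonymous HTTPS users would be granted: {anon_roles}"))
    if not login_provider:
        findings.append(("info",
                         "no login identity provider: only client-certificate auth; anonymous "
                         "access needs LDAP/Kerberos plus an authorizer that allows it"))
    return findings


# Constructed sample configurations (not from any real deployment).
SAMPLE_NO_TRUSTSTORE = """
nifi.web.https.port=9443
nifi.security.keystore=./conf/keystore.jks
nifi.security.truststore=
nifi.security.needClientAuth=
nifi.security.user.login.identity.provider=
"""

SAMPLE_CLIENT_AUTH_OFF = """
nifi.web.https.port=9443
nifi.security.keystore=./conf/keystore.jks
nifi.security.truststore=
nifi.security.needClientAuth=false
nifi.security.user.login.identity.provider=
"""

SAMPLE_ANON_ROLES = """
nifi.web.https.port=9443
nifi.security.keystore=./conf/keystore.jks
nifi.security.truststore=./conf/truststore.jks
nifi.security.needClientAuth=true
nifi.security.user.login.identity.provider=ldap-provider
nifi.security.anonymous.authorities=ROLE_MONITOR
"""


def main() -> None:
    for name, text in (("no truststore", SAMPLE_NO_TRUSTSTORE),
                       ("client auth off", SAMPLE_CLIENT_AUTH_OFF),
                       ("anonymous roles", SAMPLE_ANON_ROLES)):
        print(f"== {name}")
        for severity, message in check_security(parse_properties(text)):
            print(f"  [{severity}] {message}")


if __name__ == "__main__":
    main()
```

Run it against a copy of the real nifi.properties by replacing the constructed samples with the file contents; an "error" finding means the instance will either refuse to start or refuse every connection, exactly the two behaviours the ticket documents, and neither is a path to anonymous access.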



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)