Posted to dev@nifi.apache.org by Derek Richardson <dj...@gmail.com> on 2021/03/31 18:19:28 UTC

Nifi authentication through Kerberos issues

I'm working on transitioning a nifi instance we deploy with Kerberos and
I'm having some trouble authenticating. Everything looks correct, but when
I try to log in with any of my created users, I get an error message:

The supplied username and password are not valid.

Everything on nifi without https was working, and everything I've created
on the Kerberos side looks and works as expected, I just haven't been able
to get a user to log in to the Nifi UI.

Here are some of my config files, is there anything I'm missing or have
incorrect?

---------------------------

Authorizers.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1"></property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>

        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">admin@MY.REALM</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>

        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">admin@MY.REALM</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1"></property>
    </authorizer>
</authorizers>

-------------------------------------

Relevant nifi.properties:
nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=kerberos-provider
# kerberos #
nifi.kerberos.krb5.file= /etc/krb5.conf
nifi.kerberos.service.principal=admin@MY.REALM
nifi.kerberos.service.keytab.location=/etc/kadm5.keytab

-------------------------------------

Login-identity-provider.xml
<loginIdentityProviders>
    <provider>
        <identifier>kerberos-provider</identifier>
        <class>org.apache.nifi.kerberos.KerberosProvider</class>
        <property name="Default Realm">MY.REALM</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>

---------------------------------------

/etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = MY.REALM

[realms]
 RO.INTERNAL = {
  kdc = nifi-djr5.ro.internal:88
  admin_server = nifi-djr5.my.realm:749
  default_domain = my.realm
 }

[domain_realm]
 .my.realm = MY.REALM
 my.realm = MY.REALM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

-------------------------------------------

Any help would be greatly appreciated!

Re: Nifi authentication through Kerberos issues

Posted by Derek Richardson <dj...@gmail.com>.
That was it! I pulled out the line "renew_lifetime = 7d" and it worked!
Thank you so much.

On Thu, Apr 1, 2021 at 7:40 AM Bryan Bende <bb...@gmail.com> wrote:

> The important part is:
>
> Caused by: sun.security.krb5.internal.KrbApErrException: Message stream
> modified (41)
>
> The code that produces this exception looks like this:
>
> // Reply to a renewable request should be renewable, but if request does
> // not contain renewable, KDC is free to issue a renewable ticket (for
> // example, if ticket_lifetime is too big).
> if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
>         !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
>     throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
> }
>
> From googling, a possible solution here:
> https://bugs.centos.org/view.php?id=17000
>
> On Wed, Mar 31, 2021 at 6:57 PM Derek Richardson <dj...@gmail.com> wrote:
> >
> > It doesn't look like anything to me, but here's the stacktrace for when
> > logback.xml has all of the user_file stuff in debug mode:
> >
> > 2021-03-31 22:54:13,670 INFO [NiFi Web Server-22]
> > o.a.n.w.a.c.IllegalArgumentExceptionMapper
> > java.lang.IllegalArgumentException: The supplied username and password
> are
> > not valid.. Returning Bad Request response.
> > 2021-03-31 22:54:13,672 DEBUG [NiFi Web Server-22]
> > o.a.n.w.a.c.IllegalArgumentExceptionMapper
> > java.lang.IllegalArgumentException: The supplied username and password
> are
> > not valid.
> > at
> >
> org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:734)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at
> >
> org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
> > at
> >
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
> > at
> >
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
> > at
> >
> org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
> > at
> >
> org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
> > at
> >
> org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
> > at
> >
> org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
> > at
> >
> org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
> > at
> org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
> > at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
> > at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
> > at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
> > at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
> > at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
> > at
> >
> org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
> > at
> org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
> > at
> >
> org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
> > at
> >
> org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
> > at
> org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
> > at
> >
> org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
> > at
> >
> org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
> > at
> >
> org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
> > at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
> > at
> >
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
> > at
> org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)
> > at
> >
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> > at
> >
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
> > at
> >
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
> > at
> >
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
> > at
> >
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
> > at
> >
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> > at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
> > at
> >
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> > at
> >
> org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
> > at
> >
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)
> > at
> >
> org.apache.nifi.web.security.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)
> > at
> >
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> > at
> org.apache.nifi.web.server.JettyServer$2.doFilter(JettyServer.java:1048)
> > at
> >
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> > at
> >
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
> > at
> >
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
> > at
> >
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
> > at
> >
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> > at
> >
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
> > at
> >
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
> > at
> >
> org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
> > at
> >
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)
> > at
> >
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
> > at
> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
> > at
> >
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
> > at
> >
> org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
> > at
> >
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)
> > at
> >
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
> > at
> >
> org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
> > at
> >
> org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:724)
> > at
> org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
> > at
> >
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> > at org.eclipse.jetty.server.Server.handle(Server.java:531)
> > at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
> > at
> >
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
> > at
> > org.eclipse.jetty.io
> .AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
> > at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
> > at
> org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:291)
> > at
> >
> org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:151)
> > at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
> > at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
> > at
> >
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
> > at
> >
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
> > at
> >
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
> > at
> >
> org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
> > at
> >
> org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
> > at
> >
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)
> > at
> >
> org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)
> > at java.lang.Thread.run(Thread.java:748)
> > Caused by:
> >
> org.apache.nifi.authentication.exception.InvalidLoginCredentialsException:
> > Kerberos authentication failed
> > at
> >
> org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:93)
> > at
> >
> org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:314)
> > at
> >
> org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:728)
> > ... 78 common frames omitted
> > Caused by:
> > org.springframework.security.authentication.BadCredentialsException:
> > Kerberos authentication failed
> > at
> >
> org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:66)
> > at
> >
> org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider.authenticate(KerberosAuthenticationProvider.java:40)
> > at
> >
> org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:87)
> > ... 80 common frames omitted
> > Caused by: javax.security.auth.login.LoginException: Message stream
> > modified (41)
> > at
> >
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
> > at
> >
> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> > at
> javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> > at java.security.AccessController.doPrivileged(Native Method)
> > at
> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> > at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> > at
> >
> org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:59)
> > ... 82 common frames omitted
> > Caused by: sun.security.krb5.internal.KrbApErrException: Message stream
> > modified (41)
> > at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:101)
> > at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
> > at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
> > at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
> > at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
> > at
> >
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:770)
> > ... 95 common frames omitted
> >
> > On Wed, Mar 31, 2021 at 4:44 PM Derek Richardson <dj...@gmail.com>
> wrote:
> >
> > > Correct.
> > >
> > > # kinit admin@MY.REALM
> > > Password for admin@MY.REALM:
> > >
> > > # klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: admin@MY.REALM
> > >
> > > Valid starting       Expires              Service principal
> > > 03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM
> > >
> > > On Wed, Mar 31, 2021, 1:13 PM Bryan Bende <bb...@gmail.com> wrote:
> > >
> > >> So from a terminal on the nifi server, you can run "kinit
> > >> admin@MY.REALM" and enter the password and it works, and this same
> > >> principal and password entered into NiFi's login screen does not work?
> > >>
> > >> On Wed, Mar 31, 2021 at 2:19 PM Derek Richardson <dj...@gmail.com>
> > >> wrote:
> > >> >
> > >> > I'm working on transitioning a nifi instance we deploy with
> Kerberos and
> > >> > I'm having some trouble authenticating. Everything looks correct,
> but
> > >> when
> > >> > I try to log in with any of my created users, I get an error
> message:
> > >> >
> > >> > The supplied username and password are not valid.
> > >> >
> > >> > Everything on nifi without https was working, and everything I've
> > >> created
> > >> > on the Kerberos side looks and works as expected, I just haven't
> been
> > >> able
> > >> > to get a user to log in to the Nifi UI.
> > >> >
> > >> > Here are some of my config files, is there anything I'm missing or
> have
> > >> > incorrect?
> > >> >
> > >> > ---------------------------
> > >> >
> > >> > Authorizers.xml:
> > >> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > >> > <authorizers>
> > >> >     <userGroupProvider>
> > >> >         <identifier>file-user-group-provider</identifier>
> > >> >
> > >>  <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
> > >> >         <property name="Users File">./conf/users.xml</property>
> > >> >         <property name="Legacy Authorized Users File"></property>
> > >> >
> > >> >         <property name="Initial User Identity 1"></property>
> > >> >     </userGroupProvider>
> > >> >
> > >> >     <accessPolicyProvider>
> > >> >         <identifier>file-access-policy-provider</identifier>
> > >> >
> > >> >
> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> > >> >         <property name="User Group
> > >> > Provider">file-user-group-provider</property>
> > >> >         <property name="Authorizations
> > >> > File">./conf/authorizations.xml</property>
> > >> >         <property name="Initial Admin Identity">admin@MY.REALM
> > >> </property>
> > >> >         <property name="Legacy Authorized Users File"></property>
> > >> >         <property name="Node Identity 1"></property>
> > >> >         <property name="Node Group"></property>
> > >> >     </accessPolicyProvider>
> > >> >
> > >> >     <authorizer>
> > >> >         <identifier>managed-authorizer</identifier>
> > >> >
> > >> >
> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
> > >> >         <property name="Access Policy
> > >> > Provider">file-access-policy-provider</property>
> > >> >     </authorizer>
> > >> >
> > >> >     <authorizer>
> > >> >         <identifier>file-provider</identifier>
> > >> >         <class>org.apache.nifi.authorization.FileAuthorizer</class>
> > >> >         <property name="Authorizations
> > >> > File">./conf/authorizations.xml</property>
> > >> >         <property name="Users File">./conf/users.xml</property>
> > >> >         <property name="Initial Admin Identity">admin@MY.REALM
> > >> </property>
> > >> >         <property name="Legacy Authorized Users File"></property>
> > >> >
> > >> >         <property name="Node Identity 1"></property>
> > >> >     </authorizer>
> > >> > </authorizers>
> > >> >
> > >> > -------------------------------------
> > >> >
> > >> > Relevant nifi.properties:
> > >> > nifi.security.user.authorizer=file-provider
> > >> > nifi.security.user.login.identity.provider=kerberos-provider
> > >> > # kerberos #
> > >> > nifi.kerberos.krb5.file= /etc/krb5.conf
> > >> > nifi.kerberos.service.principal=admin@MY.REALM
> > >> > nifi.kerberos.service.keytab.location=/etc/kadm5.keytab
> > >> >
> > >> > -------------------------------------
> > >> >
> > >> > Login-identity-provider.xml
> > >> > <loginIdentityProviders>
> > >> >     <provider>
> > >> >         <identifier>kerberos-provider</identifier>
> > >> >         <class>org.apache.nifi.kerberos.KerberosProvider</class>
> > >> >         <property name="Default Realm">MY.REALM</property>
> > >> >         <property name="Authentication Expiration">12
> hours</property>
> > >> >     </provider>
> > >> > </loginIdentityProviders>
> > >> >
> > >> > ---------------------------------------
> > >> >
> > >> > /etc/krb5.conf:
> > >> > [logging]
> > >> >  default = FILE:/var/log/krb5libs.log
> > >> >  kdc = FILE:/var/log/krb5kdc.log
> > >> >  admin_server = FILE:/var/log/kadmind.log
> > >> >
> > >> > [libdefaults]
> > >> >  ticket_lifetime = 24h
> > >> >  renew_lifetime = 7d
> > >> >  forwardable = true
> > >> >  default_realm = MY.REALM
> > >> >
> > >> > [realms]
> > >> >  RO.INTERNAL = {
> > >> >   kdc = nifi-djr5.ro.internal:88
> > >> >   admin_server = nifi-djr5.my.realm:749
> > >> >   default_domain = my.realm
> > >> >  }
> > >> >
> > >> > [domain_realm]
> > >> >  .my.realm = MY.REALM
> > >> >  my.realm = MY.REALM
> > >> >
> > >> > [kdc]
> > >> >  profile = /var/kerberos/krb5kdc/kdc.conf
> > >> >
> > >> > -------------------------------------------
> > >> >
> > >> > Any help would be greatly appreciated!
> > >>
> > >
>

Re: Nifi authentication through Kerberos issues

Posted by Bryan Bende <bb...@gmail.com>.
The important part is:

Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)

The code that produces this exception looks like this:

// Reply to a renewable request should be renewable, but if request does
// not contain renewable, KDC is free to issue a renewable ticket (for
// example, if ticket_lifetime is too big).
if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
        !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
    throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
}

From googling, a possible solution here:
https://bugs.centos.org/view.php?id=17000

On Wed, Mar 31, 2021 at 6:57 PM Derek Richardson <dj...@gmail.com> wrote:
>
> It doesn't look like anything to me, but here's the stacktrace for when
> logback.xml has all of the user_file stuff in debug mode:
>
> 2021-03-31 22:54:13,670 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
> 2021-03-31 22:54:13,672 DEBUG [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper
> java.lang.IllegalArgumentException: The supplied username and password are not valid.
> at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:734)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
> at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
> at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
> at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
> at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
> at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
> at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
> at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
> at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
> at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
> at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
> at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
> at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
> at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
> at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
> at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
> at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
> at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
> at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
> at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
> at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
> at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
> at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
> at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)
> at org.apache.nifi.web.security.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> at org.apache.nifi.web.server.JettyServer$2.doFilter(JettyServer.java:1048)
> at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
> at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)
> at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
> at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
> at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
> at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:724)
> at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> at org.eclipse.jetty.server.Server.handle(Server.java:531)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
> at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
> at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:291)
> at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:151)
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
> at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
> at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: org.apache.nifi.authentication.exception.InvalidLoginCredentialsException: Kerberos authentication failed
> at org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:93)
> at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:314)
> at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:728)
> ... 78 common frames omitted
> Caused by: org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
> at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:66)
> at org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider.authenticate(KerberosAuthenticationProvider.java:40)
> at org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:87)
> ... 80 common frames omitted
> Caused by: javax.security.auth.login.LoginException: Message stream modified (41)
> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
> at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:59)
> ... 82 common frames omitted
> Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
> at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:101)
> at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
> at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
> at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
> at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:770)
> ... 95 common frames omitted
>
> On Wed, Mar 31, 2021 at 4:44 PM Derek Richardson <dj...@gmail.com> wrote:
>
> > Correct.
> >
> > # kinit admin@MY.REALM
> > Password for admin@MY.REALM:
> >
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin@MY.REALM
> >
> > Valid starting       Expires              Service principal
> > 03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM
> >
> > On Wed, Mar 31, 2021, 1:13 PM Bryan Bende <bb...@gmail.com> wrote:
> >
> >> So from a terminal on the nifi server, you can run "kinit
> >> admin@MY.REALM" and enter the password and it works, and this same
> >> principal and password entered into NiFi's login screen does not work?

Re: Nifi authentication through Kerberos issues

Posted by Derek Richardson <dj...@gmail.com>.
It doesn't look like anything to me, but here's the stacktrace for when
logback.xml has all of the user_file stuff in debug mode:

2021-03-31 22:54:13,670 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
2021-03-31 22:54:13,672 DEBUG [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.
at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:734)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:200)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)
at org.apache.nifi.web.security.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.apache.nifi.web.server.JettyServer$2.doFilter(JettyServer.java:1048)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:724)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:531)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:291)
at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:151)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.nifi.authentication.exception.InvalidLoginCredentialsException: Kerberos authentication failed
at org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:93)
at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:314)
at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:728)
... 78 common frames omitted
Caused by: org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:66)
at org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider.authenticate(KerberosAuthenticationProvider.java:40)
at org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:87)
... 80 common frames omitted
Caused by: javax.security.auth.login.LoginException: Message stream modified (41)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:59)
... 82 common frames omitted
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:101)
at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:770)
... 95 common frames omitted

On Wed, Mar 31, 2021 at 4:44 PM Derek Richardson <dj...@gmail.com> wrote:

> Correct.
>
> # kinit admin@MY.REALM
> Password for admin@MY.REALM:
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@MY.REALM
>
> Valid starting       Expires              Service principal
> 03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM
>
> On Wed, Mar 31, 2021, 1:13 PM Bryan Bende <bb...@gmail.com> wrote:
>
>> So from a terminal on the nifi server, you can run "kinit
>> admin@MY.REALM" and enter the password and it works, and this same
>> principal and password entered into NiFi's login screen does not work?

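A way to cross-check the /etc/krb5.conf quoted in the original post, as an added example that is not code from this thread, from NiFi, from Spring Security Kerberos or from MIT Kerberos: a small parser for the file's `[section]`, `key = value` and `NAME = { ... }` layout, plus a check that every realm the file refers to (default_realm and the [domain_realm] targets) has a matching [realms] stanza. The thread's file is embedded as sample input; the second copy with the stanza renamed is constructed for contrast only and is not a statement about what resolved the login failure. The function names are this example's own assumptions.

```python
"""Consistency checks for an MIT-style krb5.conf (added example, not project code)."""
import re
from typing import Dict, List, Optional

# Sample input copied from the krb5.conf quoted in the thread.
THREAD_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = MY.REALM

[realms]
 RO.INTERNAL = {
  kdc = nifi-djr5.ro.internal:88
  admin_server = nifi-djr5.my.realm:749
  default_domain = my.realm
 }

[domain_realm]
 .my.realm = MY.REALM
 my.realm = MY.REALM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
"""

# Constructed variant for contrast: the same file with the [realms] stanza named
# after default_realm. Only the stanza name differs; this is not a claim about
# what fixed the thread's login problem.
CONSISTENT_KRB5_CONF = THREAD_KRB5_CONF.replace(" RO.INTERNAL = {", " MY.REALM = {")

Section = Dict[str, object]  # str values, or a nested dict for "NAME = { ... }" groups


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Parse krb5.conf into {section: {key: value-or-subsection}}.

    Handles plain 'key = value' lines and 'NAME = { ... }' groups (used in
    [realms]). Comment lines (# or ;) are skipped. A later duplicate key
    overwrites an earlier one, which is enough for a linter.
    """
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    group: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            group = None
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            group = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            group = {}
            current[key] = group
        elif group is not None:
            group[key] = value
        else:
            current[key] = value
    return sections


def check_realms(conf: Dict[str, Section]) -> List[str]:
    """Return findings about realm references; an empty list means consistent."""
    findings: List[str] = []
    realms = conf.get("realms", {})
    defined = set(realms)
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in defined:
        present = ", ".join(sorted(defined)) or "none"
        findings.append(f"default_realm {default_realm} has no [realms] stanza (stanzas present: {present})")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in defined:
            findings.append(f"[domain_realm] maps {domain} to {realm}, which has no [realms] stanza")
    for realm, props in realms.items():
        if not isinstance(props, dict) or "kdc" not in props:
            findings.append(f"[realms] stanza {realm} lists no kdc")
        if realm != realm.upper():
            findings.append(f"realm name {realm} is not upper-case; realm names are case-sensitive")
    return findings


def finding_counts() -> Dict[str, int]:
    """Number of findings per sample file, for the usage below and for testing."""
    samples = {"thread": THREAD_KRB5_CONF, "consistent": CONSISTENT_KRB5_CONF}
    return {label: len(check_realms(parse_krb5_conf(text))) for label, text in samples.items()}


if __name__ == "__main__":
    for label, text in (("thread", THREAD_KRB5_CONF), ("consistent", CONSISTENT_KRB5_CONF)):
        findings = check_realms(parse_krb5_conf(text))
        print(f"{label}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run against the thread's file it reports three findings, all of the same kind: default_realm and both [domain_realm] entries name MY.REALM, while the only [realms] stanza is RO.INTERNAL. The renamed copy produces none. The check says nothing about passwords, keytabs or the KDC itself; it is the file-level sanity pass to run before reading the Java trace further.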
Re: Nifi authentication through Kerberos issues

Posted by Derek Richardson <dj...@gmail.com>.
Correct.

# kinit admin@MY.REALM
Password for admin@MY.REALM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@MY.REALM

Valid starting       Expires              Service principal
03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM

On Wed, Mar 31, 2021, 1:13 PM Bryan Bende <bb...@gmail.com> wrote:

> So from a terminal on the nifi server, you can run "kinit
> admin@MY.REALM" and enter the password and it works, and this same
> principal and password entered into NiFi's login screen does not work?

Re: Nifi authentication through Kerberos issues

Posted by Bryan Bende <bb...@gmail.com>.
So from a terminal on the nifi server, you can run "kinit
admin@MY.REALM" and enter the password and it works, and this same
principal and password entered into NiFi's login screen does not work?
