Problem setting up secure cluster

[Joe Skora <js...@gmail.com>]

I'm trying to setup a small ncm+2 node cluster all running locally.  I'm
replicating a configuration I setup on another system, but I don't have
access to the working original at the moment.

The NCM and node1 come up without any noticeable problems, but when I try
to access the NCM web UI I get this exception and the GUI says no nodes
were available to process the request.

2016-07-01 16:53:37,436 WARN [NiFi Web Server-58]
> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
> [id=632514f6-036f-4025-8775-819ed5210804, apiAddress=localhost,
> apiPort=8180, socketAddress=localhost, socketPort=8198,
> siteToSiteAddress=localhost, siteToSitePort=8190] encountered exception:
> java.util.concurrent.ExecutionException:
> com.sun.jersey.api.client.ClientHandlerException: java.io.IOException:
> HTTPS hostname wrong:  should be <localhost>


The NCM appears to be receiving heartbeats from the clients.

Any idea what I might have configured wrong from that?

Re: Problem setting up secure cluster

[Joe Skora <js...@gmail.com>]

Lol, I'm a recent 0.x checkout, so that is probably the problem.

On the upside, I'll be able to help test the patch.   ;-)

On Jul 2, 2016 2:30 PM, "Matt Gilman" <ma...@gmail.com> wrote:

> No worries, you shouldn't need to add the NCM as a proxy. The issue you're
> describing is one of the bugs identified in the 0.7.0 RC1 [1]. By chance,
> are you running that version?
>
> [1] https://issues.apache.org/jira/browse/NIFI-2119
>
> On Fri, Jul 1, 2016 at 10:29 PM, Joe Skora <js...@gmail.com> wrote:
>
>> Matt,
>>
>> I saw this in the nifi-user log on the nodes, not the NCM.
>> *... INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter
>> Attempting request for (<CN=localhost, C=US>) GET
>> https://localhost:8080/nifi-api/controller/config
>> <https://localhost:8080/nifi-api/controller/config> (source ip: 127.0.0.1)*
>> *... INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter
>> Rejecting access to web api: Unable to verify access for CN=localhost,
>> C=US.*
>>
>> Based on that, I got it working by adding the server DN to the NCM
>> conf/authorized-users.xml with ROLE_PROXY.  I'm pretty sure I did not have
>> to do that on the other box where setup a local test cluster, but I can't
>> check that for a couple days.
>>
>> Thanks for your help!
>>
>> Joe
>>
>>
>>
>> On Fri, Jul 1, 2016 at 6:19 PM, Matt Gilman <ma...@gmail.com>
>> wrote:
>>
>>> Joe,
>>>
>>> Can you provide any more details? The logs/nifi-user.log should be
>>> logging each request. Are they any additional details in there?
>>>
>>> Matt
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 1, 2016, at 5:43 PM, Joe Skora <js...@gmail.com> wrote:
>>>
>>> Ok, that was a certificate hostname problem.
>>>
>>> Now, when I connect to the NCM login page it says "Your account is
>>> active and you are already logged in." but hitting the web UI give "Not
>>> authorized."
>>>
>>> On Fri, Jul 1, 2016 at 4:59 PM, Joe Skora <js...@gmail.com> wrote:
>>>
>>>> I'm trying to setup a small ncm+2 node cluster all running locally.
>>>> I'm replicating a configuration I setup on another system, but I don't have
>>>> access to the working original at the moment.
>>>>
>>>> The NCM and node1 come up without any noticeable problems, but when I
>>>> try to access the NCM web UI I get this exception and the GUI says no nodes
>>>> were available to process the request.
>>>>
>>>> 2016-07-01 16:53:37,436 WARN [NiFi Web Server-58]
>>>>> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
>>>>> [id=632514f6-036f-4025-8775-819ed5210804, apiAddress=localhost,
>>>>> apiPort=8180, socketAddress=localhost, socketPort=8198,
>>>>> siteToSiteAddress=localhost, siteToSitePort=8190] encountered exception:
>>>>> java.util.concurrent.ExecutionException:
>>>>> com.sun.jersey.api.client.ClientHandlerException: java.io.IOException:
>>>>> HTTPS hostname wrong:  should be <localhost>
>>>>
>>>>
>>>> The NCM appears to be receiving heartbeats from the clients.
>>>>
>>>> Any idea what I might have configured wrong from that?
>>>>
>>>
>>>
>>
>

Re: Problem setting up secure cluster

[Matt Gilman <ma...@gmail.com>]

No worries, you shouldn't need to add the NCM as a proxy. The issue you're
describing is one of the bugs identified in the 0.7.0 RC1 [1]. By chance,
are you running that version?

[1] https://issues.apache.org/jira/browse/NIFI-2119

On Fri, Jul 1, 2016 at 10:29 PM, Joe Skora <js...@gmail.com> wrote:

> Matt,
>
> I saw this in the nifi-user log on the nodes, not the NCM.
> *... INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter
> Attempting request for (<CN=localhost, C=US>) GET
> https://localhost:8080/nifi-api/controller/config
> <https://localhost:8080/nifi-api/controller/config> (source ip: 127.0.0.1)*
> *... INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter
> Rejecting access to web api: Unable to verify access for CN=localhost,
> C=US.*
>
> Based on that, I got it working by adding the server DN to the NCM
> conf/authorized-users.xml with ROLE_PROXY.  I'm pretty sure I did not have
> to do that on the other box where setup a local test cluster, but I can't
> check that for a couple days.
>
> Thanks for your help!
>
> Joe
>
>
>
> On Fri, Jul 1, 2016 at 6:19 PM, Matt Gilman <ma...@gmail.com>
> wrote:
>
>> Joe,
>>
>> Can you provide any more details? The logs/nifi-user.log should be
>> logging each request. Are they any additional details in there?
>>
>> Matt
>>
>> Sent from my iPhone
>>
>> On Jul 1, 2016, at 5:43 PM, Joe Skora <js...@gmail.com> wrote:
>>
>> Ok, that was a certificate hostname problem.
>>
>> Now, when I connect to the NCM login page it says "Your account is active
>> and you are already logged in." but hitting the web UI give "Not
>> authorized."
>>
>> On Fri, Jul 1, 2016 at 4:59 PM, Joe Skora <js...@gmail.com> wrote:
>>
>>> I'm trying to setup a small ncm+2 node cluster all running locally.  I'm
>>> replicating a configuration I setup on another system, but I don't have
>>> access to the working original at the moment.
>>>
>>> The NCM and node1 come up without any noticeable problems, but when I
>>> try to access the NCM web UI I get this exception and the GUI says no nodes
>>> were available to process the request.
>>>
>>> 2016-07-01 16:53:37,436 WARN [NiFi Web Server-58]
>>>> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
>>>> [id=632514f6-036f-4025-8775-819ed5210804, apiAddress=localhost,
>>>> apiPort=8180, socketAddress=localhost, socketPort=8198,
>>>> siteToSiteAddress=localhost, siteToSitePort=8190] encountered exception:
>>>> java.util.concurrent.ExecutionException:
>>>> com.sun.jersey.api.client.ClientHandlerException: java.io.IOException:
>>>> HTTPS hostname wrong:  should be <localhost>
>>>
>>>
>>> The NCM appears to be receiving heartbeats from the clients.
>>>
>>> Any idea what I might have configured wrong from that?
>>>
>>
>>
>

Re: Problem setting up secure cluster

[Joe Skora <js...@gmail.com>]

Matt,

I saw this in the nifi-user log on the nodes, not the NCM.
*... INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter
Attempting request for (<CN=localhost, C=US>) GET
https://localhost:8080/nifi-api/controller/config
<https://localhost:8080/nifi-api/controller/config> (source ip: 127.0.0.1)*
*... INFO [NiFi Web Server-23] o.a.n.w.s.NiFiAuthenticationFilter Rejecting
access to web api: Unable to verify access for CN=localhost, C=US.*

Based on that, I got it working by adding the server DN to the NCM
conf/authorized-users.xml with ROLE_PROXY.  I'm pretty sure I did not have
to do that on the other box where setup a local test cluster, but I can't
check that for a couple days.

Thanks for your help!

Joe



On Fri, Jul 1, 2016 at 6:19 PM, Matt Gilman <ma...@gmail.com> wrote:

> Joe,
>
> Can you provide any more details? The logs/nifi-user.log should be logging
> each request. Are they any additional details in there?
>
> Matt
>
> Sent from my iPhone
>
> On Jul 1, 2016, at 5:43 PM, Joe Skora <js...@gmail.com> wrote:
>
> Ok, that was a certificate hostname problem.
>
> Now, when I connect to the NCM login page it says "Your account is active
> and you are already logged in." but hitting the web UI give "Not
> authorized."
>
> On Fri, Jul 1, 2016 at 4:59 PM, Joe Skora <js...@gmail.com> wrote:
>
>> I'm trying to setup a small ncm+2 node cluster all running locally.  I'm
>> replicating a configuration I setup on another system, but I don't have
>> access to the working original at the moment.
>>
>> The NCM and node1 come up without any noticeable problems, but when I try
>> to access the NCM web UI I get this exception and the GUI says no nodes
>> were available to process the request.
>>
>> 2016-07-01 16:53:37,436 WARN [NiFi Web Server-58]
>>> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
>>> [id=632514f6-036f-4025-8775-819ed5210804, apiAddress=localhost,
>>> apiPort=8180, socketAddress=localhost, socketPort=8198,
>>> siteToSiteAddress=localhost, siteToSitePort=8190] encountered exception:
>>> java.util.concurrent.ExecutionException:
>>> com.sun.jersey.api.client.ClientHandlerException: java.io.IOException:
>>> HTTPS hostname wrong:  should be <localhost>
>>
>>
>> The NCM appears to be receiving heartbeats from the clients.
>>
>> Any idea what I might have configured wrong from that?
>>
>
>

Re: Problem setting up secure cluster

[Matt Gilman <ma...@gmail.com>]

Joe,

Can you provide any more details? The logs/nifi-user.log should be logging each request. Are they any additional details in there?

Matt

Sent from my iPhone

> On Jul 1, 2016, at 5:43 PM, Joe Skora <js...@gmail.com> wrote:
> 
> Ok, that was a certificate hostname problem.
> 
> Now, when I connect to the NCM login page it says "Your account is active and you are already logged in." but hitting the web UI give "Not authorized."
> 
>> On Fri, Jul 1, 2016 at 4:59 PM, Joe Skora <js...@gmail.com> wrote:
>> I'm trying to setup a small ncm+2 node cluster all running locally.  I'm replicating a configuration I setup on another system, but I don't have access to the working original at the moment.
>> 
>> The NCM and node1 come up without any noticeable problems, but when I try to access the NCM web UI I get this exception and the GUI says no nodes were available to process the request.
>> 
>>> 2016-07-01 16:53:37,436 WARN [NiFi Web Server-58] o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for [id=632514f6-036f-4025-8775-819ed5210804, apiAddress=localhost, apiPort=8180, socketAddress=localhost, socketPort=8198, siteToSiteAddress=localhost, siteToSitePort=8190] encountered exception: java.util.concurrent.ExecutionException: com.sun.jersey.api.client.ClientHandlerException: java.io.IOException: HTTPS hostname wrong:  should be <localhost>
>> 
>> 
>> The NCM appears to be receiving heartbeats from the clients.
>> 
>> Any idea what I might have configured wrong from that?
> 

Re: Problem setting up secure cluster

[Joe Skora <js...@gmail.com>]

Ok, that was a certificate hostname problem.

Now, when I connect to the NCM login page it says "Your account is active
and you are already logged in." but hitting the web UI give "Not
authorized."

On Fri, Jul 1, 2016 at 4:59 PM, Joe Skora <js...@gmail.com> wrote:

> I'm trying to setup a small ncm+2 node cluster all running locally.  I'm
> replicating a configuration I setup on another system, but I don't have
> access to the working original at the moment.
>
> The NCM and node1 come up without any noticeable problems, but when I try
> to access the NCM web UI I get this exception and the GUI says no nodes
> were available to process the request.
>
> 2016-07-01 16:53:37,436 WARN [NiFi Web Server-58]
>> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
>> [id=632514f6-036f-4025-8775-819ed5210804, apiAddress=localhost,
>> apiPort=8180, socketAddress=localhost, socketPort=8198,
>> siteToSiteAddress=localhost, siteToSitePort=8190] encountered exception:
>> java.util.concurrent.ExecutionException:
>> com.sun.jersey.api.client.ClientHandlerException: java.io.IOException:
>> HTTPS hostname wrong:  should be <localhost>
>
>
> The NCM appears to be receiving heartbeats from the clients.
>
> Any idea what I might have configured wrong from that?
>