nifi-dev mailing list archives

From Ricky Saltzer <ri...@cloudera.com>
Subject Re: Trouble with the LDAP Authentication Provider
Date Mon, 16 May 2016 22:30:11 GMT
Ah I believe I've figured it out. It appears I was getting confused by the
difference between authority-providers and the login-identity-providers as
they have identical stanzas. The solution was to add the provider to the
login-identity-providers.xml.

Thanks so much for your sample configs, Andy!

On Sun, May 15, 2016 at 7:43 PM, Andy LoPresto <alopresto@apache.org> wrote:

> Hi Ricky,
>
> I checked out nifi-0.6.1 and built on my system, then deployed with a
> Kerberos configuration and a KDC running in Vagrant and everything worked
> fine. Was able to run kinit on the command line of the client machine, and
> then opening Safari established a session using my Kerberos principal
> immediately. I looked at your app log, and it appears it might be a file
> permission/existence issue. I admit the error could be more helpful — it’s
> unclear as to whether it’s an IO problem or an XML problem or a Spring
> problem. Can you please verify that the authority-providers.xml file exists
> in the correct location, has the correct access permissions, and is
> well-formed XML? I’ve published my nifi.properties [1],
> authority-providers.xml [2], authorized-users.xml [3], and
> login-identity-provider.xml [4] files as gists as well for comparison.
>
> In the nifi.properties, note lines 142 & 143, as they define the
> references to the authority and login identity providers, and lines 187 &
> 189, as they define the Kerberos properties.
>
> From your nifi-app.log:
>
> 2016-05-12 14:14:04,468 ERROR [main] o.s.web.context.ContextLoader Context
> initialization failed
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'niFiWebApiSecurityConfiguration': Injection of autowired
> dependencies failed; nested exception is
> org.springframework.beans.factory.BeanCreationException: Could not autowire
> method: public void
> org.apache.nifi.web.NiFiWebApiSecurityConfiguration.setUserDetailsService(org.springframework.security.core.userdetails.AuthenticationUserDetailsService);
> nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'userDetailsService' defined in class path resource
> [nifi-web-security-context.xml]: Cannot resolve reference to bean
> 'userService' while setting bean property 'userService'; nested exception
> is org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'userService' defined in class path resource
> [nifi-administration-context.xml]: Cannot resolve reference to bean
> 'userTransactionBuilder' while setting bean property 'transactionBuilder';
> nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'userTransactionBuilder' defined in class path resource
> [nifi-administration-context.xml]: Cannot resolve reference to bean
> 'authorityProvider' while setting bean property 'authorityProvider'; nested
> exception is org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'authorityProvider': FactoryBean threw exception on
> object creation; *nested exception is java.lang.Exception: Unable to load
> the authority provider configuration file at:
> /private/tmp/nifi-0.6.1/./conf/authority-providers.xml*
>
> [1] https://gist.github.com/alopresto/dfad48f55780fee3d0d62b7a0169f2d7
> [2] https://gist.github.com/alopresto/b3bd36676ff72351e641df6869bc1b84
> [3] https://gist.github.com/alopresto/e6bca539876fe4324f49e4996f41c91a
> [4] https://gist.github.com/alopresto/06938e4d0ccdf2168fe0fc6158780a56
>
> Andy LoPresto
> alopresto@apache.org
> *alopresto.apache@gmail.com <alopresto.apache@gmail.com>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On May 13, 2016, at 4:05 PM, Ricky Saltzer <ricky@cloudera.com> wrote:
>
> Right on! I appreciate you helping out. Have a good weekend!
>
> On Fri, May 13, 2016 at 3:59 PM, Andy LoPresto <alopresto@apache.org>
> wrote:
>
> Thanks Ricky. I’ll set up a demo environment with 0.6.1 and LDAP/Kerberos
> authentication
> locally and see if I can reproduce. Probably get back to you Monday?
>
> Andy LoPresto
> alopresto@apache.org
> *alopresto.apache@gmail.com <alopresto.apache@gmail.com>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On May 13, 2016, at 1:47 PM, Ricky Saltzer <ricky@cloudera.com> wrote:
>
> Hey Andy -
>
> The full log file, nifi.properties, and authority-providers in the
> following gists. Obviously I've replaced some values in the
> authority-providers with fake data for security reasons.
>
> *Log:*
>
>
> https://gist.githubusercontent.com/rickysaltzer/a645f18a4b3d8bacd16d57cd093f8997/raw/08f78789b66a4d7094629699af7f408870b2c0da/gistfile1.txt
>
> *Authority: *
>
>
> https://gist.githubusercontent.com/rickysaltzer/b6db60311ea9e3abb94ac183e1c02a59/raw/a75b348ea9515acf0d7bbe0a936972c9b6cb38fe/gistfile1.txt
>
> *Properties:*
>
>
> https://gist.githubusercontent.com/rickysaltzer/3b29f430d0d1b6361a7ff097e8fcea6a/raw/28bb328fc01ed5256b41bfb324341c083f6fa354/gistfile1.txt
>
> On Fri, May 13, 2016 at 10:55 AM, Andy LoPresto <alopresto@apache.org>
> wrote:
>
> Hi Ricky,
>
> Can you provide the contents of logs/nifi-app.log as well to see if there
> is anything relevant to this exception? The code where this is failing
> attempts to deserialize the XML into one of a number of classes
> implementing the AuthorityProvider interface via the factory. Are you sure
> the XML is valid and complete, and that the provider identifier is also
> specified in nifi.properties?
>
> Andy LoPresto
> alopresto@apache.org
> *alopresto.apache@gmail.com <alopresto.apache@gmail.com>*
>
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On May 12, 2016, at 2:26 PM, Ricky Saltzer <ricky@cloudera.com> wrote:
>
> Using the following provider on 0.6.1, I'm faced with a ClassCastException.
> It might also be worth noting that I face the same exception when
> attempting to use the KerberosProvider option.
>
> *Provider:*
> <provider>
>  <identifier>ldap-provider</identifier>
>  <class>org.apache.nifi.ldap.LdapProvider</class>
>  <property name="Authentication Strategy">SIMPLE</property>
>
>  <property name="Manager DN">dethklok\toki</property>
>  <property name="Manager Password">bananasticker</property>
>
>  <property name="TLS - Keystore"></property>
>  <property name="TLS - Keystore Password"></property>
>  <property name="TLS - Keystore Type"></property>
>  <property name="TLS - Truststore"></property>
>  <property name="TLS - Truststore Password"></property>
>  <property name="TLS - Truststore Type"></property>
>  <property name="TLS - Client Auth"></property>
>  <property name="TLS - Protocol"></property>
>  <property name="TLS - Shutdown Gracefully"></property>
>
>  <property name="Referral Strategy">FOLLOW</property>
>  <property name="Connect Timeout">10 secs</property>
>  <property name="Read Timeout">10 secs</property>
>
>  <property name="Url">ldap://ldap.metalocalypse.com</property>
>  <property name="User Search Base">CN=Users,DC=metalocalypse,DC=local</property>
>  <property name="User Search Filter">foo</property>
>
>  <property name="Authentication Expiration">12 hours</property>
> </provider>
>
> *Exception:*
> Caused by: java.lang.ClassCastException: class org.apache.nifi.ldap.LdapProvider
>      at java.lang.Class.asSubclass(Class.java:3208) ~[na:1.7.0_79]
>      at org.apache.nifi.authorization.AuthorityProviderFactoryBean.createAuthorityProvider(AuthorityProviderFactoryBean.java:173) ~[na:na]
>      at org.apache.nifi.authorization.AuthorityProviderFactoryBean.getObject(AuthorityProviderFactoryBean.java:111) ~[na:na]
>      at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[na:na]
>      ... 75 common frames omitted
>
>
>
>
>
> --
> Ricky Saltzer
> http://www.cloudera.com
>
>
>
>
>
> --
> Ricky Saltzer
> http://www.cloudera.com
>
>
>


-- 
Ricky Saltzer
http://www.cloudera.com
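
Added example, not part of the original thread and not NiFi's own code: a pre-start check for the mix-up resolved above, flagging an LdapProvider or KerberosProvider stanza placed in authority-providers.xml and any provider identifier in nifi.properties that the matching file does not define. The sample XML, the placeholder class `com.example.SomeAuthorityProvider`, and the function names are constructed; the two property keys are assumed to be the NiFi 0.x names.

```python
import xml.etree.ElementTree as ET

# Simple class names the thread identifies as login identity providers.
LOGIN_PROVIDER_CLASSES = {"LdapProvider", "KerberosProvider"}

# nifi.properties key (assumed NiFi 0.x names) -> providers file it refers to.
PROPERTY_TO_FILE = {
    "nifi.security.user.authority.provider": "authority",
    "nifi.security.user.login.identity.provider": "login",
}

def providers(xml_text):
    """Return {identifier: class} per <provider>; raises ParseError if malformed."""
    root = ET.fromstring(xml_text)
    return {p.findtext("identifier", "").strip(): p.findtext("class", "").strip()
            for p in root.iter("provider")}

def check(authority_xml, login_xml, properties_text):
    """List misplaced provider stanzas and dangling identifier references."""
    found = {"authority": providers(authority_xml), "login": providers(login_xml)}
    problems = []
    for ident, cls in found["authority"].items():
        if cls.rsplit(".", 1)[-1] in LOGIN_PROVIDER_CLASSES:
            problems.append(f"{ident}: {cls} is a login identity provider; "
                            "move it to login-identity-providers.xml")
    for line in properties_text.splitlines():
        key, _, value = line.partition("=")
        kind = PROPERTY_TO_FILE.get(key.strip())
        if kind and value.strip() and value.strip() not in found[kind]:
            problems.append(f"{key.strip()}={value.strip()} is not defined "
                            f"in the {kind} providers file")
    return problems

# Constructed sample input mirroring the misconfiguration in the thread.
AUTHORITY_XML = """<authorityProviders>
  <provider><identifier>file-provider</identifier>
    <class>com.example.SomeAuthorityProvider</class></provider>
  <provider><identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class></provider>
</authorityProviders>"""
LOGIN_XML = "<loginIdentityProviders/>"
PROPERTIES = """nifi.security.user.authority.provider=file-provider
nifi.security.user.login.identity.provider=ldap-provider"""

if __name__ == "__main__":
    for problem in check(AUTHORITY_XML, LOGIN_XML, PROPERTIES):
        print(problem)
```

A malformed file surfaces as `xml.etree.ElementTree.ParseError`, which separates the "is it well-formed XML" question from the placement problem.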
