nifi-dev mailing list archives

From Andy LoPresto <alopre...@apache.org>
Subject Re: setting up secure nifi
Date Thu, 01 Feb 2018 15:14:09 GMT
Hi Anil,

In addition to Bryan’s explanation, there are a number of blog posts and articles covering
this topic:

* Authorization and Multi-Tenancy by Bryan Bende [1]
* Secured Cluster Setup by Pierre Villard [2]
* TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
* Initial Admin Identity section of Apache NiFi Admin Guide [4]
* Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
* Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan Rosander [6]

The sequence “dc=example,dc=com” in your current user DN (Distinguished Name) is incorrect
and not present in the DN of the certificate. I imagine you copied this from an example posted
online. “dc=” is a sequence used in DNS to indicate “Domain Component” [7]. In your
case, “CN=TC,OU=NIFI” is the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com”
would be the parent DN. But when you generated the certificate, you did not provide this information,
so the DNs do not match, and NiFi correctly asserts that this is not a valid certificate identifying
the user DN you specified in your XML files. Removing “dc=example,dc=com” from that definition
as Bryan suggested will resolve your issue.

[1] https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
[2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/
[3] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#tls-generation-toolkit
[4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity
[5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
[6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/tls-toolkit-standalone-multi.html
[7] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Directory_structure

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jan 31, 2018, at 7:32 PM, Bryan Bende <bbende@gmail.com> wrote:
> 
> It’s the same problem, your initial admin should be:
> 
> CN=TC, OU=NIFI
> 
> Not
> 
> CN=TC,OU=NIFI,dc=example,dc=com
> 
> The first one is the DN of your client cert, the second one is not.
> 
> On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <anilrainifi@gmail.com> wrote:
> 
>> Hi Bryan,
>> 
>> Thanks for the quick reply. I did follow your steps. But I am seeing the
>> same error.
>> Now the entry looks like
>>        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,dc=com</property>
>> 
>> Also, what does dc stand for after CN and OU? Is that a problem?
>> Is there a blog that talks about installing and making it https using
>> toolkit? I did not find any good post that talks end to end from
>> installing to making it secure using tls toolkit.
>> 
>> Any help is appreciated.
>> 
>> Thanks
>> Anil
>> 
>> 
>> 
>> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <bbende@gmail.com> wrote:
>> 
>>> Hello,
>>> 
>>> The identity in authorizers.xml for your initial admin does not match the
>>> identity of your client cert.
>>> 
>>> You should be putting “CN=TC, OU=NIFI” as the initial admin because that is
>>> the DN of your client cert.
>>> 
>>> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
>>> authorizations.xml, and start back up.
>>> 
>>> Thanks,
>>> 
>>> Bryan
>>> 
>>> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <anilrainifi@gmail.com> wrote:
>>> 
>>>> All,
>>>> 
>>>> I am trying to install nifi 1.5 and make it https. Below are the steps I
>>>> followed and the error I am getting. Below is the config and log files
>>>> content. Please help
>>>> 
>>>> 1. Installed nifi 1.5
>>>> 2. Installed nifi toolkit 1.5
>>>> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
>>>> 'CN=TC,OU=NIFI' -O -o ../security_output
>>>> 4. Copied generated keystore, truststore and nifi properties to nifi/config
>>>> folder
>>>> 5. Imported the generated certificate to chrome browser
>>>> 6. Modified authorizers.xml as attached.
>>>> 7. With required restarts. Now when I enter the below url in the browser, I
>>>> see the below error.
>>>> 
>>>> https://localhost:9443/nifi/
>>>> 
>>>> Insufficient Permissions
>>>> 
>>>>   - home
>>>> 
>>>> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
>>>> administrator.
>>>> 
>>>> 
>>>> authorizers.xml
>>>> --------------------
>>>>    <userGroupProvider>
>>>>        <identifier>file-user-group-provider</identifier>
>>>>        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>>>>        <property name="Users File">./conf/users.xml</property>
>>>>        <property name="Legacy Authorized Users File"></property>
>>>> 
>>>>        <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>>>    </userGroupProvider>
>>>> 
>>>>    <accessPolicyProvider>
>>>>        <identifier>file-access-policy-provider</identifier>
>>>>        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>>>        <property name="User Group Provider">file-user-group-provider</property>
>>>>        <property name="Authorizations File">./conf/authorizations.xml</property>
>>>>        <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>>>        <property name="Legacy Authorized Users File"></property>
>>>> 
>>>>        <property name="Node Identity 1"></property>
>>>>    </accessPolicyProvider>
>>>> ------------------------
>>>> 
>>>> nifi-user.log
>>>> -----------------------
>>>> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
>>>> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
>>>> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/authorizations.xml
>>>> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: cn=TC,ou=NIFI,dc=example,dc=com
>>>> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
>>>> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
>>>> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
>>>> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC, OU=NIFI) GET https://localhost:9443/nifi-api/flow/current-user (source ip: 127.0.0.1)
>>>> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, OU=NIFI
>>>> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[] does not have permission to access the requested resource. Unknown user with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
>>>> ------------------------------
>>>> 
>>>> Generated users.xml
>>>> --------------------------------
>>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>>> <tenants>
>>>>    <groups/>
>>>>    <users>
>>>>        <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
>>>> identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>>>>    </users>
>>>> </tenants>
>>>> --------------------------------
>>>> 
>>>> Generated authorizations.xml
>>>> --------------------------
>>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>>> <authorizations>
>>>>    <policies>
>>>>        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>>>> resource="/flow" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
>>>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>> action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
>>>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>> action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
>>>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>> action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
>>>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>> action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>>>> resource="/restricted-components" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>>>> resource="/tenants" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>>>> resource="/tenants" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>>>> resource="/policies" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>>>> resource="/policies" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>>>> resource="/controller" action="R">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>>>> resource="/controller" action="W">
>>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>>        </policy>
>>>>    </policies>
>>>> </authorizations>
>>>> ------------------------------------
>>>> 
>>>> nifi.properties
>>>> ----------------------------
>>>> # web properties #
>>>> nifi.web.war.directory=./lib
>>>> nifi.web.http.host=
>>>> nifi.web.http.port=
>>>> nifi.web.http.network.interface.default=
>>>> nifi.web.https.host=localhost
>>>> nifi.web.https.port=9443
>>>> nifi.web.https.network.interface.default=
>>>> nifi.web.jetty.working.directory=./work/jetty
>>>> nifi.web.jetty.threads=200
>>>> nifi.web.max.header.size=16 KB
>>>> nifi.web.proxy.context.path=
>>>> 
>>>> # security properties #
>>>> nifi.sensitive.props.key=
>>>> nifi.sensitive.props.key.protected=
>>>> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
>>>> nifi.sensitive.props.provider=BC
>>>> nifi.sensitive.props.additional.keys=
>>>> 
>>>> nifi.security.keystore=./conf/keystore.jks
>>>> nifi.security.keystoreType=jks
>>>> 
>>>> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>>> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>>> nifi.security.truststore=./conf/truststore.jks
>>>> nifi.security.truststoreType=jks
>>>> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3ZHZyqI4
>>>> nifi.security.needClientAuth=
>>>> nifi.security.user.authorizer=managed-authorizer
>>>> nifi.security.user.login.identity.provider=
>>>> nifi.security.ocsp.responder.url=
>>>> nifi.security.ocsp.responder.certificate=
>>>> ----------------------
>>>> 
>>>> 
>>>> 
>>>> Please help.
>>>> 
>>>> Regards
>>>> Anil
>>>> 
>>> --
>>> Sent from Gmail Mobile
>>> 
>> 
> --
> Sent from Gmail Mobile
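As an added example (my own script, not code from the thread or from NiFi), the identity check Andy describes: it reads the "Initial ..." identities from a constructed excerpt of Anil's authorizers.xml, compares each with the client certificate subject exactly as nifi-user.log prints it (NiFi looks that string up verbatim, which the thread's fix relies on), and explains a mismatch in terms of RDNs, for instance the extra dc= components.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt mirroring the thread's authorizers.xml (not the full file).
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Initial Admin Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
  </accessPolicyProvider>
</authorizers>"""

# Subject DN exactly as nifi-user.log prints it for the toolkit-generated client cert.
CERT_DN = "CN=TC, OU=NIFI"

def parse_dn(dn):
    """Split a DN string into (TYPE, value) RDNs; backslash-escaped commas stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def diagnose(configured, cert_dn):
    """NiFi looks the identity string up verbatim, so compare exactly first,
    then explain a mismatch in terms of RDNs."""
    if configured == cert_dn:
        return "ok"
    cfg, cert = parse_dn(configured), parse_dn(cert_dn)
    if len(cfg) > len(cert) and cfg[: len(cert)] == cert:
        extra = ",".join(f"{a}={v}" for a, v in cfg[len(cert):])
        return f"extra RDNs not present in certificate: {extra}"
    if cfg == cert:
        return "same RDNs but different spelling; use the exact string from nifi-user.log"
    return "different subject"

def check_initial_identities(xml_text, cert_dn):
    """Map each 'Initial ...' identity property in authorizers.xml to its diagnosis."""
    root = ET.fromstring(xml_text)
    return {
        p.get("name"): diagnose((p.text or "").strip(), cert_dn)
        for p in root.iter("property")
        if p.get("name", "").startswith("Initial")
    }
```

Run `check_initial_identities(AUTHORIZERS_XML, CERT_DN)` against the real file and the DN from the "Authentication success for ..." log line before deleting users.xml and authorizations.xml, so the regenerated files carry a matching identity.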

