nifi-users mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: Issue with AWS ELB on secure nifi-registry
Date Mon, 19 Mar 2018 15:13:45 GMT
I'm not sure you are even making it as far as authorization because I
think you would see unauthorized messages in the logs if that were the
case.

If you request the UI from your browser using the ELB URL, what page
is displayed? If you do the same thing using the direct URL to the
registry, is it any different?

Also, what values do you have set for nifi.registry.web.https.host=
and nifi.registry.security.needClientAuth=  ?

On Mon, Mar 19, 2018 at 10:50 AM, Scott Howell <scotthowell@mobilgov.com> wrote:
> Thanks Kevin,
>
> I am just using the ELB to go from the public subnet to the private subnet. I will not have multiple instances running of registry.
>
> I will say on my authorizers.xml there is one difference between my nifi instance. On my nifi instance I am using file-provider for nifi.security.user.authorizer in my nifi.properties. I don’t think from reading the documents for nifi-registry that I can use that. If there is a way that might be my problem. I was running into some issues with my nifi instance when I was using managed-authorizers instead of file-provider.
>
>
>
>> On Mar 19, 2018, at 9:35 AM, Kevin Doran <kdoran@apache.org> wrote:
>>
>> Hey Scott,
>>
>> Assuming you are using two-way TLS with client certificates for authentication, I recommend configuring your ELB for TCP passthrough so that the TLS handshake is between the end-client and the NiFi Registry Server (in other words, no decryption/termination of the TLS connection happens in the ELB). If you are using some other form of authentication (e.g., LDAP), you will need to configure your ELB to trust the self-signed key NiFi Registry is using. I'm not sure how to do that as I've never run an ELB with that configuration before.
>>
>> Also, just a note about using an ELB with NiFi Registry:
>>
>> NiFi Registry currently only supports single-instance use, as persisted data and in-memory state is not synced between multiple instances. Are you hoping to use the ELB for actual load balancing, or is it just to take advantage of other ELB features, such as forwarding and security group rules? If the plan is to load balance multiple Registry instances, just be aware that you will probably run into some unexpected behavior. (As you mentioned using authorization, that is one case where I know the in-memory cache of the persisted data will not refresh across instances, so even if you were using some sort of shared network file system attached to multiple Registry instances, such as EFS, it would not work the way you hope.)
>>
>> Hope this helps,
>> Kevin
>>
>> On 3/19/18, 10:20, "Scott Howell" <scotthowell@mobilgov.com> wrote:
>>
>>    Thanks for the quick response.
>>
>>    A couple of things I am seeing.
>>
>>    1. There is no error, I don’t see anything in the logs once the service comes up. This is because the health check is not even hitting the instance when secure.
>>
>>    2. Nothing interesting in the nifi-registry-app.logs. That was my concern because on my nifi instance I can see the health check hitting the instance from the ELB. This does not happen on the nifi-registry instance. I see the service startup and it tells me what domain and port I can access the UI but nothing else after that.
>>
>>    3. When I am on an instance in the same private subnet I am able to curl to the instance and I get the TLS SSL, which tells me the keystore is on the server. I am using a JKS keystore that is self-signed by the company I work for.
>>
>>> On Mar 19, 2018, at 9:10 AM, Bryan Bende <bbende@gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> What error are you getting when you cannot access the UI?
>>>
>>> Is there anything interesting in nifi-registry-app.log regarding
>>> authentication/authorization when this happens?
>>>
>>> Can you access the UI securely without going through the ELB?
>>>
>>> Thanks,
>>>
>>> Bryan
>>>
>>>
>>> On Mon, Mar 19, 2018 at 10:05 AM, Scott Howell <scotthowell@mobilgov.com> wrote:
>>>> I was able to stand up nifi-registry behind an AWS ELB non-secure. Everything was working great and I was able to access the UI anonymously. I set up the authorization just like on my nifi instances along with the authorizers and identity-provider. The service comes up without errors and everything looks good but the health check does not pass and I cannot access the UI to login. I was wondering if anyone else has run into this issue using nifi-registry.
>>
>>
>>
>>
>
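Added example, not part of the thread and not code from the NiFi Registry project: a small checker that reads the `nifi-registry.properties` settings discussed above (`nifi.registry.web.https.host`, `nifi.registry.security.needClientAuth`, the identity provider and keystore keys) and infers which ELB listener and health-check type those settings require, following the reasoning in Kevin's reply. With `needClientAuth=true` the client certificate is the credential, so TLS must not terminate at the ELB and an HTTPS health check (which presents no client certificate) cannot pass; with another identity provider the ELB may terminate TLS only if it trusts the registry's certificate. The property names are the real ones shipped in `conf/nifi-registry.properties`; the values in the sample, and the `advise` classification labels, are constructed for this example.

```python
# Added example: infer the ELB listener / health-check mode that a given
# NiFi Registry TLS configuration requires. Not project code.
from dataclasses import dataclass, field

# Constructed sample excerpt of conf/nifi-registry.properties (values made up;
# the property names are the ones NiFi Registry ships).
SAMPLE_PROPERTIES = """
# web properties
nifi.registry.web.http.host=
nifi.registry.web.http.port=
nifi.registry.web.https.host=registry.internal.example
nifi.registry.web.https.port=18443

# security properties
nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=JKS
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=JKS
nifi.registry.security.needClientAuth=true
nifi.registry.security.identity.provider=
nifi.registry.security.authorizer=managed-authorizer
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value (or key:value), '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


@dataclass
class ElbAdvice:
    # Constructed labels: "tcp-passthrough", "tcp-passthrough-or-https-terminating", "http"
    listener: str
    health_check: str            # "TCP", "TCP or HTTPS", or "HTTP"
    findings: list = field(default_factory=list)


def advise(props: dict) -> ElbAdvice:
    """Classify the configuration and explain what the ELB side has to look like."""
    get = lambda k: props.get(k, "").strip()
    https_host = get("nifi.registry.web.https.host")
    https_port = get("nifi.registry.web.https.port")
    http_port = get("nifi.registry.web.http.port")
    keystore = get("nifi.registry.security.keystore")
    need_client_auth = get("nifi.registry.security.needClientAuth").lower() == "true"
    identity_provider = get("nifi.registry.security.identity.provider")
    findings = []

    if not https_port:
        # No TLS at all: the ELB listener and health check simply target the HTTP port.
        return ElbAdvice("http", "HTTP",
                         ["no https.port: registry is plaintext; point listener and health check at http.port"])

    if http_port:
        findings.append("both http.port and https.port are set; the registry serves one scheme, clear the http.* keys")
    if not keystore:
        findings.append("https.port is set but security.keystore is empty; the server has no certificate to present")
    if not https_host:
        findings.append("https.host is empty; set it to the address the registry should listen on")

    if need_client_auth:
        # Two-way TLS: the client cert is the credential. Terminating TLS at the ELB
        # would strip it, so the listener must be TCP (passthrough) on the HTTPS port.
        findings.append(f"needClientAuth=true: use a TCP listener on {https_port} (passthrough); "
                        "TLS terminated at the ELB would drop the client certificate")
        # An HTTPS health check from the ELB presents no client certificate, so the
        # handshake is rejected and the target never becomes healthy.
        findings.append("use a TCP health check; an HTTPS health check cannot complete the mutual-TLS handshake")
        return ElbAdvice("tcp-passthrough", "TCP", findings)

    if not identity_provider:
        findings.append("needClientAuth=false but identity.provider is empty: users have no credential to present")
    else:
        # Password-style auth (e.g. LDAP): the ELB may terminate TLS, but only if it
        # trusts the registry's (self-signed) certificate; passthrough also works.
        findings.append(f"needClientAuth=false with identity provider '{identity_provider}': "
                        "TCP passthrough, or HTTPS termination if the ELB trusts the registry certificate")
    return ElbAdvice("tcp-passthrough-or-https-terminating", "TCP or HTTPS", findings)


if __name__ == "__main__":
    advice = advise(parse_properties(SAMPLE_PROPERTIES))
    print(f"listener: {advice.listener}, health check: {advice.health_check}")
    for f in advice.findings:
        print(" -", f)
```

Run against a real `nifi-registry.properties` by replacing `SAMPLE_PROPERTIES` with the file's contents; the first finding the sample produces is the one that matches the symptom in the thread (a secure registry whose ELB health check never reaches it).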
