Thanks Andy. It did resolve my issue. I got it working. Thanks again for all the links. Very helpful.
Cheers Anil On Thu, Feb 1, 2018 at 10:14 AM, Andy LoPresto <alopre...@apache.org> wrote: > Hi Anil, > > In addition to Bryan’s explanation, there are a number of blog posts and > articles covering this topic: > > * Authorization and Multi-Tenancy by Bryan Bende [1] > * Secured Cluster Setup by Pierre Villard [2] > * TLS Generation Toolkit section of Apache NiFi Admin Guide [3] > * Initial Admin Identity section of Apache NiFi Admin Guide [4] > * Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5] > * Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan > Rosander [6] > > The sequence “dc=example,dc=com” in your current user DN (Distinguished > Name) is incorrect and not present in the DN of the certificate. I imagine > you copied this from an example posted online. “dc=“ is a sequence used in > DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is > the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com” > would be the parent DN. But when you generated the certificate, you did not > provide this information, so the DNs do not match, and NiFi correctly > asserts that this is not a valid certificate identifying the user DN you > specified in your XML files. Removing “dc=example,dc=com” from that > definition as Bryan suggested will resolve your issue. > > [1] https://bryanbende.com/development/2016/08/17/apache- > nifi-1-0-0-authorization-and-multi-tenancy > [2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0- > secured-cluster-setup/ > [3] https://nifi.apache.org/docs/nifi-docs/html/ > administration-guide.html#tls-generation-toolkit > [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html# > initial-admin-identity > [5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/ > 09/19/tls-toolkit-intro.html > [6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/ > 09/20/tls-toolkit-standalone-multi.html > [7] https://en.wikipedia.org/wiki/Lightweight_Directory_ > Access_Protocol#Directory_structure > > Andy LoPresto > alopre...@apache.org > *alopresto.apa...@gmail.com <alopresto.apa...@gmail.com>* > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > > On Jan 31, 2018, at 7:32 PM, Bryan Bende <bbe...@gmail.com> wrote: > > It’s the same problem, your initial admin should be: > > CN=TC, OU=NIFI > > Not > > CN=TC,OU=NIFI,dc=example,dc=com > > The first one is the DN of your client cert, the second one is not. > > On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <anilrain...@gmail.com> wrote: > > Hi Bryan, > > Thanks for the quick reply. I did followed your steps. But I am seeing the > same error. > Now the entry looks like > <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example, > dc=com</property> > > Also what does dc stand for after CN and OU. Is that a problem. > Is there a blog that talks about installing and making it https using > toolkit?. I did not find any good post that talks end to end from > installing to making it secure using tls toolkit. > > Any help is appreciated. > > Thanks > Anil > > > > On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <bbe...@gmail.com> wrote: > > Hello, > > The identity in authorizers.xml for your initial admin does not match the > identity of your client cert. > > You should be putting “CN=TC, OU=NIFI” as the initial admin because that > > is > > the DN of your client cert. > > You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and > authorizations.xml, and start back up. > > Thanks, > > Bryan > > On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <anilrain...@gmail.com> wrote: > > All, > > I am trying to install nifi 1.5 and making it https. Below is the steps > followed and the error i am getting. Below is the config and log files > content. Please help > > 1. Installed nifi 1.5 > 2. Installed nifi toolkit 1.5 > 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C > 'CN=TC,OU=NIFI' -O -o ../security_output > 4. Copied generated keystore, truststore and nifi properties to > > nifi/config > > folder > 5. Imported the generated certificate to chrome browser > 6. Modified authorizers.xml as attached. > 7. With required restarts. Now when i enter the below url in the > > browser, I > > see the below error. > > https://localhost:9443/nifi/ > > Insufficient Permissions > > - home > > Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system > administrator. > > > authorizers.xml > -------------------- > <userGroupProvider> > <identifier>file-user-group-provider</identifier> > <class>org.apache.nifi.authorization. > > FileUserGroupProvider</class> > > <property name="Users File">./conf/users.xml</property> > <property name="Legacy Authorized Users File"></property> > > <property name="Initial User Identity > 1">cn=TC,ou=NIFI,dc=example,dc=com</property> > </userGroupProvider> > > <accessPolicyProvider> > <identifier>file-access-policy-provider</identifier> > > <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> > <property name="User Group > Provider">file-user-group-provider</property> > <property name="Authorizations > File">./conf/authorizations.xml</property> > <property name="Initial Admin > Identity">cn=TC,ou=NIFI,dc=example,dc=com</property> > <property name="Legacy Authorized Users File"></property> > > <property name="Node Identity 1"></property> > </accessPolicyProvider> > ------------------------ > > nifi-user.log > ----------------------- > 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider > > Creating > > new users file at > /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml > 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider > Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018 > 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider > Creating new authorizations file at > /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/ > > authorizations.xml > > 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider > Populating authorizations for Initial Admin: > cn=TC,ou=NIFI,dc=example,dc=com > 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider > Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018 > 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28] > o.a.n.w.a.c.IllegalStateExceptionMapper > > java.lang.IllegalStateException: > > Kerberos ticket login not supported by this NiFi.. Returning Conflict > response. > 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67] > o.a.n.w.a.c.IllegalStateExceptionMapper > > java.lang.IllegalStateException: > > OpenId Connect is not configured.. Returning Conflict response. > 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27] > o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC, > > OU=NIFI) > > GET https://localhost:9443/nifi-api/flow/current-user (source ip: > 127.0.0.1) > 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27] > o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, > OU=NIFI > 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27] > o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], > > groups[] > > does not have permission to access the requested resource. Unknown user > with identity 'CN=TC, OU=NIFI'. Returning Forbidden response. > ------------------------------ > > Generated users.xml > -------------------------------- > <?xml version="1.0" encoding="UTF-8" standalone="yes"?> > <tenants> > <groups/> > <users> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4" > identity="cn=TC,ou=NIFI,dc=example,dc=com"/> > </users> > </tenants> > -------------------------------- > > Generated authorizations.xml > -------------------------- > <?xml version="1.0" encoding="UTF-8" standalone="yes"?> > <authorizations> > <policies> > <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" > resource="/flow" action="R"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847" > resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" > action="R"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66" > resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" > action="W"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc" > resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" > > action="R"> > > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23" > resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" > > action="W"> > > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" > resource="/restricted-components" action="W"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" > resource="/tenants" action="R"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" > resource="/tenants" action="W"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" > resource="/policies" action="R"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" > resource="/policies" action="W"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" > resource="/controller" action="R"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" > resource="/controller" action="W"> > <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/> > </policy> > </policies> > </authorizations> > ------------------------------------ > > nifi.properties > ---------------------------- > # web properties # > nifi.web.war.directory=./lib > nifi.web.http.host= > nifi.web.http.port= > nifi.web.http.network.interface.default= > nifi.web.https.host=localhost > nifi.web.https.port=9443 > nifi.web.https.network.interface.default= > nifi.web.jetty.working.directory=./work/jetty > nifi.web.jetty.threads=200 > nifi.web.max.header.size=16 KB > nifi.web.proxy.context.path= > > # security properties # > nifi.sensitive.props.key= > nifi.sensitive.props.key.protected= > nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL > nifi.sensitive.props.provider=BC > nifi.sensitive.props.additional.keys= > > nifi.security.keystore=./conf/keystore.jks > nifi.security.keystoreType=jks > > nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI > > nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI > nifi.security.truststore=./conf/truststore.jks > nifi.security.truststoreType=jks > nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3 > > ZHZyqI4 > > nifi.security.needClientAuth= > nifi.security.user.authorizer=managed-authorizer > nifi.security.user.login.identity.provider= > nifi.security.ocsp.responder.url= > nifi.security.ocsp.responder.certificate= > ---------------------- > > > > Please help. > > Regards > Anil > > -- > Sent from Gmail Mobile > > > -- > Sent from Gmail Mobile > > >