Correct.

# kinit admin@MY.REALM
Password for admin@MY.REALM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@MY.REALM

Valid starting       Expires              Service principal
03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/MY.REALM@MY.REALM

On Wed, Mar 31, 2021, 1:13 PM Bryan Bende <bbe...@gmail.com> wrote:

> So from a terminal on the nifi server, you can run "kinit
> admin@MY.REALM" and enter the password and it works, and this same
> principal and password entered into NiFi's login screen does not work?
>
> On Wed, Mar 31, 2021 at 2:19 PM Derek Richardson <djr...@gmail.com> wrote:
> >
> > I'm working on transitioning a nifi instance we deploy with Kerberos and
> > I'm having some trouble authenticating. Everything looks correct, but when
> > I try to log in with any of my created users, I get an error message:
> >
> > The supplied username and password are not valid.
> >
> > Everything on nifi without https was working, and everything I've created
> > on the Kerberos side looks and works as expected, I just haven't been able
> > to get a user to log in to the Nifi UI.
> >
> > Here are some of my config files, is there anything I'm missing or have
> > incorrect?
> >
> > ---------------------------
> >
> > Authorizers.xml:
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <authorizers>
> >     <userGroupProvider>
> >         <identifier>file-user-group-provider</identifier>
> >         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
> >         <property name="Users File">./conf/users.xml</property>
> >         <property name="Legacy Authorized Users File"></property>
> >
> >         <property name="Initial User Identity 1"></property>
> >     </userGroupProvider>
> >
> >     <accessPolicyProvider>
> >         <identifier>file-access-policy-provider</identifier>
> >         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >         <property name="User Group Provider">file-user-group-provider</property>
> >         <property name="Authorizations File">./conf/authorizations.xml</property>
> >         <property name="Initial Admin Identity">admin@MY.REALM</property>
> >         <property name="Legacy Authorized Users File"></property>
> >         <property name="Node Identity 1"></property>
> >         <property name="Node Group"></property>
> >     </accessPolicyProvider>
> >
> >     <authorizer>
> >         <identifier>managed-authorizer</identifier>
> >         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
> >         <property name="Access Policy Provider">file-access-policy-provider</property>
> >     </authorizer>
> >
> >     <authorizer>
> >         <identifier>file-provider</identifier>
> >         <class>org.apache.nifi.authorization.FileAuthorizer</class>
> >         <property name="Authorizations File">./conf/authorizations.xml</property>
> >         <property name="Users File">./conf/users.xml</property>
> >         <property name="Initial Admin Identity">admin@MY.REALM</property>
> >         <property name="Legacy Authorized Users File"></property>
> >
> >         <property name="Node Identity 1"></property>
> >     </authorizer>
> > </authorizers>
> >
> > -------------------------------------
> >
> > Relevant nifi.properties:
> > nifi.security.user.authorizer=file-provider
> > nifi.security.user.login.identity.provider=kerberos-provider
> > # kerberos #
> > nifi.kerberos.krb5.file= /etc/krb5.conf
> > nifi.kerberos.service.principal=admin@MY.REALM
> > nifi.kerberos.service.keytab.location=/etc/kadm5.keytab
> >
> > -------------------------------------
> >
> > Login-identity-provider.xml
> > <loginIdentityProviders>
> >     <provider>
> >         <identifier>kerberos-provider</identifier>
> >         <class>org.apache.nifi.kerberos.KerberosProvider</class>
> >         <property name="Default Realm">MY.REALM</property>
> >         <property name="Authentication Expiration">12 hours</property>
> >     </provider>
> > </loginIdentityProviders>
> >
> > ---------------------------------------
> >
> > /etc/krb5.conf:
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  ticket_lifetime = 24h
> >  renew_lifetime = 7d
> >  forwardable = true
> >  default_realm = MY.REALM
> >
> > [realms]
> >  RO.INTERNAL = {
> >   kdc = nifi-djr5.ro.internal:88
> >   admin_server = nifi-djr5.my.realm:749
> >   default_domain = my.realm
> >  }
> >
> > [domain_realm]
> >  .my.realm = MY.REALM
> >  my.realm = MY.REALM
> >
> > [kdc]
> >  profile = /var/kerberos/krb5kdc/kdc.conf
> >
> > -------------------------------------------
> >
> > Any help would be greatly appreciated!
>
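As an added example (not code from either poster), here is a small consistency check over constructed copies shaped like the krb5.conf and nifi.properties quoted above: it parses both files and reports every realm referenced by default_realm, by a domain_realm mapping, or by the NiFi service principal that has no matching entry in the [realms] section. The file contents, helper names and the check itself are assumptions for illustration.

```python
# Constructed sample files mirroring the shape of the posted krb5.conf and nifi.properties.
KRB5_CONF = """
[libdefaults]
 default_realm = MY.REALM
[realms]
 RO.INTERNAL = {
  kdc = nifi-djr5.ro.internal:88
 }
[domain_realm]
 .my.realm = MY.REALM
"""
NIFI_PROPS = """
nifi.security.user.login.identity.provider=kerberos-provider
nifi.kerberos.service.principal=admin@MY.REALM
"""

def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: value}}, with NAME = { } blocks nested as dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):                    # [section] header resets any open block
            section, block = line.strip("[]"), None
            conf.setdefault(section, {})
        elif line.endswith("{"):                    # start of a realm/block, e.g. "MY.REALM = {"
            block = line.split("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":                           # end of block
            block = None
        elif "=" in line:                           # key = value, into the block if one is open
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def parse_props(text):
    # Java-style key=value properties; whitespace around keys and values is stripped.
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def check_realms(krb5, props):
    """Return one finding per referenced realm that has no [realms] entry (empty list if consistent)."""
    realms = set(krb5.get("realms", {}))
    refs = {"libdefaults default_realm": krb5.get("libdefaults", {}).get("default_realm"),
            "nifi.kerberos.service.principal":
                props.get("nifi.kerberos.service.principal", "").rpartition("@")[2],
            **{f"domain_realm {d}": r for d, r in krb5.get("domain_realm", {}).items()}}
    return sorted(f"{where} -> {realm}: no [realms] entry (defined: {sorted(realms)})"
                  for where, realm in refs.items() if realm and realm not in realms)
```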
