Secure Mode & Kerberos
Hi, I want to test the HDFS processors using Kerberos, but they trigger a warning saying Nifi is not running in secure mode, so it ignores kerberos. In order to get Nifi into secure mode I had to enable SPNEGO which it seems to want a kerberos header to allow me into the app now. Is there a way to allow processors to run securely with kerberos without having to auth myself into the app via kerberos? Which I'm not sure how to do. Darren PS. I do have a Apache Kerby KDC running locally if that can help me auth into Nifi.
Re: Secure Mode & Kerberos
You don't need to have NiFi secured with Kerberos in order to use HDFS processors talking to kerberized HDFS. You just need to specify the krb5.conf in nifi.properties, and you need to provide the HDFS processors with a core-site.xml that has security set to kerberos. On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni wrote: > > Hi, > I want to test the HDFS processors using Kerberos, but they trigger a > warning saying Nifi is not running in secure mode, so it ignores kerberos. > > In order to get Nifi into secure mode I had to enable SPNEGO which it seems > to want a kerberos header to allow me into the app now. > > Is there a way to allow processors to run securely with kerberos without > having to auth myself into the app via kerberos? Which I'm not sure how to do. > > Darren > > PS. I do have a Apache Kerby KDC running locally if that can help me auth > into Nifi.
Re: Secure Mode & Kerberos
Hi Bryan I did do that but still got the warning/error. But I will go back and verify this. Darren Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/ghei36> From: Bryan Bende Sent: Monday, December 14, 2020 9:37:33 AM To: users@nifi.apache.org Subject: Re: Secure Mode & Kerberos You don't need to have NiFi secured with Kerberos in order to use HDFS processors talking to kerberized HDFS. You just need to specify the krb5.conf in nifi.properties, and you need to provide the HDFS processors with a core-site.xml that has security set to kerberos. On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni wrote: > > Hi, > I want to test the HDFS processors using Kerberos, but they trigger a > warning saying Nifi is not running in secure mode, so it ignores kerberos. > > In order to get Nifi into secure mode I had to enable SPNEGO which it seems > to want a kerberos header to allow me into the app now. > > Is there a way to allow processors to run securely with kerberos without > having to auth myself into the app via kerberos? Which I'm not sure how to do. > > Darren > > PS. I do have a Apache Kerby KDC running locally if that can help me auth > into Nifi.
Re: Secure Mode & Kerberos
When I remove the SPNEGO properties and set the krb5 file # kerberos # nifi.kerberos.krb5.file=/etc/krb5.conf 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response. java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi. Also threw exception about OpenID Connect not configured. Nifi 1.11.4 From: Darren Govoni Sent: Monday, December 14, 2020 10:00 AM To: users@nifi.apache.org Subject: Re: Secure Mode & Kerberos Hi Bryan I did do that but still got the warning/error. But I will go back and verify this. Darren Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/ghei36> From: Bryan Bende Sent: Monday, December 14, 2020 9:37:33 AM To: users@nifi.apache.org Subject: Re: Secure Mode & Kerberos You don't need to have NiFi secured with Kerberos in order to use HDFS processors talking to kerberized HDFS. You just need to specify the krb5.conf in nifi.properties, and you need to provide the HDFS processors with a core-site.xml that has security set to kerberos. On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni wrote: > > Hi, > I want to test the HDFS processors using Kerberos, but they trigger a > warning saying Nifi is not running in secure mode, so it ignores kerberos. > > In order to get Nifi into secure mode I had to enable SPNEGO which it seems > to want a kerberos header to allow me into the app now. > > Is there a way to allow processors to run securely with kerberos without > having to auth myself into the app via kerberos? Which I'm not sure how to do. > > Darren > > PS. I do have a Apache Kerby KDC running locally if that can help me auth > into Nifi.
Re: Secure Mode & Kerberos
That is just a warning that prints every time you refresh the UI, the UI makes a call to see if SPNEGO is enabled, it shouldn't impact anything, same case for OIDC. On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni wrote: > > When I remove the SPNEGO properties and set the krb5 file > > # kerberos # > nifi.kerberos.krb5.file=/etc/krb5.conf > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > Kerberos ticket login not supported by this NiFi.. Returning Conflict > response. > java.lang.IllegalStateException: Kerberos ticket login not supported by this > NiFi. > > Also threw exception about OpenID Connect not configured. > > Nifi 1.11.4 > > > From: Darren Govoni > Sent: Monday, December 14, 2020 10:00 AM > To: users@nifi.apache.org > Subject: Re: Secure Mode & Kerberos > > Hi Bryan > > I did do that but still got the warning/error. But I will go back and verify > this. > > Darren > > Sent from my Verizon, Samsung Galaxy smartphone > Get Outlook for Android > > ____ > From: Bryan Bende > Sent: Monday, December 14, 2020 9:37:33 AM > To: users@nifi.apache.org > Subject: Re: Secure Mode & Kerberos > > You don't need to have NiFi secured with Kerberos in order to use HDFS > processors talking to kerberized HDFS. > > You just need to specify the krb5.conf in nifi.properties, and you > need to provide the HDFS processors with a core-site.xml that has > security set to kerberos. > > On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni wrote: > > > > Hi, > > I want to test the HDFS processors using Kerberos, but they trigger a > > warning saying Nifi is not running in secure mode, so it ignores kerberos. > > > > In order to get Nifi into secure mode I had to enable SPNEGO which it seems > > to want a kerberos header to allow me into the app now. > > > > Is there a way to allow processors to run securely with kerberos without > > having to auth myself into the app via kerberos? Which I'm not sure how to > > do. > > > > Darren > > > > PS. I do have a Apache Kerby KDC running locally if that can help me auth > > into Nifi.
Re: Secure Mode & Kerberos
Thanks Bryan. I'm seeing in AccessResource.java that it will throw this exception if spnego is not configured or keberosService is null, which it is in my nifi. Doing a quick search for setKeberosService callers doesnt turn anything up in the code. And this exception prevents me accessing the app. Do i need to configure anything in authorizers.xml or users.xml? I set the krb file in nifi.properties already. Darren Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/ghei36> From: Bryan Bende Sent: Monday, December 14, 2020 11:19:28 AM To: users@nifi.apache.org Subject: Re: Secure Mode & Kerberos That is just a warning that prints every time you refresh the UI, the UI makes a call to see if SPNEGO is enabled, it shouldn't impact anything, same case for OIDC. On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni wrote: > > When I remove the SPNEGO properties and set the krb5 file > > # kerberos # > nifi.kerberos.krb5.file=/etc/krb5.conf > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > Kerberos ticket login not supported by this NiFi.. Returning Conflict > response. > java.lang.IllegalStateException: Kerberos ticket login not supported by this > NiFi. > > Also threw exception about OpenID Connect not configured. > > Nifi 1.11.4 > > > From: Darren Govoni > Sent: Monday, December 14, 2020 10:00 AM > To: users@nifi.apache.org > Subject: Re: Secure Mode & Kerberos > > Hi Bryan > > I did do that but still got the warning/error. But I will go back and verify > this. > > Darren > > Sent from my Verizon, Samsung Galaxy smartphone > Get Outlook for Android > > ________ > From: Bryan Bende > Sent: Monday, December 14, 2020 9:37:33 AM > To: users@nifi.apache.org > Subject: Re: Secure Mode & Kerberos > > You don't need to have NiFi secured with Kerberos in order to use HDFS > processors talking to kerberized HDFS. > > You just need to specify the krb5.conf in nifi.properties, and you > need to provide the HDFS processors with a core-site.xml that has > security set to kerberos. > > On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni wrote: > > > > Hi, > > I want to test the HDFS processors using Kerberos, but they trigger a > > warning saying Nifi is not running in secure mode, so it ignores kerberos. > > > > In order to get Nifi into secure mode I had to enable SPNEGO which it seems > > to want a kerberos header to allow me into the app now. > > > > Is there a way to allow processors to run securely with kerberos without > > having to auth myself into the app via kerberos? Which I'm not sure how to > > do. > > > > Darren > > > > PS. I do have a Apache Kerby KDC running locally if that can help me auth > > into Nifi.
Re: Secure Mode & Kerberos
I'm confused, how are you trying to authenticate to nifi and what is the error your are getting in the nifi UI when you attempt to access it? You said you didn't want to authenticate via kerberos, so the warning should not matter. On Mon, Dec 14, 2020 at 11:26 AM Darren Govoni wrote: > > Thanks Bryan. > > I'm seeing in AccessResource.java that it will throw this exception if spnego > is not configured or keberosService is null, which it is in my nifi. > > Doing a quick search for setKeberosService callers doesnt turn anything up in > the code. And this exception prevents me accessing the app. > > Do i need to configure anything in authorizers.xml or users.xml? > > I set the krb file in nifi.properties already. > > Darren > > Sent from my Verizon, Samsung Galaxy smartphone > Get Outlook for Android > > > From: Bryan Bende > Sent: Monday, December 14, 2020 11:19:28 AM > To: users@nifi.apache.org > Subject: Re: Secure Mode & Kerberos > > That is just a warning that prints every time you refresh the UI, the > UI makes a call to see if SPNEGO is enabled, it shouldn't impact > anything, same case for OIDC. > > On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni wrote: > > > > When I remove the SPNEGO properties and set the krb5 file > > > > # kerberos # > > nifi.kerberos.krb5.file=/etc/krb5.conf > > > > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > > Kerberos ticket login not supported by this NiFi.. Returning Conflict > > response. > > java.lang.IllegalStateException: Kerberos ticket login not supported by > > this NiFi. > > > > Also threw exception about OpenID Connect not configured. > > > > Nifi 1.11.4 > > > > > > From: Darren Govoni > > Sent: Monday, December 14, 2020 10:00 AM > > To: users@nifi.apache.org > > Subject: Re: Secure Mode & Kerberos > > > > Hi Bryan > > > > I did do that but still got the warning/error. But I will go back and > > verify this. > > > > Darren > > > > Sent from my Verizon, Samsung Galaxy smartphone > > Get Outlook for Android > > > > > > From: Bryan Bende > > Sent: Monday, December 14, 2020 9:37:33 AM > > To: users@nifi.apache.org > > Subject: Re: Secure Mode & Kerberos > > > > You don't need to have NiFi secured with Kerberos in order to use HDFS > > processors talking to kerberized HDFS. > > > > You just need to specify the krb5.conf in nifi.properties, and you > > need to provide the HDFS processors with a core-site.xml that has > > security set to kerberos. > > > > On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni wrote: > > > > > > Hi, > > > I want to test the HDFS processors using Kerberos, but they trigger a > > > warning saying Nifi is not running in secure mode, so it ignores kerberos. > > > > > > In order to get Nifi into secure mode I had to enable SPNEGO which it > > > seems to want a kerberos header to allow me into the app now. > > > > > > Is there a way to allow processors to run securely with kerberos without > > > having to auth myself into the app via kerberos? Which I'm not sure how > > > to do. > > > > > > Darren > > > > > > PS. I do have a Apache Kerby KDC running locally if that can help me auth > > > into Nifi.
Re: Secure Mode & Kerberos
I see this error in the browser [cid:6d423021-564f-4505-9f55-11a4628ebb86] Along with the exception in the log: Kerberos ticket login not supported by this NiFi That is just with adding the /etc/krb5.conf to nifi.properties per your suggestion. I do have a browser cert it prompted me to select. I had started to add the cert CN to authorizers.xml (i.e. add it to initial admin field), but it requires populating authorizations.xml as well and I'm not sure how to do that. From: Bryan Bende Sent: Monday, December 14, 2020 1:04 PM To: users@nifi.apache.org Subject: Re: Secure Mode & Kerberos I'm confused, how are you trying to authenticate to nifi and what is the error your are getting in the nifi UI when you attempt to access it? You said you didn't want to authenticate via kerberos, so the warning should not matter. On Mon, Dec 14, 2020 at 11:26 AM Darren Govoni wrote: > > Thanks Bryan. > > I'm seeing in AccessResource.java that it will throw this exception if spnego > is not configured or keberosService is null, which it is in my nifi. > > Doing a quick search for setKeberosService callers doesnt turn anything up in > the code. And this exception prevents me accessing the app. > > Do i need to configure anything in authorizers.xml or users.xml? > > I set the krb file in nifi.properties already. > > Darren > > Sent from my Verizon, Samsung Galaxy smartphone > Get Outlook for Android > > > From: Bryan Bende > Sent: Monday, December 14, 2020 11:19:28 AM > To: users@nifi.apache.org > Subject: Re: Secure Mode & Kerberos > > That is just a warning that prints every time you refresh the UI, the > UI makes a call to see if SPNEGO is enabled, it shouldn't impact > anything, same case for OIDC. > > On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni wrote: > > > > When I remove the SPNEGO properties and set the krb5 file > > > > # kerberos # > > nifi.kerberos.krb5.file=/etc/krb5.conf > > > > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > > Kerberos ticket login not supported by this NiFi.. Returning Conflict > > response. > > java.lang.IllegalStateException: Kerberos ticket login not supported by > > this NiFi. > > > > Also threw exception about OpenID Connect not configured. > > > > Nifi 1.11.4 > > > > > > From: Darren Govoni > > Sent: Monday, December 14, 2020 10:00 AM > > To: users@nifi.apache.org > > Subject: Re: Secure Mode & Kerberos > > > > Hi Bryan > > > > I did do that but still got the warning/error. But I will go back and > > verify this. > > > > Darren > > > > Sent from my Verizon, Samsung Galaxy smartphone > > Get Outlook for Android > > > > > > From: Bryan Bende > > Sent: Monday, December 14, 2020 9:37:33 AM > > To: users@nifi.apache.org > > Subject: Re: Secure Mode & Kerberos > > > > You don't need to have NiFi secured with Kerberos in order to use HDFS > > processors talking to kerberized HDFS. > > > > You just need to specify the krb5.conf in nifi.properties, and you > > need to provide the HDFS processors with a core-site.xml that has > > security set to kerberos. > > > > On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni wrote: > > > > > > Hi, > > > I want to test the HDFS processors using Kerberos, but they trigger a > > > warning saying Nifi is not running in secure mode, so it ignores kerberos. > > > > > > In order to get Nifi into secure mode I had to enable SPNEGO which it > > > seems to want a kerberos header to allow me into the app now. > > > > > > Is there a way to allow processors to run securely with kerberos without > > > having to auth myself into the app via kerberos? Which I'm not sure how > > > to do. > > > > > > Darren > > > > > > PS. I do have a Apache Kerby KDC running locally if that can help me auth > > > into Nifi.
Re: Secure Mode & Kerberos
Ok so you are authenticating with a client cert, so this has nothing to do with kerberos. Put the DN from the client cert as the initial admin in authorizers.xml and it generates the policies in authorizations.xml for you. You likely need to delete users.xml and authorizations.xml in order for it to be a fresh setup and trigger the seeding of the initial admin. On Mon, Dec 14, 2020 at 1:51 PM Darren Govoni wrote: > I see this error in the browser > > Along with the exception in the log: Kerberos ticket login not supported > by this NiFi > > That is just with adding the /etc/krb5.conf to nifi.properties per your > suggestion. > > I do have a browser cert it prompted me to select. > > I had started to add the cert CN to authorizers.xml (i.e. add it to > initial admin field), but it requires populating authorizations.xml as well > and I'm not sure how to do that. > > -- > *From:* Bryan Bende > *Sent:* Monday, December 14, 2020 1:04 PM > *To:* users@nifi.apache.org > *Subject:* Re: Secure Mode & Kerberos > > I'm confused, how are you trying to authenticate to nifi and what is > the error your are getting in the nifi UI when you attempt to access > it? > > You said you didn't want to authenticate via kerberos, so the warning > should not matter. > > On Mon, Dec 14, 2020 at 11:26 AM Darren Govoni > wrote: > > > > Thanks Bryan. > > > > I'm seeing in AccessResource.java that it will throw this exception if > spnego is not configured or keberosService is null, which it is in my nifi. > > > > Doing a quick search for setKeberosService callers doesnt turn anything > up in the code. And this exception prevents me accessing the app. > > > > Do i need to configure anything in authorizers.xml or users.xml? > > > > I set the krb file in nifi.properties already. > > > > Darren > > > > Sent from my Verizon, Samsung Galaxy smartphone > > Get Outlook for Android > > > > > > From: Bryan Bende > > Sent: Monday, December 14, 2020 11:19:28 AM > > To: users@nifi.apache.org > > Subject: Re: Secure Mode & Kerberos > > > > That is just a warning that prints every time you refresh the UI, the > > UI makes a call to see if SPNEGO is enabled, it shouldn't impact > > anything, same case for OIDC. > > > > On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni > wrote: > > > > > > When I remove the SPNEGO properties and set the krb5 file > > > > > > # kerberos # > > > nifi.kerberos.krb5.file=/etc/krb5.conf > > > > > > > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > Kerberos ticket login not supported by this NiFi.. Returning Conflict > response. > > > java.lang.IllegalStateException: Kerberos ticket login not supported > by this NiFi. > > > > > > Also threw exception about OpenID Connect not configured. > > > > > > Nifi 1.11.4 > > > > > > > > > From: Darren Govoni > > > Sent: Monday, December 14, 2020 10:00 AM > > > To: users@nifi.apache.org > > > Subject: Re: Secure Mode & Kerberos > > > > > > Hi Bryan > > > > > > I did do that but still got the warning/error. But I will go back and > verify this. > > > > > > Darren > > > > > > Sent from my Verizon, Samsung Galaxy smartphone > > > Get Outlook for Android > > > > > > > > > From: Bryan Bende > > > Sent: Monday, December 14, 2020 9:37:33 AM > > > To: users@nifi.apache.org > > > Subject: Re: Secure Mode & Kerberos > > > > > > You don't need to have NiFi secured with Kerberos in order to use HDFS > > > processors talking to kerberized HDFS. > > > > > > You just need to specify the krb5.conf in nifi.properties, and you > > > need to provide the HDFS processors with a core-site.xml that has > > > security set to kerberos. > > > > > > On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni > wrote: > > > > > > > > Hi, > > > > I want to test the HDFS processors using Kerberos, but they > trigger a warning saying Nifi is not running in secure mode, so it ignores > kerberos. > > > > > > > > In order to get Nifi into secure mode I had to enable SPNEGO which > it seems to want a kerberos header to allow me into the app now. > > > > > > > > Is there a way to allow processors to run securely with kerberos > without having to auth myself into the app via kerberos? Which I'm not sure > how to do. > > > > > > > > Darren > > > > > > > > PS. I do have a Apache Kerby KDC running locally if that can help me > auth into Nifi. >
Re: Secure Mode & Kerberos
Gotcha. Thanks. The only reason I got down this road is because the HDFS processors were logging "Configuration does not have security enabled, keytab and principal will be ignored." Which is a bit vague and left me thinking i needed to run Nifi in secure mode. The processors were configured for kereberos. Still not sure what the message refers to though. Darren Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/ghei36> From: Bryan Bende Sent: Monday, December 14, 2020 1:56:01 PM To: users@nifi.apache.org Subject: Re: Secure Mode & Kerberos Ok so you are authenticating with a client cert, so this has nothing to do with kerberos. Put the DN from the client cert as the initial admin in authorizers.xml and it generates the policies in authorizations.xml for you. You likely need to delete users.xml and authorizations.xml in order for it to be a fresh setup and trigger the seeding of the initial admin. On Mon, Dec 14, 2020 at 1:51 PM Darren Govoni mailto:dar...@ontrenet.com>> wrote: I see this error in the browser [cid:1766299c1e4cb971f161] Along with the exception in the log: Kerberos ticket login not supported by this NiFi That is just with adding the /etc/krb5.conf to nifi.properties per your suggestion. I do have a browser cert it prompted me to select. I had started to add the cert CN to authorizers.xml (i.e. add it to initial admin field), but it requires populating authorizations.xml as well and I'm not sure how to do that. From: Bryan Bende mailto:bbe...@gmail.com>> Sent: Monday, December 14, 2020 1:04 PM To: users@nifi.apache.org<mailto:users@nifi.apache.org> mailto:users@nifi.apache.org>> Subject: Re: Secure Mode & Kerberos I'm confused, how are you trying to authenticate to nifi and what is the error your are getting in the nifi UI when you attempt to access it? You said you didn't want to authenticate via kerberos, so the warning should not matter. On Mon, Dec 14, 2020 at 11:26 AM Darren Govoni mailto:dar...@ontrenet.com>> wrote: > > Thanks Bryan. > > I'm seeing in AccessResource.java that it will throw this exception if spnego > is not configured or keberosService is null, which it is in my nifi. > > Doing a quick search for setKeberosService callers doesnt turn anything up in > the code. And this exception prevents me accessing the app. > > Do i need to configure anything in authorizers.xml or users.xml? > > I set the krb file in nifi.properties already. > > Darren > > Sent from my Verizon, Samsung Galaxy smartphone > Get Outlook for Android > > > From: Bryan Bende mailto:bbe...@gmail.com>> > Sent: Monday, December 14, 2020 11:19:28 AM > To: users@nifi.apache.org<mailto:users@nifi.apache.org> > mailto:users@nifi.apache.org>> > Subject: Re: Secure Mode & Kerberos > > That is just a warning that prints every time you refresh the UI, the > UI makes a call to see if SPNEGO is enabled, it shouldn't impact > anything, same case for OIDC. > > On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni > mailto:dar...@ontrenet.com>> wrote: > > > > When I remove the SPNEGO properties and set the krb5 file > > > > # kerberos # > > nifi.kerberos.krb5.file=/etc/krb5.conf > > > > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > > Kerberos ticket login not supported by this NiFi.. Returning Conflict > > response. > > java.lang.IllegalStateException: Kerberos ticket login not supported by > > this NiFi. > > > > Also threw exception about OpenID Connect not configured. > > > > Nifi 1.11.4 > > > > > > From: Darren Govoni mailto:dar...@ontrenet.com>> > > Sent: Monday, December 14, 2020 10:00 AM > > To: users@nifi.apache.org<mailto:users@nifi.apache.org> > > mailto:users@nifi.apache.org>> > > Subject: Re: Secure Mode & Kerberos > > > > Hi Bryan > > > > I did do that but still got the warning/error. But I will go back and > > verify this. > > > > Darren > > > > Sent from my Verizon, Samsung Galaxy smartphone > > Get Outlook for Android > > > > > > From: Bryan Bende mailto:bbe...@gmail.com>> > > Sent: Monday, December 14, 2020 9:37:33 AM > > To: users@nifi.apache.org<mailto:users@nifi.apache.org> > > mailto:users@nifi.apache.org>> > > Subject: Re: Secure Mode & Kerberos > > > > You don't need to have NiFi sec
Re: Secure Mode & Kerberos
It refers to what I said earlier about providing a core-site.xml to the processor that has: hadoop.security.authentication kerberos It means the core-site you provided doesn't have that, which indicates HDFS is not kerberized, but you filled in the kerberos properties on the processor, so it is telling you they won't be used for anything since core-site doesn't say that kerberos is enabled. On Mon, Dec 14, 2020 at 2:12 PM Darren Govoni wrote: > Gotcha. Thanks. > > The only reason I got down this road is because the HDFS processors were > logging > > "Configuration does not have security enabled, keytab and principal will > be ignored." > > Which is a bit vague and left me thinking i needed to run Nifi in secure > mode. The processors were configured for kereberos. Still not sure what the > message refers to though. > > Darren > > Sent from my Verizon, Samsung Galaxy smartphone > Get Outlook for Android <https://aka.ms/ghei36> > > -- > *From:* Bryan Bende > *Sent:* Monday, December 14, 2020 1:56:01 PM > *To:* users@nifi.apache.org > *Subject:* Re: Secure Mode & Kerberos > > Ok so you are authenticating with a client cert, so this has nothing to do > with kerberos. > > Put the DN from the client cert as the initial admin in authorizers.xml > and it generates the policies in authorizations.xml for you. > > You likely need to delete users.xml and authorizations.xml in order for it > to be a fresh setup and trigger the seeding of the initial admin. > > > > On Mon, Dec 14, 2020 at 1:51 PM Darren Govoni wrote: > > I see this error in the browser > > Along with the exception in the log: Kerberos ticket login not supported > by this NiFi > > That is just with adding the /etc/krb5.conf to nifi.properties per your > suggestion. > > I do have a browser cert it prompted me to select. > > I had started to add the cert CN to authorizers.xml (i.e. add it to > initial admin field), but it requires populating authorizations.xml as well > and I'm not sure how to do that. > > -- > *From:* Bryan Bende > *Sent:* Monday, December 14, 2020 1:04 PM > *To:* users@nifi.apache.org > *Subject:* Re: Secure Mode & Kerberos > > I'm confused, how are you trying to authenticate to nifi and what is > the error your are getting in the nifi UI when you attempt to access > it? > > You said you didn't want to authenticate via kerberos, so the warning > should not matter. > > On Mon, Dec 14, 2020 at 11:26 AM Darren Govoni > wrote: > > > > Thanks Bryan. > > > > I'm seeing in AccessResource.java that it will throw this exception if > spnego is not configured or keberosService is null, which it is in my nifi. > > > > Doing a quick search for setKeberosService callers doesnt turn anything > up in the code. And this exception prevents me accessing the app. > > > > Do i need to configure anything in authorizers.xml or users.xml? > > > > I set the krb file in nifi.properties already. > > > > Darren > > > > Sent from my Verizon, Samsung Galaxy smartphone > > Get Outlook for Android > > > > > > From: Bryan Bende > > Sent: Monday, December 14, 2020 11:19:28 AM > > To: users@nifi.apache.org > > Subject: Re: Secure Mode & Kerberos > > > > That is just a warning that prints every time you refresh the UI, the > > UI makes a call to see if SPNEGO is enabled, it shouldn't impact > > anything, same case for OIDC. > > > > On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni > wrote: > > > > > > When I remove the SPNEGO properties and set the krb5 file > > > > > > # kerberos # > > > nifi.kerberos.krb5.file=/etc/krb5.conf > > > > > > > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > Kerberos ticket login not supported by this NiFi.. Returning Conflict > response. > > > java.lang.IllegalStateException: Kerberos ticket login not supported > by this NiFi. > > > > > > Also threw exception about OpenID Connect not configured. > > > > > > Nifi 1.11.4 > > > > > > ________ > > > From: Darren Govoni > > > Sent: Monday, December 14, 2020 10:00 AM > > > To: users@nifi.apache.org > > > Subject: Re: Secure Mode & Kerberos > > > > > > Hi Bryan > > > > > > I did do that but still got the warning/error. But I will go back an
Re: Secure Mode & Kerberos
I see. Thank you. Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/ghei36> From: Bryan Bende Sent: Monday, December 14, 2020 2:26:54 PM To: users@nifi.apache.org Subject: Re: Secure Mode & Kerberos It refers to what I said earlier about providing a core-site.xml to the processor that has: hadoop.security.authentication kerberos It means the core-site you provided doesn't have that, which indicates HDFS is not kerberized, but you filled in the kerberos properties on the processor, so it is telling you they won't be used for anything since core-site doesn't say that kerberos is enabled. On Mon, Dec 14, 2020 at 2:12 PM Darren Govoni mailto:dar...@ontrenet.com>> wrote: Gotcha. Thanks. The only reason I got down this road is because the HDFS processors were logging "Configuration does not have security enabled, keytab and principal will be ignored." Which is a bit vague and left me thinking i needed to run Nifi in secure mode. The processors were configured for kereberos. Still not sure what the message refers to though. Darren Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/ghei36> From: Bryan Bende mailto:bbe...@gmail.com>> Sent: Monday, December 14, 2020 1:56:01 PM To: users@nifi.apache.org<mailto:users@nifi.apache.org> mailto:users@nifi.apache.org>> Subject: Re: Secure Mode & Kerberos Ok so you are authenticating with a client cert, so this has nothing to do with kerberos. Put the DN from the client cert as the initial admin in authorizers.xml and it generates the policies in authorizations.xml for you. You likely need to delete users.xml and authorizations.xml in order for it to be a fresh setup and trigger the seeding of the initial admin. On Mon, Dec 14, 2020 at 1:51 PM Darren Govoni mailto:dar...@ontrenet.com>> wrote: I see this error in the browser [cid:17662b30953cb971f161] Along with the exception in the log: Kerberos ticket login not supported by this NiFi That is just with adding the /etc/krb5.conf to nifi.properties per your suggestion. I do have a browser cert it prompted me to select. I had started to add the cert CN to authorizers.xml (i.e. add it to initial admin field), but it requires populating authorizations.xml as well and I'm not sure how to do that. From: Bryan Bende mailto:bbe...@gmail.com>> Sent: Monday, December 14, 2020 1:04 PM To: users@nifi.apache.org<mailto:users@nifi.apache.org> mailto:users@nifi.apache.org>> Subject: Re: Secure Mode & Kerberos I'm confused, how are you trying to authenticate to nifi and what is the error your are getting in the nifi UI when you attempt to access it? You said you didn't want to authenticate via kerberos, so the warning should not matter. On Mon, Dec 14, 2020 at 11:26 AM Darren Govoni mailto:dar...@ontrenet.com>> wrote: > > Thanks Bryan. > > I'm seeing in AccessResource.java that it will throw this exception if spnego > is not configured or keberosService is null, which it is in my nifi. > > Doing a quick search for setKeberosService callers doesnt turn anything up in > the code. And this exception prevents me accessing the app. > > Do i need to configure anything in authorizers.xml or users.xml? > > I set the krb file in nifi.properties already. > > Darren > > Sent from my Verizon, Samsung Galaxy smartphone > Get Outlook for Android > > > From: Bryan Bende mailto:bbe...@gmail.com>> > Sent: Monday, December 14, 2020 11:19:28 AM > To: users@nifi.apache.org<mailto:users@nifi.apache.org> > mailto:users@nifi.apache.org>> > Subject: Re: Secure Mode & Kerberos > > That is just a warning that prints every time you refresh the UI, the > UI makes a call to see if SPNEGO is enabled, it shouldn't impact > anything, same case for OIDC. > > On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni > mailto:dar...@ontrenet.com>> wrote: > > > > When I remove the SPNEGO properties and set the krb5 file > > > > # kerberos # > > nifi.kerberos.krb5.file=/etc/krb5.conf > > > > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > > Kerberos ticket login not supported by this NiFi.. Returning Conflict > > response. > > java.lang.IllegalStateException: Kerberos ticket login not supported by > > this NiFi. > > > > Also threw exception about OpenID Connect not configured. > > > > Nifi 1.11.4 > > > > > > From: Darren Govoni mailto:dar...