Re: Unable to load the authorizer configuration file

2020-02-11 Thread Josh Friberg-Wyckoff
I restarted from scratch and tried again.  This time it is complaining
about the Login Identity Provider xml
https://gist.github.com/SquashBuckler/96d23ebd1652908c0b00db0a06198a13

On Tue, Feb 11, 2020 at 10:26 PM Pierre Villard 
wrote:

> There should be more lines below the ERROR log you gave in your initial
> email. The full stack trace here will definitely help. If too long and not
> sensitive, you can put in a public gist [1] and give us the link.
>
> [1] https://gist.github.com/
>
> Le mar. 11 févr. 2020 à 19:30, Josh Friberg-Wyckoff 
> a écrit :
>
>> So is that the entire file or just part of it.  Over 2300 lines in it.
>>
>> On Tue, Feb 11, 2020 at 8:42 PM Pierre Villard <
>> pierre.villard...@gmail.com> wrote:
>>
>>> Hi Josh,
>>>
>>> The full stack trace from nifi-app.log would probably provide more
>>> information. This is likely a configuration issue.
>>>
>>> Thanks,
>>> Pierre
>>>
>>> Le mar. 11 févr. 2020 à 15:44, Josh Friberg-Wyckoff <
>>> j...@thefribergs.com> a écrit :
>>>
>>>> I followed a tutorial from the Mint Ops Blog
>>>> on how
>>>> to setup NiFi with LDAP.
>>>>
>>>> I am getting the following error when trying to start Nifi.  Would be
>>>> helpful if anyone could point me in the right direction.
>>>>
>>>> 2020-02-11 16:04:59,398 ERROR [NiFi logging handler]
>>>> org.apache.nifi.StdErr Failed to start web server: Error creating bean with
>>>> name
>>>> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>>>> Unsatisfied dependency expressed through method
>>>> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
>>>> org.springframework.beans.factory.BeanExpressionException: Expression
>>>> parsing failed; nested exception is
>>>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>>>> creating bean with name
>>>> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
>>>> dependency expressed through method 'setJwtAuthenticationProvider'
>>>> parameter 0; nested exception is
>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>> bean with name 'jwtAuthenticationProvider' defined in class path resource
>>>> [nifi-web-security-context.xml]: Cannot resolve reference to bean
>>>> 'authorizer' while setting constructor argument; nested exception is
>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>> bean with name 'authorizer': FactoryBean threw exception on object
>>>> creation; nested exception is java.lang.Exception: Unable to load the
>>>> authorizer configuration file at: /apps/nifi/./conf/authorizers.xml





Re: Unable to load the authorizer configuration file

2020-02-11 Thread Pierre Villard
There should be more lines below the ERROR log you gave in your initial
email. The full stack trace here will definitely help. If too long and not
sensitive, you can put in a public gist [1] and give us the link.

[1] https://gist.github.com/

Le mar. 11 févr. 2020 à 19:30, Josh Friberg-Wyckoff 
a écrit :

> So is that the entire file or just part of it.  Over 2300 lines in it.
>
> On Tue, Feb 11, 2020 at 8:42 PM Pierre Villard <
> pierre.villard...@gmail.com> wrote:
>
>> Hi Josh,
>>
>> The full stack trace from nifi-app.log would probably provide more
>> information. This is likely a configuration issue.
>>
>> Thanks,
>> Pierre
>>
>> Le mar. 11 févr. 2020 à 15:44, Josh Friberg-Wyckoff 
>> a écrit :
>>
>>> I followed a tutorial from the Mint Ops Blog
>>>  on how
>>> to setup NiFi with LDAP.
>>>
>>> I am getting the following error when trying to start Nifi.  Would be
>>> helpful if anyone could point me in the right direction.
>>>
>>> 2020-02-11 16:04:59,398 ERROR [NiFi logging handler]
>>> org.apache.nifi.StdErr Failed to start web server: Error creating bean with
>>> name
>>> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>>> Unsatisfied dependency expressed through method
>>> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
>>> org.springframework.beans.factory.BeanExpressionException: Expression
>>> parsing failed; nested exception is
>>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>>> creating bean with name
>>> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
>>> dependency expressed through method 'setJwtAuthenticationProvider'
>>> parameter 0; nested exception is
>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>> bean with name 'jwtAuthenticationProvider' defined in class path resource
>>> [nifi-web-security-context.xml]: Cannot resolve reference to bean
>>> 'authorizer' while setting constructor argument; nested exception is
>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>> bean with name 'authorizer': FactoryBean threw exception on object
>>> creation; nested exception is java.lang.Exception: Unable to load the
>>> authorizer configuration file at: /apps/nifi/./conf/authorizers.xml
>>>
>>>
>>>


Re: Unable to load the authorizer configuration file

2020-02-11 Thread Josh Friberg-Wyckoff
So is that the entire file or just part of it.  Over 2300 lines in it.

On Tue, Feb 11, 2020 at 8:42 PM Pierre Villard 
wrote:

> Hi Josh,
>
> The full stack trace from nifi-app.log would probably provide more
> information. This is likely a configuration issue.
>
> Thanks,
> Pierre
>
> Le mar. 11 févr. 2020 à 15:44, Josh Friberg-Wyckoff 
> a écrit :
>
>> I followed a tutorial from the Mint Ops Blog
>>  on how
>> to setup NiFi with LDAP.
>>
>> I am getting the following error when trying to start Nifi.  Would be
>> helpful if anyone could point me in the right direction.
>>
>> 2020-02-11 16:04:59,398 ERROR [NiFi logging handler]
>> org.apache.nifi.StdErr Failed to start web server: Error creating bean with
>> name
>> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
>> Unsatisfied dependency expressed through method
>> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
>> org.springframework.beans.factory.BeanExpressionException: Expression
>> parsing failed; nested exception is
>> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
>> creating bean with name
>> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
>> dependency expressed through method 'setJwtAuthenticationProvider'
>> parameter 0; nested exception is
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name 'jwtAuthenticationProvider' defined in class path resource
>> [nifi-web-security-context.xml]: Cannot resolve reference to bean
>> 'authorizer' while setting constructor argument; nested exception is
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name 'authorizer': FactoryBean threw exception on object
>> creation; nested exception is java.lang.Exception: Unable to load the
>> authorizer configuration file at: /apps/nifi/./conf/authorizers.xml
>>
>>
>>


Re: Unable to load the authorizer configuration file

2020-02-11 Thread Pierre Villard
Hi Josh,

The full stack trace from nifi-app.log would probably provide more
information. This is likely a configuration issue.

Thanks,
Pierre

Le mar. 11 févr. 2020 à 15:44, Josh Friberg-Wyckoff 
a écrit :

> I followed a tutorial from the Mint Ops Blog
>  on how to
> setup NiFi with LDAP.
>
> I am getting the following error when trying to start Nifi.  Would be
> helpful if anyone could point me in the right direction.
>
> 2020-02-11 16:04:59,398 ERROR [NiFi logging handler]
> org.apache.nifi.StdErr Failed to start web server: Error creating bean with
> name
> 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
> Unsatisfied dependency expressed through method
> 'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
> org.springframework.beans.factory.BeanExpressionException: Expression
> parsing failed; nested exception is
> org.springframework.beans.factory.UnsatisfiedDependencyException: Error
> creating bean with name
> 'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
> dependency expressed through method 'setJwtAuthenticationProvider'
> parameter 0; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'jwtAuthenticationProvider' defined in class path resource
> [nifi-web-security-context.xml]: Cannot resolve reference to bean
> 'authorizer' while setting constructor argument; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'authorizer': FactoryBean threw exception on object
> creation; nested exception is java.lang.Exception: Unable to load the
> authorizer configuration file at: /apps/nifi/./conf/authorizers.xml
>
>
>


Unable to load the authorizer configuration file

2020-02-11 Thread Josh Friberg-Wyckoff
I followed a tutorial from the Mint Ops Blog
 on how to
setup NiFi with LDAP.

I am getting the following error when trying to start Nifi.  Would be
helpful if anyone could point me in the right direction.

2020-02-11 16:04:59,398 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Failed to start web server: Error creating bean with name
'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Unsatisfied dependency expressed through method
'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
org.springframework.beans.factory.BeanExpressionException: Expression
parsing failed; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
dependency expressed through method 'setJwtAuthenticationProvider'
parameter 0; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'jwtAuthenticationProvider' defined in class path resource
[nifi-web-security-context.xml]: Cannot resolve reference to bean
'authorizer' while setting constructor argument; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'authorizer': FactoryBean threw exception on object
creation; nested exception is java.lang.Exception: Unable to load the
authorizer configuration file at: /apps/nifi/./conf/authorizers.xml


Re: Can jetty reload keystore credentials dynamically?

2020-02-11 Thread Pat White
Sounds good, filed NIFI-7134
 and linked to NIFI-5458,
thanks much for the help Andy.

patw

On Tue, Feb 11, 2020 at 3:02 PM Andy LoPresto  wrote:

> This is available in Jetty versions 9.3+ [1], but in NiFi this is not
> currently supported. I have filed a number of enhancement Jiras [2] to
> improve the TLS handling throughout the application, and now that encrypted
> repositories are available, hope to address some of these in the near
> future. Please file a Jira for this specifically and include it in the
> linked epic.
>
> [1] https://github.com/eclipse/jetty.project/issues/918
> [2] https://issues.apache.org/jira/browse/NIFI-5458
>
> Andy LoPresto
> alopre...@apache.org
> alopresto.apa...@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Feb 11, 2020, at 12:23 PM, Pat White  wrote:
>
> Hi Folks,
>
> Can Nifi's jetty automatically detect and reload its keystore when the
> keystore is changed, such as during credentials update or rotation?
>
> Thank you
> patw
>
>
>


Re: Can jetty reload keystore credentials dynamically?

2020-02-11 Thread Andy LoPresto
This is available in Jetty versions 9.3+ [1], but in NiFi this is not currently 
supported. I have filed a number of enhancement Jiras [2] to improve the TLS 
handling throughout the application, and now that encrypted repositories are 
available, hope to address some of these in the near future. Please file a Jira 
for this specifically and include it in the linked epic. 

[1] https://github.com/eclipse/jetty.project/issues/918 

[2] https://issues.apache.org/jira/browse/NIFI-5458 


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Feb 11, 2020, at 12:23 PM, Pat White  wrote:
> 
> Hi Folks,
> 
> Can Nifi's jetty automatically detect and reload its keystore when the 
> keystore is changed, such as during credentials update or rotation?
> 
> Thank you
> patw



Can jetty reload keystore credentials dynamically?

2020-02-11 Thread Pat White
Hi Folks,

Can Nifi's jetty automatically detect and reload its keystore when the
keystore is changed, such as during credentials update or rotation?

Thank you
patw


Re: S2S to Specific Nodes in a Cluster

2020-02-11 Thread Noe Detore
Data is on the same cluster running ver 1.9. As specific nodes can not be
specified in load balance, is using TCP to move data to those specific
nodes the best alternative?

My use case is unique, but only a couple nodes of the 5 have an additional
nic card where data needs to be sent.

thank you

On Tue, Feb 11, 2020 at 10:23 AM Joe Witt  wrote:

> Either way the answer is to use load balanced connections to single node
> once data is on the desired cluster.  You still cannot send to a ‘specific
> node’ but you can to a single node.
>
> Consider the case where data was split up for various reasons but needs to
> be all back together.  Load balancing can handle that case beautifully.
> Just note in 1.11.1 load balancing has a bug which impacts single node and
> partition based load balancing.  It will be fixed in a 1.11.2 release asap.
>
> thanks
>
> On Tue, Feb 11, 2020 at 7:17 AM Bryan Bende  wrote:
>
>> Is it actually two separate clusters, or is it S2S from a cluster back
>> to itself?
>>
>> If it's two separate clusters then I don't think there is way to
>> restrict it to certain nodes.
>>
>> If it is S2S back to self, then a load balanced connection would be
>> better and you can select "single node" as the option.
>>
>> On Tue, Feb 11, 2020 at 10:15 AM Noe Detore 
>> wrote:
>> >
>> > Hello,
>> >
>> > I have a 5 node cluster with all nodes receiving data. Using S2S is it
>> possible to send that data to a specific node or nodes in the cluster?
>> Otherwise, I am looking at using TCP, but are there better alternatives?
>> >
>> > Thank you
>> > Noe
>>
>


Re: S2S to Specific Nodes in a Cluster

2020-02-11 Thread Joe Witt
Either way the answer is to use load balanced connections to single node
once data is on the desired cluster.  You still cannot send to a ‘specific
node’ but you can to a single node.

Consider the case where data was split up for various reasons but needs to
be all back together.  Load balancing can handle that case beautifully.
Just note in 1.11.1 load balancing has a bug which impacts single node and
partition based load balancing.  It will be fixed in a 1.11.2 release asap.

thanks

On Tue, Feb 11, 2020 at 7:17 AM Bryan Bende  wrote:

> Is it actually two separate clusters, or is it S2S from a cluster back
> to itself?
>
> If it's two separate clusters then I don't think there is way to
> restrict it to certain nodes.
>
> If it is S2S back to self, then a load balanced connection would be
> better and you can select "single node" as the option.
>
> On Tue, Feb 11, 2020 at 10:15 AM Noe Detore 
> wrote:
> >
> > Hello,
> >
> > I have a 5 node cluster with all nodes receiving data. Using S2S is it
> possible to send that data to a specific node or nodes in the cluster?
> Otherwise, I am looking at using TCP, but are there better alternatives?
> >
> > Thank you
> > Noe
>


Re: S2S to Specific Nodes in a Cluster

2020-02-11 Thread Bryan Bende
Is it actually two separate clusters, or is it S2S from a cluster back
to itself?

If it's two separate clusters then I don't think there is way to
restrict it to certain nodes.

If it is S2S back to self, then a load balanced connection would be
better and you can select "single node" as the option.

On Tue, Feb 11, 2020 at 10:15 AM Noe Detore  wrote:
>
> Hello,
>
> I have a 5 node cluster with all nodes receiving data. Using S2S is it 
> possible to send that data to a specific node or nodes in the cluster? 
> Otherwise, I am looking at using TCP, but are there better alternatives?
>
> Thank you
> Noe


S2S to Specific Nodes in a Cluster

2020-02-11 Thread Noe Detore
Hello,

I have a 5 node cluster with all nodes receiving data. Using S2S is it
possible to send that data to a specific node or nodes in the cluster?
Otherwise, I am looking at using TCP, but are there better alternatives?

Thank you
Noe


RE: REST API for secured NiFi with OpenID connect for authentication

2020-02-11 Thread Kumara M S, Hemantha (Nokia - IN/Bangalore)
Thanks Bryan.

I tried to get an access token from keycloak and used the same token while
accessing the nifi-api URL. I got a different error when I tried the callback:
“The login request identifier was not found in the request. Unable to continue”

Command to get access token from keycloak

TOKEN=curl -f 
https://:8443/auth/realms/ccsp-apcore/protocol/openid-connect/token
 --insecure  -H Content-Type: application/x-www-form-urlencoded  -d 
username=  -d password=  -d grant_type=password  -d 
client_id=nifi  -d client_secret=

Initiated request

# curl -k -i -X GET -H "Authorization: Bearer $TOKEN" 
https://192.168.112.49:9443/nifi-api/access/oidc/request

HTTP/1.1 302 Found
Date: Tue, 11 Feb 2020 15:04:02 GMT
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=3154
Set-Cookie: oidc-request-identifier=af8a2da4-c6ea-4c6e-9003-1ad96f861162;Path=/;Expires=Tue, 11-Feb-2020 15:05:02 GMT;Max-Age=60;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https:///auth/realms/ccsp-apcore/protocol/openid-connect/auth?client_id=nifi_type=code=openid+email=bfaffl09j0m5l3vb373q1vqhmp_uri=https%3A%2F%2F192.168.112.49%3A9443%2Fnifi-api%2Faccess%2Foidc%2Fcallback
Content-Length: 0
Server: Jetty(9.4.11.v20180605)

Here is the command I tried for callback

# curl -k -i -X GET -H "Authorization: Bearer $TOKEN" 
https://192.168.112.49:9443/nifi-api/access/oidc/callback

HTTP/1.1 200 OK
Date: Tue, 11 Feb 2020 15:09:33 GMT
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=3154
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding, User-Agent
Content-Length: 1974
Server: Jetty(9.4.11.v20180605)

Unable to continue login sequence

$(document).ready(function () {
    $('#user-home').on('mouseenter', function () {
        $(this).addClass('link-over');
    }).on('mouseleave', function () {
        $(this).removeClass('link-over');
    }).on('click', function () {
        window.location = '/nifi';
    });
});

Unable to continue login sequence
home
The login request identifier was not found in the request. Unable to continue.

Regards,

Hemantha



-Original Message-
From: Bryan Bende 
Sent: Tuesday, February 11, 2020 7:39 PM
To: users@nifi.apache.org
Subject: Re: REST API for secured NiFi with OpenID connect for authentication

Hello,

The end-point access/token is for any login identity providers defined in
login-identity-providers.xml.

OIDC works differently because it requires a redirect to an external identity
provider so the end-points are different:

access/oidc/request
access/oidc/exchange
access/oidc/callback

I'm not sure how to utilize these from curl since it requires being sent to the
external identity provider's login page in your browser, and then once they
have authenticated you, they redirect back to NiFi.

Thanks,

Bryan

On Tue, Feb 11, 2020 at 8:55 AM Kumara M S, Hemantha (Nokia - IN/Bangalore)
<hemantha.kumara_...@nokia.com> wrote:
>
> Hi All,
>
> We have nifi 1.9.2 & configured with oidc for authentication and trying to
> access the REST API via curl but not able to find documentation for the same.
>
> I tried with below commands, but it is failing with an error
> “Username/Password login not supported by this NiFi.”
>
> curl 'https://192.168.112.49:9443/nifi-api/access/token' -H
> 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type:
> application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*'
> --data 'username=nifi=Nifi123!' --compressed -k
>
> Can someone pls help ? pointing to doc or any other pointers?
>
> I have gone through an old issue
> http://apache-nifi.1125220.n5.nabble.com/Nifi-REST-API-access-to-OpenID-connect-secured-instance-td20644.html
> but no proper answer.
>
> Thanks & Regards,
>
> Hemantha
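
An added example (not part of the original thread, and not NiFi code) that checks the two curl transcripts in the message above against what a browser-driven authorization-code callback carries. It assumes, from the Set-Cookie header and the error text, that the callback looks for the `oidc-request-identifier` cookie; `issued_identifier` and `callback_problems` are hypothetical helper names.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlsplit

COOKIE = "oidc-request-identifier"

# Headers copied from the 302 response in the message (wrapped lines joined).
REQUEST_RESPONSE = """\
HTTP/1.1 302 Found
Date: Tue, 11 Feb 2020 15:04:02 GMT
Set-Cookie: oidc-request-identifier=af8a2da4-c6ea-4c6e-9003-1ad96f861162;Path=/;Expires=Tue, 11-Feb-2020 15:05:02 GMT;Max-Age=60;Secure;HttpOnly
"""

# The callback attempt from the message: bearer header only, no cookie, no query.
CALLBACK_URL = "https://192.168.112.49:9443/nifi-api/access/oidc/callback"
CALLBACK_HEADERS = {"Authorization": "Bearer <token>"}
CALLBACK_DATE = "Tue, 11 Feb 2020 15:09:33 GMT"  # Date header of its response


def parse_headers(raw):
    """Return {lowercased-name: value} for an HTTP header block."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def issued_identifier(raw_response):
    """Extract the login-request cookie, its flags and its absolute expiry."""
    headers = parse_headers(raw_response)
    parts = [p.strip() for p in headers["set-cookie"].split(";")]
    name, _, value = parts[0].partition("=")
    if name != COOKIE:
        raise ValueError("response did not set " + COOKIE)
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    issued_at = parsedate_to_datetime(headers["date"])
    return {
        "value": value,
        "expires_at": issued_at + timedelta(seconds=int(attrs["max-age"])),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def callback_problems(url, request_headers, sent_at, issued):
    """List the reasons a callback cannot be tied to the login request."""
    problems = []
    cookies = {}
    for pair in request_headers.get("Cookie", "").split(";"):
        key, sep, val = pair.strip().partition("=")
        if sep:
            cookies[key] = val
    # Assumption: the server matches the callback to the request by this cookie.
    if cookies.get(COOKIE) != issued["value"]:
        problems.append("request identifier cookie not sent")
    if parsedate_to_datetime(sent_at) > issued["expires_at"]:
        problems.append("request identifier expired")
    # Standard OIDC: the provider redirects back with ?code=...&state=...
    query = parse_qs(urlsplit(url).query)
    missing = [p for p in ("code", "state") if p not in query]
    if missing:
        problems.append("callback URL lacks " + " and ".join(missing))
    return problems
```

Run against the transcripts, all three checks fail: the callback was sent more than five minutes after a cookie with a 60-second lifetime was issued, without that cookie and without the `code` and `state` parameters the identity provider adds on redirect.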


REST API for secured NiFi with OpenID connect for authentication

2020-02-11 Thread Kumara M S, Hemantha (Nokia - IN/Bangalore)
Hi All,

We have nifi 1.9.2 & configured with oidc for authentication and trying to 
access the REST API via curl but not able to find documentation for the same.

I tried with below commands, but it is failing with an error "Username/Password 
login not supported by this NiFi."
curl 'https://192.168.112.49:9443/nifi-api/access/token' -H 'Accept-Encoding: 
gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded; 
charset=UTF-8' -H 'Accept: */*' --data 'username=nifi=Nifi123!' 
--compressed -k

Can someone pls help ? pointing to doc or any other pointers?
I have gone through an old issue 
http://apache-nifi.1125220.n5.nabble.com/Nifi-REST-API-access-to-OpenID-connect-secured-instance-td20644.html
 but no proper answer.

Thanks & Regards,
Hemantha