Oh OK, now I see what you mean with the double quotes... didn't notice in
the first place =/
How did you generate the certificates for the nodes? Probably something
wrong here that introduced the double quotes in the certificates.

2018-03-30 17:34 GMT+02:00 Scott Howell <[email protected]>:

> 2018-03-30 15:32:42,268 INFO [NiFi Web Server-21] 
> o.a.n.w.s.NiFiAuthenticationFilter
> Attempting request for (<JWT token>) GET https://localhost:8443/nifi-
> api/flow/current-user (source ip: 10.10.2.214)
> 2018-03-30 15:32:42,270 INFO [NiFi Web Server-21] 
> o.a.n.w.s.NiFiAuthenticationFilter
> Authentication success for uid=scott,ou=users,dc={redacted},dc=com
> 2018-03-30 15:32:42,325 INFO [NiFi Web Server-18] 
> o.a.n.w.s.NiFiAuthenticationFilter
> Attempting request for (<uid=scott,ou=users,dc={
> redacted},dc=com><CN="nifi-2.dev.{redacted}.com, OU=Nifi">) GET
> https://nifi-2.dev.mobilgov.com:8443/nifi-api/flow/current-user (source
> ip: 10.10.20.32)
> 2018-03-30 15:32:42,325 WARN [NiFi Web Server-18] 
> o.a.n.w.s.NiFiAuthenticationFilter
> Rejecting access to web api: Untrusted proxy CN="nifi-2.dev.{redacted}.com,
> OU=Nifi"
>
> On Mar 30, 2018, at 10:06 AM, Pierre Villard <[email protected]>
> wrote:
>
> Can you copy/paste what you exactly have in the nifi-users.log when you
> face this error?
> Just want to double check there is not some typo somewhere.
>
> 2018-03-30 16:50 GMT+02:00 Scott Howell <[email protected]>:
>
>> Here is my authorizations.xml
>>
>> <authorizations>
>>     <policies>
>>         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>> resource="/flow" action="R">
>>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>         </policy>
>>         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>> resource="/restricted-components" action="W">
>>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>         </policy>
>>         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>> resource="/tenants" action="R">
>>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>         </policy>
>>         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>> resource="/tenants" action="W">
>>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>         </policy>
>>         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>> resource="/policies" action="R">
>>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>         </policy>
>>         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>> resource="/policies" action="W">
>>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>         </policy>
>>         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>> resource="/controller" action="R">
>>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>         </policy>
>>         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>> resource="/controller" action="W">
>>             <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"/>
>>         </policy>
>>         <policy identifier="287edf48-da72-359b-8f61-da5d4c45a270"
>> resource="/proxy" action="W">
>>             <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"/>
>>             <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"/>
>>             <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"/>
>>         </policy>
>>     </policies>
>> </authorizations>
>>
>> On Mar 30, 2018, at 9:48 AM, Pierre Villard <[email protected]>
>> wrote:
>>
>> Hi Scott,
>>
>> Can you have a look at the authorizations.xml file? (and share the
>> content of it to confirm that node users are given the proxy
>> authorizations?)
>>
>> Thanks!
>>
>> 2018-03-30 16:15 GMT+02:00 Scott Howell <[email protected]>:
>>
>>> I am nearing the finish line of setting up a cluster using a self-signed
>>> cert.
>>>
>>> When trying to log in to the cluster after the cluster comes up I am able
>>> to see in the logs that my initial admin user is able to log in.
>>>
>>> Once that takes place I get an “Untrusted proxy” error on both the UI
>>> and in the nifi-user.log.
>>>
>>> This is what I see in the UI: Untrusted proxy
>>> CN="nifi-2.dev.{redacted}.com, OU=Nifi”
>>>
>>> In my authorizers.xml I have this:
>>> <authorizers>
>>>   <authorizer>
>>>     <identifier>file-provider</identifier>
>>>     <class>org.apache.nifi.authorization.FileAuthorizer</class>
>>>     <property name="Authorizations File">/opt/config/authorizations.xml</property>
>>>     <property name="Users File">/opt/config/users.xml</property>
>>>     <property name="Initial Admin Identity">uid=scott,ou=users,dc={redacted},dc=com</property>
>>>     <property name="Legacy Authorized Users File"></property>
>>>
>>>     <property name="Node Identity 1">CN=nifi-1.dev.{redacted}.com, OU=Nifi</property>
>>>     <property name="Node Identity 2">CN=nifi-2.dev.{redacted}.com, OU=Nifi</property>
>>>     <property name="Node Identity 3">CN=nifi-3.dev.{redacted}.com, OU=Nifi</property>
>>>   </authorizer>
>>> </authorizers>
>>>
>>> On the nodes I am seeing this in my  user.xml
>>> <tenants>
>>>     <groups/>
>>>     <users>
>>>         <user identifier="4e9a2753-85a0-3c8e-96bf-6d5ef821fe53"
>>> identity="uid=scott,ou=users,dc={redacted},dc=com"/>
>>>         <user identifier="20f01804-bad9-3baf-9ebb-5846ae8e7425"
>>> identity="CN=nifi-1.dev.{redacted}.com, OU=Nifi"/>
>>>         <user identifier="ce02b3e3-68ff-3bc1-9001-6a66b26db1f9"
>>> identity="CN=nifi-2.dev.{redacted}.com, OU=Nifi"/>
>>>         <user identifier="c0ae0a6d-d80a-39ce-aa5e-b519066ffefe"
>>> identity="CN=nifi-3.dev.{redacted}.com, OU=Nifi"/>
>>>     </users>
>>> </tenants>
>>>
>>> I believe the issue is with where the “ is in my error "Untrusted proxy
>>> CN="nifi-2.dev.mobilgov.com, OU=Nifi”” but I am not able to figure out
>>> where that quotation is coming from because I can’t find it anywhere.
>>>
>>> Was wondering if anyone has had issues with this before.
>>>
>>> Scott
>>>
>>
>>
>>
>
>
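
Added example, not part of the original thread: double quotes in a printed DN mark an attribute value that itself contains a comma, so the rejected proxy identity is a single RDN while the identity in users.xml is two. The sketch below makes that visible by splitting both strings into RDNs; the sample XML, log line, `example.com` host and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread's users.xml and nifi-user.log.
USERS_XML = """<tenants><groups/><users>
  <user identifier="u1" identity="CN=nifi-1.dev.example.com, OU=Nifi"/>
  <user identifier="u2" identity="CN=nifi-2.dev.example.com, OU=Nifi"/>
</users></tenants>"""
LOG_LINE = ('2018-03-30 15:32:42,325 WARN [NiFi Web Server-18] '
            'o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: '
            'Untrusted proxy CN="nifi-2.dev.example.com, OU=Nifi"')

def split_rdns(dn):
    """Split a DN on commas that are neither inside double quotes nor escaped."""
    rdns, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep an escaped pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:          # RDN separator
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def diagnose(log_line, users_xml):
    """Compare the rejected proxy DN with the identities defined in users.xml."""
    proxy = re.search(r"Untrusted proxy (.+)$", log_line).group(1)
    identities = [u.get("identity") for u in ET.fromstring(users_xml).iter("user")]
    unquoted = proxy.replace('"', "")
    return {
        "proxy": proxy,
        "proxy_rdns": split_rdns(proxy),
        "exact_match": proxy in identities,
        # Identity with the same characters but a different RDN structure, if any.
        "looks_like": next((i for i in identities if i == unquoted), None),
    }

if __name__ == "__main__":
    print(diagnose(LOG_LINE, USERS_XML))
```

A `looks_like` hit with `exact_match` false and a single entry in `proxy_rdns` means the certificate subject carries the whole string, `OU=Nifi` included, inside its CN value.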
