Hi Tom,

How are you configuring the various config files? Through the docker 
container's environment variables, or through modifying those files directly? 
If modifying those files, are you injecting them through a volume or something 
like that? Trying to determine if there is something else at play here 
overwriting your settings on startup...

It sounds like you are able to configure authentication/login successfully, and 
are just running into a snag on the authorization / initial admin side of 
things.

Try this:

1. In authorizers.xml, set the "Initial User Identity 1" and "Initial Admin 
Identity" properties to exactly match the user identity recognized by NiFi (the 
one you see in the upper-right corner of the UI after logging in). Make sure 
whitespace and capitalization all agree.

2. Delete users.xml and authorizations.xml files and restart NiFi Registry.

If all goes successfully, your users.xml file should be regenerated to hold a 
user with an identity matching "Initial User Identity 1", and 
authorizations.xml should be regenerated to hold the policies for the "Initial 
Admin Identity".

If you get that working, you can improve things a bit by configuring the 
LdapUserGroupProvider to sync users and groups from LDAP, letting you set 
policies in the UI without having to manually create users that match the LDAP 
directory users.

Hope this helps,
Kevin
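
Added example, not part of Kevin's message or the NiFi Registry code base: a check for step 1 above that reads authorizers.xml and compares the "Initial User Identity N" and "Initial Admin Identity" properties character-for-character with the identity shown in the UI. The sample XML and identities are constructed placeholders; strict comparison is an assumption that follows the advice that whitespace and capitalization must agree.

```python
import xml.etree.ElementTree as ET

# Constructed sample authorizers.xml (not from the thread); identities are placeholders.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=Example-User, OU=people, DC=example, DC=com</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">cn=example-user,ou=people,dc=example,dc=com </property>
  </accessPolicyProvider>
</authorizers>"""

# Property-name prefixes that must carry the identity exactly as the UI shows it.
WATCHED = ("Initial User Identity", "Initial Admin Identity")

def _fold(s):
    """Drop all whitespace and case so near-misses can be recognised."""
    return "".join(s.split()).lower()

def check_initial_identities(xml_text, ui_identity):
    """Return [(property name, configured value, verdict)] for each watched property."""
    results = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name", "")
        if not name.startswith(WATCHED):
            continue
        value = prop.text or ""
        if value == ui_identity:
            verdict = "match"
        elif not value.strip():
            verdict = "empty"
        elif _fold(value) == _fold(ui_identity):
            verdict = "differs only in whitespace/case"
        else:
            verdict = "different identity"
        results.append((name, value, verdict))
    return results

if __name__ == "__main__":
    shown_in_ui = "cn=example-user,ou=people,dc=example,dc=com"  # placeholder
    for name, value, verdict in check_initial_identities(SAMPLE_AUTHORIZERS, shown_in_ui):
        print(f"{name}: {value!r} -> {verdict}")
```

Anything other than "match" on either property means users.xml and authorizations.xml would be regenerated for an identity that differs from the one the login produces.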


On February 13, 2019 at 03:56:52, Tomislav Novosel (to.novo...@gmail.com) wrote:
> Also, FYI.
> 
> If I set for INITIAL_ADMIN_IDENTITY my user's full DN, cn=...,ou=...,dc=...
> I can also login into UI, but there is no properties button upper right in
> the UI.
> 
> [image: 1.PNG]
> 
> If I set only USERNAME to be u21g46, I can see properties button, but I
> can't add new users.
> 
> BR,
> Tom
> 
> On Fri, 8 Feb 2019 at 16:03, Bryan Bende wrote:
> 
> > Thinking about it more, I guess if you are not trying to do spnego
> > then that message from the logs is not really an error. The registry
> > UI always tries the spnego end-point first and if it returns the
> > conflict response (as the log says) then you get sent to the login
> > page.
> >
> > Maybe try turning on debug logging by editing logback.xml
> > <logger name="org.apache.nifi.registry" level="INFO"/> and changing to DEBUG.
> >
> > On Fri, Feb 8, 2019 at 9:51 AM Tomislav Novosel 
> > wrote:
> > >
> > > Hi Bryan,
> > >
> > > I don't have these properties populated in Nifi registry instance
> > > outside Docker (as a service on linux server), and everything works.
> > >
> > > What are these properties up to?
> > >
> > > Regards,
> > > Tom
> > >
> > >
> > >
> > > On Fri, 8 Feb 2019 at 15:25, Bryan Bende wrote:
> > >>
> > >> The message about "Kerberos service ticket login not supported by this
> > >> NiFi Registry" means that one of the following properties is not
> > >> populated:
> > >>
> > >> nifi.registry.kerberos.spnego.principal=
> > >> nifi.registry.kerberos.spnego.keytab.location=
> > >>
> > >> On Fri, Feb 8, 2019 at 8:20 AM Tomislav Novosel 
> > wrote:
> > >> >
> > >> > Hi Daniel,
> > >> >
> > >> > Ok, I see. Thanks for the answer.
> > >> >
> > >> > I switched to official Nifi registry image. I succeeded to spin up
> > registry in docker container and to
> > >> > setup Kerberos provider in identity-providers.xml. Also I configured
> > authorizers.xml as per official Nifi documentation.
> > >> >
> > >> > I already have the same setup with Kerberos, but not in Docker
> > container. And everything works like a charm.
> > >> >
> > >> > When I enter credentials, login does not pass. This is app log:
> > >> >
> > >> > 2019-02-08 12:52:30,568 INFO [NiFi Registry Web Server-14]
> > o.a.n.r.w.m.IllegalStateExceptionMapper java.lang.IllegalStateException: 
> > Kerberos service ticket login not supported by this NiFi Registry.
> > Returning Conflict response.
> > >> > 2019-02-08 12:52:30,644 INFO [NiFi Registry Web Server-13]
> > o.a.n.r.w.s.NiFiRegistrySecurityConfig Client could not be authenticated
> > due to:
> > org.springframework.security.authentication.AuthenticationCredentialsNotFoundException:
> >  
> > An Authentication object was not found in the SecurityContext Returning 401
> > response.
> > >> > 2019-02-08 12:52:50,557 INFO [NiFi Registry Web Server-14]
> > o.a.n.r.w.m.UnauthorizedExceptionMapper
> > org.apache.nifi.registry.web.exception.UnauthorizedException: The supplied 
> > client credentials are not valid.. Returning Unauthorized response.
> > >> >
> > >> > Not sure what is going on here.
> > >> >
> > >> > Regards,
> > >> > Tom
> > >> >
> > >> >
> > >> > On Fri, 8 Feb 2019 at 11:36, Daniel Chaffelson 
> > wrote:
> > >> >>
> > >> >> Hi Tomislav,
> > >> >> I created that build a long time ago before the official apache one
> > was up, and it is out of date sorry.
> > >> >> Can I suggest you switch to the official apache image that Kevin
> > mentioned and try again? It is an up to date version and recommended by the
> > community.
> > >> >>
> > >> >> On Thu, Feb 7, 2019 at 5:54 PM Tomislav Novosel <
> > to.novo...@gmail.com> wrote:
> > >> >>>
> > >> >>> Hi Kevin,
> > >> >>>
> > >> >>> I'm using image from Docker hub on this link:
> > >> >>> https://hub.docker.com/r/chaffelson/nifi-registry
> > >> >>>
> > >> >>> I think I know where is the problem. The problem is in config file
> > where
> > >> >>> http host and http port property remains even if I manually set
> > https host and https port.
> > >> >>> I deleted http host and http port to be empty, but when I started
> > container again, those values are again there.
> > >> >>>
> > >> >>> I don't know what the author of image wanted to say with this:
> > >> >>>
> > >> >>> The Docker image can be built using the following command:
> > >> >>>
> > >> >>> .
> > ~/Projects/nifi-dev/nifi-registry/nifi-registry-docker/dockerhub/DockerBuild.sh
> >  
> > >> >>>
> > >> >>> What does this command mean?
> > >> >>>
> > >> >>> And this:
> > >> >>>
> > >> >>> Note: The default version of NiFi-Registry specified by the
> > Dockerfile is typically that of one that is unreleased if working from
> > source. To build an image for a prior released version, one can override
> > the NIFI_REGISTRY_VERSION build-arg with the following command:
> > >> >>>
> > >> >>> docker build --build-arg=NIFI_REGISTRY_VERSION={Desired
> > NiFi-Registry Version} -t apache/nifi-registry:latest .
> > >> >>>
> > >> >>> For this command above you need to have Dockerfile. I tried with
> > Dockerfile from docker hub, but there are errors in execution on this line:
> > >> >>>
> > >> >>> ADD sh/ ${NIFI_REGISTRY_BASE_DIR}/scripts/
> > >> >>>
> > >> >>> On the other hand, If I manage to get the image with first
> > command, I will get Nifi registry version 0.1.0 which I don't want.
> > >> >>>
> > >> >>> I'm little bit confused here, sorry for longer mail.
> > >> >>>
> > >> >>> Thanks.
> > >> >>>
> > >> >>> Regards,
> > >> >>> Tom
> > >> >>>
> > >> >>> On Thu, 7 Feb 2019 at 17:38, Kevin Doran wrote:
> > >> >>>>
> > >> >>>> Hi Tom,
> > >> >>>>
> > >> >>>> Are you using the apache/nifi-registry image or a custom image for
> > this?
> > >> >>>>
> > >> >>>> Have you configured TLS?
> > >> >>>> Can you share your complete conf dir (removing sensitive values
> > such as password or domains)?
> > >> >>>>
> > >> >>>> Thanks,
> > >> >>>> Kevin
> > >> >>>>
> > >> >>>>
> > >> >>>> On February 7, 2019 at 05:57:37, Tomislav Novosel (
> > to.novo...@gmail.com) wrote:
> > >> >>>> > Hi all,
> > >> >>>> >
> > >> >>>> > I'm trying to configure Nifi registry authentication with
> > Kerberos while
> > >> >>>> > Nifi registry runs
> > >> >>>> > inside Docker container.
> > >> >>>> >
> > >> >>>> > I configured all security properties in
> > nifi-registry.properties, login
> > >> >>>> > identity provider and
> > >> >>>> > authorizers.xml. Everything the same as for Nifi registry
> > running as a
> > >> >>>> > service without Docker container.
> > >> >>>> >
> > >> >>>> > When I open UI in browser and type in login data, login does not
> > pass.
> > >> >>>> >
> > >> >>>> > In /logs/nifi-registry-app.log I see error:
> > >> >>>> >
> > >> >>>> > An Authentication object was not found in the SecurityContext
> > Returning
> > >> >>>> > 401 response
> > >> >>>> > java.lang.IllegalStateException: Access tokens are only issued
> > over HTTPS
> > >> >>>> >
> > >> >>>> > nifi.registry.web.https.host property is default because of
> > Docker:
> > >> >>>> > ae24ea32faef
> > >> >>>> > nifi.registry.web.https.port=18080
> > >> >>>> >
> > >> >>>> > How can I resolve this?
> > >> >>>> > Thanks.
> > >> >>>> >
> > >> >>>> >
> > >> >>>> > BR,
> > >> >>>> > Tom
> > >> >>>> >
> > >> >>>>
> >
> 
