yes, and set the nifi.kerberos.service.principal to nifi, but when I did that I'm getting a java.lang.StringIndexOutOfBoundsException: String index out of range: -1

Let me look at the code for setting the principal, maybe I have that borked....

On Mon, Jul 6, 2020 at 10:47 AM Bryan Bende <bbe...@gmail.com> wrote:

> Have you configured this in nifi.properties?
>
> nifi.zookeeper.auth.type=sasl
>
>
> On Mon, Jul 6, 2020 at 12:43 PM dan young <danoyo...@gmail.com> wrote:
>
>> Hello,
>>
>> And a follow up on this, if I delete the znode in zookeeper, the leaders
>> is written to the /nifi znode, but the ACL is open, 'world';'anyone.... I
>> do have the Access Control set to CreatorOnly in the state-management.xml.
>> So one question, is the CreatorOnly only supported when we run in kerberos
>> env?
>>
>> Dano
>>
>> On Mon, Jul 6, 2020 at 10:36 AM dan young <danoyo...@gmail.com> wrote:
>>
>>> Hello everyone,
>>>
>>> I'm trying to configure the zookeeper state provider in NiFi to use the
>>> Access Policy of CreatorOnly vs Open using DIGEST vs Kerberos. I believe
>>> I've set up zookeeper correctly for this, and partly Nifi, but when I
>>> startup nifi cluster, we seem to get stuck with the following:
>>>
>>> 2020-07-06 16:06:20,826 WARN [Clustering Tasks Thread-1]
>>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>>> because there is no Cluster Coordinator currently elected
>>> 2020-07-06 16:06:35,920 WARN [Clustering Tasks Thread-2]
>>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>>> because there is no Cluster Coordinator currently elected
>>> 2020-07-06 16:06:50,923 WARN [Clustering Tasks Thread-2]
>>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>>> because there is no Cluster Coordinator currently elected
>>> 2020-07-06 16:07:06,071 WARN [Clustering Tasks Thread-2]
>>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>>> because there is no Cluster Coordinator currently elected
>>>
>>> I can see the znode in zookeeper, and it appears to at least have the
>>> correct permissions. I created this znode in the CLI:
>>>
>>> addauth digest nifi:<passwd>
>>> create /nifi data digest:nifi<passwd digest>:cdrwa
>>>
>>> The digest was generated via:
>>>
>>> java -cp
>>> '/op/zookeeper/lib/zookeeper-3.5.8.jar:/opt/zookeeper/lib/slf4j-api-1.7.25.jar'
>>> org.apache.auth.AuthenticationProvider nifi:<passwd>
>>>
>>> [zk: nifi1-5:2181,nifi2-5:2181,nifi3-5:2181(CONNECTED) 4] getAcl /nifi
>>> 'digest,'nifi:the-passwd-digest'
>>> : cdrwa
>>>
>>>
>>> after starting up Nifi, doing an ls /nifi, the znode is empty.
>>> [zk: nifi1-5:2181,nifi2-5:2181,nifi3-5:2181(CONNECTED) 4] ls /nifi
>>> []
>>>
>>> Seems like we can't write the leaders or components value under the
>>> /nifi znode.
>>>
>>>
>>> Looking at the nifi-app log
>>>
>>> 2020-07-06 16:05:46,554 INFO [main-SendThread(xx.xxx.x.xx:2181)]
>>> org.apache.zookeeper.Login Client successfully logged in.
>>> 2020-07-06 16:05:46,556 INFO [main-SendThread(xx.xxx.x.xx:2181)]
>>> o.a.zookeeper.client.ZooKeeperSaslClient Client will use DIGEST-MD5 as SASL
>>> mechanism.
>>> 2020-07-06 16:05:46,900 INFO [main-EventThread]
>>> o.a.c.f.state.ConnectionStateManager State change: CONNECTED
>>> 2020-07-06 16:05:47,347 INFO [main-EventThread]
>>> o.a.c.framework.imps.EnsembleTracker New config event received:
>>> {server.1=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181, version=0,
>>> server.3=xx.xxx.x.xx:2888:3888:participant;0.0.0.0:2181,
>>> server.2=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181}
>>> 2020-07-06 16:05:47,354 INFO [main-EventThread]
>>> o.a.c.framework.imps.EnsembleTracker New config event received:
>>> {server.1=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181, version=0,
>>> server.3=xx.xxx.x.xx:2888:3888:participant;0.0.0.0:2181,
>>> server.2=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181}
>>> 2020-07-06 16:05:47,357 INFO [Curator-Framework-0]
>>> o.a.c.f.imps.CuratorFrameworkImpl backgroundOperationsLoop exiting
>>> 2020-07-06 16:05:47,364 DEBUG [main] org.apache.zookeeper.ZooKeeper
>>> Closing session: 0x3002a05b0c60006
>>> 2020-07-06 16:05:47,469 INFO [main/ org.apache.zookeeper.ZooKeeper
>>> Session: 0x3002a05b0c60006 closed
>>>
>>>
>>>
>>> Any ideas on what configuration I could be missing or have wrong? I
>>> have a jaas.conf file in the $NIFI_HOME/conf directory and have a
>>> java.arg.18--Djava.security.auth.login.config=<path to jaas.conf file>
>>>
>>> One question I have, in the jaas.conf file, I put the passwd in there
>>> and not the digest I believe...I understand this would be passed around
>>> cleartext, but this is just for testing purposes currently....
>>>
>>> Nifi 1.11.4
>>> external zookeeper 3.5.8
>>>
>>> Regards,
>>>
>>> Dano
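
Added example, not part of the original thread and not NiFi or ZooKeeper code: a check of `getAcl` output like the two cases described above (a digest-only ACL versus an open `world:anyone` ACL). It assumes the digest scheme id is `user:base64(sha1("user:password"))`, which is what ZooKeeper's `org.apache.zookeeper.server.auth.DigestAuthenticationProvider` produces; the function names, sample password and sample outputs are constructed for illustration.

```python
import base64
import hashlib
import re

def zk_digest_id(user: str, password: str) -> str:
    """ACL id for the digest scheme: user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"

def parse_getacl(output: str):
    """Parse zkCli getAcl output into (scheme, id, perms) tuples."""
    entries, scheme, ident = [], None, None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"^'([^,]+),'(.*?)'?$", line)  # e.g. 'digest,'nifi:<hash>
        if m:
            scheme, ident = m.group(1), m.group(2)
        elif line.startswith(":") and scheme is not None:  # e.g. ": cdrwa"
            entries.append((scheme, ident, line[1:].strip()))
            scheme = ident = None
    return entries

def audit_acl(output: str, user: str, password: str):
    """Return findings; an empty list means only the expected digest id has access."""
    expected = zk_digest_id(user, password)
    entries = parse_getacl(output)
    findings = [] if entries else ["no ACL entries parsed"]
    for scheme, ident, perms in entries:
        if scheme == "world":
            findings.append(f"open ACL: world:{ident} has '{perms}'")
        elif scheme != "digest":
            findings.append(f"unexpected scheme: {scheme}")
        elif ident != expected:
            findings.append("digest id does not match the expected credentials")
    return findings

# Constructed sample outputs (not taken from a real cluster).
SAMPLE_LOCKED = "'digest,'" + zk_digest_id("nifi", "example-password") + "\n: cdrwa\n"
SAMPLE_OPEN = "'world,'anyone\n: cdrwa\n"

if __name__ == "__main__":
    print("digest ACL string: digest:" + zk_digest_id("nifi", "example-password") + ":cdrwa")
    print(audit_acl(SAMPLE_LOCKED, "nifi", "example-password"))
    print(audit_acl(SAMPLE_OPEN, "nifi", "example-password"))
```
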