yes, and set the nifi.kerberos.service.principal to nifi, but when I did
that I'm getting an java.lang.StringIndexOutOfBoundsException: String
index out of range: -1
Let me look at the code for setting the principal, maybe I have that
borked....
On Mon, Jul 6, 2020 at 10:47 AM Bryan Bende <bbe...@gmail.com> wrote:
> Have you configured this in nifi.properties?
>
> nifi.zookeeper.auth.type=sasl
>
>
> On Mon, Jul 6, 2020 at 12:43 PM dan young <danoyo...@gmail.com> wrote:
>
>> Hello,
>>
>> And a follow up on this, if I delete the znode in zookeeper, the leaders
>> is written to the /nifi znode, but the ACL is open, 'world';'anyone.... I
>> do have the Access COntrol set to CreatorOnly in the state-management.xml.
>> So one question, is the CreatorOnly only supported when we run in kerberos
>> env?
>>
>> Dano
>>
>> On Mon, Jul 6, 2020 at 10:36 AM dan young <danoyo...@gmail.com> wrote:
>>
>>> Hello everyone,
>>>
>>> I'm trying to configure the zookeeper state provider in NiFi to use the
>>> Access Policy of CreatorOnly vs Open using DIGEST vs Kerberos. I believe
>>> I've setup zookeeper correctly for this, and partly Nifi, but when I
>>> startup nifi cluster, we seem to get stuck with the following:
>>>
>>> 2020-07-06 16:06:20,826 WARN [Clustering Tasks Thread-1]
>>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>>> because there is no Cluster Coordinator currently elected
>>> 2020-07-06 16:06:35,920 WARN [Clustering Tasks Thread-2]
>>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>>> because there is no Cluster Coordinator currently elected
>>> 2020-07-06 16:06:50,923 WARN [Clustering Tasks Thread-2]
>>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>>> because there is no Cluster Coordinator currently elected
>>> 2020-07-06 16:07:06,071 WARN [Clustering Tasks Thread-2]
>>> o.apache.nifi.controller.FlowController Failed to send heartbeat due to:
>>> org.apache.nifi.cluster.protocol.ProtocolException: Cannot send heartbeat
>>> because there is no Cluster Coordinator currently elected
>>>
>>> I can see the znode in zookeeper, and it appears to at least have the
>>> correct permissions. I created this znode in the CLI:
>>>
>>> addauth digest nifi:<passwd>
>>> create /nifi data digest:nifi<passwd digest>:cdrwa
>>>
>>> The digest was generated via:
>>>
>>> java -cp
>>> '/op/zookeeper/lib/zookeeper-3.5.8.jar:/opt/zookeeper/lib/slf4j-api-1.7.25.jar'
>>> org.apache.auth.AuthenticationProvider nifi:<passwd>
>>>
>>> [zk: nifi1-5:2181,nifi2-5:2181,nifi3-5:2181(CONNECTED) 4] getAcl /nifi
>>> 'digest,'nifi:the-passwd-digest'
>>> : cdrwa
>>>
>>>
>>> after starting up Nifi, doing and ls /nifi, the znode is empty.
>>> [zk: nifi1-5:2181,nifi2-5:2181,nifi3-5:2181(CONNECTED) 4] ls /nifi
>>> []
>>>
>>> Seems like we can't write the leaders or components value under the
>>> /nifi znode.
>>>
>>>
>>> Looking at the nifi-app log
>>>
>>> 2020-07-06 16:05:46,554 INFO [main-SendThread(xx.xxx.x.xx:2181)]
>>> org.apache.zookeeper.Login Client successfully logged in.
>>> 2020-07-06 16:05:46,556 INFO [main-SendThread(xx.xxx.x.xx:2181)]
>>> o.a.zookeeper.client.ZooKeeperSaslClient Client will use DIGEST-MD5 as SASL
>>> mechanism.
>>> 2020-07-06 16:05:46,900 INFO [main-EventThread]
>>> o.a.c.f.state.ConnectionStateManager State change: CONNECTED
>>> 2020-07-06 16:05:47,347 INFO [main-EventThread]
>>> o.a.c.framework.imps.EnsembleTracker New config event received:
>>> {server.1=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181, version=0,
>>> server.3=xx.xxx.x.xx:2888:3888:participant;0.0.0.0:2181,
>>> server.2=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181}
>>> 2020-07-06 16:05:47,354 INFO [main-EventThread]
>>> o.a.c.framework.imps.EnsembleTracker New config event received:
>>> {server.1=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181, version=0,
>>> server.3=xx.xxx.x.xx:2888:3888:participant;0.0.0.0:2181,
>>> server.2=xx.xxx.x.xxx:2888:3888:participant;0.0.0.0:2181}
>>> 2020-07-06 16:05:47,357 INFO [Curator-Framework-0]
>>> o.a.c.f.imps.CuratorFrameworkImpl backgroundOperationsLoop exiting
>>> 2020-07-06 16:05:47,364 DEBUG [main] org.apache.zookeeper.ZooKeeper
>>> Closing session: 0x3002a05b0c60006
>>> 2020-07-06 16:05:47,469 INFO [main/ org.apache.zookeeper.ZooKeeper
>>> Session: 0x3002a05b0c60006 closed
>>>
>>>
>>>
>>> Any ideas on what configuration I could be missing or have wrong? I
>>> have a jaas.conf file in the $NIFI_HOME/conf directory and have a
>>> java.arg.18--Djava.security.auth.login.config=<path to jaas.conf file>
>>>
>>> One question I have, in the jaas.conf file, I put the passwd in there
>>> and not the digest I believe...I understand this would be passed around
>>> cleartext, but this is just for testing purposes currently....
>>>
>>> Nifi 1.11.4
>>> external zookeeper 3.5.8
>>>
>>> Regards,
>>>
>>> Dano
>>>
>>>
