Etienne,

No problem, I understand, it sounds like you are close to getting it working. Feel free to follow up if you run into additional issues.

Regards,
David Handermann

On Wed, Nov 25, 2020 at 8:28 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:

David.

Did not have time this morning to test.
But it may be something really "stupid", my fault. It seems I made a mistake while generating certificates on nodes, regarding the CA....

Hope to have time this afternoon and I will return.

Etienne

On Wed, Nov 25, 2020 at 2:18 PM David Handermann <exceptionfact...@gmail.com> wrote:

I am not as familiar with the LDAP user group provider, but based on the "Untrusted proxy" message you are seeing, it sounds like the nodes are not being identified properly as members of the "nodes" group from LDAP. Just for testing purposes, you could try specifying the node distinguished names in the "Node Identity N" properties of the access policy provider, using "Node Identity 1", "Node Identity 2" and "Node Identity 3" to specify each node DN. If that works, then it sounds like a configuration issue with the Node Group, either on the LDAP server, or in the way NiFi is attempting to query LDAP.

Regards,
David Handermann

On Wed, Nov 25, 2020 at 5:19 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:

Just for information, did not have time to test it for now.
I was not able to get this Walk Throughs documentation.
https://nifi.apache.org/docs/nifi-docs/html/walkthroughs.html

Hope I will find the error I have about the certificate (I have a little idea)

Etienne

On Wed, Nov 25, 2020 at 8:36 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:

Hello.

I made some progress yesterday.
I did set up groups and persons in LDAP.

Groups :
cn=administrators,ou=groups,ou=nifi,dc=amexio,dc=ch : for administrators
cn=supervisors,ou=groups,ou=nifi,dc=amexio,dc=ch : for supervisors
cn=nodes,ou=groups,ou=nifi,dc=amexio,dc=ch : group where I put all "person" entries representing NiFi nodes.

Users :
cn=migX.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch : for each node, replacing X by the index, and with object class person
uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch : example of "real" user used to connect on the platform, with object class inetOrgPerson

In NiFi configuration.
I did activate a userGroupProvider linked to the LDAP:

    <userGroupProvider>
        <identifier>amexio-ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>

        <property name="Manager DN">uid=admin,ou=system</property>
        <property name="Manager Password">secret</property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldap://localhost:10389</property>
        <property name="Page Size">50</property>
        <!-- <property name="Sync Interval">30 mins</property> -->
        <property name="Sync Interval">30 seconds</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>

        <property name="User Search Base">ou=users,ou=nifi,dc=amexio,dc=ch</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute"></property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base">ou=groups,ou=nifi,dc=amexio,dc=ch</property>
        <property name="Group Object Class">groupOfNames</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>

Of course, I registered it inside the accessPolicyProvider:

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <!-- <property name="User Group Provider">file-user-group-provider</property> -->
        <property name="User Group Provider">amexio-ldap-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <!-- <property name="Initial Admin Identity"></property> -->
        <property name="Initial Admin Identity">uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group">nodes</property>
    </accessPolicyProvider>

I am able to connect with the initial administrator account, when the first node is started.
And all nodes are synchronized in the NiFi instance.

As soon as I start an additional node, I cannot connect to the first node.
Error message:
Untrusted proxy CN=mig1.amexio.ch, OU=users, OU=nifi, DC=amexio, DC=ch

But I can connect on the second node.

So all this is about the certificate I guess.
For reminder, I use tls-toolkit to generate the certificate on all nodes with something like :

    tls-toolkit.bat standalone -f "C:\nifi-1.12.1\node1\conf\nifi.properties" -o "C:\nifi-1.12.1\node1\conf\secured" -n mig1.amexio.ch --nifiDnPrefix cn= --nifiDnSuffix ou=users,ou=nifi,dc=amexio,dc=ch

Proxy is untrusted, ok fine. So maybe I should not use the standalone function of the toolkit, but use server and client. In that case, do I have to keep the toolkit server alive ?
Also, it seems I did not add the certificate from node1 inside the node2 truststore, and the node2 certificate inside the node1 truststore ?
But in this case, if I have to add a new node, let's say node4, I would have to push the certificate from node4 inside all existing nodes ?

I continue to search, but any idea / input will be appreciated.

Etienne

On Mon, Nov 23, 2020 at 6:39 PM Bryan Bende <bbe...@gmail.com> wrote:

Yes it will be the DN of the server's certificate which comes from the keystore.

NiFi will get an incoming request, see that there is an X509 cert, take the DN and go to the user group provider and ask for the user with this identity.

On Mon, Nov 23, 2020 at 12:01 PM Etienne Jouvin <lapinoujou...@gmail.com> wrote:

Hum OK,

I will give it a try.
But one more thing...

If I only set the node group;
How will NiFi connect the node with the nodeId in the LDAP ?
Where does it take the nodeId value from ?
Is it the value we set in the keystore / truststore, by default cn=localhost, dc=NIFI (something like this) ?

Etienne

On Mon, Nov 23, 2020 at 5:54 PM Bryan Bende <bbe...@gmail.com> wrote:

I don't really know the LDAP specifics too well, so I'm not actually sure.

You just need the nodes to come back from the LDAP UserGroupProvider as if they were regular users and members of some group "foo", which you then put "foo" into the "Node Group".

On Mon, Nov 23, 2020 at 11:50 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:

Thanks Bryan.

With your answer.... I will go to the Node Group and assign node identities.
Better for deployment and setup on the fly, I guess.

One more point, you said "creating ldap entries for your nodes and assigning them group membership in ldap". What type of objectClass would you assign to the node in LDAP ?
This is not inetOrgPerson. The node should not have a password.
If I create groupOfMembers for each node, is it correct ?

Thanks

Etienne

On Mon, Nov 23, 2020 at 5:27 PM Bryan Bende <bbe...@gmail.com> wrote:

Hello,

"Node Identity" is similar to the "Initial Admin" concept, in that it sets up the policies for the initial nodes to have permissions to proxy.

If you are creating ldap entries for your nodes and assigning them group membership in ldap, then yes you could put that group name as the "Node Group" and then you don't need to specify the "Node Identities".

If you are creating the node users in NiFi's file-based user group provider then you need to use node identities, and when adding a new node to the cluster you'd have to add the user first through the UI/REST API and grant it proxy, then actually connect it to the cluster.

Thanks,

Bryan

On Mon, Nov 23, 2020 at 7:58 AM Etienne Jouvin <lapinoujou...@gmail.com> wrote:

Hello all.

I am currently setting up a NiFi, 1.12.1, Cluster with LDAP authentication.
For now the accessPolicyProvider is the default one with the configuration template :

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity"></property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>

But I do not really understand the purpose of the Node Identity X property.
If I understood correctly, all nodes should have the same configuration file, and I should register all node identities.

But what about if I want to add a new node in the cluster on the fly ?
Should I register a new node identity, and then change all nodes' configurations ?
The comment, in the configuration file, mentions the configuration Node Group, "The name of a group containing NiFi cluster nodes. The typical use for this is when nodes are dynamically added/removed from the cluster."
Should I just put a Node group name and this will do the trick ?

What should I put ? At the following link, https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.0.3/bk_administration/content/cluster-node-identities.html, it says something like : cn=nifi-1,ou=people,dc=example,dc=com
In that case, what should be the object class for the node cn=nifi-1 in the LDAP ?

Any documentation links will be appreciated.

Regards.

Etienne Jouvin
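The identity lookup Bryan describes in the thread above (NiFi takes the DN from the node's X509 certificate and asks the user group provider for a user with that identity) as an added worked example. This is example code written for this page, not part of the thread and not NiFi's own code. It models the lookup as an exact string comparison (an assumption of the example), puts the certificate-style DN from the "Untrusted proxy" message next to the LDAP entry DN from the same thread to make the difference in case and spacing visible, and emulates the nifi.properties identity-mapping mechanism (nifi.security.identity.mapping.pattern / .value / .transform) with a hypothetical pattern and value that rewrite the certificate DN into the LDAP form. The sample DNs are constructed from the ones quoted in the thread; whether this comparison is what fails in Etienne's cluster is not established on the page, the check simply makes the comparison step inspectable.

```python
import re

# Constructed sample values, modelled on the identities quoted in this thread
# (the "Untrusted proxy" message and the LDAP layout); not taken from any real
# deployment.
CERT_DN = "CN=mig1.amexio.ch, OU=users, OU=nifi, DC=amexio, DC=ch"
LDAP_IDENTITIES = [
    "cn=mig1.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch",
    "cn=mig2.amexio.ch,ou=users,ou=nifi,dc=amexio,dc=ch",
    "uid=mig-admin,ou=users,ou=nifi,dc=amexio,dc=ch",
]

# Hypothetical identity-mapping rule in the shape of the
# nifi.security.identity.mapping.pattern/value/transform properties in
# nifi.properties. The pattern and value strings are assumptions made for
# this example; the transform accepts NONE, LOWER or UPPER.
MAPPING_PATTERN = r"^CN=(.*?), OU=(.*?), OU=(.*?), DC=(.*?), DC=(.*?)$"
MAPPING_VALUE = "cn=$1,ou=$2,ou=$3,dc=$4,dc=$5"
MAPPING_TRANSFORM = "LOWER"

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def parse_dn(dn):
    """Split a DN string into (attribute type, value) pairs, unescaping '\\,'."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip().replace("\\,", ",")))
    return rdns


def normalize_dn(dn):
    """Canonical form: lowercased attribute types, trimmed values, no space after commas."""
    return ",".join(f"{attr.lower()}={value}" for attr, value in parse_dn(dn))


def apply_identity_mapping(identity, pattern, value, transform="NONE"):
    """Emulate a NiFi identity mapping: if the pattern matches, rebuild the
    identity from the value template ($1, $2, ...) and apply the transform;
    otherwise return the identity unchanged."""
    match = re.match(pattern, identity)
    if match is None:
        return identity
    mapped = re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), value)
    if transform == "LOWER":
        return mapped.lower()
    if transform == "UPPER":
        return mapped.upper()
    return mapped


def lookup_identity(identity, known_identities):
    """Exact-string lookup, which is how this example models the user group
    provider's lookup by identity: returns the stored identity or None."""
    return identity if identity in set(known_identities) else None


def resolve_node_identity(cert_dn, known_identities,
                          pattern=None, value=None, transform="NONE"):
    """Walk the steps described in the thread: take the certificate DN,
    optionally run it through an identity mapping, then look that identity up
    in the user list. Also report whether a miss is only a difference in
    case or whitespace between the two DN spellings."""
    raw_hit = lookup_identity(cert_dn, known_identities)
    mapped = cert_dn if pattern is None else apply_identity_mapping(
        cert_dn, pattern, value, transform)
    mapped_hit = lookup_identity(mapped, known_identities)
    norm = normalize_dn(cert_dn)
    form_only = raw_hit is None and any(
        normalize_dn(k) == norm for k in known_identities)
    return {
        "certificate_identity": cert_dn,
        "found_as_is": raw_hit is not None,
        "mapped_identity": mapped,
        "found_after_mapping": mapped_hit is not None,
        "differs_only_in_form": form_only,
    }


if __name__ == "__main__":
    # Without a mapping the certificate DN misses; with the hypothetical
    # mapping it resolves to the LDAP entry DN.
    print(resolve_node_identity(CERT_DN, LDAP_IDENTITIES))
    print(resolve_node_identity(CERT_DN, LDAP_IDENTITIES,
                                MAPPING_PATTERN, MAPPING_VALUE, MAPPING_TRANSFORM))
```

To run it against a real node, replace CERT_DN with the subject printed in the "Untrusted proxy" line and LDAP_IDENTITIES with the identities the LDAP user group provider actually returns (the entry DNs when "User Identity Attribute" is blank, as in the configuration above). If "differs_only_in_form" comes back true, the two sides name the same entry but the strings are not equal, and a mapping of this shape is the usual way to make them line up; if it is false, the certificate DN is not in the user list at all and the problem lies in the LDAP search or in the certificate itself.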