Ok so you are authenticating with a client cert, so this has nothing to do with kerberos.
Put the DN from the client cert as the initial admin in authorizers.xml and it generates the policies in authorizations.xml for you. You likely need to delete users.xml and authorizations.xml in order for it to be a fresh setup and trigger the seeding of the initial admin. On Mon, Dec 14, 2020 at 1:51 PM Darren Govoni <dar...@ontrenet.com> wrote: > I see this error in the browser > > Along with the exception in the log: Kerberos ticket login not supported > by this NiFi > > That is just with adding the /etc/krb5.conf to nifi.properties per your > suggestion. > > I do have a browser cert it prompted me to select. > > I had started to add the cert CN to authorizers.xml (i.e. add it to > initial admin field), but it requires populating authorizations.xml as well > and I'm not sure how to do that. > > ------------------------------ > *From:* Bryan Bende <bbe...@gmail.com> > *Sent:* Monday, December 14, 2020 1:04 PM > *To:* users@nifi.apache.org <users@nifi.apache.org> > *Subject:* Re: Secure Mode & Kerberos > > I'm confused, how are you trying to authenticate to nifi and what is > the error your are getting in the nifi UI when you attempt to access > it? > > You said you didn't want to authenticate via kerberos, so the warning > should not matter. > > On Mon, Dec 14, 2020 at 11:26 AM Darren Govoni <dar...@ontrenet.com> > wrote: > > > > Thanks Bryan. > > > > I'm seeing in AccessResource.java that it will throw this exception if > spnego is not configured or keberosService is null, which it is in my nifi. > > > > Doing a quick search for setKeberosService callers doesnt turn anything > up in the code. And this exception prevents me accessing the app. > > > > Do i need to configure anything in authorizers.xml or users.xml? > > > > I set the krb file in nifi.properties already. > > > > Darren > > > > Sent from my Verizon, Samsung Galaxy smartphone > > Get Outlook for Android > > > > ________________________________ > > From: Bryan Bende <bbe...@gmail.com> > > Sent: Monday, December 14, 2020 11:19:28 AM > > To: users@nifi.apache.org <users@nifi.apache.org> > > Subject: Re: Secure Mode & Kerberos > > > > That is just a warning that prints every time you refresh the UI, the > > UI makes a call to see if SPNEGO is enabled, it shouldn't impact > > anything, same case for OIDC. > > > > On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni <dar...@ontrenet.com> > wrote: > > > > > > When I remove the SPNEGO properties and set the krb5 file > > > > > > # kerberos # > > > nifi.kerberos.krb5.file=/etc/krb5.conf > > > > > > > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > Kerberos ticket login not supported by this NiFi.. Returning Conflict > response. > > > java.lang.IllegalStateException: Kerberos ticket login not supported > by this NiFi. > > > > > > Also threw exception about OpenID Connect not configured. > > > > > > Nifi 1.11.4 > > > > > > ________________________________ > > > From: Darren Govoni <dar...@ontrenet.com> > > > Sent: Monday, December 14, 2020 10:00 AM > > > To: users@nifi.apache.org <users@nifi.apache.org> > > > Subject: Re: Secure Mode & Kerberos > > > > > > Hi Bryan > > > > > > I did do that but still got the warning/error. But I will go back and > verify this. > > > > > > Darren > > > > > > Sent from my Verizon, Samsung Galaxy smartphone > > > Get Outlook for Android > > > > > > ________________________________ > > > From: Bryan Bende <bbe...@gmail.com> > > > Sent: Monday, December 14, 2020 9:37:33 AM > > > To: users@nifi.apache.org <users@nifi.apache.org> > > > Subject: Re: Secure Mode & Kerberos > > > > > > You don't need to have NiFi secured with Kerberos in order to use HDFS > > > processors talking to kerberized HDFS. > > > > > > You just need to specify the krb5.conf in nifi.properties, and you > > > need to provide the HDFS processors with a core-site.xml that has > > > security set to kerberos. > > > > > > On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni <dar...@ontrenet.com> > wrote: > > > > > > > > Hi, > > > > I want to test the HDFS processors using Kerberos, but they > trigger a warning saying Nifi is not running in secure mode, so it ignores > kerberos. > > > > > > > > In order to get Nifi into secure mode I had to enable SPNEGO which > it seems to want a kerberos header to allow me into the app now. > > > > > > > > Is there a way to allow processors to run securely with kerberos > without having to auth myself into the app via kerberos? Which I'm not sure > how to do. > > > > > > > > Darren > > > > > > > > PS. I do have a Apache Kerby KDC running locally if that can help me > auth into Nifi. >
