I see. Thank you.
Sent from my Verizon, Samsung Galaxy smartphone
Get Outlook for Android<https://aka.ms/ghei36>
________________________________
From: Bryan Bende <bbe...@gmail.com>
Sent: Monday, December 14, 2020 2:26:54 PM
To: users@nifi.apache.org <users@nifi.apache.org>
Subject: Re: Secure Mode & Kerberos
It refers to what I said earlier about providing a core-site.xml to the
processor that has:
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
It means the core-site you provided doesn't have that, which indicates HDFS is
not kerberized, but you filled in the kerberos properties on the processor, so
it is telling you they won't be used for anything since core-site doesn't say
that kerberos is enabled.
On Mon, Dec 14, 2020 at 2:12 PM Darren Govoni
<dar...@ontrenet.com<mailto:dar...@ontrenet.com>> wrote:
Gotcha. Thanks.
The only reason I got down this road is because the HDFS processors were logging
"Configuration does not have security enabled, keytab and principal will be
ignored."
Which is a bit vague and left me thinking i needed to run Nifi in secure mode.
The processors were configured for kereberos. Still not sure what the message
refers to though.
Darren
Sent from my Verizon, Samsung Galaxy smartphone
Get Outlook for Android<https://aka.ms/ghei36>
________________________________
From: Bryan Bende <bbe...@gmail.com<mailto:bbe...@gmail.com>>
Sent: Monday, December 14, 2020 1:56:01 PM
To: users@nifi.apache.org<mailto:users@nifi.apache.org>
<users@nifi.apache.org<mailto:users@nifi.apache.org>>
Subject: Re: Secure Mode & Kerberos
Ok so you are authenticating with a client cert, so this has nothing to do with
kerberos.
Put the DN from the client cert as the initial admin in authorizers.xml and it
generates the policies in authorizations.xml for you.
You likely need to delete users.xml and authorizations.xml in order for it to
be a fresh setup and trigger the seeding of the initial admin.
On Mon, Dec 14, 2020 at 1:51 PM Darren Govoni
<dar...@ontrenet.com<mailto:dar...@ontrenet.com>> wrote:
I see this error in the browser
[cid:17662b30953cb971f161]
Along with the exception in the log: Kerberos ticket login not supported by
this NiFi
That is just with adding the /etc/krb5.conf to nifi.properties per your
suggestion.
I do have a browser cert it prompted me to select.
I had started to add the cert CN to authorizers.xml (i.e. add it to initial
admin field), but it requires populating authorizations.xml as well and I'm not
sure how to do that.
________________________________
From: Bryan Bende <bbe...@gmail.com<mailto:bbe...@gmail.com>>
Sent: Monday, December 14, 2020 1:04 PM
To: users@nifi.apache.org<mailto:users@nifi.apache.org>
<users@nifi.apache.org<mailto:users@nifi.apache.org>>
Subject: Re: Secure Mode & Kerberos
I'm confused, how are you trying to authenticate to nifi and what is
the error your are getting in the nifi UI when you attempt to access
it?
You said you didn't want to authenticate via kerberos, so the warning
should not matter.
On Mon, Dec 14, 2020 at 11:26 AM Darren Govoni
<dar...@ontrenet.com<mailto:dar...@ontrenet.com>> wrote:
>
> Thanks Bryan.
>
> I'm seeing in AccessResource.java that it will throw this exception if spnego
> is not configured or keberosService is null, which it is in my nifi.
>
> Doing a quick search for setKeberosService callers doesnt turn anything up in
> the code. And this exception prevents me accessing the app.
>
> Do i need to configure anything in authorizers.xml or users.xml?
>
> I set the krb file in nifi.properties already.
>
> Darren
>
> Sent from my Verizon, Samsung Galaxy smartphone
> Get Outlook for Android
>
> ________________________________
> From: Bryan Bende <bbe...@gmail.com<mailto:bbe...@gmail.com>>
> Sent: Monday, December 14, 2020 11:19:28 AM
> To: users@nifi.apache.org<mailto:users@nifi.apache.org>
> <users@nifi.apache.org<mailto:users@nifi.apache.org>>
> Subject: Re: Secure Mode & Kerberos
>
> That is just a warning that prints every time you refresh the UI, the
> UI makes a call to see if SPNEGO is enabled, it shouldn't impact
> anything, same case for OIDC.
>
> On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni
> <dar...@ontrenet.com<mailto:dar...@ontrenet.com>> wrote:
> >
> > When I remove the SPNEGO properties and set the krb5 file
> >
> > # kerberos #
> > nifi.kerberos.krb5.file=/etc/krb5.conf
> >
> >
> > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19]
> > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> > Kerberos ticket login not supported by this NiFi.. Returning Conflict
> > response.
> > java.lang.IllegalStateException: Kerberos ticket login not supported by
> > this NiFi.
> >
> > Also threw exception about OpenID Connect not configured.
> >
> > Nifi 1.11.4
> >
> > ________________________________
> > From: Darren Govoni <dar...@ontrenet.com<mailto:dar...@ontrenet.com>>
> > Sent: Monday, December 14, 2020 10:00 AM
> > To: users@nifi.apache.org<mailto:users@nifi.apache.org>
> > <users@nifi.apache.org<mailto:users@nifi.apache.org>>
> > Subject: Re: Secure Mode & Kerberos
> >
> > Hi Bryan
> >
> > I did do that but still got the warning/error. But I will go back and
> > verify this.
> >
> > Darren
> >
> > Sent from my Verizon, Samsung Galaxy smartphone
> > Get Outlook for Android
> >
> > ________________________________
> > From: Bryan Bende <bbe...@gmail.com<mailto:bbe...@gmail.com>>
> > Sent: Monday, December 14, 2020 9:37:33 AM
> > To: users@nifi.apache.org<mailto:users@nifi.apache.org>
> > <users@nifi.apache.org<mailto:users@nifi.apache.org>>
> > Subject: Re: Secure Mode & Kerberos
> >
> > You don't need to have NiFi secured with Kerberos in order to use HDFS
> > processors talking to kerberized HDFS.
> >
> > You just need to specify the krb5.conf in nifi.properties, and you
> > need to provide the HDFS processors with a core-site.xml that has
> > security set to kerberos.
> >
> > On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni
> > <dar...@ontrenet.com<mailto:dar...@ontrenet.com>> wrote:
> > >
> > > Hi,
> > > I want to test the HDFS processors using Kerberos, but they trigger a
> > > warning saying Nifi is not running in secure mode, so it ignores kerberos.
> > >
> > > In order to get Nifi into secure mode I had to enable SPNEGO which it
> > > seems to want a kerberos header to allow me into the app now.
> > >
> > > Is there a way to allow processors to run securely with kerberos without
> > > having to auth myself into the app via kerberos? Which I'm not sure how
> > > to do.
> > >
> > > Darren
> > >
> > > PS. I do have a Apache Kerby KDC running locally if that can help me auth
> > > into Nifi.
