Hi,
I ran into the same issue, except I use LDAP instead of OIDC.
My schema is this:
┌────────────┐        ┌─────────────┐   Initial admin
│Univention  │        │NiFi 2.0.0 M4│   added, can login
│LDAP(7389)  ◄────────┼Secured      │   and manage users
└────▲───────┘        │https        │   and flows as
     │                └──────┬──────┘   expected.
     │                       │
     │                       │
     │                ┌──────▼──────┐   Initial admin
     │                │NiFi Registry│   added, can login
     │                │2.0.0 M4     │   can manage users
     └────────────────┼Secured      │   and buckets. It
                      │https        │   seems ok as
                      └─────────────┘   expected.
Steps:
* I created keystore/truststore on Registry and secured Registry.
  - /opt/nifi-toolkit-1.27.0/bin/tls-toolkit.sh standalone -n $NODENAME -O -o /opt/nifi-registry-2.0.0-M4/conf/tls
    cp /opt/nifi-registry-2.0.0-M4/conf/tls/$NODENAME/*jks /opt/nifi-registry-2.0.0-M4/conf/
  - Please note, there are no sys_admin etc. users created with certs.
* Registry set to only use ldap-* (auth/prov).
* I can log in with the initial admin (I added one user from LDAP), who is
  able to manage users, buckets, set privileges etc., exactly as
  expected.
* NiFi instance installed; the same keystore and truststore files are
  copied from Registry (see above).
* NiFi set to use only LDAP as identity provider/auth, so no file-based
  or hybrid users/groups. LDAP users set to allow proxy (please note,
  only LDAP users exist).
* On this NiFi I created a new registry client
  (https://nifireg:18443) [1] without an SSL context (earlier I did it
  with an SSL context and got "connection refused" etc. error messages,
  so I do not remember those configs/setups).
* Created a process group and applied Version/Start Version Control.
* I got no error messages, but the bucket list remains empty.
* There are even publicly visible buckets.
* Nothing in the logs (no DEBUG, only INFO).
* Host names are added to /etc/hosts to provide correct name
  resolution.
My questions:
- While securing NiFi Registry, do I need to create a sys_admin cert
  using the toolkit and copy the *.jks to the Registry and NiFi instance?
- How can I register a NiFi instance under Registry? This part is not
  exactly clear to me; maybe I am trying to reduce the complexity to my
  level, that can happen. Probably this is the part where sys_admin and
  ou=NIFI appear in the documents?
I did a lot of tests until I reached this state, where this setup seems
to work as I would like it to, but now I suspect that my conception about
using only LDAP without any "external" users and certs could work.
Any hint in the right direction is welcome :)
Thank you!
István
On Monday, 18 Sept 2023 at 13:43, Chris Sampson wrote:
> Have you added the NiFi Instance(s) as Users within the Registry with
> the "Can Proxy User" access policy [1]?
> If you're managing Buckets/Flow Definitions within Registry from
> NiFi, then the NiFi instance/cluster needs to be granted permission
> to "proxy" (act on behalf of) the end user. So both the end user
> (nifi_sysadm in your case) and the NiFi instance(s) need to be added
> to Registry. The username to use within Registry will be the DN
> presented by your NiFi instance's certificate used to connect to
> Registry.
>
>
> [1]:
> https://nifi.apache.org/docs/nifi-registry-docs/html/user-guide.html#special-privileges
>
>
> Cheers,
>
> ---
> Chris Sampson
> IT Consultant
> [email protected]
>
>
>
>
>
> On Mon, 18 Sept 2023 at 12:25, Brant Gardner <[email protected]>
> wrote:
> >
> >
> > Bumping this question here, does any other NiFi user have this
> > configuration (Nifi+Registry, both secured with OIDC) that works?
> > We’re still not able to get the Registry to recognize users trying
> > to utilize version control on flows; if we could see someone else’s
> > configuration that works it might unblock us.
> >
> > Thanks!
> >
> >
> > Brant Gardner
> > Software Developer– BI & Analytics
> > 3M Health Information Systems
> > 3M Center, 223-1N-03 | St. Paul, MN 55144-1000 | United States
> > Time: GMT -6:00
> > Office: +1 651 467 3620 | Mobile: +1 402 470 7895 |
> > [email protected]
> >
> >
> >
> >
> >
> >
> >
> >
> > From: Mark Moore <[email protected]>
> > Sent: Monday, August 21, 2023 13:59
> > To: [email protected]
> > Subject: [EXTERNAL] Registry client cant see available buckets in
> > secure setup using oidc authentication
> >
> >
> >
> >
> > We have a secure NiFi and NiFi Registry running with OIDC
> > authentication, version 1.23.0.
> > Both nifi and registry authentication is working through oidc,
> > however when we try to start version control there are no available
> > buckets.
> > Also if we try and import from the bucket when creating a process
> > group all the buckets are available.
> >
> >
> > The tls-toolkit was used to create the keystore/truststore and the
> > certs.
> > The SSL cert from nifi registry keystore has been added to the
> > nifi’s truststore.
> > The cert was added to our browser as well.
> >
> > All values in the nifi-registry.properties files for the keystore
> > and truststore have been updated to the correct values, ie type,
> > passwords and where to find the stores.
> >
> >
> > The authorizations.xml file has been modified in 2 places to add
> > the DN.
> >
> > User group provider
> > <property name="Initial User Identity 1">CN=nifi_sysadm,OU=3M</property>
> >
> > Access policy
> > <property name="Initial Admin Identity">CN=nifi_sysadm,OU=3M</property>
> >
> > I did not use a space after the comma in my DN when using tls-toolkit
> > to create the certificate. I read where someone pointed that out, so
> > I used the exact same string when I set up the user in the registry.
> >
> >
> > Permissions to the buckets and users are shown below
> >
> >
> > The user has all permissions on the bucket policy as well.
> >
> >
> >
> > Logs show nothing and registry client setup shows no errors. Any
> > help would be appreciated.
> >
> >
> > Thanks
> >
> >
> >
> > Mark Moore | Business Intelligence
> > 3M Health Information Systems
> > Franklin, TN 37067 | United States
> > Office: +1 651 732 2034
> > [email protected]
> >
> >
> >
[1] https://nifireg:18443/
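The two checks this thread keeps circling back to (is the NiFi node's certificate DN present as a Registry user, exactly as spelled, and does that user hold the "Can Proxy User Requests" privilege) can be scripted against Registry's file-based provider output. The example below is added here and is not code from the thread or from the NiFi project; it assumes the users.xml / authorizations.xml layout of the file-based user-group and access-policy providers, where the proxy privilege is the policy with resource "/proxy" and action "W", and all DNs and identifiers in the sample XML are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of NiFi Registry users.xml (file-user-group-provider style).
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="u-admin" identity="CN=nifi_sysadm,OU=3M"/>
    <user identifier="u-node" identity="CN=nifi01.example.org, OU=NIFI"/>
  </users>
</tenants>"""

# Constructed sample of authorizations.xml; resource "/proxy" with action "W"
# is assumed to be the "Can Proxy User Requests" special privilege.
AUTHZ_XML = """<authorizations>
  <policies>
    <policy identifier="p1" resource="/tenants" action="R"><user identifier="u-admin"/></policy>
    <policy identifier="p2" resource="/proxy" action="W"><user identifier="u-node"/></policy>
  </policies>
</authorizations>"""


def load_users(xml_text):
    """Map identity string -> identifier, exactly as stored (no normalisation)."""
    root = ET.fromstring(xml_text)
    return {u.get("identity"): u.get("identifier")
            for u in root.iter("user") if u.get("identity")}


def proxy_grantees(xml_text):
    """Identifiers granted the /proxy WRITE policy."""
    root = ET.fromstring(xml_text)
    ids = set()
    for p in root.iter("policy"):
        if p.get("resource") == "/proxy" and p.get("action") == "W":
            ids.update(u.get("identifier") for u in p.iter("user"))
    return ids


def check_proxy(node_dn, users_xml, authz_xml):
    """Classify why a NiFi node DN would or would not be allowed to proxy."""
    users = load_users(users_xml)
    if node_dn in users:
        return "ok" if users[node_dn] in proxy_grantees(authz_xml) \
            else "user-present-no-proxy-policy"
    # Exact match failed: flag a near miss that differs only by ", " vs ","
    squeezed = node_dn.replace(", ", ",")
    for identity in users:
        if identity.replace(", ", ",") == squeezed:
            return f"dn-mismatch: registry has {identity!r}"
    return "user-missing"
```

Feed it the subject DN your NiFi node actually presents (e.g. from keytool -list -v on the NiFi keystore) rather than the string you think you typed into the toolkit.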