Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

nifi-san
Hello,

We are trying to integrate Nifi-7.1 with SSL and LDAP.

We have two different Nifi installations, one which is a standalone node and
the other which is a three node cluster.

Nifi Standalone:-
We were able to successfully integrate the Standalone node with SSL and
login to the Nifi UI with the client certificate.

Nifi Cluster:-
With the same configuration for authorizers.xml as for the Nifi
standalone, on the Nifi cluster nodes, we get the below error:-

ERROR:-
********************************************
Insufficient Permissions  
Untrusted proxy CN=host1, OU=NIFI  
********************************************

The authorizers.xml configuration on the cluster is as follows:-

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">/opt/app/resources/nifi/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1">CN=NADMIN, OU=NIFI</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">/opt/app/resources/nifi/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=NADMIN, OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="ohlvnfiap002dd.oh.dev.dat.aws.vz-connect.net"></property>
        <property name="Node Identity 1">CN=host1, OU=NIFI</property>
        <property name="Node Identity 2">CN=host2, OU=NIFI</property>
        <property name="Node Identity 3">CN=host3, OU=NIFI</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

We have checked the FQDN and the CN Name of the certificates generated and
all other configurations but could not identify anything specifically that
could be the root cause of the issue.

Apart from the above error with respect to privilege, we do not see any
other error in the logs.

The same configuration worked fine on Nifi-1.3; however, not sure why it
does not work on Nifi-1.7.
Also, it works fine on the standalone node but not on the cluster.

Appreciate if you could provide any assistance on this as it has already
been a while that we have been blocked because of this issue.



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

Pierre Villard
Sounds like a permission issue. Can you share the content of
/opt/app/resources/nifi/authorizations.xml to be sure that /proxy
permissions have been correctly set on the node entities?

Thanks,
Pierre


Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

Peter Wilcsinszky
In reply to this post by nifi-san
Hi,

are your hosts registered in LDAP properly? If you don't want them to come
from LDAP then they should come from the file-user-group-provider as
initial user identities in addition to your "Initial User Identity 1".

Peter


Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

Andy LoPresto-2
A few things to note:

Between NiFi 1.3.0 and NiFi 1.7.0, the authorizer structure changed, as the user and group provider was separated from the policy provider. This means there are two components (UserGroupProvider) and (AccessPolicyProvider) that are defined independently and compose the ManagedAuthorizer. This means that for a cluster, the proxies must be defined in two locations in the authorizers.xml file (see below). 

Also, in NiFi 1.7.1, there were changes to hostname verification and wildcard certificates are fixed but wildcard certificates are not supported. If you are using wildcard certificates in your cluster, you should convert these to unique, explicit certificates for each node. Each node certificate should also contain a SubjectAlternativeName entry with the explicit DNS name of the service. More information can be found in the Admin Guide [1] or the Migration Guidance [2]. 

Here is an example authorizers.xml file with the proxies defined in both locations. 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity A">CN=alopresto_NIFI-5370, OU=NIFI</property>
        <property name="Initial User Identity 1">CN=node1.nifi.apache.org, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=node2.nifi.apache.org, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=node3.nifi.apache.org, OU=NIFI</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=alopresto_NIFI-5370, OU=NIFI</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1">CN=node1.nifi.apache.org, OU=NIFI</property>
        <property name="Node Identity 2">CN=node2.nifi.apache.org, OU=NIFI</property>
        <property name="Node Identity 3">CN=node3.nifi.apache.org, OU=NIFI</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69


Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

nifi-san
In reply to this post by nifi-san
Thanks for the reply. Please find below the authorizations.xml and user.xml:-

Authorizations.xml:-

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy action="R" resource="/flow" identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="R" resource="/data/process-groups/e66f0489-0165-1000-4ffd-578079bc2961" identifier="f2a6ce38-565b-3fb1-a02d-9e0c0fdaa59e">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="W" resource="/data/process-groups/e66f0489-0165-1000-4ffd-578079bc2961" identifier="05766804-6d66-3d49-a8f4-0d73b5ea2121">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="R" resource="/process-groups/e66f0489-0165-1000-4ffd-578079bc2961" identifier="d78cdb6e-344b-370d-8714-c4b7a88cf585">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="W" resource="/process-groups/e66f0489-0165-1000-4ffd-578079bc2961" identifier="d3910dff-c116-35bb-85f3-d6c2215d1cdb">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="W" resource="/restricted-components" identifier="b8775bd4-704a-34c6-987b-84f2daf7a515">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="R" resource="/tenants" identifier="627410be-1717-35b4-a06f-e9362b89e0b7">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="W" resource="/tenants" identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="R" resource="/policies" identifier="ff96062a-fa99-36dc-9942-0f6442ae7212">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="W" resource="/policies" identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="R" resource="/controller" identifier="2e1015cb-0fed-3005-8e0d-722311f21a03">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
        <policy action="W" resource="/controller" identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf">
            <user identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
        </policy>
    </policies>
</authorizations>

user.xml:-

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identity="CN=NADMIN, OU=NIFI" identifier="991a6798-da54-3570-bf24-061e3ff2b099"/>
    </users>
</tenants>

Errors in the user logs:-

2018-09-19 05:25:14,267 INFO [NiFi Web Server-22]
o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
Kerberos ticket login not supported by this NiFi.. Returning Conflict
response.
2018-09-19 05:25:14,688 INFO [NiFi Web Server-18]
o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
OpenId Connect is not configured.. Returning Conflict response.
2018-09-19 05:25:15,073 INFO [NiFi Web Server-164]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=NADMIN,
OU=NIFI) GET https://hostname1:9443/nifi-api/flow/current-user (source ip:
10.253.220.155)
2018-09-19 05:25:15,074 INFO [NiFi Web Server-164]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=NADMIN,
OU=NIFI
2018-09-19 05:25:15,149 INFO [NiFi Web Server-22]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for () GET
https://hostname1:9443/nifi-api/flow/current-user (source ip: 10.59.68.155)
2018-09-19 05:25:15,149 WARN [NiFi Web Server-22]
o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted
proxy CN=hostname1:9443, OU=NIFI

Shouldn’t the authorizations.xml get automatically generated?
Strange thing is, it works fine on the standalone node.







Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

Pierre Villard
I believe the reason why you get the error is because you added the Node
Identities in authorizers.xml after you started your NiFi cluster once.

In short, when NiFi is starting for the first time, it'll detect that
authorizations.xml and users.xml do not exist and the files will be
automatically generated based on what you configured in authorizers.xml. If
you add things in authorizers.xml after the files have been generated, it
won't be taken into account (meaning: if the files exist, NiFi won't
change/update the files). Two options: add the required elements manually
or delete both authorizations.xml and users.xml files and restart the
cluster to have the files generated with the changes.

Based on the content of your authorizations.xml, it looks like you didn't
make any change so I'd recommend the second option: delete
authorizations.xml and users.xml files on all your NiFi nodes and restart
the nodes.

Thanks,
Pierre
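
The two checks raised in this thread, as an added example that is not part of any post or of the NiFi project: Andy LoPresto's point that each node identity must be declared in both providers of authorizers.xml, and Pierre Villard's point that an already generated users.xml and authorizations.xml are not updated, so the nodes may still lack the /proxy policy. It assumes file-based providers only (no LDAP user group provider); the function names and finding labels are hypothetical, and the sample XML is constructed from the identities posted above.

```python
import xml.etree.ElementTree as ET


def _props(provider):
    """Property name -> stripped value for one provider element."""
    return {p.get("name", ""): (p.text or "").strip()
            for p in provider.findall("property")}


def read_authorizers(xml_text):
    """Return (initial user identities, node identities) from authorizers.xml."""
    root = ET.fromstring(xml_text)
    users, nodes = set(), set()
    for ugp in root.findall("userGroupProvider"):
        users |= {v for k, v in _props(ugp).items()
                  if k.startswith("Initial User Identity") and v}
    for app in root.findall("accessPolicyProvider"):
        nodes |= {v for k, v in _props(app).items()
                  if k.startswith("Node Identity") and v}
    return users, nodes


def proxy_members(users_xml, authorizations_xml):
    """Identities holding W on /proxy, directly or through a group."""
    tenants = ET.fromstring(users_xml)
    ident = {u.get("identifier"): u.get("identity")
             for u in tenants.findall("users/user")}
    groups = {g.get("identifier"): [u.get("identifier") for u in g.findall("user")]
              for g in tenants.findall("groups/group")}
    allowed = set()
    for pol in ET.fromstring(authorizations_xml).findall("policies/policy"):
        if pol.get("resource") == "/proxy" and pol.get("action") == "W":
            ids = [u.get("identifier") for u in pol.findall("user")]
            for g in pol.findall("group"):
                ids += groups.get(g.get("identifier"), [])
            allowed |= {ident[i] for i in ids if i in ident}
    return allowed


def audit(authorizers_xml, users_xml=None, authorizations_xml=None):
    """Return a list of (label, identity) findings.

    no-initial-user : Node Identity with no matching Initial User Identity;
                      on a fresh start this is the "Unable to locate node ...
                      to seed policies" failure shown in the thread.
    no-proxy-policy : node absent from the generated files' /proxy policy;
                      requests it forwards are rejected as "Untrusted proxy".
    Identities are compared as exact strings (no identity mapping applied).
    """
    findings = []
    users, nodes = read_authorizers(authorizers_xml)
    findings += [("no-initial-user", n) for n in sorted(nodes - users)]
    if users_xml is not None and authorizations_xml is not None:
        allowed = proxy_members(users_xml, authorizations_xml)
        findings += [("no-proxy-policy", n) for n in sorted(nodes - allowed)]
    return findings


def build_authorizers(initial_users, nodes):
    """Constructed sample: minimal authorizers.xml with the given identities."""
    ugp = "".join(f'<property name="Initial User Identity {i}">{u}</property>'
                  for i, u in enumerate(initial_users, 1))
    app = "".join(f'<property name="Node Identity {i}">{n}</property>'
                  for i, n in enumerate(nodes, 1))
    return (f"<authorizers><userGroupProvider>{ugp}</userGroupProvider>"
            f"<accessPolicyProvider>{app}</accessPolicyProvider></authorizers>")


# Constructed inputs modelled on the thread (identifiers shortened).
ADMIN = "CN=NADMIN, OU=NIFI"
NODES = ["CN=host1, OU=NIFI", "CN=host2, OU=NIFI", "CN=host3, OU=NIFI"]
AS_POSTED = build_authorizers([ADMIN], NODES)            # nodes in one place only
BOTH_PLACES = build_authorizers([ADMIN] + NODES, NODES)  # nodes in both providers
STALE_USERS = ('<tenants><groups/><users>'
               '<user identity="CN=NADMIN, OU=NIFI" identifier="u-admin"/>'
               '</users></tenants>')
STALE_AUTHZ = ('<authorizations><policies>'
               '<policy action="R" resource="/flow" identifier="p-flow">'
               '<user identifier="u-admin"/></policy>'
               '<policy action="W" resource="/controller" identifier="p-ctl">'
               '<user identifier="u-admin"/></policy>'
               '</policies></authorizations>')

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("both places", BOTH_PLACES)):
        print(name)
        for label, identity in audit(cfg, STALE_USERS, STALE_AUTHZ):
            print(f"  {label}: {identity}")
```

Run against the real files on every node before restarting; a corrected authorizers.xml that still reports no-proxy-policy means the generated files predate the change.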


Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

nifi-san
Thanks for the suggestions.

I tried exactly the same step and deleted authorizations.xml and user.xml
from all the cluster nodes and tried starting the nodes. I am encountering
the below error while starting the nodes now and the node does not start
now.

2018-09-20 08:20:09,003 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Failed to start web server: Error creating bean with name
'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Unsatisfied dependency expressed through method
'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
org.springframework.beans.factory.BeanExpressionException: Expression
parsing failed; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
dependency expressed through method 'setJwtAuthenticationProvider' parameter
0; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'jwtAuthenticationProvider' defined in class path resource
[nifi-web-security-context.xml]: Cannot resolve reference to bean
'authorizer' while setting constructor argument; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'authorizer': FactoryBean threw exception on object creation;
nested exception is
org.apache.nifi.authorization.exception.AuthorizerCreationException:
org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
to locate node CN=hostname, OU=NIFI to seed policies.
2018-09-20 08:20:09,003 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Shutting down...
2018-09-20 08:20:09,662 INFO [main] org.apache.nifi.bootstrap.RunNiFi A
shutdown was initiated. Will not restart NiFi
2018-09-20 08:20:10,291 INFO [main] org.apache.nifi.bootstrap.Command NiFi
has finished shutting down.
2018-09-20 08:20:13,739 INFO [main] o.a.n.b.NotificationServiceManager
Successfully loaded the following 0 services: []
2018-09-20 08:20:13,743 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_STARTED
2018-09-20 08:20:13,743 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_STOPPED
2018-09-20 08:20:13,743 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_DIED
2018-09-20 08:20:13,759 INFO [main] org.apache.nifi.bootstrap.Command
Starting Apache NiFi...
2018-09-20 08:20:13,760 INFO [main] org.apache.nifi.bootstrap.Command
Working Directory: /opt/app/nifi-1.7.1
2018-09-20 08:20:13,760 INFO [main] org.apache.nifi.bootstrap.Command
Command: java -classpath
/opt/app/nifi-1.7.1/./conf:/opt/app/nifi-1.7.1/./lib/javax.servlet-api-3.1.0.jar:/opt/app/nifi-1.7.1/./lib/jetty-schemas-3.1.jar:/opt/app/nifi-1.7.1/./lib/logback-classic-1.2.3.jar:/opt/app/nifi-1.7.1/./lib/logback-core-1.2.3.jar:/opt/app/nifi-1.7.1/./lib/slf4j-api-1.7.25.jar:/opt/app/nifi-1.7.1/./lib/jcl-over-slf4j-1.7.25.jar:/opt/app/nifi-1.7.1/./lib/jul-to-slf4j-1.7.25.jar:/opt/app/nifi-1.7.1/./lib/log4j-over-slf4j-1.7.25.jar:/opt/app/nifi-1.7.1/./lib/nifi-api-1.7.1.jar:/opt/app/nifi-1.7.1/./lib/nifi-framework-api-1.7.1.jar:/opt/app/nifi-1.7.1/./lib/nifi-runtime-1.7.1.jar:/opt/app/nifi-1.7.1/./lib/nifi-nar-utils-1.7.1.jar:/opt/app/nifi-1.7.1/./lib/nifi-properties-1.7.1.jar
-Dorg.apache.jasper.compiler.disablejsr199=true -Xms8g -Xms8g
-Djavax.security.auth.useSubjectCredsOnly=true
-Djava.security.egd=file:/dev/urandom
-Dsun.net.http.allowRestrictedHeaders=true -Djava.net.preferIPv4Stack=true
-Djava.awt.headless=true -XX:+UseG1GC
-Djava.protocol.handler.pkgs=sun.net.www.protocol
-Dnifi.properties.file.path=/opt/app/nifi-1.7.1/./conf/nifi.properties
-Dnifi.bootstrap.listen.port=40021 -Dapp=NiFi
-Dorg.apache.nifi.bootstrap.config.log.dir=/opt/app/nifi-1.7.1/logs
org.apache.nifi.NiFi
2018-09-20 08:20:13,784 INFO [main] org.apache.nifi.bootstrap.Command
Launched Apache NiFi with Process ID 19384
2018-09-20 08:20:14,481 INFO [NiFi Bootstrap Command Listener]
org.apache.nifi.bootstrap.RunNiFi Apache NiFi now running and listening for
Bootstrap requests on port 40283
2018-09-20 08:20:35,382 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Failed to start web server: Error creating bean with name
'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Unsatisfied dependency expressed through method
'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
org.springframework.beans.factory.BeanExpressionException: Expression
parsing failed; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
dependency expressed through method 'setJwtAuthenticationProvider' parameter
0; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'jwtAuthenticationProvider' defined in class path resource
[nifi-web-security-context.xml]: Cannot resolve reference to bean
'authorizer' while setting constructor argument; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'authorizer': FactoryBean threw exception on object creation;
nested exception is
org.apache.nifi.authorization.exception.AuthorizerCreationException:
org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
to locate node CN=ohlvnfiap004dd.oh.dev.dat.aws.vz-connect.net, OU=NIFI to
seed policies.
2018-09-20 08:20:35,382 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Shutting down...
2018-09-20 08:20:36,798 INFO [main] org.apache.nifi.bootstrap.RunNiFi NiFi
never started. Will not restart NiFi
2018-09-20 08:23:22,682 INFO [main] o.a.n.b.NotificationServiceManager
Successfully loaded the following 0 services: []
2018-09-20 08:23:22,685 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_STARTED
2018-09-20 08:23:22,685 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_STOPPED
2018-09-20 08:23:22,685 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_DIED
2018-09-20 08:23:22,707 INFO [main] org.apache.nifi.bootstrap.Command Apache
NiFi is not running



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

nifi-san
In reply to this post by Pierre Villard
I deleted the authorizations.xml and user.xml files on all the nodes of the
cluster and restarted the nodes.
The Nifi nodes do not start up and I see the following errors in the logs
now:-

2018-09-20 08:20:09,003 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Failed to start web server: Error creating bean with name
'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Unsatisfied dependency expressed through method
'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
org.springframework.beans.factory.BeanExpressionException: Expression
parsing failed; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
dependency expressed through method 'setJwtAuthenticationProvider' parameter
0; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'jwtAuthenticationProvider' defined in class path resource
[nifi-web-security-context.xml]: Cannot resolve reference to bean
'authorizer' while setting constructor argument; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'authorizer': FactoryBean threw exception on object creation;
nested exception is
org.apache.nifi.authorization.exception.AuthorizerCreationException:
org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
to locate node CN=hostname, OU=NIFI to seed policies.
2018-09-20 08:20:09,003 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Shutting down...
2018-09-20 08:20:09,662 INFO [main] org.apache.nifi.bootstrap.RunNiFi A
shutdown was initiated. Will not restart NiFi
2018-09-20 08:20:10,291 INFO [main] org.apache.nifi.bootstrap.Command NiFi
has finished shutting down.
2018-09-20 08:20:13,739 INFO [main] o.a.n.b.NotificationServiceManager
Successfully loaded the following 0 services: []
2018-09-20 08:20:13,743 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_STARTED
2018-09-20 08:20:13,743 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_STOPPED
2018-09-20 08:20:13,743 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_DIED
2018-09-20 08:20:13,759 INFO [main] org.apache.nifi.bootstrap.Command
Starting Apache NiFi...
2018-09-20 08:20:13,760 INFO [main] org.apache.nifi.bootstrap.Command
Working Directory: /opt/app/nifi-1.7.1
2018-09-20 08:20:13,760 INFO [main] org.apache.nifi.bootstrap.Command
Command: java -classpath
/opt/app/nifi-1.7.1/./conf:/opt/app/nifi-1.7.1/./lib/javax.servlet-api-3.1.0.jar:/opt/app/nifi-1.7.1/./lib/jetty-schemas-3.1.jar:/opt/app/nifi-1.7.1/./lib/logback-classic-1.2.3.jar:/opt/app/nifi-1.7.1/./lib/logback-core-1.2.3.jar:/opt/app/nifi-1.7.1/./lib/slf4j-api-1.7.25.jar:/opt/app/nifi-1.7.1/./lib/jcl-over-slf4j-1.7.25.jar:/opt/app/nifi-1.7.1/./lib/jul-to-slf4j-1.7.25.jar:/opt/app/nifi-1.7.1/./lib/log4j-over-slf4j-1.7.25.jar:/opt/app/nifi-1.7.1/./lib/nifi-api-1.7.1.jar:/opt/app/nifi-1.7.1/./lib/nifi-framework-api-1.7.1.jar:/opt/app/nifi-1.7.1/./lib/nifi-runtime-1.7.1.jar:/opt/app/nifi-1.7.1/./lib/nifi-nar-utils-1.7.1.jar:/opt/app/nifi-1.7.1/./lib/nifi-properties-1.7.1.jar
-Dorg.apache.jasper.compiler.disablejsr199=true -Xms8g -Xms8g
-Djavax.security.auth.useSubjectCredsOnly=true
-Djava.security.egd=file:/dev/urandom
-Dsun.net.http.allowRestrictedHeaders=true -Djava.net.preferIPv4Stack=true
-Djava.awt.headless=true -XX:+UseG1GC
-Djava.protocol.handler.pkgs=sun.net.www.protocol
-Dnifi.properties.file.path=/opt/app/nifi-1.7.1/./conf/nifi.properties
-Dnifi.bootstrap.listen.port=40021 -Dapp=NiFi
-Dorg.apache.nifi.bootstrap.config.log.dir=/opt/app/nifi-1.7.1/logs
org.apache.nifi.NiFi
2018-09-20 08:20:13,784 INFO [main] org.apache.nifi.bootstrap.Command
Launched Apache NiFi with Process ID 19384
2018-09-20 08:20:14,481 INFO [NiFi Bootstrap Command Listener]
org.apache.nifi.bootstrap.RunNiFi Apache NiFi now running and listening for
Bootstrap requests on port 40283
2018-09-20 08:20:35,382 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Failed to start web server: Error creating bean with name
'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration':
Unsatisfied dependency expressed through method
'setFilterChainProxySecurityConfigurer' parameter 1; nested exception is
org.springframework.beans.factory.BeanExpressionException: Expression
parsing failed; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name
'org.apache.nifi.web.NiFiWebApiSecurityConfiguration': Unsatisfied
dependency expressed through method 'setJwtAuthenticationProvider' parameter
0; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'jwtAuthenticationProvider' defined in class path resource
[nifi-web-security-context.xml]: Cannot resolve reference to bean
'authorizer' while setting constructor argument; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'authorizer': FactoryBean threw exception on object creation;
nested exception is
org.apache.nifi.authorization.exception.AuthorizerCreationException:
org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
to locate node CN=hostname, OU=NIFI to seed policies.
2018-09-20 08:20:35,382 ERROR [NiFi logging handler] org.apache.nifi.StdErr
Shutting down...
2018-09-20 08:20:36,798 INFO [main] org.apache.nifi.bootstrap.RunNiFi NiFi
never started. Will not restart NiFi
2018-09-20 08:23:22,682 INFO [main] o.a.n.b.NotificationServiceManager
Successfully loaded the following 0 services: []
2018-09-20 08:23:22,685 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_STARTED
2018-09-20 08:23:22,685 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_STOPPED
2018-09-20 08:23:22,685 INFO [main] org.apache.nifi.bootstrap.RunNiFi
Registered no Notification Services for Notification Type NIFI_DIED
2018-09-20 08:23:22,707 INFO [main] org.apache.nifi.bootstrap.Command Apache
NiFi is not running



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

nifi-san
In reply to this post by Andy LoPresto-2
We have no wild cards in the certificates created. Each node certificate has a
unique CN name same as that of the hostname.



--
Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/

Re: Nifi -1.7 -Insufficient Permissions Untrusted proxy CN=host1, OU=NIFI error on cluster node

Bryan Bende
nested exception is
org.apache.nifi.authorization.exception.AuthorizerCreationException:
org.apache.nifi.authorization.exception.AuthorizerCreationException: Unable
to locate node CN=ohlvnfiap004dd.oh.dev.dat.aws.vz-connect.net, OU=NIFI to
seed policies.

This means CN=ohlvnfiap004dd.oh.dev.dat.aws.vz-connect.net, OU=NIFI
was put in the Node Identities section in the policy provider, but it
wasn't defined as a user in the user group provider.

It needs to be listed in both places, same as initial admin.

On Thu, Sep 20, 2018 at 6:42 AM nifi-san <[hidden email]> wrote:
>
> We have no wild cards in the certificates created. Each node certificate has a
> unique CN name same as that of the hostname.
>
>
>
> --
> Sent from: http://apache-nifi-developer-list.39713.n7.nabble.com/
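
The check described in the reply above (every identity the policy provider seeds must also be a user in the user group provider it references) can be run against authorizers.xml before starting a node. This is an added example, not code from the thread or from the NiFi project; the hostnames and sample file are constructed, and it assumes file-based providers with identities compared as exact strings and no identity mapping applied.

```python
import xml.etree.ElementTree as ET

# Constructed sample: node2 differs only by a missing space, node3 is not a user at all.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Initial User Identity 1">CN=NADMIN, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=node1.example.test, OU=NIFI</property>
    <property name="Initial User Identity 3">CN=node2.example.test, OU=NIFI</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Initial Admin Identity">CN=NADMIN, OU=NIFI</property>
    <property name="Node Identity 1">CN=node1.example.test, OU=NIFI</property>
    <property name="Node Identity 2">CN=node2.example.test,OU=NIFI</property>
    <property name="Node Identity 3">CN=node3.example.test, OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>"""

def _props(element, prefix):
    """Return {property name: value} for non-empty properties whose name starts with prefix."""
    return {p.get("name"): (p.text or "").strip()
            for p in element.findall("property")
            if p.get("name", "").startswith(prefix) and (p.text or "").strip()}

def unseedable_identities(authorizers_xml):
    """List (property name, identity) pairs that have no matching initial user."""
    root = ET.fromstring(authorizers_xml)
    providers = {u.findtext("identifier", "").strip(): u
                 for u in root.findall("userGroupProvider")}
    problems = []
    for app in root.findall("accessPolicyProvider"):
        ugp_id = _props(app, "User Group Provider").get("User Group Provider", "")
        ugp = providers.get(ugp_id)
        users = set(_props(ugp, "Initial User Identity").values()) if ugp is not None else set()
        wanted = {**_props(app, "Initial Admin Identity"), **_props(app, "Node Identity")}
        for name, identity in sorted(wanted.items()):
            if identity not in users:  # exact match: case and spacing both count
                problems.append((name, identity))
    return problems

if __name__ == "__main__":
    for name, identity in unseedable_identities(SAMPLE_AUTHORIZERS):
        print(f"{name}: '{identity}' is not defined as an Initial User Identity")
```

An empty result means each Initial Admin Identity and Node Identity value has a character-for-character match among the Initial User Identity entries of the referenced provider.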