setting up secure nifi

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

setting up secure nifi

Anil Rai
All,

I am trying to install nifi 1.5 and making it https. Below is the steps
followed and the error i am getting. Below is the config and log files
content. Please help

1. Installed nifi 1.5
2. Installed nifi toolkit 1.5
3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
'CN=TC,OU=NIFI' -O -o ../security_output
4. Copied generated keystore, truststore and nifi properties to nifi/config
folder
5. Imported the generated certificate to chrome browser
6. Modified authorizers.xml as attached.
7. With required restarts. Now when i enter the below url in the browser, I
see the below error.

https://localhost:9443/nifi/

Insufficient Permissions

   - home

Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
administrator.


authorizers.xml
--------------------
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity
1">cn=TC,ou=NIFI,dc=example,dc=com</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>

<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group
Provider">file-user-group-provider</property>
        <property name="Authorizations
File">./conf/authorizations.xml</property>
        <property name="Initial Admin
Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
------------------------

nifi-user.log
-----------------------
2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider Creating
new users file at
/Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
Creating new authorizations file at
/Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/authorizations.xml
2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
Populating authorizations for Initial Admin: cn=TC,ou=NIFI,dc=example,dc=com
2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
Kerberos ticket login not supported by this NiFi.. Returning Conflict
response.
2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
OpenId Connect is not configured.. Returning Conflict response.
2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC, OU=NIFI)
GET https://localhost:9443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC, OU=NIFI
2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[]
does not have permission to access the requested resource. Unknown user
with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
------------------------------

Generated users.xml
--------------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
    </users>
</tenants>
--------------------------------

Generated authorizations.xml
--------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
resource="/flow" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
resource="/restricted-components" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
resource="/tenants" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
resource="/tenants" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
resource="/policies" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
resource="/policies" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
resource="/controller" action="R">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
resource="/controller" action="W">
            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
        </policy>
    </policies>
</authorizations>
------------------------------------

nifi.properties
----------------------------
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=localhost
nifi.web.https.port=9443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=

# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3ZHZyqI4
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
----------------------



Please help.

Regards
Anil
Reply | Threaded
Open this post in threaded view
|

Re: setting up secure nifi

Bryan Bende
Hello,

The identity in authorizers.xml for your initial admin does not match the
identity of your client cert.

You should be putting “CN=TC, OU=NIFI” as the initial admin because that is
the DN of your client cert.

You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
authorizations.xml, and start back up.

Thanks,

Bryan

On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[hidden email]> wrote:

> All,
>
> I am trying to install nifi 1.5 and making it https. Below is the steps
> followed and the error i am getting. Below is the config and log files
> content. Please help
>
> 1. Installed nifi 1.5
> 2. Installed nifi toolkit 1.5
> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
> 'CN=TC,OU=NIFI' -O -o ../security_output
> 4. Copied generated keystore, truststore and nifi properties to nifi/config
> folder
> 5. Imported the generated certificate to chrome browser
> 6. Modified authorizers.xml as attached.
> 7. With required restarts. Now when i enter the below url in the browser, I
> see the below error.
>
> https://localhost:9443/nifi/
>
> Insufficient Permissions
>
>    - home
>
> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
> administrator.
>
>
> authorizers.xml
> --------------------
>     <userGroupProvider>
>         <identifier>file-user-group-provider</identifier>
>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
>         <property name="Users File">./conf/users.xml</property>
>         <property name="Legacy Authorized Users File"></property>
>
>         <property name="Initial User Identity
> 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>     </userGroupProvider>
>
>     <accessPolicyProvider>
>         <identifier>file-access-policy-provider</identifier>
>
> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>         <property name="User Group
> Provider">file-user-group-provider</property>
>         <property name="Authorizations
> File">./conf/authorizations.xml</property>
>         <property name="Initial Admin
> Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>         <property name="Legacy Authorized Users File"></property>
>
>         <property name="Node Identity 1"></property>
>     </accessPolicyProvider>
> ------------------------
>
> nifi-user.log
> -----------------------
> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider Creating
> new users file at
> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
> Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Creating new authorizations file at
> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/authorizations.xml
> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Populating authorizations for Initial Admin:
> cn=TC,ou=NIFI,dc=example,dc=com
> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> Kerberos ticket login not supported by this NiFi.. Returning Conflict
> response.
> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
> o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> OpenId Connect is not configured.. Returning Conflict response.
> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC, OU=NIFI)
> GET https://localhost:9443/nifi-api/flow/current-user (source ip:
> 127.0.0.1)
> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
> OU=NIFI
> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI], groups[]
> does not have permission to access the requested resource. Unknown user
> with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
> ------------------------------
>
> Generated users.xml
> --------------------------------
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <tenants>
>     <groups/>
>     <users>
>         <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
> identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>     </users>
> </tenants>
> --------------------------------
>
> Generated authorizations.xml
> --------------------------
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizations>
>     <policies>
>         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> resource="/flow" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> resource="/restricted-components" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> resource="/tenants" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> resource="/tenants" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> resource="/policies" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> resource="/policies" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> resource="/controller" action="R">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> resource="/controller" action="W">
>             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>         </policy>
>     </policies>
> </authorizations>
> ------------------------------------
>
> nifi.properties
> ----------------------------
> # web properties #
> nifi.web.war.directory=./lib
> nifi.web.http.host=
> nifi.web.http.port=
> nifi.web.http.network.interface.default=
> nifi.web.https.host=localhost
> nifi.web.https.port=9443
> nifi.web.https.network.interface.default=
> nifi.web.jetty.working.directory=./work/jetty
> nifi.web.jetty.threads=200
> nifi.web.max.header.size=16 KB
> nifi.web.proxy.context.path=
>
> # security properties #
> nifi.sensitive.props.key=
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> nifi.sensitive.props.provider=BC
> nifi.sensitive.props.additional.keys=
>
> nifi.security.keystore=./conf/keystore.jks
> nifi.security.keystoreType=jks
> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> nifi.security.truststore=./conf/truststore.jks
> nifi.security.truststoreType=jks
> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3ZHZyqI4
> nifi.security.needClientAuth=
> nifi.security.user.authorizer=managed-authorizer
> nifi.security.user.login.identity.provider=
> nifi.security.ocsp.responder.url=
> nifi.security.ocsp.responder.certificate=
> ----------------------
>
>
>
> Please help.
>
> Regards
> Anil
>
--
Sent from Gmail Mobile
Reply | Threaded
Open this post in threaded view
|

Re: setting up secure nifi

Anil Rai
Hi Bryan,

Thanks for the quick reply. I did followed your steps. But I am seeing the
same error.
Now the entry looks like
        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
dc=com</property>

Also what does dc stand for after CN and OU. Is that a problem.
Is there a blog that talks about installing and making it https using
toolkit?. I did not find any good post that talks end to end from
installing to making it secure using tls toolkit.

Any help is appreciated.

Thanks
Anil



On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[hidden email]> wrote:

> Hello,
>
> The identity in authorizers.xml for your initial admin does not match the
> identity of your client cert.
>
> You should be putting “CN=TC, OU=NIFI” as the initial admin because that is
> the DN of your client cert.
>
> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
> authorizations.xml, and start back up.
>
> Thanks,
>
> Bryan
>
> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[hidden email]> wrote:
>
> > All,
> >
> > I am trying to install nifi 1.5 and making it https. Below is the steps
> > followed and the error i am getting. Below is the config and log files
> > content. Please help
> >
> > 1. Installed nifi 1.5
> > 2. Installed nifi toolkit 1.5
> > 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
> > 'CN=TC,OU=NIFI' -O -o ../security_output
> > 4. Copied generated keystore, truststore and nifi properties to
> nifi/config
> > folder
> > 5. Imported the generated certificate to chrome browser
> > 6. Modified authorizers.xml as attached.
> > 7. With required restarts. Now when i enter the below url in the
> browser, I
> > see the below error.
> >
> > https://localhost:9443/nifi/
> >
> > Insufficient Permissions
> >
> >    - home
> >
> > Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
> > administrator.
> >
> >
> > authorizers.xml
> > --------------------
> >     <userGroupProvider>
> >         <identifier>file-user-group-provider</identifier>
> >         <class>org.apache.nifi.authorization.
> FileUserGroupProvider</class>
> >         <property name="Users File">./conf/users.xml</property>
> >         <property name="Legacy Authorized Users File"></property>
> >
> >         <property name="Initial User Identity
> > 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
> >     </userGroupProvider>
> >
> >     <accessPolicyProvider>
> >         <identifier>file-access-policy-provider</identifier>
> >
> > <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >         <property name="User Group
> > Provider">file-user-group-provider</property>
> >         <property name="Authorizations
> > File">./conf/authorizations.xml</property>
> >         <property name="Initial Admin
> > Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
> >         <property name="Legacy Authorized Users File"></property>
> >
> >         <property name="Node Identity 1"></property>
> >     </accessPolicyProvider>
> > ------------------------
> >
> > nifi-user.log
> > -----------------------
> > 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
> Creating
> > new users file at
> > /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
> > 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
> > Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
> > 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
> > Creating new authorizations file at
> > /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
> authorizations.xml
> > 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
> > Populating authorizations for Initial Admin:
> > cn=TC,ou=NIFI,dc=example,dc=com
> > 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
> > Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
> > 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
> > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> > Kerberos ticket login not supported by this NiFi.. Returning Conflict
> > response.
> > 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
> > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
> > OpenId Connect is not configured.. Returning Conflict response.
> > 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
> > o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
> OU=NIFI)
> > GET https://localhost:9443/nifi-api/flow/current-user (source ip:
> > 127.0.0.1)
> > 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
> > o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
> > OU=NIFI
> > 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
> > o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
> groups[]
> > does not have permission to access the requested resource. Unknown user
> > with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
> > ------------------------------
> >
> > Generated users.xml
> > --------------------------------
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <tenants>
> >     <groups/>
> >     <users>
> >         <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
> > identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
> >     </users>
> > </tenants>
> > --------------------------------
> >
> > Generated authorizations.xml
> > --------------------------
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <authorizations>
> >     <policies>
> >         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> > resource="/flow" action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
> > resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> > action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
> > resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> > action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
> > resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
> > resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> > resource="/restricted-components" action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> > resource="/tenants" action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> > resource="/tenants" action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> > resource="/policies" action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> > resource="/policies" action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> > resource="/controller" action="R">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> > resource="/controller" action="W">
> >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> >         </policy>
> >     </policies>
> > </authorizations>
> > ------------------------------------
> >
> > nifi.properties
> > ----------------------------
> > # web properties #
> > nifi.web.war.directory=./lib
> > nifi.web.http.host=
> > nifi.web.http.port=
> > nifi.web.http.network.interface.default=
> > nifi.web.https.host=localhost
> > nifi.web.https.port=9443
> > nifi.web.https.network.interface.default=
> > nifi.web.jetty.working.directory=./work/jetty
> > nifi.web.jetty.threads=200
> > nifi.web.max.header.size=16 KB
> > nifi.web.proxy.context.path=
> >
> > # security properties #
> > nifi.sensitive.props.key=
> > nifi.sensitive.props.key.protected=
> > nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> > nifi.sensitive.props.provider=BC
> > nifi.sensitive.props.additional.keys=
> >
> > nifi.security.keystore=./conf/keystore.jks
> > nifi.security.keystoreType=jks
> > nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> > nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> > nifi.security.truststore=./conf/truststore.jks
> > nifi.security.truststoreType=jks
> > nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
> ZHZyqI4
> > nifi.security.needClientAuth=
> > nifi.security.user.authorizer=managed-authorizer
> > nifi.security.user.login.identity.provider=
> > nifi.security.ocsp.responder.url=
> > nifi.security.ocsp.responder.certificate=
> > ----------------------
> >
> >
> >
> > Please help.
> >
> > Regards
> > Anil
> >
> --
> Sent from Gmail Mobile
>
Reply | Threaded
Open this post in threaded view
|

Re: setting up secure nifi

Bryan Bende
It’s the same problem, your initial admin should be:

CN=TC, OU=NIFI

Not

CN=TC,OU=NIFI,dc=example,dc=com

The first one is the DN of your client cert, the second one is not.

On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[hidden email]> wrote:

> Hi Bryan,
>
> Thanks for the quick reply. I did followed your steps. But I am seeing the
> same error.
> Now the entry looks like
>         <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
> dc=com</property>
>
> Also what does dc stand for after CN and OU. Is that a problem.
> Is there a blog that talks about installing and making it https using
> toolkit?. I did not find any good post that talks end to end from
> installing to making it secure using tls toolkit.
>
> Any help is appreciated.
>
> Thanks
> Anil
>
>
>
> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[hidden email]> wrote:
>
> > Hello,
> >
> > The identity in authorizers.xml for your initial admin does not match the
> > identity of your client cert.
> >
> > You should be putting “CN=TC, OU=NIFI” as the initial admin because that
> is
> > the DN of your client cert.
> >
> > You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
> > authorizations.xml, and start back up.
> >
> > Thanks,
> >
> > Bryan
> >
> > On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[hidden email]> wrote:
> >
> > > All,
> > >
> > > I am trying to install nifi 1.5 and making it https. Below is the steps
> > > followed and the error i am getting. Below is the config and log files
> > > content. Please help
> > >
> > > 1. Installed nifi 1.5
> > > 2. Installed nifi toolkit 1.5
> > > 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
> > > 'CN=TC,OU=NIFI' -O -o ../security_output
> > > 4. Copied generated keystore, truststore and nifi properties to
> > nifi/config
> > > folder
> > > 5. Imported the generated certificate to chrome browser
> > > 6. Modified authorizers.xml as attached.
> > > 7. With required restarts. Now when i enter the below url in the
> > browser, I
> > > see the below error.
> > >
> > > https://localhost:9443/nifi/
> > >
> > > Insufficient Permissions
> > >
> > >    - home
> > >
> > > Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
> > > administrator.
> > >
> > >
> > > authorizers.xml
> > > --------------------
> > >     <userGroupProvider>
> > >         <identifier>file-user-group-provider</identifier>
> > >         <class>org.apache.nifi.authorization.
> > FileUserGroupProvider</class>
> > >         <property name="Users File">./conf/users.xml</property>
> > >         <property name="Legacy Authorized Users File"></property>
> > >
> > >         <property name="Initial User Identity
> > > 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
> > >     </userGroupProvider>
> > >
> > >     <accessPolicyProvider>
> > >         <identifier>file-access-policy-provider</identifier>
> > >
> > > <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> > >         <property name="User Group
> > > Provider">file-user-group-provider</property>
> > >         <property name="Authorizations
> > > File">./conf/authorizations.xml</property>
> > >         <property name="Initial Admin
> > > Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
> > >         <property name="Legacy Authorized Users File"></property>
> > >
> > >         <property name="Node Identity 1"></property>
> > >     </accessPolicyProvider>
> > > ------------------------
> > >
> > > nifi-user.log
> > > -----------------------
> > > 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
> > Creating
> > > new users file at
> > > /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
> > > 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
> > > Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
> > > 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
> > > Creating new authorizations file at
> > > /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
> > authorizations.xml
> > > 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
> > > Populating authorizations for Initial Admin:
> > > cn=TC,ou=NIFI,dc=example,dc=com
> > > 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
> > > Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
> > > 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
> > > o.a.n.w.a.c.IllegalStateExceptionMapper
> java.lang.IllegalStateException:
> > > Kerberos ticket login not supported by this NiFi.. Returning Conflict
> > > response.
> > > 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
> > > o.a.n.w.a.c.IllegalStateExceptionMapper
> java.lang.IllegalStateException:
> > > OpenId Connect is not configured.. Returning Conflict response.
> > > 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
> > > o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
> > OU=NIFI)
> > > GET https://localhost:9443/nifi-api/flow/current-user (source ip:
> > > 127.0.0.1)
> > > 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
> > > o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
> > > OU=NIFI
> > > 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
> > > o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
> > groups[]
> > > does not have permission to access the requested resource. Unknown user
> > > with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
> > > ------------------------------
> > >
> > > Generated users.xml
> > > --------------------------------
> > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > > <tenants>
> > >     <groups/>
> > >     <users>
> > >         <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
> > > identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
> > >     </users>
> > > </tenants>
> > > --------------------------------
> > >
> > > Generated authorizations.xml
> > > --------------------------
> > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > > <authorizations>
> > >     <policies>
> > >         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> > > resource="/flow" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
> > > resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> > > action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
> > > resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> > > action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
> > > resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> > action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
> > > resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> > action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> > > resource="/restricted-components" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> > > resource="/tenants" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> > > resource="/tenants" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> > > resource="/policies" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> > > resource="/policies" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> > > resource="/controller" action="R">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> > > resource="/controller" action="W">
> > >             <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
> > >         </policy>
> > >     </policies>
> > > </authorizations>
> > > ------------------------------------
> > >
> > > nifi.properties
> > > ----------------------------
> > > # web properties #
> > > nifi.web.war.directory=./lib
> > > nifi.web.http.host=
> > > nifi.web.http.port=
> > > nifi.web.http.network.interface.default=
> > > nifi.web.https.host=localhost
> > > nifi.web.https.port=9443
> > > nifi.web.https.network.interface.default=
> > > nifi.web.jetty.working.directory=./work/jetty
> > > nifi.web.jetty.threads=200
> > > nifi.web.max.header.size=16 KB
> > > nifi.web.proxy.context.path=
> > >
> > > # security properties #
> > > nifi.sensitive.props.key=
> > > nifi.sensitive.props.key.protected=
> > > nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> > > nifi.sensitive.props.provider=BC
> > > nifi.sensitive.props.additional.keys=
> > >
> > > nifi.security.keystore=./conf/keystore.jks
> > > nifi.security.keystoreType=jks
> > >
> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> > > nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> > > nifi.security.truststore=./conf/truststore.jks
> > > nifi.security.truststoreType=jks
> > > nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
> > ZHZyqI4
> > > nifi.security.needClientAuth=
> > > nifi.security.user.authorizer=managed-authorizer
> > > nifi.security.user.login.identity.provider=
> > > nifi.security.ocsp.responder.url=
> > > nifi.security.ocsp.responder.certificate=
> > > ----------------------
> > >
> > >
> > >
> > > Please help.
> > >
> > > Regards
> > > Anil
> > >
> > --
> > Sent from Gmail Mobile
> >
>
--
Sent from Gmail Mobile
Reply | Threaded
Open this post in threaded view
|

Re: setting up secure nifi

Andy LoPresto-2
Hi Anil,

In addition to Bryan’s explanation, there are a number of blog posts and articles covering this topic:

* Authorization and Multi-Tenancy by Bryan Bende [1]
* Secured Cluster Setup by Pierre Villard [2]
* TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
* Initial Admin Identity section of Apache NiFi Admin Guide [4]
* Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
* Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan Rosander [6]

The sequence “dc=example,dc=com” in your current user DN (Distinguished Name) is incorrect and not present in the DN of the certificate. I imagine you copied this from an example posted online. “dc=“ is a sequence used in DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com” would be the parent DN. But when you generated the certificate, you did not provide this information, so the DNs do not match, and NiFi correctly asserts that this is not a valid certificate identifying the user DN you specified in your XML files. Removing “dc=example,dc=com” from that definition as Bryan suggested will resolve your issue. 


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jan 31, 2018, at 7:32 PM, Bryan Bende <[hidden email]> wrote:

It’s the same problem, your initial admin should be:

CN=TC, OU=NIFI

Not

CN=TC,OU=NIFI,dc=example,dc=com

The first one is the DN of your client cert, the second one is not.

On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[hidden email]> wrote:

Hi Bryan,

Thanks for the quick reply. I did followed your steps. But I am seeing the
same error.
Now the entry looks like
       <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
dc=com</property>

Also what does dc stand for after CN and OU. Is that a problem.
Is there a blog that talks about installing and making it https using
toolkit?. I did not find any good post that talks end to end from
installing to making it secure using tls toolkit.

Any help is appreciated.

Thanks
Anil



On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[hidden email]> wrote:

Hello,

The identity in authorizers.xml for your initial admin does not match the
identity of your client cert.

You should be putting “CN=TC, OU=NIFI” as the initial admin because that
is
the DN of your client cert.

You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
authorizations.xml, and start back up.

Thanks,

Bryan

On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[hidden email]> wrote:

All,

I am trying to install nifi 1.5 and making it https. Below is the steps
followed and the error i am getting. Below is the config and log files
content. Please help

1. Installed nifi 1.5
2. Installed nifi toolkit 1.5
3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
'CN=TC,OU=NIFI' -O -o ../security_output
4. Copied generated keystore, truststore and nifi properties to
nifi/config
folder
5. Imported the generated certificate to chrome browser
6. Modified authorizers.xml as attached.
7. With required restarts. Now when i enter the below url in the
browser, I
see the below error.

https://localhost:9443/nifi/

Insufficient Permissions

  - home

Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
administrator.


authorizers.xml
--------------------
   <userGroupProvider>
       <identifier>file-user-group-provider</identifier>
       <class>org.apache.nifi.authorization.
FileUserGroupProvider</class>
       <property name="Users File">./conf/users.xml</property>
       <property name="Legacy Authorized Users File"></property>

       <property name="Initial User Identity
1">cn=TC,ou=NIFI,dc=example,dc=com</property>
   </userGroupProvider>

   <accessPolicyProvider>
       <identifier>file-access-policy-provider</identifier>

<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
       <property name="User Group
Provider">file-user-group-provider</property>
       <property name="Authorizations
File">./conf/authorizations.xml</property>
       <property name="Initial Admin
Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
       <property name="Legacy Authorized Users File"></property>

       <property name="Node Identity 1"></property>
   </accessPolicyProvider>
------------------------

nifi-user.log
-----------------------
2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
Creating
new users file at
/Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
Creating new authorizations file at
/Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
authorizations.xml
2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
Populating authorizations for Initial Admin:
cn=TC,ou=NIFI,dc=example,dc=com
2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException:
Kerberos ticket login not supported by this NiFi.. Returning Conflict
response.
2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException:
OpenId Connect is not configured.. Returning Conflict response.
2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
OU=NIFI)
GET https://localhost:9443/nifi-api/flow/current-user (source ip:
127.0.0.1)
2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
OU=NIFI
2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
groups[]
does not have permission to access the requested resource. Unknown user
with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
------------------------------

Generated users.xml
--------------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
   <groups/>
   <users>
       <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
   </users>
</tenants>
--------------------------------

Generated authorizations.xml
--------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
   <policies>
       <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
resource="/flow" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
resource="/restricted-components" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
resource="/tenants" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
resource="/tenants" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
resource="/policies" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
resource="/policies" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
resource="/controller" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
resource="/controller" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
   </policies>
</authorizations>
------------------------------------

nifi.properties
----------------------------
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=localhost
nifi.web.https.port=9443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=

# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks

nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
ZHZyqI4
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
----------------------



Please help.

Regards
Anil

--
Sent from Gmail Mobile


--
Sent from Gmail Mobile


signature.asc (891 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: setting up secure nifi

Andy LoPresto-2
In reply to this post by Bryan Bende
Hi Anil,

In addition to Bryan’s explanation, there are a number of blog posts and articles covering this topic:

* Authorization and Multi-Tenancy by Bryan Bende [1]
* Secured Cluster Setup by Pierre Villard [2]
* TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
* Initial Admin Identity section of Apache NiFi Admin Guide [4]
* Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
* Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan Rosander [6]

The sequence “dc=example,dc=com” in your current user DN (Distinguished Name) is incorrect and not present in the DN of the certificate. I imagine you copied this from an example posted online. “dc=“ is a sequence used in DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com” would be the parent DN. But when you generated the certificate, you did not provide this information, so the DNs do not match, and NiFi correctly asserts that this is not a valid certificate identifying the user DN you specified in your XML files. Removing “dc=example,dc=com” from that definition as Bryan suggested will resolve your issue. 


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jan 31, 2018, at 7:32 PM, Bryan Bende <[hidden email]> wrote:

It’s the same problem, your initial admin should be:

CN=TC, OU=NIFI

Not

CN=TC,OU=NIFI,dc=example,dc=com

The first one is the DN of your client cert, the second one is not.

On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[hidden email]> wrote:

Hi Bryan,

Thanks for the quick reply. I did followed your steps. But I am seeing the
same error.
Now the entry looks like
       <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
dc=com</property>

Also what does dc stand for after CN and OU. Is that a problem.
Is there a blog that talks about installing and making it https using
toolkit?. I did not find any good post that talks end to end from
installing to making it secure using tls toolkit.

Any help is appreciated.

Thanks
Anil



On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[hidden email]> wrote:

Hello,

The identity in authorizers.xml for your initial admin does not match the
identity of your client cert.

You should be putting “CN=TC, OU=NIFI” as the initial admin because that
is
the DN of your client cert.

You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
authorizations.xml, and start back up.

Thanks,

Bryan

On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[hidden email]> wrote:

All,

I am trying to install nifi 1.5 and making it https. Below is the steps
followed and the error i am getting. Below is the config and log files
content. Please help

1. Installed nifi 1.5
2. Installed nifi toolkit 1.5
3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
'CN=TC,OU=NIFI' -O -o ../security_output
4. Copied generated keystore, truststore and nifi properties to
nifi/config
folder
5. Imported the generated certificate to chrome browser
6. Modified authorizers.xml as attached.
7. With required restarts. Now when i enter the below url in the
browser, I
see the below error.

https://localhost:9443/nifi/

Insufficient Permissions

  - home

Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
administrator.


authorizers.xml
--------------------
   <userGroupProvider>
       <identifier>file-user-group-provider</identifier>
       <class>org.apache.nifi.authorization.
FileUserGroupProvider</class>
       <property name="Users File">./conf/users.xml</property>
       <property name="Legacy Authorized Users File"></property>

       <property name="Initial User Identity
1">cn=TC,ou=NIFI,dc=example,dc=com</property>
   </userGroupProvider>

   <accessPolicyProvider>
       <identifier>file-access-policy-provider</identifier>

<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
       <property name="User Group
Provider">file-user-group-provider</property>
       <property name="Authorizations
File">./conf/authorizations.xml</property>
       <property name="Initial Admin
Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
       <property name="Legacy Authorized Users File"></property>

       <property name="Node Identity 1"></property>
   </accessPolicyProvider>
------------------------

nifi-user.log
-----------------------
2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
Creating
new users file at
/Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
Creating new authorizations file at
/Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
authorizations.xml
2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
Populating authorizations for Initial Admin:
cn=TC,ou=NIFI,dc=example,dc=com
2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException:
Kerberos ticket login not supported by this NiFi.. Returning Conflict
response.
2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException:
OpenId Connect is not configured.. Returning Conflict response.
2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
OU=NIFI)
GET https://localhost:9443/nifi-api/flow/current-user (source ip:
127.0.0.1)
2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
OU=NIFI
2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
groups[]
does not have permission to access the requested resource. Unknown user
with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
------------------------------

Generated users.xml
--------------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
   <groups/>
   <users>
       <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
   </users>
</tenants>
--------------------------------

Generated authorizations.xml
--------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
   <policies>
       <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
resource="/flow" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
resource="/restricted-components" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
resource="/tenants" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
resource="/tenants" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
resource="/policies" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
resource="/policies" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
resource="/controller" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
resource="/controller" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
   </policies>
</authorizations>
------------------------------------

nifi.properties
----------------------------
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=localhost
nifi.web.https.port=9443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=

# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks

nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
ZHZyqI4
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
----------------------



Please help.

Regards
Anil

--
Sent from Gmail Mobile


--
Sent from Gmail Mobile


signature.asc (891 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: setting up secure nifi

Andy LoPresto-2
In reply to this post by Bryan Bende
Hi Anil,

In addition to Bryan’s explanation, there are a number of blog posts and articles covering this topic:

* Authorization and Multi-Tenancy by Bryan Bende [1]
* Secured Cluster Setup by Pierre Villard [2]
* TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
* Initial Admin Identity section of Apache NiFi Admin Guide [4]
* Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
* Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan Rosander [6]

The sequence “dc=example,dc=com” in your current user DN (Distinguished Name) is incorrect and not present in the DN of the certificate. I imagine you copied this from an example posted online. “dc=“ is a sequence used in DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com” would be the parent DN. But when you generated the certificate, you did not provide this information, so the DNs do not match, and NiFi correctly asserts that this is not a valid certificate identifying the user DN you specified in your XML files. Removing “dc=example,dc=com” from that definition as Bryan suggested will resolve your issue. 


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Jan 31, 2018, at 7:32 PM, Bryan Bende <[hidden email]> wrote:

It’s the same problem, your initial admin should be:

CN=TC, OU=NIFI

Not

CN=TC,OU=NIFI,dc=example,dc=com

The first one is the DN of your client cert, the second one is not.

On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[hidden email]> wrote:

Hi Bryan,

Thanks for the quick reply. I did followed your steps. But I am seeing the
same error.
Now the entry looks like
       <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
dc=com</property>

Also what does dc stand for after CN and OU. Is that a problem.
Is there a blog that talks about installing and making it https using
toolkit?. I did not find any good post that talks end to end from
installing to making it secure using tls toolkit.

Any help is appreciated.

Thanks
Anil



On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[hidden email]> wrote:

Hello,

The identity in authorizers.xml for your initial admin does not match the
identity of your client cert.

You should be putting “CN=TC, OU=NIFI” as the initial admin because that
is
the DN of your client cert.

You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
authorizations.xml, and start back up.

Thanks,

Bryan

On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[hidden email]> wrote:

All,

I am trying to install nifi 1.5 and making it https. Below is the steps
followed and the error i am getting. Below is the config and log files
content. Please help

1. Installed nifi 1.5
2. Installed nifi toolkit 1.5
3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
'CN=TC,OU=NIFI' -O -o ../security_output
4. Copied generated keystore, truststore and nifi properties to
nifi/config
folder
5. Imported the generated certificate to chrome browser
6. Modified authorizers.xml as attached.
7. With required restarts. Now when i enter the below url in the
browser, I
see the below error.

https://localhost:9443/nifi/

Insufficient Permissions

  - home

Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
administrator.


authorizers.xml
--------------------
   <userGroupProvider>
       <identifier>file-user-group-provider</identifier>
       <class>org.apache.nifi.authorization.
FileUserGroupProvider</class>
       <property name="Users File">./conf/users.xml</property>
       <property name="Legacy Authorized Users File"></property>

       <property name="Initial User Identity
1">cn=TC,ou=NIFI,dc=example,dc=com</property>
   </userGroupProvider>

   <accessPolicyProvider>
       <identifier>file-access-policy-provider</identifier>

<class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
       <property name="User Group
Provider">file-user-group-provider</property>
       <property name="Authorizations
File">./conf/authorizations.xml</property>
       <property name="Initial Admin
Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
       <property name="Legacy Authorized Users File"></property>

       <property name="Node Identity 1"></property>
   </accessPolicyProvider>
------------------------

nifi-user.log
-----------------------
2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
Creating
new users file at
/Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
Creating new authorizations file at
/Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
authorizations.xml
2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
Populating authorizations for Initial Admin:
cn=TC,ou=NIFI,dc=example,dc=com
2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException:
Kerberos ticket login not supported by this NiFi.. Returning Conflict
response.
2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException:
OpenId Connect is not configured.. Returning Conflict response.
2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
OU=NIFI)
GET https://localhost:9443/nifi-api/flow/current-user (source ip:
127.0.0.1)
2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
OU=NIFI
2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
groups[]
does not have permission to access the requested resource. Unknown user
with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
------------------------------

Generated users.xml
--------------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
   <groups/>
   <users>
       <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
   </users>
</tenants>
--------------------------------

Generated authorizations.xml
--------------------------
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
   <policies>
       <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
resource="/flow" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
resource="/restricted-components" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
resource="/tenants" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
resource="/tenants" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
resource="/policies" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
resource="/policies" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
resource="/controller" action="R">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
       <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
resource="/controller" action="W">
           <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
       </policy>
   </policies>
</authorizations>
------------------------------------

nifi.properties
----------------------------
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.http.network.interface.default=
nifi.web.https.host=localhost
nifi.web.https.port=9443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=

# security properties #
nifi.sensitive.props.key=
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=

nifi.security.keystore=./conf/keystore.jks
nifi.security.keystoreType=jks

nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
ZHZyqI4
nifi.security.needClientAuth=
nifi.security.user.authorizer=managed-authorizer
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
----------------------



Please help.

Regards
Anil

--
Sent from Gmail Mobile


--
Sent from Gmail Mobile


signature.asc (891 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: setting up secure nifi

Anil Rai
In reply to this post by Andy LoPresto-2
Thanks Andy. It did resolve my issue. I got it working.
Thanks again for all the links. Very helpful.

Cheers
Anil


On Thu, Feb 1, 2018 at 10:14 AM, Andy LoPresto <[hidden email]> wrote:

> Hi Anil,
>
> In addition to Bryan’s explanation, there are a number of blog posts and
> articles covering this topic:
>
> * Authorization and Multi-Tenancy by Bryan Bende [1]
> * Secured Cluster Setup by Pierre Villard [2]
> * TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
> * Initial Admin Identity section of Apache NiFi Admin Guide [4]
> * Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
> * Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan
> Rosander [6]
>
> The sequence “dc=example,dc=com” in your current user DN (Distinguished
> Name) is incorrect and not present in the DN of the certificate. I imagine
> you copied this from an example posted online. “dc=“ is a sequence used in
> DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is
> the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com”
> would be the parent DN. But when you generated the certificate, you did not
> provide this information, so the DNs do not match, and NiFi correctly
> asserts that this is not a valid certificate identifying the user DN you
> specified in your XML files. Removing “dc=example,dc=com” from that
> definition as Bryan suggested will resolve your issue.
>
> [1] https://bryanbende.com/development/2016/08/17/apache-
> nifi-1-0-0-authorization-and-multi-tenancy
> [2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-
> secured-cluster-setup/
> [3] https://nifi.apache.org/docs/nifi-docs/html/
> administration-guide.html#tls-generation-toolkit
> [4] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#
> initial-admin-identity
> [5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/
> 09/19/tls-toolkit-intro.html
> [6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/
> 09/20/tls-toolkit-standalone-multi.html
> [7] https://en.wikipedia.org/wiki/Lightweight_Directory_
> Access_Protocol#Directory_structure
>
> Andy LoPresto
> [hidden email]
> *[hidden email] <[hidden email]>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Jan 31, 2018, at 7:32 PM, Bryan Bende <[hidden email]> wrote:
>
> It’s the same problem, your initial admin should be:
>
> CN=TC, OU=NIFI
>
> Not
>
> CN=TC,OU=NIFI,dc=example,dc=com
>
> The first one is the DN of your client cert, the second one is not.
>
> On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[hidden email]> wrote:
>
> Hi Bryan,
>
> Thanks for the quick reply. I did followed your steps. But I am seeing the
> same error.
> Now the entry looks like
>        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
> dc=com</property>
>
> Also what does dc stand for after CN and OU. Is that a problem.
> Is there a blog that talks about installing and making it https using
> toolkit?. I did not find any good post that talks end to end from
> installing to making it secure using tls toolkit.
>
> Any help is appreciated.
>
> Thanks
> Anil
>
>
>
> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[hidden email]> wrote:
>
> Hello,
>
> The identity in authorizers.xml for your initial admin does not match the
> identity of your client cert.
>
> You should be putting “CN=TC, OU=NIFI” as the initial admin because that
>
> is
>
> the DN of your client cert.
>
> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
> authorizations.xml, and start back up.
>
> Thanks,
>
> Bryan
>
> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[hidden email]> wrote:
>
> All,
>
> I am trying to install nifi 1.5 and making it https. Below is the steps
> followed and the error i am getting. Below is the config and log files
> content. Please help
>
> 1. Installed nifi 1.5
> 2. Installed nifi toolkit 1.5
> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
> 'CN=TC,OU=NIFI' -O -o ../security_output
> 4. Copied generated keystore, truststore and nifi properties to
>
> nifi/config
>
> folder
> 5. Imported the generated certificate to chrome browser
> 6. Modified authorizers.xml as attached.
> 7. With required restarts. Now when i enter the below url in the
>
> browser, I
>
> see the below error.
>
> https://localhost:9443/nifi/
>
> Insufficient Permissions
>
>   - home
>
> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
> administrator.
>
>
> authorizers.xml
> --------------------
>    <userGroupProvider>
>        <identifier>file-user-group-provider</identifier>
>        <class>org.apache.nifi.authorization.
>
> FileUserGroupProvider</class>
>
>        <property name="Users File">./conf/users.xml</property>
>        <property name="Legacy Authorized Users File"></property>
>
>        <property name="Initial User Identity
> 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>    </userGroupProvider>
>
>    <accessPolicyProvider>
>        <identifier>file-access-policy-provider</identifier>
>
> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>        <property name="User Group
> Provider">file-user-group-provider</property>
>        <property name="Authorizations
> File">./conf/authorizations.xml</property>
>        <property name="Initial Admin
> Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>        <property name="Legacy Authorized Users File"></property>
>
>        <property name="Node Identity 1"></property>
>    </accessPolicyProvider>
> ------------------------
>
> nifi-user.log
> -----------------------
> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
>
> Creating
>
> new users file at
> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
> Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Creating new authorizations file at
> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
>
> authorizations.xml
>
> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Populating authorizations for Initial Admin:
> cn=TC,ou=NIFI,dc=example,dc=com
> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
> Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
> o.a.n.w.a.c.IllegalStateExceptionMapper
>
> java.lang.IllegalStateException:
>
> Kerberos ticket login not supported by this NiFi.. Returning Conflict
> response.
> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
> o.a.n.w.a.c.IllegalStateExceptionMapper
>
> java.lang.IllegalStateException:
>
> OpenId Connect is not configured.. Returning Conflict response.
> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
>
> OU=NIFI)
>
> GET https://localhost:9443/nifi-api/flow/current-user (source ip:
> 127.0.0.1)
> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
> OU=NIFI
> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
>
> groups[]
>
> does not have permission to access the requested resource. Unknown user
> with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
> ------------------------------
>
> Generated users.xml
> --------------------------------
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <tenants>
>    <groups/>
>    <users>
>        <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
> identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>    </users>
> </tenants>
> --------------------------------
>
> Generated authorizations.xml
> --------------------------
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizations>
>    <policies>
>        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> resource="/flow" action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
> action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>
> action="R">
>
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>
> action="W">
>
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> resource="/restricted-components" action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> resource="/tenants" action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> resource="/tenants" action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> resource="/policies" action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> resource="/policies" action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> resource="/controller" action="R">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> resource="/controller" action="W">
>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>        </policy>
>    </policies>
> </authorizations>
> ------------------------------------
>
> nifi.properties
> ----------------------------
> # web properties #
> nifi.web.war.directory=./lib
> nifi.web.http.host=
> nifi.web.http.port=
> nifi.web.http.network.interface.default=
> nifi.web.https.host=localhost
> nifi.web.https.port=9443
> nifi.web.https.network.interface.default=
> nifi.web.jetty.working.directory=./work/jetty
> nifi.web.jetty.threads=200
> nifi.web.max.header.size=16 KB
> nifi.web.proxy.context.path=
>
> # security properties #
> nifi.sensitive.props.key=
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> nifi.sensitive.props.provider=BC
> nifi.sensitive.props.additional.keys=
>
> nifi.security.keystore=./conf/keystore.jks
> nifi.security.keystoreType=jks
>
> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>
> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
> nifi.security.truststore=./conf/truststore.jks
> nifi.security.truststoreType=jks
> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
>
> ZHZyqI4
>
> nifi.security.needClientAuth=
> nifi.security.user.authorizer=managed-authorizer
> nifi.security.user.login.identity.provider=
> nifi.security.ocsp.responder.url=
> nifi.security.ocsp.responder.certificate=
> ----------------------
>
>
>
> Please help.
>
> Regards
> Anil
>
> --
> Sent from Gmail Mobile
>
>
> --
> Sent from Gmail Mobile
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: setting up secure nifi

Anil Rai
The below links does not work. Have they moved somewhere else?

https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
https://blog.rosander.ninja/nifi/toolkit/tls/2016/
09/20/tls-toolkit-standalone-multi.html

Thanks
Anil

On Thu, Feb 1, 2018 at 10:35 AM, Anil Rai <[hidden email]> wrote:

> Thanks Andy. It did resolve my issue. I got it working.
> Thanks again for all the links. Very helpful.
>
> Cheers
> Anil
>
>
> On Thu, Feb 1, 2018 at 10:14 AM, Andy LoPresto <[hidden email]>
> wrote:
>
>> Hi Anil,
>>
>> In addition to Bryan’s explanation, there are a number of blog posts and
>> articles covering this topic:
>>
>> * Authorization and Multi-Tenancy by Bryan Bende [1]
>> * Secured Cluster Setup by Pierre Villard [2]
>> * TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
>> * Initial Admin Identity section of Apache NiFi Admin Guide [4]
>> * Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
>> * Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan
>> Rosander [6]
>>
>> The sequence “dc=example,dc=com” in your current user DN (Distinguished
>> Name) is incorrect and not present in the DN of the certificate. I imagine
>> you copied this from an example posted online. “dc=“ is a sequence used in
>> DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is
>> the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com”
>> would be the parent DN. But when you generated the certificate, you did not
>> provide this information, so the DNs do not match, and NiFi correctly
>> asserts that this is not a valid certificate identifying the user DN you
>> specified in your XML files. Removing “dc=example,dc=com” from that
>> definition as Bryan suggested will resolve your issue.
>>
>> [1] https://bryanbende.com/development/2016/08/17/apache-nif
>> i-1-0-0-authorization-and-multi-tenancy
>> [2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-s
>> ecured-cluster-setup/
>> [3] https://nifi.apache.org/docs/nifi-docs/html/administrati
>> on-guide.html#tls-generation-toolkit
>> [4] https://nifi.apache.org/docs/nifi-docs/html/administrati
>> on-guide.html#initial-admin-identity
>> [5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/
>> tls-toolkit-intro.html
>> [6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/
>> tls-toolkit-standalone-multi.html
>> [7] https://en.wikipedia.org/wiki/Lightweight_Directory_Acce
>> ss_Protocol#Directory_structure
>>
>> Andy LoPresto
>> [hidden email]
>> *[hidden email] <[hidden email]>*
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>> On Jan 31, 2018, at 7:32 PM, Bryan Bende <[hidden email]> wrote:
>>
>> It’s the same problem, your initial admin should be:
>>
>> CN=TC, OU=NIFI
>>
>> Not
>>
>> CN=TC,OU=NIFI,dc=example,dc=com
>>
>> The first one is the DN of your client cert, the second one is not.
>>
>> On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[hidden email]> wrote:
>>
>> Hi Bryan,
>>
>> Thanks for the quick reply. I did followed your steps. But I am seeing the
>> same error.
>> Now the entry looks like
>>        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
>> dc=com</property>
>>
>> Also what does dc stand for after CN and OU. Is that a problem.
>> Is there a blog that talks about installing and making it https using
>> toolkit?. I did not find any good post that talks end to end from
>> installing to making it secure using tls toolkit.
>>
>> Any help is appreciated.
>>
>> Thanks
>> Anil
>>
>>
>>
>> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[hidden email]> wrote:
>>
>> Hello,
>>
>> The identity in authorizers.xml for your initial admin does not match the
>> identity of your client cert.
>>
>> You should be putting “CN=TC, OU=NIFI” as the initial admin because that
>>
>> is
>>
>> the DN of your client cert.
>>
>> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
>> authorizations.xml, and start back up.
>>
>> Thanks,
>>
>> Bryan
>>
>> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[hidden email]> wrote:
>>
>> All,
>>
>> I am trying to install nifi 1.5 and making it https. Below is the steps
>> followed and the error i am getting. Below is the config and log files
>> content. Please help
>>
>> 1. Installed nifi 1.5
>> 2. Installed nifi toolkit 1.5
>> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
>> 'CN=TC,OU=NIFI' -O -o ../security_output
>> 4. Copied generated keystore, truststore and nifi properties to
>>
>> nifi/config
>>
>> folder
>> 5. Imported the generated certificate to chrome browser
>> 6. Modified authorizers.xml as attached.
>> 7. With required restarts. Now when i enter the below url in the
>>
>> browser, I
>>
>> see the below error.
>>
>> https://localhost:9443/nifi/
>>
>> Insufficient Permissions
>>
>>   - home
>>
>> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
>> administrator.
>>
>>
>> authorizers.xml
>> --------------------
>>    <userGroupProvider>
>>        <identifier>file-user-group-provider</identifier>
>>        <class>org.apache.nifi.authorization.
>>
>> FileUserGroupProvider</class>
>>
>>        <property name="Users File">./conf/users.xml</property>
>>        <property name="Legacy Authorized Users File"></property>
>>
>>        <property name="Initial User Identity
>> 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>    </userGroupProvider>
>>
>>    <accessPolicyProvider>
>>        <identifier>file-access-policy-provider</identifier>
>>
>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>        <property name="User Group
>> Provider">file-user-group-provider</property>
>>        <property name="Authorizations
>> File">./conf/authorizations.xml</property>
>>        <property name="Initial Admin
>> Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>        <property name="Legacy Authorized Users File"></property>
>>
>>        <property name="Node Identity 1"></property>
>>    </accessPolicyProvider>
>> ------------------------
>>
>> nifi-user.log
>> -----------------------
>> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
>>
>> Creating
>>
>> new users file at
>> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
>> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
>> Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
>> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
>> Creating new authorizations file at
>> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
>>
>> authorizations.xml
>>
>> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
>> Populating authorizations for Initial Admin:
>> cn=TC,ou=NIFI,dc=example,dc=com
>> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
>> Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
>> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
>> o.a.n.w.a.c.IllegalStateExceptionMapper
>>
>> java.lang.IllegalStateException:
>>
>> Kerberos ticket login not supported by this NiFi.. Returning Conflict
>> response.
>> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
>> o.a.n.w.a.c.IllegalStateExceptionMapper
>>
>> java.lang.IllegalStateException:
>>
>> OpenId Connect is not configured.. Returning Conflict response.
>> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
>>
>> OU=NIFI)
>>
>> GET https://localhost:9443/nifi-api/flow/current-user (source ip:
>> 127.0.0.1)
>> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
>> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
>> OU=NIFI
>> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
>> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
>>
>> groups[]
>>
>> does not have permission to access the requested resource. Unknown user
>> with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
>> ------------------------------
>>
>> Generated users.xml
>> --------------------------------
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <tenants>
>>    <groups/>
>>    <users>
>>        <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
>> identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>>    </users>
>> </tenants>
>> --------------------------------
>>
>> Generated authorizations.xml
>> --------------------------
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> <authorizations>
>>    <policies>
>>        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>> resource="/flow" action="R">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>> action="R">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>> action="W">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>
>> action="R">
>>
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>
>> action="W">
>>
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>> resource="/restricted-components" action="W">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>> resource="/tenants" action="R">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>> resource="/tenants" action="W">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>> resource="/policies" action="R">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>> resource="/policies" action="W">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>> resource="/controller" action="R">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>> resource="/controller" action="W">
>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>        </policy>
>>    </policies>
>> </authorizations>
>> ------------------------------------
>>
>> nifi.properties
>> ----------------------------
>> # web properties #
>> nifi.web.war.directory=./lib
>> nifi.web.http.host=
>> nifi.web.http.port=
>> nifi.web.http.network.interface.default=
>> nifi.web.https.host=localhost
>> nifi.web.https.port=9443
>> nifi.web.https.network.interface.default=
>> nifi.web.jetty.working.directory=./work/jetty
>> nifi.web.jetty.threads=200
>> nifi.web.max.header.size=16 KB
>> nifi.web.proxy.context.path=
>>
>> # security properties #
>> nifi.sensitive.props.key=
>> nifi.sensitive.props.key.protected=
>> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
>> nifi.sensitive.props.provider=BC
>> nifi.sensitive.props.additional.keys=
>>
>> nifi.security.keystore=./conf/keystore.jks
>> nifi.security.keystoreType=jks
>>
>> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>
>> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>> nifi.security.truststore=./conf/truststore.jks
>> nifi.security.truststoreType=jks
>> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
>>
>> ZHZyqI4
>>
>> nifi.security.needClientAuth=
>> nifi.security.user.authorizer=managed-authorizer
>> nifi.security.user.login.identity.provider=
>> nifi.security.ocsp.responder.url=
>> nifi.security.ocsp.responder.certificate=
>> ----------------------
>>
>>
>>
>> Please help.
>>
>> Regards
>> Anil
>>
>> --
>> Sent from Gmail Mobile
>>
>>
>> --
>> Sent from Gmail Mobile
>>
>>
>>
>
Reply | Threaded
Open this post in threaded view
|

Re: setting up secure nifi

Matt Burgess-2
They work for me, perhaps there was a connectivity issue or something?

On Thu, Feb 1, 2018 at 10:56 AM, Anil Rai <[hidden email]> wrote:

> The below links does not work. Have they moved somewhere else?
>
> https://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
> https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/tls-toolkit-intro.html
> https://blog.rosander.ninja/nifi/toolkit/tls/2016/
> 09/20/tls-toolkit-standalone-multi.html
>
> Thanks
> Anil
>
> On Thu, Feb 1, 2018 at 10:35 AM, Anil Rai <[hidden email]> wrote:
>
>> Thanks Andy. It did resolve my issue. I got it working.
>> Thanks again for all the links. Very helpful.
>>
>> Cheers
>> Anil
>>
>>
>> On Thu, Feb 1, 2018 at 10:14 AM, Andy LoPresto <[hidden email]>
>> wrote:
>>
>>> Hi Anil,
>>>
>>> In addition to Bryan’s explanation, there are a number of blog posts and
>>> articles covering this topic:
>>>
>>> * Authorization and Multi-Tenancy by Bryan Bende [1]
>>> * Secured Cluster Setup by Pierre Villard [2]
>>> * TLS Generation Toolkit section of Apache NiFi Admin Guide [3]
>>> * Initial Admin Identity section of Apache NiFi Admin Guide [4]
>>> * Apache NiFi TLS Toolkit single node standalone by Bryan Rosander [5]
>>> * Apache NiFi TLS Toolkit multi-node standalone in Docker by Bryan
>>> Rosander [6]
>>>
>>> The sequence “dc=example,dc=com” in your current user DN (Distinguished
>>> Name) is incorrect and not present in the DN of the certificate. I imagine
>>> you copied this from an example posted online. “dc=“ is a sequence used in
>>> DNS to indicate “Domain Component” [7]. In your case, “CN=TC,OU=NIFI” is
>>> the RDN (Relative Distinguished Name) of your user, and “dc=example,dc=com”
>>> would be the parent DN. But when you generated the certificate, you did not
>>> provide this information, so the DNs do not match, and NiFi correctly
>>> asserts that this is not a valid certificate identifying the user DN you
>>> specified in your XML files. Removing “dc=example,dc=com” from that
>>> definition as Bryan suggested will resolve your issue.
>>>
>>> [1] https://bryanbende.com/development/2016/08/17/apache-nif
>>> i-1-0-0-authorization-and-multi-tenancy
>>> [2] https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-s
>>> ecured-cluster-setup/
>>> [3] https://nifi.apache.org/docs/nifi-docs/html/administrati
>>> on-guide.html#tls-generation-toolkit
>>> [4] https://nifi.apache.org/docs/nifi-docs/html/administrati
>>> on-guide.html#initial-admin-identity
>>> [5] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/19/
>>> tls-toolkit-intro.html
>>> [6] https://blog.rosander.ninja/nifi/toolkit/tls/2016/09/20/
>>> tls-toolkit-standalone-multi.html
>>> [7] https://en.wikipedia.org/wiki/Lightweight_Directory_Acce
>>> ss_Protocol#Directory_structure
>>>
>>> Andy LoPresto
>>> [hidden email]
>>> *[hidden email] <[hidden email]>*
>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>>
>>> On Jan 31, 2018, at 7:32 PM, Bryan Bende <[hidden email]> wrote:
>>>
>>> It’s the same problem, your initial admin should be:
>>>
>>> CN=TC, OU=NIFI
>>>
>>> Not
>>>
>>> CN=TC,OU=NIFI,dc=example,dc=com
>>>
>>> The first one is the DN of your client cert, the second one is not.
>>>
>>> On Wed, Jan 31, 2018 at 7:23 PM Anil Rai <[hidden email]> wrote:
>>>
>>> Hi Bryan,
>>>
>>> Thanks for the quick reply. I did followed your steps. But I am seeing the
>>> same error.
>>> Now the entry looks like
>>>        <property name="Initial User Identity 1">CN=TC,OU=NIFI,dc=example,
>>> dc=com</property>
>>>
>>> Also what does dc stand for after CN and OU. Is that a problem.
>>> Is there a blog that talks about installing and making it https using
>>> toolkit?. I did not find any good post that talks end to end from
>>> installing to making it secure using tls toolkit.
>>>
>>> Any help is appreciated.
>>>
>>> Thanks
>>> Anil
>>>
>>>
>>>
>>> On Wed, Jan 31, 2018 at 6:42 PM, Bryan Bende <[hidden email]> wrote:
>>>
>>> Hello,
>>>
>>> The identity in authorizers.xml for your initial admin does not match the
>>> identity of your client cert.
>>>
>>> You should be putting “CN=TC, OU=NIFI” as the initial admin because that
>>>
>>> is
>>>
>>> the DN of your client cert.
>>>
>>> You’ll need to stop NiFi, edit authorizers.xml, delete users.xml and
>>> authorizations.xml, and start back up.
>>>
>>> Thanks,
>>>
>>> Bryan
>>>
>>> On Wed, Jan 31, 2018 at 6:11 PM Anil Rai <[hidden email]> wrote:
>>>
>>> All,
>>>
>>> I am trying to install nifi 1.5 and making it https. Below is the steps
>>> followed and the error i am getting. Below is the config and log files
>>> content. Please help
>>>
>>> 1. Installed nifi 1.5
>>> 2. Installed nifi toolkit 1.5
>>> 3. Ran toolkit - ./tls-toolkit.sh standalone -n 'localhost' -C
>>> 'CN=TC,OU=NIFI' -O -o ../security_output
>>> 4. Copied generated keystore, truststore and nifi properties to
>>>
>>> nifi/config
>>>
>>> folder
>>> 5. Imported the generated certificate to chrome browser
>>> 6. Modified authorizers.xml as attached.
>>> 7. With required restarts. Now when i enter the below url in the
>>>
>>> browser, I
>>>
>>> see the below error.
>>>
>>> https://localhost:9443/nifi/
>>>
>>> Insufficient Permissions
>>>
>>>   - home
>>>
>>> Unknown user with identity 'CN=TC, OU=NIFI'. Contact the system
>>> administrator.
>>>
>>>
>>> authorizers.xml
>>> --------------------
>>>    <userGroupProvider>
>>>        <identifier>file-user-group-provider</identifier>
>>>        <class>org.apache.nifi.authorization.
>>>
>>> FileUserGroupProvider</class>
>>>
>>>        <property name="Users File">./conf/users.xml</property>
>>>        <property name="Legacy Authorized Users File"></property>
>>>
>>>        <property name="Initial User Identity
>>> 1">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>>    </userGroupProvider>
>>>
>>>    <accessPolicyProvider>
>>>        <identifier>file-access-policy-provider</identifier>
>>>
>>> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>>>        <property name="User Group
>>> Provider">file-user-group-provider</property>
>>>        <property name="Authorizations
>>> File">./conf/authorizations.xml</property>
>>>        <property name="Initial Admin
>>> Identity">cn=TC,ou=NIFI,dc=example,dc=com</property>
>>>        <property name="Legacy Authorized Users File"></property>
>>>
>>>        <property name="Node Identity 1"></property>
>>>    </accessPolicyProvider>
>>> ------------------------
>>>
>>> nifi-user.log
>>> -----------------------
>>> 2018-01-31 17:51:20,220 INFO [main] o.a.n.a.FileUserGroupProvider
>>>
>>> Creating
>>>
>>> new users file at
>>> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/users.xml
>>> 2018-01-31 17:51:20,234 INFO [main] o.a.n.a.FileUserGroupProvider
>>> Users/Groups file loaded at Wed Jan 31 17:51:20 EST 2018
>>> 2018-01-31 17:51:20,240 INFO [main] o.a.n.a.FileAccessPolicyProvider
>>> Creating new authorizations file at
>>> /Users/anilrai/projects/tc/servicemax/nifi-1.5.0/./conf/
>>>
>>> authorizations.xml
>>>
>>> 2018-01-31 17:51:20,264 INFO [main] o.a.n.a.FileAccessPolicyProvider
>>> Populating authorizations for Initial Admin:
>>> cn=TC,ou=NIFI,dc=example,dc=com
>>> 2018-01-31 17:51:20,271 INFO [main] o.a.n.a.FileAccessPolicyProvider
>>> Authorizations file loaded at Wed Jan 31 17:51:20 EST 2018
>>> 2018-01-31 17:52:18,192 INFO [NiFi Web Server-28]
>>> o.a.n.w.a.c.IllegalStateExceptionMapper
>>>
>>> java.lang.IllegalStateException:
>>>
>>> Kerberos ticket login not supported by this NiFi.. Returning Conflict
>>> response.
>>> 2018-01-31 17:52:18,306 INFO [NiFi Web Server-67]
>>> o.a.n.w.a.c.IllegalStateExceptionMapper
>>>
>>> java.lang.IllegalStateException:
>>>
>>> OpenId Connect is not configured.. Returning Conflict response.
>>> 2018-01-31 17:52:18,350 INFO [NiFi Web Server-27]
>>> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=TC,
>>>
>>> OU=NIFI)
>>>
>>> GET https://localhost:9443/nifi-api/flow/current-user (source ip:
>>> 127.0.0.1)
>>> 2018-01-31 17:52:18,354 INFO [NiFi Web Server-27]
>>> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=TC,
>>> OU=NIFI
>>> 2018-01-31 17:52:18,424 INFO [NiFi Web Server-27]
>>> o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=TC, OU=NIFI],
>>>
>>> groups[]
>>>
>>> does not have permission to access the requested resource. Unknown user
>>> with identity 'CN=TC, OU=NIFI'. Returning Forbidden response.
>>> ------------------------------
>>>
>>> Generated users.xml
>>> --------------------------------
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <tenants>
>>>    <groups/>
>>>    <users>
>>>        <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"
>>> identity="cn=TC,ou=NIFI,dc=example,dc=com"/>
>>>    </users>
>>> </tenants>
>>> --------------------------------
>>>
>>> Generated authorizations.xml
>>> --------------------------
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <authorizations>
>>>    <policies>
>>>        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>>> resource="/flow" action="R">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="87f484e7-b2e9-39fe-a77c-6c3e345ce847"
>>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>> action="R">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="3bf4d5e2-eebb-39ea-b417-2ce31959bd66"
>>> resource="/data/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>> action="W">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="a5a489df-b8f0-3948-9456-64a9aaed38fc"
>>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>
>>> action="R">
>>>
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="f7f4a277-67f7-3f16-9963-6a0ccf1e4e23"
>>> resource="/process-groups/4dedb986-0161-1000-0db6-e28e0a2db61d"
>>>
>>> action="W">
>>>
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>>> resource="/restricted-components" action="W">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>>> resource="/tenants" action="R">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>>> resource="/tenants" action="W">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>>> resource="/policies" action="R">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>>> resource="/policies" action="W">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>>> resource="/controller" action="R">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>>> resource="/controller" action="W">
>>>            <user identifier="5c27599e-20cc-3258-b663-df5b8ca461b4"/>
>>>        </policy>
>>>    </policies>
>>> </authorizations>
>>> ------------------------------------
>>>
>>> nifi.properties
>>> ----------------------------
>>> # web properties #
>>> nifi.web.war.directory=./lib
>>> nifi.web.http.host=
>>> nifi.web.http.port=
>>> nifi.web.http.network.interface.default=
>>> nifi.web.https.host=localhost
>>> nifi.web.https.port=9443
>>> nifi.web.https.network.interface.default=
>>> nifi.web.jetty.working.directory=./work/jetty
>>> nifi.web.jetty.threads=200
>>> nifi.web.max.header.size=16 KB
>>> nifi.web.proxy.context.path=
>>>
>>> # security properties #
>>> nifi.sensitive.props.key=
>>> nifi.sensitive.props.key.protected=
>>> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
>>> nifi.sensitive.props.provider=BC
>>> nifi.sensitive.props.additional.keys=
>>>
>>> nifi.security.keystore=./conf/keystore.jks
>>> nifi.security.keystoreType=jks
>>>
>>> nifi.security.keystorePasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>>
>>> nifi.security.keyPasswd=dDGiDzvaUrecDVYGbfXq/w6G7z6ldn4oKuQemifG3iI
>>> nifi.security.truststore=./conf/truststore.jks
>>> nifi.security.truststoreType=jks
>>> nifi.security.truststorePasswd=Kckcz+CPJduHRzOsdJFaSffmJHLHqJ7noxY3
>>>
>>> ZHZyqI4
>>>
>>> nifi.security.needClientAuth=
>>> nifi.security.user.authorizer=managed-authorizer
>>> nifi.security.user.login.identity.provider=
>>> nifi.security.ocsp.responder.url=
>>> nifi.security.ocsp.responder.certificate=
>>> ----------------------
>>>
>>>
>>>
>>> Please help.
>>>
>>> Regards
>>> Anil
>>>
>>> --
>>> Sent from Gmail Mobile
>>>
>>>
>>> --
>>> Sent from Gmail Mobile
>>>
>>>
>>>
>>