Closed bmgante closed 3 years ago
Below my config:
properties:
  # use externalSecure for when inbound SSL is provided by nginx-ingress or other external mechanism
  externalSecure: false
  isNode: false # set to false if ldap is enabled
  httpPort: null # set to null if ldap is enabled
  httpsPort: 9443 # set to 9443 if ldap is enabled
  webProxyHost:
  clusterPort: 6007
  clusterSecure: true # set to true if ldap is enabled
  needClientAuth: false
  provenanceStorage: "8 GB"
  siteToSite:
    port: 10000
  authorizer: managed-authorizer
  # use properties.safetyValve to pass explicit 'key: value' pairs that overwrite other configuration
  safetyValve:
    #nifi.variable.registry.properties: "${NIFI_HOME}/example1.properties, ${NIFI_HOME}/example2.properties"
    nifi.web.http.network.interface.default: eth0
    # listen to loopback interface so "kubectl port-forward ..." works
    nifi.web.http.network.interface.lo: lo
# Nifi User Authentication
auth:
  admin: CN=admin, OU=NIFI
  SSL:
    keystorePasswd: env:PASS
    truststorePasswd: env:PASS
  ldap:
    enabled: true
    host: ldaps://xxx.com:636
    searchBase: OU=AADDC Users,DC=xxx,DC=com
    admin: cn=xxx.xxx,OU=AADDC Users,DC=xxx,DC=com
    pass: xxxx
    searchFilter: (sAMAccountName=%s)
    userIdentityAttribute: cn
    authStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
    identityStrategy: USE_DN
    authExpiration: 12 hours
# ca server details
# Setting this true would create a nifi-toolkit based ca server
# The ca server will be used to generate self-signed certificates required setting up secured cluster
ca:
  ## If true, enable the nifi-toolkit certificate authority
  enabled: true
  persistence:
    enabled: true
  server: ""
  service:
    port: 9090
  token: sixteenCharacters
  admin:
    cn: admin
  serviceAccount:
    create: false
    #name: nifi-ca
  openshift:
    scc:
      enabled: false
This is the error I got when trying to access the https URL:
I am wondering if I may have some misconfiguration in values.yml. Does anyone know what could be missing?
There are some instructions and examples here: https://github.com/cetic/fadi/blob/develop/doc/USERMANAGEMENT.md#nifi
Even following those instructions I get the same error. Nifi toolkit generates the certificates for this address, and I need to reach the UI on the load balancer external address nifi.staging.xxx.net, which is defined in the lb config below.
From Certificate:
DNS Name nifi-nifi-0.nifi-nifi-headless.xxx.svc.cluster.local
Deployed services:
kubectl get svc -n xxx --kubeconfig=$HOME/.kube/config-files/xxx.yml | grep nifi
nifi LoadBalancer 172.20.52.169 internal-a27ee58c5feb2487e9902a71bec18189-888972753.eu-west-1.elb.amazonaws.com 9443:30236/TCP 11d
nifi-ca ClusterIP 172.20.130.19 <none> 9090/TCP 4m23s
nifi-headless ClusterIP None <none> 9443/TCP,6007/TCP 11d
nifi-metrics ClusterIP 172.20.12.155 <none> 9092/TCP 10d
nifi-redis ClusterIP 172.20.225.208 <none> 6379/TCP,26379/TCP 10d
nifi-redis-headless ClusterIP None <none> 6379/TCP,26379/TCP 10d
nifi-registry ClusterIP 172.20.108.47 <none> 80/TCP 11d
nifi-zookeeper ClusterIP 172.20.95.65 <none> 2181/TCP,2888/TCP,3888/TCP 11d
nifi-zookeeper-headless ClusterIP None <none> 2181/TCP,2888/TCP,3888/TCP 11d
UI service config:
service:
  type: LoadBalancer
  httpPort: 8080
  httpsPort: 9443
  nodePort: 30236
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=staging,Function=xxx,Service=nifi
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    #external-dns.alpha.kubernetes.io/hostname: nifi.xxx.net
    external-dns.alpha.kubernetes.io/hostname: nifi.staging.xxx.net
    external-dns.alpha.kubernetes.io/ttl: "60"
I was able to reach the UI with https and ldap enabled. To achieve this I added webProxyHost with the DNS entry and the https port:
webProxyHost: nifi.xxx.net:9443
However, I cannot login with the admin account I've configured:
Error:
Unknown user with identity 'cn=nifi,ou=AADDC Users,dc=xxx,dc=com'. Contact the system administrator.
Logs:
2021-07-09 14:16:22,427 INFO [NiFi Web Server-179] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.xxx.net:9443/nifi-api/flow/current-user (source ip: 10.218.3.151)
2021-07-09 14:16:22,430 INFO [NiFi Web Server-179] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=nifi,ou=AADDC Users,dc=xxx,dc=com
2021-07-09 14:16:22,431 INFO [NiFi Web Server-179] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=nifi,ou=AADDC Users,dc=xxx,dc=com], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=nifi,ou=AADDC Users,dc=xxx,dc=com'. Returning Forbidden response.
But in the config I've set the ldap admin account to this nifi user. In the authorizers.xml the configuration indeed seems to be ok:
<authorizer>
  <identifier>file-provider</identifier>
  <class>org.apache.nifi.authorization.FileAuthorizer</class>
  <property name="Authorizations File">./conf/authorizations.xml</property>
  <property name="Users File">./conf/users.xml</property>
  **<property name="Initial Admin Identity">cn=nifi,OU=AADDC Users,DC=xxx,DC=com</property>**
  <property name="Legacy Authorized Users File"></property>
</authorizer>
One step closer... the problem was that ldap was returning "cn=nifi,ou=AADDC Users,dc=xxx,dc=com" and I had set "cn=nifi,OU=AADDC Users,DC=xxx,DC=com", and it seems to be case sensitive. After changing to lower case I was able to login with that account, but only once; seconds later I started getting another kind of error, and now I get it all the time:
2021-07-09 17:45:24,672 INFO [NiFi Web Server-154] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.xxx.net:9443/nifi-api/flow/controller-service-types (source ip: 10.218.0.113)
2021-07-09 17:45:24,675 ERROR [NiFi Web Server-154] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
2021-07-09 17:45:24,675 ERROR [NiFi Web Server-154] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
Caused by: Unable to determine signing key for cn=nifi,ou=AADDC Users,dc=xxx,dc=com [kid: 2]
2021-07-09 17:45:24,675 WARN [NiFi Web Server-154] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to validate the access token.
2021-07-09 17:45:25,325 INFO [NiFi Web Server-117] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.xxx.net:9443/nifi-api/flow/controller/bulletins (source ip: 10.218.0.113)
2021-07-09 17:45:25,327 ERROR [NiFi Web Server-117] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
2021-07-09 17:45:25,327 ERROR [NiFi Web Server-117] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
Caused by: Unable to determine signing key for cn=nifi,ou=AADDC Users,dc=xxx,dc=com [kid: 2]
2021-07-09 17:45:25,327 WARN [NiFi Web Server-117] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to validate the access token.
2021-07-09 17:45:25,481 INFO [NiFi Web Server-132] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.xxx.net:9443/nifi-api/flow/cluster/summary (source ip: 10.218.2.220)
2021-07-09 17:45:25,487 ERROR [NiFi Web Server-132] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
2021-07-09 17:45:25,487 ERROR [NiFi Web Server-132] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
Caused by: Unable to determine signing key for cn=nifi,ou=AADDC Users,dc=xxx,dc=com [kid: 2]
2021-07-09 17:45:25,487 WARN [NiFi Web Server-132] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to validate the access token.
Any idea?
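A check for the identity mismatch described in the comment above, written here as an added example (it is not code from the issue, from NiFi or from the Helm chart): it parses both DNs, compares them the way the directory treats them (attribute types case-insensitive, and values case-insensitive as Active Directory handles DNs) and reports the exact string to put in the Initial Admin Identity, since the file authorizer looks identities up as plain strings. The two DN values are the ones quoted in the comment.

```python
# Added example: compare the configured Initial Admin Identity with the
# identity NiFi logs after the LDAP bind. The plain string compare is what
# fails on the page; the normalized compare shows the DNs name one principal.

def parse_dn(dn):
    """Split a DN into (type, value) pairs. A backslash escapes the next
    character, so "cn=Doe\\, John" stays one RDN."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escape and escaped char
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        pairs.append((typ.strip(), val.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical form: lower-case attribute types and values, since
    Active Directory treats DNs as case-insensitive."""
    return ",".join(f"{t.lower()}={v.lower()}" for t, v in parse_dn(dn))


def check_initial_admin(configured, logged):
    """Return (exact_match, same_principal, value_to_configure). The file
    authorizer looks identities up as plain strings, so the value to
    configure is the form the LDAP provider actually returns."""
    exact = configured == logged
    same = normalize_dn(configured) == normalize_dn(logged)
    return exact, same, (configured if exact else logged)


# Values quoted in the issue: what was configured vs. what NiFi logged
CONFIGURED = "cn=nifi,OU=AADDC Users,DC=xxx,DC=com"
LOGGED = "cn=nifi,ou=AADDC Users,dc=xxx,dc=com"

if __name__ == "__main__":
    exact, same, fix = check_initial_admin(CONFIGURED, LOGGED)
    print(f"exact match: {exact}, same principal: {same}, use: {fix}")
```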
Sorry guys, the problem was the sticky session that needed to be configured on the load balancer. Now that I am able to connect with ldap users, I noticed that my 3-node cluster does not appear in the UI... it shows 0... in the backend flow files are being processed but using only one node (nifi-0). I must be missing some configuration for sure, does anyone know how to figure it out? If I disable https+ldap, the 3-node cluster syncs and works properly. @banzo can you provide some guidance here please?
Below are the pods running, where we can confirm the 3 nifi nodes:
This issue is stale because it has not seen recent activity. Remove stale label or comment or this will be closed.
Hi,
I am trying to enable ldap authentication for the cluster. CA is enabled, ldap parameters are configured and pods are running, but I can't reach the UI. Is there anything else that must be configured to properly enable ldap authentication?
pods:
app-log:
2021-06-25 16:27:01,638 WARN [NiFi Web Server-115] o.a.nifi.web.server.HostHeaderHandler Request host header [nifi.xxx.net:9443] different from web hostname [localhost(:9443)]. Overriding to [localhost:9443/favicon.ico]
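The HostHeaderHandler warning above is NiFi refusing a request whose Host header is not in its list of accepted hostnames. The following is an added example (not NiFi's code and not the chart's) that models that list in simplified form: it assumes the accepted set is the node's own web host and localhost, each with and without the https port, plus every nifi.web.proxy.host entry, and shows why the request for nifi.xxx.net:9443 is rejected until that name is configured as webProxyHost.

```python
# Added example: simplified model of NiFi's Host header check, used to see
# which webProxyHost value makes the request from the log acceptable.

def accepted_hosts(https_host, https_port, proxy_hosts=""):
    """Host header values the node accepts (assumption: its own host and
    localhost with and without the https port, plus every proxy entry as
    written and, when the entry has no port, with the port appended)."""
    hosts = set()
    for name in (https_host, "localhost", "127.0.0.1"):
        hosts.add(name)
        hosts.add(f"{name}:{https_port}")
    for entry in proxy_hosts.split(","):
        entry = entry.strip()
        if not entry:
            continue
        hosts.add(entry)
        if ":" not in entry:
            hosts.add(f"{entry}:{https_port}")
    return hosts


def host_header_ok(host_header, https_host, https_port, proxy_hosts=""):
    """True if a request carrying this Host header passes the check
    (hostnames compared case-insensitively)."""
    allowed = {h.lower() for h in accepted_hosts(https_host, https_port, proxy_hosts)}
    return host_header.strip().lower() in allowed


# From the log: Host header nifi.xxx.net:9443, node web hostname localhost
HOST_HEADER = "nifi.xxx.net:9443"
NODE_HOST, NODE_PORT = "localhost", 9443


def before_and_after():
    """Outcome with no webProxyHost and with the value that fixed the issue."""
    without = host_header_ok(HOST_HEADER, NODE_HOST, NODE_PORT, "")
    with_proxy = host_header_ok(HOST_HEADER, NODE_HOST, NODE_PORT, "nifi.xxx.net:9443")
    return without, with_proxy


if __name__ == "__main__":
    print(before_and_after())  # (False, True)
```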