cetic / helm-nifi

Helm Chart for Apache Nifi
Apache License 2.0

LDAP Authentication #154

Closed bmgante closed 3 years ago

bmgante commented 3 years ago

Hi,

I am trying to enable ldap authentication for the cluster. CA is enabled, ldap parameters configured and pods are running but I can't reach the UI. Is there anything else that must be configured to properly enable ldap authentication?

pods:

nifi-0                                             4/4     Running     1          30m
nifi-ca-fc498d866-tdzvn                            1/1     Running     0          67m
nifi-registry-0                                    1/1     Running     0          79m
nifi-zookeeper-0                                   1/1     Running     0          79m
nifi-zookeeper-1                                   1/1     Running     0          79m
nifi-zookeeper-2                                   1/1     Running     0          79m

app-log: 2021-06-25 16:27:01,638 WARN [NiFi Web Server-115] o.a.nifi.web.server.HostHeaderHandler Request host header [nifi.xxx.net:9443] different from web hostname [localhost(:9443)]. Overriding to [localhost:9443/favicon.ico]

bmgante commented 3 years ago

Below my config:

properties:
  # use externalSecure for when inbound SSL is provided by nginx-ingress or other external mechanism
  externalSecure: false
  isNode: false # set to false if ldap is enabled
  httpPort: null # set to null if ldap is enabled
  httpsPort: 9443 # set to 9443 if ldap is enabled
  webProxyHost:
  clusterPort: 6007
  clusterSecure: true # set to true if ldap is enabled
  needClientAuth: false
  provenanceStorage: "8 GB"
  siteToSite:
    port: 10000
  authorizer: managed-authorizer
  # use properties.safetyValve to pass explicit 'key: value' pairs that overwrite other configuration
  safetyValve:
    #nifi.variable.registry.properties: "${NIFI_HOME}/example1.properties, ${NIFI_HOME}/example2.properties"
    nifi.web.http.network.interface.default: eth0
    # listen to loopback interface so "kubectl port-forward ..." works
    nifi.web.http.network.interface.lo: lo
# Nifi User Authentication
auth:
  admin: CN=admin, OU=NIFI
  SSL:
    keystorePasswd: env:PASS
    truststorePasswd: env:PASS
  ldap:
    enabled: true
    host: ldaps://xxx.com:636
    searchBase: OU=AADDC Users,DC=xxx,DC=com
    admin: cn=xxx.xxx,OU=AADDC Users,DC=xxx,DC=com
    pass: xxxx
    searchFilter: (sAMAccountName=%s)
    userIdentityAttribute: cn
    authStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
    identityStrategy: USE_DN
    authExpiration: 12 hours
# ca server details
# Setting this true would create a nifi-toolkit based ca server
# The ca server will be used to generate self-signed certificates required setting up secured cluster
ca:
  ## If true, enable the nifi-toolkit certificate authority
  enabled: true
  persistence:
    enabled: true
  server: ""
  service:
    port: 9090
  token: sixteenCharacters
  admin:
    cn: admin
  serviceAccount:
    create: false
    #name: nifi-ca
  openshift:
    scc:
      enabled: false
bmgante commented 3 years ago

This is the error I got when trying to access the https url:

I am wondering if I may have some misconfiguration in values.yml. Does anyone know what could be missing?

banzo commented 3 years ago

There are some instructions and examples here: https://github.com/cetic/fadi/blob/develop/doc/USERMANAGEMENT.md#nifi

bmgante commented 3 years ago

Even following those instructions I get the same error. Nifi toolkit generates the certificates for this address and I need to reach the UI on the load balancer external address nifi.staging.xxx.net which is defined in the lb config below.

From Certificate: DNS Name nifi-nifi-0.nifi-nifi-headless.xxx.svc.cluster.local

Deployed services:

kubectl get svc -n xxx --kubeconfig=$HOME/.kube/config-files/xxx.yml | grep nifi
nifi                              LoadBalancer   172.20.52.169    internal-a27ee58c5feb2487e9902a71bec18189-888972753.eu-west-1.elb.amazonaws.com   9443:30236/TCP               11d
nifi-ca                           ClusterIP      172.20.130.19    <none>                                                                            9090/TCP                     4m23s
nifi-headless                     ClusterIP      None             <none>                                                                            9443/TCP,6007/TCP            11d
nifi-metrics                      ClusterIP      172.20.12.155    <none>                                                                            9092/TCP                     10d
nifi-redis                        ClusterIP      172.20.225.208   <none>                                                                            6379/TCP,26379/TCP           10d
nifi-redis-headless               ClusterIP      None             <none>                                                                            6379/TCP,26379/TCP           10d
nifi-registry                     ClusterIP      172.20.108.47    <none>                                                                            80/TCP                       11d
nifi-zookeeper                    ClusterIP      172.20.95.65     <none>                                                                            2181/TCP,2888/TCP,3888/TCP   11d
nifi-zookeeper-headless           ClusterIP      None             <none>                                                                            2181/TCP,2888/TCP,3888/TCP   11d

UI service config:

service:
  type: LoadBalancer
  httpPort: 8080
  httpsPort: 9443
  nodePort: 30236
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=staging,Function=xxx,Service=nifi
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    #external-dns.alpha.kubernetes.io/hostname: nifi.xxx.net
    external-dns.alpha.kubernetes.io/hostname: nifi.staging.xxx.net
    external-dns.alpha.kubernetes.io/ttl: "60"
bmgante commented 3 years ago

Was able to reach the UI with https and ldap enabled. To achieve this I added webProxyHost as the DNS entry with the https port: webProxyHost: nifi.xxx.net:9443

However I cannot login with the admin account I've configured:

Error: Unknown user with identity 'cn=nifi,ou=AADDC Users,dc=xxx,dc=com'. Contact the system administrator.

Logs:

2021-07-09 14:16:22,427 INFO [NiFi Web Server-179] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.xxx.net:9443/nifi-api/flow/current-user (source ip: 10.218.3.151)

2021-07-09 14:16:22,430 INFO [NiFi Web Server-179] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for cn=nifi,ou=AADDC Users,dc=xxx,dc=com

2021-07-09 14:16:22,431 INFO [NiFi Web Server-179] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[cn=nifi,ou=AADDC Users,dc=xxx,dc=com], groups[] does not have permission to access the requested resource. Unknown user with identity 'cn=nifi,ou=AADDC Users,dc=xxx,dc=com'. Returning Forbidden response.

But in the config I've set the ldap admin account to this nifi user. In the authorizers.xml the configuration indeed seems to be ok:

    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">cn=nifi,OU=AADDC Users,DC=xxx,DC=com</property>
        <property name="Legacy Authorized Users File"></property>
    </authorizer>
bmgante commented 3 years ago

One step closer... the problem was that ldap was returning "cn=nifi,ou=AADDC Users,dc=xxx,dc=com" and I had set "cn=nifi,OU=AADDC Users,DC=xxx,DC=com", and it seems to be case sensitive. After changing to lower case I was able to login with that account, but only once; seconds later I started getting another kind of error and now I am getting it all the time:

2021-07-09 17:45:24,672 INFO [NiFi Web Server-154] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.xxx.net:9443/nifi-api/flow/controller-service-types (source ip: 10.218.0.113)

2021-07-09 17:45:24,675 ERROR [NiFi Web Server-154] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT

2021-07-09 17:45:24,675 ERROR [NiFi Web Server-154] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
    Caused by: Unable to determine signing key for cn=nifi,ou=AADDC Users,dc=xxx,dc=com [kid: 2]

2021-07-09 17:45:24,675 WARN [NiFi Web Server-154] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to validate the access token.

2021-07-09 17:45:25,325 INFO [NiFi Web Server-117] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.xxx.net:9443/nifi-api/flow/controller/bulletins (source ip: 10.218.0.113)

2021-07-09 17:45:25,327 ERROR [NiFi Web Server-117] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT
2021-07-09 17:45:25,327 ERROR [NiFi Web Server-117] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
    Caused by: Unable to determine signing key for cn=nifi,ou=AADDC Users,dc=xxx,dc=com [kid: 2]

2021-07-09 17:45:25,327 WARN [NiFi Web Server-117] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to validate the access token.

2021-07-09 17:45:25,481 INFO [NiFi Web Server-132] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://nifi.xxx.net:9443/nifi-api/flow/cluster/summary (source ip: 10.218.2.220)

2021-07-09 17:45:25,487 ERROR [NiFi Web Server-132] o.a.nifi.web.security.jwt.JwtService There was an error validating the JWT

2021-07-09 17:45:25,487 ERROR [NiFi Web Server-132] o.a.nifi.web.security.jwt.JwtService Unable to validate the access token.
    Caused by: Unable to determine signing key for cn=nifi,ou=AADDC Users,dc=xxx,dc=com [kid: 2]

2021-07-09 17:45:25,487 WARN [NiFi Web Server-132] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Unable to validate the access token.

Any idea?
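The case mismatch described above comes from NiFi comparing the identity it receives from LDAP with the configured Initial Admin Identity as an exact string. As an added example (not code from the chart, NiFi or this thread), this Python check folds both DNs component by component to tell a case-only mismatch from a genuinely different DN, and applies a hypothetical nifi.properties identity-mapping entry (NiFi's pattern / value / transform keys, assumed here with a LOWER transform) so that both sides normalise to the same string; the sample DNs are constructed and use example.com.

```python
import re

# Constructed sample values, modelled on the thread: the identity NiFi logged after
# the LDAP login and the "Initial Admin Identity" placed in authorizers.xml.
LOGGED_IDENTITY = "cn=nifi,ou=AADDC Users,dc=example,dc=com"
CONFIGURED_ADMIN = "cn=nifi,OU=AADDC Users,DC=example,DC=com"

# Hypothetical nifi.properties fragment using NiFi's identity-mapping keys
# (pattern / value / transform) to lower-case every DN before authorization.
MAPPING_PROPS = {
    "nifi.security.identity.mapping.pattern.dn": "^(.*)$",
    "nifi.security.identity.mapping.value.dn": "$1",
    "nifi.security.identity.mapping.transform.dn": "LOWER",
}

def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [tuple(s.strip() for s in p.partition("=")[::2]) for p in parts]

def apply_mapping(identity, props, name="dn"):
    """Apply one NiFi-style identity mapping (pattern, value, transform)."""
    pattern = props.get(f"nifi.security.identity.mapping.pattern.{name}")
    match = re.fullmatch(pattern, identity) if pattern else None
    if not match:
        return identity  # no mapping applies; the identity is used as-is
    value = props.get(f"nifi.security.identity.mapping.value.{name}", "$1")
    mapped = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), value)
    transform = props.get(f"nifi.security.identity.mapping.transform.{name}", "NONE")
    return {"LOWER": mapped.lower(), "UPPER": mapped.upper()}.get(transform, mapped)

def diagnose(logged, configured):
    """NiFi matches identities as exact strings; report why a lookup would fail."""
    if logged == configured:
        return "match"
    fold = lambda dn: [(t.lower(), v.lower()) for t, v in split_dn(dn)]
    return "case-only mismatch" if fold(logged) == fold(configured) else "different DN"
```

Run diagnose() on the identity from the "Unknown user with identity" log line and the value in authorizers.xml; a "case-only mismatch" points at exactly the problem hit in this thread.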

bmgante commented 3 years ago

Sorry guys, the problem was the sticky session that needed to be configured on the load balancer. Now that I am able to connect with ldap users, I noticed that my 3 node cluster does not appear in the UI... it shows 0... in the backend flow files are being processed but using only one node (nifi-0). I must be missing some configuration for sure, does anyone know how to figure it out? If I disable https+ldap, the 3 nodes sync and work properly as a cluster. @banzo can you provide some guidance here pls?


Below are the running pods, where we can confirm the 3 nifi nodes:

github-actions[bot] commented 3 years ago

This issue is stale because it has not seen recent activity. Remove stale label or comment or this will be closed.