Closed celsomarques closed 3 years ago
Describe the bug
I'm trying to config OIDC but the users.xml file doesn't reflect the auth.admin config and I'm unable to authenticate to Nifi. Inside conf/authorizers.xml, it seems to be ok.
Version of Helm and Kubernetes: Helm:
version.BuildInfo{Version:"v3.6.3", GitCommit:"d506314abfb5d21419df8c7e7e68012379db2354", GitTreeState:"clean", GoVersion:"go1.16.5"}
Kubernetes:
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.7", GitCommit:"132a687512d7fb058d0f5890f07d4121b3f0a2e2", GitTreeState:"clean", BuildDate:"2021-05-12T12:40:09Z", GoVersion:"go1.15.12", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.8-gke.900", GitCommit:"28ab8501be88ea42e897ca8514d7cd0b436253d9", GitTreeState:"clean", BuildDate:"2021-06-30T09:23:36Z", GoVersion:"go1.15.13b5", Compiler:"gc", Platform:"linux/amd64"}
What happened:
The UI shows that I have insufficient permissions, and auth-conf/users.xml is as follows:

nifi@nifi-0:/opt/nifi/nifi-current/auth-conf$ cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="CN=admin, OU=NIFI"/>
        <user identifier="5ac2302b-365e-3d9a-a24e-f17565d2ca08" identity="CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
        <user identifier="802187fa-2f40-30b4-8554-c32b425ab945" identity="CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
    </users>
</tenants>
What you expected to happen:
I expected that my email address would be filled in for the first user, as follows:

nifi@nifi-0:/opt/nifi/nifi-current/auth-conf$ cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="47c717db-75da-3d54-8ab3-1731497291c7" identity="xxx@xxx.com"/>
        <user identifier="5ac2302b-365e-3d9a-a24e-f17565d2ca08" identity="CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
        <user identifier="802187fa-2f40-30b4-8554-c32b425ab945" identity="CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
    </users>
</tenants>
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know:
Here is some information to help with troubleshooting:
values.yaml
replicaCount: 2
image:
  repository: apache/nifi
  tag: 1.12.1
properties:
  # use externalSecure for when inbound SSL is provided by nginx-ingress or other external mechanism
  externalSecure: false
  isNode: true # set to false if ldap is enabled
  httpPort: null # set to null if ldap is enabled
  httpsPort: 8443 # set to 9443 if ldap is enabled
  webProxyHost: host.com:8443
  clusterPort: 6007
  clusterSecure: true # set to true if ldap is enabled
  needClientAuth: false
  provenanceStorage: "8 GB"
  siteToSite:
    port: 10000
  authorizer: managed-authorizer
  # use properties.safetyValve to pass explicit 'key: value' pairs that overwrite other configuration
  safetyValve:
    nifi.web.http.network.interface.default: eth0
    nifi.web.http.network.interface.lo: lo
service:
  type: LoadBalancer
  httpsPort: 443
  loadBalancerIP: xxx.xxx.xxx.xxx
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-test
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/affinity: cookie
    nginx.ingress.kubernetes.io/session-cookie-name: route
    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
    nginx.ingress.kubernetes.io/session-cookie-path: /
  path: /
  hosts:
    - host.com
  tls:
    - hosts:
        - host.com
      secretName: host-tls
persistence:
  enabled: true
auth:
  admin: xxx@xxxx.com
  oidc:
    enabled: true
    discoveryUrl: https://accounts.google.com/.well-known/openid-configuration
    clientId: xxxxx
    clientSecret: xxxx
zookeeper:
  enabled: false
  url: zookeeper.zookeeper
  port: 2181
registry:
  enabled: false
  url: nifi-registry
  port: 18080
conf/authorizers.xml
nifi@nifi-0:/opt/nifi/nifi-current$ cat conf/authorizers.xml |more
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./auth-conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 0">CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
        <property name="Initial User Identity 1">CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
        <property name="Initial User Identity admin">xxx@xxx.com</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./auth-conf/authorizations.xml</property>
        <property name="Initial Admin Identity">xxx@xxx.com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 0">CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
        <property name="Node Identity 1">CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
        <property name="Node Identity"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
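A quick consistency check between the two files quoted above, added here as an example and not code from the reporter or from the helm-nifi chart. NiFi's FileUserGroupProvider and FileAccessPolicyProvider only seed users.xml and authorizations.xml from the "Initial User Identity", "Initial Admin Identity" and "Node Identity" properties when those files are first created; an existing users.xml (for instance one kept on a persistent volume from an earlier install) is left as it is, which is exactly the symptom of an authorizers.xml that looks right while users.xml still holds the old entries. The script below parses both files and reports every identity that authorizers.xml expects but users.xml lacks, and every identity in users.xml that no property mentions. The sample documents are constructed from the files in this issue with shortened identifier values; in practice you would read the real files from the pod.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the files quoted in the issue
# (identifier attributes shortened; not the reporter's real files).
AUTHORIZERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./auth-conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 0">CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
    <property name="Initial User Identity 1">CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
    <property name="Initial User Identity admin">xxx@xxx.com</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./auth-conf/authorizations.xml</property>
    <property name="Initial Admin Identity">xxx@xxx.com</property>
    <property name="Node Identity 0">CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
    <property name="Node Identity 1">CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
    <property name="Node Identity"></property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>
"""

USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="id-admin" identity="CN=admin, OU=NIFI"/>
    <user identifier="id-node-0" identity="CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
    <user identifier="id-node-1" identity="CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI"/>
  </users>
</tenants>
"""

# Property-name prefixes whose values NiFi uses to seed the users file.
SEED_PREFIXES = ("Initial User Identity", "Initial Admin Identity", "Node Identity")


def _parse(text):
    # Encode to bytes so the XML declaration's encoding attribute is honoured.
    return ET.fromstring(text.strip().encode("utf-8"))


def expected_identities(authorizers_xml):
    """Map each identity named by a seeding property to the property names
    that mention it. Properties with an empty value (like the blank
    'Node Identity' placeholder) are ignored."""
    wanted = {}
    for prop in _parse(authorizers_xml).iter("property"):
        name = prop.get("name", "")
        value = (prop.text or "").strip()
        if value and name.startswith(SEED_PREFIXES):
            wanted.setdefault(value, []).append(name)
    return wanted


def actual_identities(users_xml):
    """Set of identity attributes present in users.xml."""
    return {user.get("identity") for user in _parse(users_xml).iter("user")}


def find_missing(authorizers_xml, users_xml):
    """Identities that authorizers.xml expects but users.xml does not contain,
    with the property names that reference them."""
    present = actual_identities(users_xml)
    return {ident: props
            for ident, props in expected_identities(authorizers_xml).items()
            if ident not in present}


def find_unexpected(authorizers_xml, users_xml):
    """Identities in users.xml that no seeding property mentions; these are
    typically leftovers from an earlier seeding of a persisted file."""
    return actual_identities(users_xml) - set(expected_identities(authorizers_xml))


if __name__ == "__main__":
    for ident, props in find_missing(AUTHORIZERS_XML, USERS_XML).items():
        print(f"MISSING in users.xml: {ident!r} (referenced by {', '.join(props)})")
    for ident in sorted(find_unexpected(AUTHORIZERS_XML, USERS_XML)):
        print(f"STALE in users.xml:   {ident!r} (no seeding property mentions it)")
```

Run against the sample documents it reports the admin e-mail address as missing and "CN=admin, OU=NIFI" as a stale entry, which is the state the issue describes; a clean deployment, or one whose auth-conf files were regenerated, produces no output.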
Related: https://github.com/cetic/helm-nifi/pull/166
I recreated the GKE cluster and I was not able to reproduce the issue.