[cetic/nifi] OIDC Untrusted proxy CN=localhost, OU=NIFI

[kyouch]

Hello,

I'm trying to use OIDC with this chart and have been failing getting the error Untrusted proxy CN=localhost, OU=NIFI after successful login in Keycloak.

I noticed that when i use helm template nifi-dev . it spills this: OBS: I removed all the <!-- --> for better visualization

 # Source: nifi/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nifi-dev-nifi-config
  labels:
    app: "nifi"
    chart: "nifi-1.0.6"
    release: "nifi-dev"
    heritage: "Helm"
data:
  authorizers.xml: |
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <authorizers>

        <userGroupProvider>
            <identifier>file-user-group-provider</identifier>
            <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
            <property name="Users File">./auth-conf/users.xml</property>
            <property name="Legacy Authorized Users File"></property>
            <property name="Initial User Identity 0">CN=nifi-dev-0.nifi-dev-headless.default.svc.cluster.local, OU=NIFI</property>
            <property name="Initial User Identity admin">CN=admin, OU=NIFI</property>
        </userGroupProvider>

        <accessPolicyProvider>
            <identifier>file-access-policy-provider</identifier>
            <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
            <property name="User Group Provider">file-user-group-provider</property>
            <property name="Authorizations File">./auth-conf/authorizations.xml</property>
            <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
            <property name="Legacy Authorized Users File"></property>
            <property name="Node Identity 0">CN=nifi-dev-0.nifi-dev-headless.default.svc.cluster.local, OU=NIFI</property>
        </accessPolicyProvider>

        <authorizer>
            <identifier>managed-authorizer</identifier>
            <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
            <property name="Access Policy Provider">file-access-policy-provider</property>
        </authorizer>

    </authorizers>

But after I deploy the chart, enter the pod, enter the container "server" and finally cat /conf/authorizers.xml it prints this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<authorizers>

  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"/>
    <property name="Initial User Identity 1">admin@test.com</property>
  </userGroupProvider>

  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">admin@test.com</property>
    <property name="Legacy Authorized Users File"/>
    <property name="Node Identity 1"/>
    <property name="Node Group"/>
  </accessPolicyProvider>

  <authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>

</authorizers>

I can't seem to figure it out, would appreciate any help.

Thanks, Yann

[kyouch]

I'm trying to see all kinds of logs and trying to figure it out. The logs from the container "user-log" is as follows:

tail: /var/log/nifi-user.log has appeared; following end of new file
2022-05-13 17:02:37,600 INFO [main] o.a.n.a.FileUserGroupProvider Creating new users file at /opt/nifi/nifi-current/./conf/users.xml
2022-05-13 17:02:37,622 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Fri May 13 17:02:37 UTC 2022
2022-05-13 17:02:37,622 INFO [main] o.a.n.a.FileAccessPolicyProvider Creating new authorizations file at /opt/nifi/nifi-current/./conf/authorizations.xml
2022-05-13 17:02:37,624 INFO [main] o.a.n.a.FileAccessPolicyProvider Added mapped node CN=nifi-testing.ddns.net, OU=NIFI (raw node identity CN=nifi-testing.ddns.net, OU=NIFI)
2022-05-13 17:02:37,669 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: admin@test.com
2022-05-13 17:02:37,678 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Fri May 13 17:02:37 UTC 2022
2022-05-13 17:02:44,387 INFO [main] o.a.n.w.s.o.StandardOidcIdentityProvider OpenId Connect: Available clientAuthenticationMethods [private_key_jwt, client_secret_basic, client_secret_post, tls_client_auth, client_secret_jwt] 
2022-05-13 17:04:14,587 INFO [NiFi Web Server-121] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 127.0.0.1 [<admin@test.com><CN=localhost>] GET https://localhost:8443/nifi-api/flow/current-user
2022-05-13 17:04:14,593 WARN [NiFi Web Server-121] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 127.0.0.1 GET https://localhost:8443/nifi-api/flow/current-user [Untrusted proxy CN=localhost]

[wknickless]

@kyouch OIDC does not work with the current released chart (v1.0.4). Pull request #218 is ready for merging and includes OIDC support and testing.

[kyouch]

@wknickless Thank you for your response, I will pull your PR and provide feedback.

[kyouch]

@wknickless Thank you, thank you so much. I've advanced like I've never have before. But, not everything is roses. I've deployed Keycloak, CA from the helm-nifi chart and CM from your Pull Request. I could login in nifi normally with my Initial Admin, but then I created an account in Keycloak and in Nifi with the same email, added the user to a group and added some policies to that account. Then I've logged out and tried to login with that user and got this:

Insufficient Permissions Unknown user with identity 'kyouch@test.com'. Contact the system administrator.

Could you know what may be happening?

[wknickless]

@kyouch LOL I've done exactly the same thing! I'm still learning what each of the NiFi policies do, and have locked myself out of key NiFi functions several times. The lesson I took was to keep the Initial Administrator account untouched and in reserve until everything is fully functional for a different account.

[kyouch]

@wknickless haha, that's amazing. I've never used Nifi before and took an assignment to migrate everything (and update nifi version) to GKE in GCP. Been going crazy with all the new stuff that been happening and thank you very much for your work, you did an incredible job. What was happening was exactly policies, been sniffing around and been doing just fine after giving correct permissions. I thank you again, you did so great! I guess it's enough to close this issue.

[wknickless]

@banzo @zakaria2905 I've added this to the list of issues that will be resolved by merging #218.

[kyouch]

@wknickless heey, I've got some other problem and thought about asking you if you could help me find a path. I've setup CA and CM with your PR and using OIDC with Keycloak. And then I'm trying to use https://github.com/Chaffelson/nipyapi to login and do stuff programatically, if I use nipyapi.security.service_login(service="nifi", username="<myuser>", password="<mypassword>", bool_response=True) i get: DEBUG:nipyapi.nifi.rest:response body: Username/Password login not supported by this NiFi. when I try to login providing username and password

Or if I try to use nipyapi.security.set_service_ssl_context() and pass some keys I've created I get: urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='<myhost>', port=8443): Max retries exceeded with url: /nifi-api/access/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))) I'm probably creating and using the keys wrong in the second case, but I also don't know where/how to create it properly, trying to discover it with google. Would you know any kind of solution? Or maybe how to simulate a login with the redirection and get the token from headers or something?