Nifi cluster Untrusted proxy CN=server2.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR problem

I am trying to build a 3-node cluster where 2 of the nodes are clones of the currently active standalone NiFi node. Firstly I wanted to build a cluster with the 2 clone nodes and then, if everything is OK, I will add the original node as well, but I have some problems and I couldn't find what is wrong with the configurations. My authorizers.xml file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">CN=server2.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
    <property name="Initial User Identity 2">CN=server3.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
</userGroupProvider>

<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">LDAPS</property>

    <property name="Manager DN">CN=mnguser,CN=Users,DC=ABC,DC=gov,DC=tr</property>
    <property name="Manager Password">mngpwd</property>

    <property name="TLS - Keystore">./conf/nifitest2keystore.jks</property>
    <property name="TLS - Keystore Password">nifitest2</property>
    <property name="TLS - Keystore Type">JKS</property>
    <property name="TLS - Truststore">./conf/nifitest2truststore.jks</property>
    <property name="TLS - Truststore Password">nifitest2</property>
    <property name="TLS - Truststore Type">JKS</property>
    <property name="TLS - Client Auth">WANT</property>
    <property name="TLS - Protocol">TLS</property>
    <property name="TLS - Shutdown Gracefully">true</property>

    <property name="Referral Strategy">FOLLOW</property>
    <property name="Connect Timeout">10 secs</property>
    <property name="Read Timeout">10 secs</property>

    <property name="Url">ldaps://ldaps.abc.tr:636</property>
    <property name="Page Size">500</property>
    <property name="Sync Interval">30 mins</property>
    <property name="Group Membership - Enforce Case Sensitivity">false</property>

    <property name="User Search Base">CN=Users,DC=ABC,DC=gov,DC=tr</property>
    <property name="User Object Class">person</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(cn=*)</property>
    <property name="User Identity Attribute">cn</property>
    <property name="User Group Name Attribute">memberOf</property>
    <property name="User Group Name Attribute - Referenced Group Attribute"></property>

    <property name="Group Search Base">CN=Users,DC=ABC,DC=gov,DC=tr</property>
    <property name="Group Object Class">group</property>
    <property name="Group Search Scope">ONE_LEVEL</property>
    <property name="Group Search Filter">(cn=*)</property>
    <property name="Group Name Attribute">cn</property>
    <property name="Group Member Attribute">member</property>
    <property name="Group Member Attribute - Referenced User Attribute"></property>
</userGroupProvider>


<userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
    <property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider>

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">ldap-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">mnguser</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node  Identity 1">CN=server2.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
    <property name="Node  Identity 2">CN=server3.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
    <property name="Node Group"></property>
</accessPolicyProvider>

<authorizer>
    <identifier>managed-authorizer</identifier>
    <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
    <property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
**My authorizations.xml file** (I had to add the /proxy lines; I don't know why they are not automatically created):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
    <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="0005d80d-a6e9-33a9-b9c2-b76af02a0b77" resource="/data/process-groups/9860c729-017c-1000-a6ce-771f96f0e174" action="R">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="c9813a3f-eb39-30f7-a509-5fc2022ce53e" resource="/data/process-groups/9860c729-017c-1000-a6ce-771f96f0e174" action="W">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="5cd4342d-4988-37d0-b37e-d223e3fd46aa" resource="/process-groups/9860c729-017c-1000-a6ce-771f96f0e174" action="R">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="1c18b17c-1596-3bd1-92c7-7b5025cbdfb3" resource="/process-groups/9860c729-017c-1000-a6ce-771f96f0e174" action="W">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="efeb048a-a6ce-3e7d-89c2-9fd2417b8059" resource="/proxy" action="R">
        <user identifier="adec56c1-29ed-30f0-af36-10c513b1d843"/>
        <user identifier="b2f95239-353c-3a12-80ab-2b2112da1b98"/>
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
    <policy identifier="20a75180-0463-393f-9bc6-b6dee87c174f" resource="/proxy" action="W">
        <user identifier="adec56c1-29ed-30f0-af36-10c513b1d843"/>
        <user identifier="b2f95239-353c-3a12-80ab-2b2112da1b98"/>
        <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555"/>
    </policy>
</policies>
</authorizations>

My users.xml file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups/>
<users>
    <user identifier="dbd82ce3-7330-3f75-b201-bcc00c0bc555" identity="k016416"/>
    <user identifier="adec56c1-29ed-30f0-af36-10c513b1d843" identity="CN=server2.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR"/>
    <user identifier="b2f95239-353c-3a12-80ab-2b2112da1b98" identity="CN=server3.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR"/>
</users>
</tenants>

I also created a keystore and truststore per node with the certificates CN=server2.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR / CN=server3.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR.

When I tried to start NiFi, here are some of my logs. The original standalone node was connected to NiFi Registry, so these clones had some errors about that too, but in my opinion that's not the real issue.

nifi-user.log:

2022-04-28 14:40:57,861 WARN [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.255.1.213 GET https://server2.abc.tr:8443/nifi-api/flow/current-user [Untrusted proxy CN=server2.abc.tr, O=TCMB, L=Ankara, ST=Ankara, C=TR]

Lastly, my browser UI:

[screenshot of the browser UI]

Thanks for your help in advance.
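An added consistency check, written here as an illustration (it is not code from the question or from NiFi): it reads the three files and reports, for each Node Identity in authorizers.xml, whether the identical string exists in users.xml and is granted write on /proxy. NiFi compares identity strings exactly (after any nifi.security.identity.mapping.* rules in nifi.properties), so a DN written with spaces after the commas and the same DN written without them are two different users, and a property name that is not exactly "Node Identity N" is silently ignored. The three XML documents are constructed, trimmed-down stand-ins for the files above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed-down stand-ins for the three files in the question (not the poster's real files).
AUTHORIZERS_XML = """<authorizers><accessPolicyProvider>
  <property name="Node Identity 1">CN=server2.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
  <property name="Node Identity 2">CN=server3.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
  <property name="Node  Identity 3">CN=server4.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR</property>
</accessPolicyProvider></authorizers>"""
USERS_XML = """<tenants><groups/><users>
  <user identifier="u1" identity="CN=server2.abc.tr,O=ABC,L=Ankara,ST=Ankara,C=TR"/>
  <user identifier="u2" identity="CN=server3.abc.tr, O=ABC, L=Ankara, ST=Ankara, C=TR"/>
</users></tenants>"""
AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p1" resource="/proxy" action="W"><user identifier="u1"/></policy>
</policies></authorizations>"""

STRICT_NAME = re.compile(r"Node Identity \d+")      # the property name NiFi actually looks for
LOOSE_NAME = re.compile(r"Node\s+Identity\s*\d+")   # also catches double spaces / wrapped names

def normalize_dn(dn):
    """Heuristic canonical form used only to spot near-misses: trim spaces around RDNs, upper-case keys."""
    rdns = (part.strip().split("=", 1) for part in dn.split(","))  # escaped commas not handled
    return ",".join(f"{k.strip().upper()}={v.strip()}" for k, v in rdns)

def audit(authorizers_xml, users_xml, authorizations_xml):
    """Return (identity, finding) pairs for every Node Identity property in authorizers.xml."""
    users = {u.get("identity"): u.get("identifier") for u in ET.fromstring(users_xml).iter("user")}
    proxy_writers = {u.get("identifier")
                     for pol in ET.fromstring(authorizations_xml).iter("policy")
                     if pol.get("resource") == "/proxy" and pol.get("action") == "W"
                     for u in pol.iter("user")}
    findings = []
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        name, dn = prop.get("name", ""), (prop.text or "").strip()
        if not LOOSE_NAME.fullmatch(name):
            continue
        if not STRICT_NAME.fullmatch(name):          # e.g. "Node  Identity 3": NiFi ignores it
            findings.append((dn, f"property name {name!r} is malformed, expected 'Node Identity N'"))
        elif dn not in users:                        # exact string match is what NiFi does
            near = [u for u in users if normalize_dn(u) == normalize_dn(dn)]
            findings.append((dn, f"not in users.xml; differs only in spacing/case from {near[0]!r}"
                             if near else "not in users.xml"))
        elif users[dn] not in proxy_writers:
            findings.append((dn, "in users.xml but not granted write on /proxy"))
        else:
            findings.append((dn, "ok"))
    return findings
```

Run `audit(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML)` against copies of the real files to see which of the three conditions each node identity fails; the log line's DN ("Untrusted proxy CN=...") must appear verbatim as a users.xml identity with /proxy write.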



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source