Receiving an untrusted proxy message when trying to set up a secure NIFI cluster

I am using nifi V-1.3 and trying to install a 3 node secure NIFI cluster.

I added all the required properties, I can see nodes sending heartbeats in logs in all nodes, but on screen, I get Untrusted proxy for all nodes. screen shot.

Error log like NiFiAuthenticationFilter Web api access denied : Invalid proxy CN = hostname

Can you tell me if anyone is winning.

Thanks.

Find the nifi properties below:

<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">Mathes@example.com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=node1@example.com, OU=NIFI</property>
    <property name="Node Identity 2">CN=CN=node2@example.com, OU=NIFI</property>
    <property name="Node Identity 3">CN=CN=node3@example.com, OU=NIFI</property>
</authorizer>

      


2 answers


It looks like your node proxy values might be wrong. You have an extra CN= in the DN.

Edit

<property name="Node Identity 1">CN=node1@example.com, OU=NIFI</property>
<property name="Node Identity 2">CN=CN=node2@example.com, OU=NIFI</property>
<property name="Node Identity 3">CN=CN=node3@example.com, OU=NIFI</property>

      



to

<property name="Node Identity 1">CN=node1@example.com, OU=NIFI</property>
<property name="Node Identity 2">CN=node2@example.com, OU=NIFI</property>
<property name="Node Identity 3">CN=node3@example.com, OU=NIFI</property>

      

If you look at the full output of the logs/nifi-app.log and logs/nifi-user.log stacktrace, you should be able to see the provided hostname in the connection and compare it with the actual DN of the certificates provided.



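The comparison suggested in the answer above, as an added example that is not part of the original post or of NiFi itself: it reads the Node Identity properties from the authorizer block, flags any DN with a doubled attribute prefix, and checks each identity against the certificate subject DNs. The certificate DN list is constructed sample data, the function names are hypothetical, and exact string matching of identities is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the authorizer block from the question (values as posted).
AUTHORIZERS_XML = """
<authorizer>
    <property name="Initial Admin Identity">Mathes@example.com</property>
    <property name="Node Identity 1">CN=node1@example.com, OU=NIFI</property>
    <property name="Node Identity 2">CN=CN=node2@example.com, OU=NIFI</property>
    <property name="Node Identity 3">CN=CN=node3@example.com, OU=NIFI</property>
</authorizer>
"""

# Constructed sample: subject DNs as they would be read from each node's certificate.
CERT_SUBJECT_DNS = [f"CN=node{i}@example.com, OU=NIFI" for i in (1, 2, 3)]

# An attribute value that itself starts with "TYPE=" means the prefix was typed twice.
DOUBLED_PREFIX = re.compile(r"^\s*([A-Za-z]+)=\s*[A-Za-z]+=")


def node_identities(xml_text):
    """Return {property name: DN} for every 'Node Identity N' property."""
    root = ET.fromstring(xml_text)
    return {
        p.get("name"): (p.text or "")
        for p in root.iter("property")
        if re.fullmatch(r"Node Identity \d+", p.get("name", ""))
    }


def check_identities(xml_text, cert_dns):
    """Return {property name: [problems]} for identities that cannot match a certificate."""
    findings = {}
    for name, dn in node_identities(xml_text).items():
        problems = []
        for rdn in dn.split(","):  # simple split; assumes no escaped commas in the DN
            if DOUBLED_PREFIX.match(rdn):
                problems.append(f"doubled attribute prefix in '{rdn.strip()}'")
        if dn not in cert_dns:  # assumption: identities are compared as exact strings
            problems.append("no certificate subject DN equals this identity")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for prop, problems in check_identities(AUTHORIZERS_XML, CERT_SUBJECT_DNS).items():
        print(prop, "->", "; ".join(problems))
```
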
I had the same problem and my workaround was like this:

Edit the nifi.properties mapping so that when you try to connect to nifi using a certificate, it maps you to the original admin user:

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)
nifi.security.identity.mapping.value.dn=<Initial Admin Identity>, OU=

      



Then you have to edit the authorizations.xml file and add this line:

<policy identifier="nifi-cluster-write" resource="/proxy" action="W">
        <user identifier="HASH OF INITIAL ADMIN"/>
</policy>

      

Obviously the problem is that the original administrator identity does not have a "/proxy" policy.
