Receiving an untrusted proxy message when trying to set up a secure NIFI cluster
I am using nifi V-1.3 and trying to install a 3 node secure NIFI cluster.
I added all the required properties, I can see nodes sending heartbeats in logs in all nodes, but on screen, I get Untrusted proxy for all nodes.
Error log like NiFiAuthenticationFilter Web api access denied : Invalid proxy CN = hostname
Can you tell me if anyone is winning.
Thanks.
Find the nifi properties below:
<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">Mathes@example.com</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=node1@example.com, OU=NIFI</property>
    <property name="Node Identity 2">CN=CN=node2@example.com, OU=NIFI</property>
    <property name="Node Identity 3">CN=CN=node3@example.com, OU=NIFI</property>
</authorizer>
It looks like your node proxy values might be wrong. You have an extra CN= in the DN.
Edit
<property name="Node Identity 1">CN=node1@example.com, OU=NIFI</property>
<property name="Node Identity 2">CN=CN=node2@example.com, OU=NIFI</property>
<property name="Node Identity 3">CN=CN=node3@example.com, OU=NIFI</property>
to
<property name="Node Identity 1">CN=node1@example.com, OU=NIFI</property>
<property name="Node Identity 2">CN=node2@example.com, OU=NIFI</property>
<property name="Node Identity 3">CN=node3@example.com, OU=NIFI</property>
If you look at the full output of the logs/nifi-app.log and logs/nifi-user.log stacktrace, you should be able to see the provided hostname in the connection and compare it with the actual DN of the certificates provided.
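The comparison described in the answer above, as an added example that is not part of the original answer: it reads the Node Identity entries from the authorizer block and checks them against the subject DNs of the node certificates. The sample XML and DN list are constructed from the question, the function names are hypothetical, and exact string matching between a Node Identity and a certificate DN is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Node Identity entries from the question.
AUTHORIZER_XML = """<authorizer>
    <identifier>file-provider</identifier>
    <property name="Node Identity 1">CN=node1@example.com, OU=NIFI</property>
    <property name="Node Identity 2">CN=CN=node2@example.com, OU=NIFI</property>
    <property name="Node Identity 3">CN=CN=node3@example.com, OU=NIFI</property>
</authorizer>"""

# Constructed sample: subject DNs as read from each node's certificate.
CERT_DNS = [f"CN=node{i}@example.com, OU=NIFI" for i in (1, 2, 3)]

def node_identities(xml_text):
    """Return {property name: DN} for every non-empty Node Identity property."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.text.strip()
            for p in root.iter("property")
            if p.get("name", "").startswith("Node Identity") and (p.text or "").strip()}

def rdn_problem(dn):
    """Heuristic syntax check; naive comma split, escaped commas not handled."""
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if not sep or not key or not value:
            return f"malformed RDN '{rdn.strip()}'"
        if re.match(r"[A-Za-z]+=", value):
            return f"value of {key} starts with another attribute prefix"
    return None

def audit(xml_text, cert_dns):
    """List (subject, problem) pairs; an empty list means config and certs agree."""
    ids = node_identities(xml_text)
    findings = []
    for name, dn in ids.items():
        problem = rdn_problem(dn)
        if problem is None and dn not in cert_dns:  # assumed: exact string match
            problem = "no node certificate has this DN"
        if problem:
            findings.append((name, problem))
    for dn in cert_dns:
        if dn not in ids.values():
            findings.append((dn, "certificate DN is not listed as a Node Identity"))
    return findings

if __name__ == "__main__":
    for subject, problem in audit(AUTHORIZER_XML, CERT_DNS):
        print(f"{subject}: {problem}")
```
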
I had the same problem and my workaround was like this:
Edit the nifi.properties mapping so that when you try to connect to nifi using a certificate, it maps you to the original admin user:
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)
nifi.security.identity.mapping.value.dn=<Initial Admin Identity>, OU=
Then you have to edit the authorizations.xml file and add this line:
<policy identifier="nifi-cluster-write" resource="/proxy" action="W">
    <user identifier="HASH OF INITIAL ADMIN"/>
</policy>
Obviously the problem is that the original administrator identity does not have a "/proxy" policy.