mathes

Reputation: 343

Getting untrusted proxy message while trying to setup secure NIFI cluster

I am using nifi V-1.3, and trying to setup 3 node secure NIFI cluster.

I have added all the required properties, and I can see the nodes sending heartbeats in the logs on all of the nodes, but on screen I'm getting an Untrusted proxy message for all nodes. Error screenshot attached.

The error log shows: NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=hostname

Could you please tell me if anybody has overcome this?

Thanks.

Find the nifi properties below:

<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="AuthorizationsFile">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">[email protected]</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">[email protected], OU=NIFI</property>
    <property name="Node Identity 2">[email protected], OU=NIFI</property>
    <property name="Node Identity 3">[email protected], OU=NIFI</property>
</authorizer>

Upvotes: 4

Views: 2315

Answers (2)

Nico Osorio

Reputation: 101

I had the same problem and my workaround was this:

Edit the nifi.properties mapping so that when you try to connect to NiFi using a certificate it maps you to the initial admin user:

nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)
nifi.security.identity.mapping.value.dn=<Initial Admin Identity>, OU=

Then you have to edit the authorizations.xml and add this line:

<policy identifier="nifi-cluster-write" resource="/proxy" action="W">
        <user identifier="HASH OF INITIAL ADMIN"/>
</policy>

Apparently the problem is that the initial admin identity does not have the "/proxy" policy.

Upvotes: 2

Andy

Reputation: 14194

It appears that your proxy node values may be incorrect. You have an extra CN= in the DN.

Change

<property name="Node Identity 1">[email protected], OU=NIFI</property>
<property name="Node Identity 2">[email protected], OU=NIFI</property>
<property name="Node Identity 3">[email protected], OU=NIFI</property>

to

<property name="Node Identity 1">[email protected], OU=NIFI</property>
<property name="Node Identity 2">[email protected], OU=NIFI</property>
<property name="Node Identity 3">[email protected], OU=NIFI</property>

If you examine the complete logs/nifi-app.log and logs/nifi-user.log stacktrace output, you should be able to see the provided hostname on the connection and compare this with the actual DN of the certificates you have provided.

Upvotes: 1
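Both answers come down to the same two checks: the DN that the rejected node presents must appear as a Node Identity, and that identity must hold write access on the /proxy resource in authorizations.xml. The script below is an added example, not code from either answer or from NiFi; it audits constructed sample copies of authorizers.xml, users.xml and authorizations.xml against a log line in the shape the question quotes (all file contents, hostnames and identifiers are made up). It reads the generated users.xml/authorizations.xml rather than only the authorizer block because the FileAuthorizer uses the Node Identity properties only to seed those files on first start.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (hostnames and identifiers are invented).
AUTHORIZERS_XML = """<authorizers><authorizer>
  <identifier>file-provider</identifier>
  <property name="Node Identity 1">CN=nifi-node1.example.test, OU=NIFI</property>
  <property name="Node Identity 2">CN=nifi-node2.example.test, OU=NIFI</property>
</authorizer></authorizers>"""
USERS_XML = """<tenants><users>
  <user identifier="u1" identity="CN=nifi-node1.example.test, OU=NIFI"/>
  <user identifier="u2" identity="CN=nifi-node2.example.test, OU=NIFI"/>
</users></tenants>"""
AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p1" resource="/proxy" action="W"><user identifier="u1"/></policy>
</policies></authorizations>"""
# Constructed log line in the shape quoted in the question.
LOG_LINE = ("NiFiAuthenticationFilter Rejecting access to web api: "
            "Untrusted proxy CN=nifi-node2.example.test, OU=NIFI")

def node_identities(authorizers_xml):
    """DNs listed as 'Node Identity N' properties of the authorizer."""
    root = ET.fromstring(authorizers_xml)
    return [p.text.strip() for p in root.iter("property")
            if p.get("name", "").startswith("Node Identity")]

def proxy_writers(users_xml, authorizations_xml):
    """Identities that hold write access on /proxy, resolving user identifiers via users.xml."""
    ids = {u.get("identifier"): u.get("identity")
           for u in ET.fromstring(users_xml).iter("user")}
    writers = set()
    for pol in ET.fromstring(authorizations_xml).iter("policy"):
        if pol.get("resource") == "/proxy" and "W" in pol.get("action", ""):
            writers.update(ids.get(u.get("identifier"), "?") for u in pol.iter("user"))
    return writers

def rejected_dn(log_line):
    """DN named in an 'Untrusted proxy' rejection, or None if the line is not one."""
    m = re.search(r"Untrusted proxy (.+)$", log_line)
    return m.group(1).strip() if m else None

def audit(authorizers_xml, users_xml, authorizations_xml, log_line):
    """Findings an operator should fix before the cluster nodes can proxy requests."""
    findings = []
    nodes = node_identities(authorizers_xml)
    writers = proxy_writers(users_xml, authorizations_xml)
    for dn in nodes:
        if dn not in writers:
            findings.append(f"{dn}: listed as Node Identity but lacks /proxy write")
    dn = rejected_dn(log_line)
    if dn and dn not in nodes:
        findings.append(f"{dn}: rejected DN is not a configured Node Identity (compare with the certificate subject)")
    return findings
```

In the sample, node2 is configured as a Node Identity but has no /proxy write policy, so the audit reports exactly that; a DN mismatch such as the extra CN= Andy describes would surface as the second kind of finding.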
