Setup authorizers.xml for secured Nifi server - https

I am trying to set up simple HTTPS security using certificates for my NiFi server. I am able to set up the secure connection by setting
nifi.security.keystore=.../nifiuser.jks and installing certificates etc.
When I access it through the Web UI, I get:
No applicable policies could be found. Contact the system administrator.
I think I need to configure "authorizers.xml" but I don't know how. I just want "nifiuser" to have all admin rights.
Please help! Thank you

There are a lot of docs and posts that describe how to do this:
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizer-configuration
https://bryanbende.com/development/2018/10/23/apache-nifi-secure-cluster-setup
https://pierrevillard.com/2016/11/29/apache-nifi-1-1-0-secured-cluster-setup/

Related

How to use anything but Google Shell or Web browser when oauth2.googleapis.com is blacklisted (not sure about this)?

I cannot connect to Google services from a client application if it is trying to communicate with oauth2.googleapis.com (which is probably blocked in my corporate network - I don't know how to test it for sure).
I tried BigQuery with the JDBC driver in DBeaver, with basic settings.
User-based login does this:
It generates a link for OAuth. I open the browser and log in with the right Google account. Then I insert the generated code into DBeaver and I receive a message that AUTH has failed.
Service-based login does this:
It does not want me to visit any webpage. It just tells me:
[Simba][BigQueryJDBCDriver](100004) HttpTransport IO error : oauth2.googleapis.com.
I also tried to use ODBC, where PROXY can be filled in. But no luck.
When I take a look into 'Proxy Options' the proxy port is always rewritten by the proxy host. Weird.
This is what happens when I click on the 'catalog' or 'dataset' drop-down field. I can't do any further steps.
BUT!
When I set my HTTP PROXY in the GCLOUD CLI APP then communication works. And I can call BQ from it.
Does it mean that GCLOUD communicates through the HTTP proxy and DBeaver or ODBC does not? Or does it mean that GCLOUD does not need oauth2.googleapis.com but ODBC and JDBC do and it is blacklisted? I am confused.
We need to migrate from our internal environment to GCP. We would love to use various applications. I would ask for whitelisting oauth2.googleapis.com but I am not sure this is the only problem as the GCLOUD app works without any flaws.
I am not experienced with networking so I am more than happy to update / correct this question or add any info (if you need) to help me understand this issue. Thank you

According to your description, your corporate network is using a proxy to reach the Internet; this is the reason why gcloud is able to reach the BigQuery service when proxy settings are configured in your system, through the Cloud SDK proxy settings or the HTTP PROXY environment variable.
You need to set up the proxy settings within the JDBC connection string as described in the Simba JDBC driver documentation, e.g.:
jdbc:bigquery:DataSetId=MyDataSetId;ProjectId=MyProjectId;OAuthType=1;ProxyHost=MyProxyHost;ProxyPort=MyProxyPort;ProxyUID=MyProxyUsername;ProxyPWD=MyProxyPassword
This connection string will indicate the Proxy settings to Simba JDBC driver.

Unable to login in Jelastic intellij plugin

I tried to set up Jelastic cloud in the IntelliJ IDEA plugin but cannot log in.
I have checked carefully that my credentials are correct; I can log in in the browser but not in IntelliJ IDEA.
In the Jelastic provider field, it says "Unable to get provider list."
Also it is not clear what to provide in Custom host.
I have followed the instructions: https://docs.jelastic.com/idea-plugin
Has anyone had a similar issue?

Most probably you have two-factor authentication enabled; in this case a dedicated IDE Plugins access token should be used instead of the password. Please check the note in the documentation.

Windows Authentication issue in JMeter

I am currently doing load testing of a website using JMeter. This website uses Windows authentication. Because of this, I need to pass login credentials to the server.
How do I configure JMeter to log in to the server using Windows authentication?
I came to know that for Windows authentication we need to use the HTTP Authorization Manager above the HTTP Request element.
This is the input I have given in the HTTP Authorization Manager:
Base url: Website URL
username: Username
password: password
I am still not able to resolve the issue. It would be great if someone could help me in resolving the above issue in JMeter.

For Windows authentication types you need to provide at least:
  for NTLM: Domain
  for Kerberos:
    Realm
    Kerberos mechanism
    Perform JAAS configuration in krb5.conf and jaas.conf files (both in /bin folder of your JMeter installation)
See Windows Authentication with Apache JMeter guide for configuration details.

Add the sql_auth dll into the JRE\bin folder. This solves the problem and makes JMeter run the SQL queries with integrated security.

Secure Oozie Web Console not working from my Windows machine

I have set up a secure (Kerberos) Oozie environment in CentOS 6.3 using CDH 4.1.2. I am able to view the Oozie web console from the CentOS machine which is hosted on the server. But is there a way to view the web console from my local Windows machine?
I have tried creating an HTTP principal with my Windows machine as hostname. I am able to get a valid ticket for the HTTP principal. But when I open the Oozie Web Console, I get the following error:
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Am I missing something? Help me, guys.
Thanks,
Vishnu Ganth

This error occurs because your browser sends a request for NTLM authentication instead of Kerberos.
In Internet Explorer, follow the steps below:
  Go to Internet Options.
  In the Security tab, select Local intranet.
  Click Custom Level below and make sure "Automatic logon only in Intranet zone" is selected under the User Authentication section.
  In Internet Options, select the Advanced tab and make sure "Enable Integrated Windows Authentication" is selected under the Security section.
Once the above steps are done, it will work in both Internet Explorer and Google Chrome.

If you are accessing it from across realms, your Windows-based clients should know the KDC location to create a proper SPNEGO token. You need to either create a separate policy in your AD for that type of user, or you can manually add mappings from the command line to the client machine's registry so that it knows about your Hadoop realm KDC:
ksetup /addkdc HADOOP.DOMAIN.COM hadoop.nodewithkdc.com
ksetup /addhosttorealmmap hadoop.nodewithkdc.com HADOOP.DOMAIN.COM

Intranet website authentication using windows logon

I'm building an internal website in Perl and I would like to get it to use Windows credentials for authentication. My research so far has turned up a lot of keywords: Kerberos, LDAP, NTLM, etc, but no solid information. Anyone got pointers or good tutorials?
Thanks.

Are your servers part of a Microsoft Active Directory?
Active Directory is LDAP-compliant. Therefore, you can set up LDAP to authenticate your users.
Are you using Apache? If so, there is a module that allows you to authenticate to an Active Directory directory: mod_auth_sspi
Finally, Microsoft has created Active Directory Service Interfaces (ADSI) to solve these types of problems. There is a lot of information at MSDN. For example, this is how the open-source Hudson CI server authenticates to Active Directory.
I hope one of these suggestions helps you.

We've been using Mod NTLM for Apache. It fetches the Windows credentials of the user logged in. But you're probably not interested in the SSO?
http://modntlm.sourceforge.net/

I've been looking into this topic myself. I'm still not sure what the right answer is because the topic is out of my domain of knowledge & experience. But here are some possibilities that I've come up with by searching the Internet:
  An Apache LDAP module: http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
  A Perl module for Apache LDAP authentication: Apache2::AuthNetLDAP
  NT authentication using an Apache Perl module: Apache2::AuthenSmb
  Using NIS for Apache user authentication: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html#NIS
  An article describing Active Directory authentication using Apache: http://www.le.ac.uk/cc/sh23/adldap.html
  An open source Active Directory solution from a business: http://www.likewise.com/

For Tomcat on Windows you can use Waffle, both SSO and form-based/basic/digest auth.
