helm-nifi
[cetic/nifi] Untrusted proxy using OIDC integration in cluster mode
Describe the bug
Using Helm NiFi v1.1.1, I deployed NiFi in cluster mode with 3 nodes. I configured NiFi to use Keycloak for user authentication. All certificates are generated and injected in each node. After the login on Keycloak, the NiFi UI shows an "Untrusted proxy" error.
Searching on Google I found some posts that helped me to solve the issue. In the values.yaml I added:
properties:
  safetyValve:
    nifi.security.identity.mapping.pattern.dn: CN=([^,]*)(?:, (?:O|OU)=.*)?
    nifi.security.identity.mapping.value.dn: \$1
    nifi.security.identity.mapping.transform.dn: NONE
In statefulset.yaml, I added the following section:
{{- if .Values.auth.oidc.enabled }}
# Drop the chart's single default node identity; one entry per replica is added below.
xmlstarlet ed --inplace --delete "authorizers/accessPolicyProvider/property[@name='Node Identity 1']" "${NIFI_HOME}/conf/authorizers.xml"
{{ range untilStep 0 (int .Values.replicaCount) 1 }}
# Register pod {{ . }}'s certificate DN as a trusted cluster node (accessPolicyProvider)...
xmlstarlet ed --inplace \
  --subnode "authorizers/accessPolicyProvider" --type 'elem' -n 'property' \
  --value "CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.certManager.clusterDomain }}, OU=NIFI" \
  --insert "authorizers/accessPolicyProvider/property[not(@name)]" --type attr -n name \
  --value "Node Identity {{ . }}" \
  "${NIFI_HOME}/conf/authorizers.xml"
# ...and as an initial user so the identity exists in the user group provider.
xmlstarlet ed --inplace \
  --subnode "authorizers/userGroupProvider" --type 'elem' -n 'property' \
  --value "CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.certManager.clusterDomain }}, OU=NIFI" \
  --insert "authorizers/userGroupProvider/property[not(@name)]" --type attr -n name \
  --value "Initial User Identity {{ . }}" \
  "${NIFI_HOME}/conf/authorizers.xml"
{{/* range untilStep 0 (int .Values.replicaCount ) 1 */}}{{ end }}
{{- end }}
Is it possible to add this section to the official repo? Can I create a pull request?
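An "Untrusted proxy" error means the identity NiFi derives from a node's client certificate is not one of the Node Identity entries in authorizers.xml, after the identity mapping rules have been applied to both. The following check is an added example, not code from the issue or from the cetic/helm-nifi chart: it reproduces NiFi's identity-mapping semantics (whole-string match, `$N` group references, NONE/LOWER/UPPER transform) in Python, applies the same mapping to the certificate DNs and to the authorizers.xml entries, and reports any node whose mapped identity is missing. The release name "nifi", the namespace "nifi", the cluster domains and the XML fragment are constructed sample data; it also assumes NiFi reads the replacement value as `$1`, the backslash in the values.yaml being shell escaping only.

```python
import re
import xml.etree.ElementTree as ET

# Mapping rule as configured in the issue's values.yaml. The YAML carries "\$1"
# so the shell that writes nifi.properties keeps the "$"; NiFi itself sees "$1"
# (assumption about how the chart renders safetyValve entries).
MAPPING_PATTERN = r"CN=([^,]*)(?:, (?:O|OU)=.*)?"
MAPPING_VALUE = "$1"
MAPPING_TRANSFORM = "NONE"


def map_identity(identity, pattern=MAPPING_PATTERN, value=MAPPING_VALUE,
                 transform=MAPPING_TRANSFORM):
    """Apply one nifi.security.identity.mapping.* rule to an identity string.

    Mirrors NiFi: the pattern must match the whole identity; the value may use
    Java-style $1, $2, ... group references; the transform is NONE, LOWER or
    UPPER. An identity the pattern does not fully match is returned unchanged,
    which is why a DN with an unexpected attribute (e.g. C=US) stays a full DN.
    """
    if re.fullmatch(pattern, identity) is None:
        return identity
    # Translate $N back-references into Python's \g<N> replacement syntax.
    py_value = re.sub(r"\$(\d+)", r"\\g<\1>", value)
    mapped = re.sub(pattern, py_value, identity)
    if transform == "LOWER":
        return mapped.lower()
    if transform == "UPPER":
        return mapped.upper()
    return mapped


def configured_node_identities(authorizers_xml):
    """Return the set of 'Node Identity N' values from an authorizers.xml
    document, passed through the same mapping NiFi applies to them."""
    root = ET.fromstring(authorizers_xml)
    identities = set()
    for prop in root.iter("property"):
        name = prop.get("name", "")
        if name.startswith("Node Identity") and prop.text and prop.text.strip():
            identities.add(map_identity(prop.text.strip()))
    return identities


def untrusted_nodes(node_cert_dns, authorizers_xml):
    """Certificate DNs whose mapped identity is not a configured Node Identity.
    Requests proxied by such a node are rejected as coming from an untrusted
    proxy, which is the symptom reported in the issue."""
    trusted = configured_node_identities(authorizers_xml)
    return [dn for dn in node_cert_dns if map_identity(dn) not in trusted]


# Constructed sample: authorizers.xml after the xmlstarlet edits for a
# 3-replica release named "nifi" in namespace "nifi" (names are assumptions).
SAMPLE_AUTHORIZERS_XML = """<authorizers>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="Node Identity 0">CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
    <property name="Node Identity 1">CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
    <property name="Node Identity 2">CN=nifi-2.nifi-headless.nifi.svc.cluster.local, OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>
"""

# Constructed sample: subject DNs of the three node certificates. The third
# was issued under a different cluster domain than the chart rendered, so its
# mapped identity will not be found.
SAMPLE_NODE_DNS = [
    "CN=nifi-0.nifi-headless.nifi.svc.cluster.local, OU=NIFI",
    "CN=nifi-1.nifi-headless.nifi.svc.cluster.local, OU=NIFI",
    "CN=nifi-2.nifi-headless.nifi.svc.example.internal, OU=NIFI",
]


if __name__ == "__main__":
    for dn in SAMPLE_NODE_DNS:
        print(f"{dn!r} -> {map_identity(dn)!r}")
    print("untrusted:", untrusted_nodes(SAMPLE_NODE_DNS, SAMPLE_AUTHORIZERS_XML))
```

Run it against the DNs actually present in the node keystores (for example from `keytool -list -v`) and the rendered authorizers.xml from a pod; a non-empty result names the node whose certificate or Node Identity entry needs to be corrected before the "Untrusted proxy" error will go away.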