Tags: jwt, ldap, token, apache-nifi

User cannot log into NiFi 1.21.0 cluster with a token error


I installed a nifi 1.21.0 cluster with ldap authentication in k8s. Upon start-up, 3 zk instances are started; then, if I only start a single nifi container, user login via ldap works OK. However, if I start more than one nifi and then try to log in from the web GUI, I get the following errors:

Unauthorized error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Some configurations related to security and web:

grep security  ../conf/nifi.properties 
    # security properties #
    nifi.security.keystore=/opt/nifi/nifi-current/cert/keystore.jks
    nifi.security.keystoreType=jks
    nifi.security.keystorePasswd=############
    nifi.security.keyPasswd=############
    nifi.security.truststore=/opt/nifi/nifi-current/cert/truststore.jks
    nifi.security.truststoreType=jks
    nifi.security.truststorePasswd=############
    nifi.security.user.authorizer=file-provider
    nifi.security.user.login.identity.provider=ldap-provider
    nifi.security.needClientAuth=
    nifi.security.user.knox.url=
    nifi.security.user.knox.publicKey=
    nifi.security.user.knox.cookieName=hadoop-jwt
    nifi.security.user.knox.audiences=
    # nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
    # nifi.security.identity.mapping.value.dn=$1@$2
    # nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
    # nifi.security.identity.mapping.value.kerb=$1@$2
    

 grep web  ../conf/nifi.properties 
    # web properties #
    nifi.web.war.directory=./lib
    nifi.web.https.host=0.0.0.0
    nifi.web.https.network.interface.default=
    nifi.web.https.port=9443
    nifi.web.http.host=
    nifi.web.http.network.interface.default=eth0
    nifi.web.jetty.working.directory=./work/jetty
    nifi.web.jetty.threads=200
    nifi.web.proxy.host=############
    nifi.web.proxy.context.path=/nifi,/nifi-api
    nifi.web.max.header.size=16 KB
    nifi.web.http.network.interface.lo=lo

Can you please give me some pointers on where to look and what to change?
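The error text in the question ("no matching key(s) found") is what a verifier reports when the `kid` in a signed JWT points at a key it does not hold. In a cluster where every node signs the tokens it issues with its own key, a load balancer without session affinity will sooner or later hand a token issued by one node to another node that cannot verify it. The following is an added illustration of that mechanism, not code from the original post or from the NiFi project: a minimal HS256 JWT signer/verifier with per-node keys (the node, key and cookie names are constructed for the example), and a simulation of round-robin versus sticky routing.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Node:
    """One cluster member (constructed model, not NiFi's implementation).

    Each node generates its own signing key at start-up and only trusts
    tokens whose `kid` header names a key it holds.
    """

    def __init__(self, name: str):
        self.name = name
        self.kid = f"{name}-key"                      # constructed key id
        self.keys = {self.kid: secrets.token_bytes(32)}

    def issue_token(self, subject: str) -> str:
        """Sign an HS256 JWT for a logged-in subject with this node's key."""
        header = {"alg": "HS256", "typ": "JWT", "kid": self.kid}
        payload = {"sub": subject, "iss": self.name}
        signing_input = (
            _b64url(json.dumps(header, separators=(",", ":")).encode())
            + "."
            + _b64url(json.dumps(payload, separators=(",", ":")).encode())
        )
        sig = hmac.new(self.keys[self.kid], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def verify_token(self, token: str) -> dict:
        """Return the payload if the token verifies, else raise ValueError
        with a reason modelled on the error message in the question."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed JWT")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            raise ValueError("Another algorithm expected")
        key = self.keys.get(header.get("kid"))
        if key is None:
            # The token was signed by a key this node never saw.
            raise ValueError("no matching key(s) found")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("signature mismatch")
        return json.loads(_b64url_decode(payload_b64))


def simulate(sticky: bool, requests: int = 4) -> list:
    """Log in on node 0, then replay the token across `requests` API calls.

    sticky=False models a balancer that alternates nodes per request;
    sticky=True models a session cookie pinning the client to the node
    that issued the token. Returns (node, status) per request.
    """
    nodes = [Node("nifi-0"), Node("nifi-1")]          # constructed node names
    token = nodes[0].issue_token("alice")              # login handled by nifi-0
    targets = [nodes[0]] * requests if sticky else [nodes[i % 2] for i in range(requests)]
    outcomes = []
    for node in targets:
        try:
            node.verify_token(token)
            outcomes.append((node.name, "200 OK"))
        except ValueError as exc:
            outcomes.append((node.name, f"401 invalid_token: {exc}"))
    return outcomes


if __name__ == "__main__":
    for label, sticky in (("round-robin", False), ("sticky", True)):
        print(label)
        for node, status in simulate(sticky=sticky):
            print(f"  {node}: {status}")
```

With round-robin routing every second request is rejected with the "no matching key(s) found" reason, which matches the behaviour in the question (one node works, two or more fail intermittently); with sticky routing all requests verify. Any fix that lets every node verify every node's tokens (shared key material or a shared verification key set) would also make the round-robin case pass; affinity at the load balancer merely avoids the cross-node check.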


Solution

  • It turned out to be a load balancer issue. Adding these annotations to the ingress to enable sticky sessions fixed the issue:

    annotations:
         nginx.ingress.kubernetes.io/backend-protocol: HTTPS
         nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    +    nginx.ingress.kubernetes.io/affinity: "cookie"
    +    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    +    nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"
    +    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
    +    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
    +    nginx.ingress.kubernetes.io/affinity-mode: persistent
       tls:
         - hosts:
           - ##############
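Review bot: the added cookie-affinity annotations sit under an Ingress that already carries `nginx.ingress.kubernetes.io/ssl-passthrough: "true"`, and ingress-nginx documents SSL passthrough as a layer-4 (TCP) mode that invalidates the other annotations on that Ingress object, because the controller never sees the HTTP layer where it would set or read the `route` cookie. If affinity is the intended fix, either terminate TLS at the ingress (drop `ssl-passthrough`, keep `backend-protocol: HTTPS` to re-encrypt to the pods) so the cookie annotations take effect, or state explicitly that stickiness is coming from a layer-4 mechanism rather than from these lines; otherwise the next reader will copy annotations that do nothing in this configuration. Also consider documenting why `session-cookie-expires`/`session-cookie-max-age` are set to 172800 seconds (48 h), since the cookie only needs to outlive the NiFi token it is keeping on one node.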