cetic/helm-nifi

[cetic/nifi] Untrusted proxy using OIDC integration in cluster mode

ggerla opened this issue · 2 comments

Describe the bug
Using Helm NiFi v1.1.1, I deployed NiFi in cluster mode with 3 nodes. I configured NiFi to use Keycloak for user authentication. All certificates are generated and injected in each node. After the login on Keycloak, the NiFi UI shows an "Untrusted proxy" error.

Searching on Google, I found some posts that helped me to solve the issue.
In the values.yaml I added:

properties:
  safetyValve:
    nifi.security.identity.mapping.pattern.dn: CN=([^,]*)(?:, (?:O|OU)=.*)?
    nifi.security.identity.mapping.value.dn: \$1
    nifi.security.identity.mapping.transform.dn: NONE

In statefulset.yaml, I added the following section

{{- if .Values.auth.oidc.enabled }}
          xmlstarlet ed --inplace --delete "authorizers/accessPolicyProvider/property[@name='Node Identity 1']" "${NIFI_HOME}/conf/authorizers.xml"
{{ range untilStep 0 (int .Values.replicaCount) 1 }}
          xmlstarlet ed --inplace \
                        --subnode "authorizers/accessPolicyProvider" --type 'elem' -n 'property' \
                          --value "CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.certManager.clusterDomain }}, OU=NIFI" \
                        --insert "authorizers/accessPolicyProvider/property[not(@name)]" --type attr -n name \
                          --value "Node Identity {{ . }}" \
                        "${NIFI_HOME}/conf/authorizers.xml"
          xmlstarlet ed --inplace \
                        --subnode "authorizers/userGroupProvider" --type 'elem' -n 'property' \
                          --value "CN={{ template "apache-nifi.fullname" $ }}-{{ . }}.{{ template "apache-nifi.fullname" $ }}-headless.{{ $.Release.Namespace }}.svc.{{ $.Values.certManager.clusterDomain }}, OU=NIFI" \
                        --insert "authorizers/userGroupProvider/property[not(@name)]" --type attr -n name \
                          --value "Initial User Identity {{ . }}" \
                        "${NIFI_HOME}/conf/authorizers.xml"
{{/* range untilStep 0 (int .Values.replicaCount ) 1 */}}{{ end }}
{{- end }}

Is it possible to add this section to the official repo? Can I create a pull request?
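The fix in this issue works because NiFi applies the `nifi.security.identity.mapping.*.dn` rule both to the identity it derives from a node's client certificate and to the `Node Identity` / `Initial User Identity` values read from authorizers.xml, so both sides collapse to the bare CN before they are compared. The script below is an added example (not code from the helm-nifi chart or from NiFi) that reproduces that comparison offline: it builds the node DNs the way the `--value` string in the template does, applies the mapping pattern from the values.yaml snippet, generates the same authorizers.xml properties the xmlstarlet loop adds, and reports any pod whose presented identity would not be accepted as a trusted proxy. The chart fullname `nifi`, namespace `nifi` and cluster domain `cluster.local` are assumed values chosen for the example.

```python
"""Consistency check for the fix described in the issue: NiFi cluster node DNs, the
nifi.security.identity.mapping.*.dn rule from values.yaml, and the Node Identity /
Initial User Identity properties the xmlstarlet commands add to authorizers.xml.
Added example for this page; it is not code from the helm-nifi chart or from NiFi."""
import re
import xml.etree.ElementTree as ET

# The mapping rule exactly as given in the issue's values.yaml snippet.
MAPPING_PATTERN = r"CN=([^,]*)(?:, (?:O|OU)=.*)?"
MAPPING_VALUE = "$1"  # Java-style group reference, as NiFi expects

# Assumed chart values, constructed for this example (not taken from the page).
FULLNAME = "nifi"                 # {{ template "apache-nifi.fullname" $ }}
NAMESPACE = "nifi"                # {{ $.Release.Namespace }}
CLUSTER_DOMAIN = "cluster.local"  # {{ $.Values.certManager.clusterDomain }}
REPLICAS = 3                      # .Values.replicaCount


def node_dn(index: int) -> str:
    """DN of pod <index>, built the same way as the --value string in the issue."""
    return (f"CN={FULLNAME}-{index}.{FULLNAME}-headless.{NAMESPACE}"
            f".svc.{CLUSTER_DOMAIN}, OU=NIFI")


def map_identity(identity: str,
                 pattern: str = MAPPING_PATTERN,
                 value: str = MAPPING_VALUE) -> str:
    """Apply the identity-mapping rule with transform NONE.

    NiFi only rewrites an identity when the pattern matches the whole string;
    anything else is passed through unchanged. With this pattern a DN written
    without the space after the comma ("CN=x,OU=NIFI") therefore stays a full DN.
    """
    match = re.fullmatch(pattern, identity)
    if match is None:
        return identity
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), value)


def build_authorizers(replicas: int = REPLICAS) -> ET.Element:
    """Minimal authorizers.xml carrying the properties the xmlstarlet loop adds."""
    root = ET.Element("authorizers")
    ugp = ET.SubElement(root, "userGroupProvider")
    ET.SubElement(ugp, "identifier").text = "file-user-group-provider"
    apm = ET.SubElement(root, "accessPolicyProvider")
    ET.SubElement(apm, "identifier").text = "file-access-policy-provider"
    for i in range(replicas):
        # --subnode ... -n property --value <DN>, then --insert ... -n name --value "... i"
        ET.SubElement(apm, "property", name=f"Node Identity {i}").text = node_dn(i)
        ET.SubElement(ugp, "property", name=f"Initial User Identity {i}").text = node_dn(i)
    return root


def check_node_identities(root: ET.Element, replicas: int = REPLICAS) -> list:
    """Return human-readable problems; an empty list means every pod's certificate
    identity is a configured Node Identity and has an Initial User Identity entry."""
    problems = []
    # NiFi applies the same mapping to identities read from authorizers.xml.
    nodes = [map_identity(p.text or "")
             for p in root.findall("accessPolicyProvider/property")
             if (p.get("name") or "").startswith("Node Identity")]
    users = {map_identity(p.text or "")
             for p in root.findall("userGroupProvider/property")
             if (p.get("name") or "").startswith("Initial User Identity")}
    for i in range(replicas):
        presented = map_identity(node_dn(i))  # identity NiFi derives from the pod's client cert
        if presented not in nodes:
            problems.append(f"pod {i}: {presented!r} is not a configured Node Identity "
                            "(NiFi reports this as 'Untrusted proxy')")
        if presented not in users:
            problems.append(f"pod {i}: {presented!r} has no Initial User Identity entry")
    if len(set(nodes)) != len(nodes):
        problems.append("identity mapping collapses two node identities into one")
    return problems


if __name__ == "__main__":
    authorizers = build_authorizers()
    print(ET.tostring(authorizers, encoding="unicode"))
    for line in check_node_identities(authorizers) or ["node identities consistent"]:
        print(line)
```

Running it prints the generated properties and `node identities consistent`. Editing one `Node Identity` value to a DN the pattern does not fully match (for example dropping the space before `OU=NIFI`) makes the check report that pod as an untrusted proxy, which is the same mismatch the original error comes from.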

I am experiencing the same issue trying to switch from singleuser to oidc. Are there plans to merge this soon?

banzo commented

@hbartti it should be ok now, please reopen the issue if not