nifi-dev mailing list archives

From Milan Das <m...@interset.com>
Subject Re: Unable to List Queue
Date Mon, 15 Oct 2018 21:50:10 GMT
Hi Bryan,
Yes, that was the problem.
I didn’t know that the cluster node identity also needs to be added. After adding it, it worked.

Thanks a lot.

Thanks,
Milan Das

On 10/15/18, 5:44 PM, "Bryan Bende" <bbende@gmail.com> wrote:

    Just to confirm, the cluster nodes are also granted access to "view the data"?
    
    That is the main difference between clustered vs non-clustered, so I
    would think something is not correct with the access policies for the
    nodes.
    On Mon, Oct 15, 2018 at 5:29 PM Milan Das <mdas@interset.com> wrote:
    >
    > Hi Bryan
    > Thanks for your response.
    > The user has all access including view the data at root processor level. It works when is.cluster is false. It doesn’t work when is.cluster is true.
    >
    > Thanks,
    > Milan Das
    >
    >
    > On 10/15/18, 2:56 PM, "Bryan Bende" <bbende@gmail.com> wrote:
    >
    >     The error message is saying your user does not have permission to view
    >     the data for the given processor.
    >
    >     There is a specific policy for viewing data which is described in the
    >     admin guide component policies [1], the policy named "view the data".
    >
    >     I think you should be able to create the "view the data" policy on the
    >     root process group to allow the user to see all data, but I can't
    >     remember off the top of my head.
    >
    >     I think the users representing the nodes also might need to be in that
    >     policy as well, since in a cluster the requests are being proxied and
    >     it needs to ensure the node proxying the user is also authorized to
    >     receive the data.
    >
    >     [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies
    >     On Mon, Oct 15, 2018 at 2:20 PM Milan Das <mdas@interset.com> wrote:
    >     >
    >     > Hello Nifi Team,
    >     >
    >     > I am having an issue only when cluster mode is on.
    >     >
    >     >
    >     >
    >     > The issue is, I am unable to list Queue on a secured cluster. It is communicating on SASL with ZooKeeper and the cluster is configured with TLS encryption and nifi.security.user.login.identity.provider=kerberos-provider
    >     >
    >     >
    >     >
    >     >  Queue on Success Queue: My flow is simple GenerateFlowFile (success) --> Funnel.
    >     >
    >     >
    >     >
    >     > Yes I added all policies at root level to user nifiadmin1. This works when I set the cluster to false.
    >     >
    >     >
    >     >
    >     > NIFI version : 1.6.0
    >     >
    >     >
    >     >
    >     >
    >     >
    >     >
    >     >
    >     > Error:
    >     >
    >     >
    >     >
    >     > 2018-10-14 15:03:21,620 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@INTERSET.COM
    >     >
    >     > 2018-10-14 15:03:21,621 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin1@INTERSET.COM], groups[] does not have permission to access the requested resource. Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Returning Forbidden response.
    >     >
    >     > 2018-10-14 15:03:21,623 INFO [NiFi Web Server-40] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin1@INTERSET.COM], groups[] does not have permission to access the requested resource. Node ip-172-30-1-235.ec2.internal:8443 is unable to fulfill this request due to: Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Contact the system administrator. Returning Forbidden response.
    >     >
    >     > 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<nifiadmin1@INTERSET.COM><CN=ip-172-30-1-235.ec2.internal, O=Interset, ST=California, C=US>) POST https://ip-172-30-1-235.ec2.internal:8443/nifi-api/flowfile-queues/73121f31-0166-1000-0000-000024972726/listing-requests (source ip: 172.30.1.235)
    >     >
    >     > 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@
    >     >
    >     >
    >     >
    >     > Thanks,
    >     >
    >     > Milan Das
    >     >
    >
    >
    >
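
The resolution of this thread (every identity in the proxied request chain, including the cluster node, must be in the "view the data" policy) can be checked from the logs. The following is an added example, not part of the original messages or of NiFi itself: it parses the `Attempting request for (<user><node>)` lines shown above and reports chain members missing from a policy. The function names, the membership sets, and the backslash-escaping of angle brackets inside identities are assumptions; the log sample is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<nifiadmin1@INTERSET.COM><CN=ip-172-30-1-235.ec2.internal, O=Interset, ST=California, C=US>) POST https://ip-172-30-1-235.ec2.internal:8443/nifi-api/flowfile-queues/73121f31-0166-1000-0000-000024972726/listing-requests (source ip: 172.30.1.235)
2018-10-14 15:03:21,620 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@INTERSET.COM
"""

# Request line: identity chain in parentheses, then HTTP method and URL.
REQUEST_RE = re.compile(
    r"Attempting request for \((?P<chain>.+?)\) (?P<method>[A-Z]+) (?P<url>\S+)")
# One <identity> element; assumes '<' and '>' inside an identity are backslash-escaped.
ENTITY_RE = re.compile(r"<((?:\\.|[^<>\\])*)>")


def parse_chain(chain):
    """Split '<user><proxy1>...' into identities, end user first."""
    entities = ENTITY_RE.findall(chain)
    if not entities:
        # No brackets: treat the whole string as a single identity (assumption).
        return [chain.strip()] if chain.strip() else []
    return [re.sub(r"\\(.)", r"\1", e) for e in entities]


def missing_from_policy(log_text, policy_members):
    """Return one finding per request whose chain has identities outside the policy.

    Comparison is an exact, case-sensitive string match, so a DN that differs
    only in spacing or case from the configured identity counts as missing.
    """
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        chain = parse_chain(m.group("chain"))
        missing = [ident for ident in chain if ident not in policy_members]
        if missing:
            findings.append({"method": m.group("method"), "url": m.group("url"),
                             "chain": chain, "missing": missing})
    return findings


if __name__ == "__main__":
    # Hypothetical policy membership: the user only, as in the original report.
    for f in missing_from_policy(SAMPLE_LOG, {"nifiadmin1@INTERSET.COM"}):
        print(f["method"], f["url"], "-> not in policy:", f["missing"])
```
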
    


