nifi-dev mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: Unable to List Queue
Date Mon, 15 Oct 2018 21:44:23 GMT
Just to confirm, the cluster nodes are also granted access to "view the data"?

That is the main difference between clustered vs non-clustered, so I
would think something is not correct with the access policies for the
nodes.
On Mon, Oct 15, 2018 at 5:29 PM Milan Das <mdas@interset.com> wrote:
>
> Hi Bryan
> Thanks for your response.
> The user has all access including view the data at root processor level. It works when is.cluster is false. It doesn’t work when is.cluster is true.
>
> Thanks,
> Milan Das
>
>
> On 10/15/18, 2:56 PM, "Bryan Bende" <bbende@gmail.com> wrote:
>
>     The error message is saying your user does not have permission to view
>     the data for the given processor.
>
>     There is a specific policy for viewing data which is described in the
>     admin guide component policies [1], the policy named "view the data".
>
>     I think you should be able to create the "view the data" policy on the
>     root process group to allow the user to see all data, but I can't
>     remember off the top of my head.
>
>     I think the users representing the nodes also might need to be in that
>     policy as well, since in a cluster the requests are being proxied and
>     it needs to ensure the node proxying the user is also authorized to
>     receive the data.
>
>     [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies
>     On Mon, Oct 15, 2018 at 2:20 PM Milan Das <mdas@interset.com> wrote:
>     >
>     > Hello Nifi Team,
>     >
>     > I am having an issue only when cluster mode is on.
>     >
>     > Issue is, I am unable to list Queue on secured cluster. It is communicating on sasl with Zookeeper and the cluster is configured with TLS encryption and nifi.security.user.login.identity.provider=kerberos-provider
>     >
>     >  Queue on Success Queue: My flow is simple GenerateFlowFile (success) --> Funnel.
>     >
>     > Yes I added all policies at root level to user nifiadmin1. This works when I set the cluster to false.
>     >
>     > NIFI version : 1.6.0
>     >
>     > Error:
>     >
>     > 2018-10-14 15:03:21,620 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@INTERSET.COM
>     >
>     > 2018-10-14 15:03:21,621 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin1@INTERSET.COM], groups[] does not have permission to access the requested resource. Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Returning Forbidden response.
>     >
>     > 2018-10-14 15:03:21,623 INFO [NiFi Web Server-40] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin1@INTERSET.COM], groups[] does not have permission to access the requested resource. Node ip-172-30-1-235.ec2.internal:8443 is unable to fulfill this request due to: Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Contact the system administrator. Returning Forbidden response.
>     >
>     > 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<nifiadmin1@INTERSET.COM><CN=ip-172-30-1-235.ec2.internal, O=Interset, ST=California, C=US>) POST https://ip-172-30-1-235.ec2.internal:8443/nifi-api/flowfile-queues/73121f31-0166-1000-0000-000024972726/listing-requests (source ip: 172.30.1.235)
>     >
>     > 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@
>     >
>     > Thanks,
>     >
>     > Milan Das
>     >
>
>
>
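
An added example, not part of the original messages or of NiFi's own code: a check of the point raised in the thread, that every identity in a proxied request's chain (the end user and the proxying node) needs the "view the data" policy. It assumes the file-based authorizer's users.xml / authorizations.xml layout and a `/data/process-groups/<id>` read policy; the identifiers, `ROOT-PG-ID` and policy contents are constructed placeholders, and group membership is not resolved.

```python
import re
import xml.etree.ElementTree as ET

# Constructed users.xml / authorizations.xml content (file-based authorizer
# layout is an assumption); identifiers and ROOT-PG-ID are placeholders.
USERS_XML = """<tenants><users>
  <user identifier="u-admin" identity="nifiadmin1@INTERSET.COM"/>
  <user identifier="u-node1" identity="CN=ip-172-30-1-235.ec2.internal, O=Interset, ST=California, C=US"/>
</users></tenants>"""
AUTHZ_XML = """<authorizations><policies>
  <policy identifier="p-data" resource="/data/process-groups/ROOT-PG-ID" action="R">
    <user identifier="u-admin"/>
  </policy>
</policies></authorizations>"""
# Same policy with the node identity added.
AUTHZ_XML_FIXED = AUTHZ_XML.replace('<user identifier="u-admin"/>',
                                    '<user identifier="u-admin"/><user identifier="u-node1"/>')
# Proxied request line quoted in the thread.
LOG_LINE = ("2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter "
            "Attempting request for (<nifiadmin1@INTERSET.COM><CN=ip-172-30-1-235.ec2.internal, "
            "O=Interset, ST=California, C=US>) POST https://ip-172-30-1-235.ec2.internal:8443"
            "/nifi-api/flowfile-queues/73121f31-0166-1000-0000-000024972726/listing-requests "
            "(source ip: 172.30.1.235)")

def proxy_chain(log_line):
    """Identities in the '(<user><proxy>...)' chain: end user first, then proxying nodes."""
    m = re.search(r"Attempting request for \((<.+>)\)", log_line)
    return re.findall(r"<([^<>]+)>", m.group(1)) if m else []

def policy_holders(users_xml, authz_xml, resource, action="R"):
    """Identities listed directly on the policy (group membership is not resolved)."""
    by_id = {u.get("identifier"): u.get("identity")
             for u in ET.fromstring(users_xml).findall("./users/user")}
    holders = set()
    for policy in ET.fromstring(authz_xml).iter("policy"):
        if policy.get("resource") == resource and policy.get("action") == action:
            holders |= {by_id[u.get("identifier")] for u in policy.findall("user")
                        if u.get("identifier") in by_id}
    return holders

def missing_view_data(log_line, users_xml, authz_xml, resource):
    """Chain members that lack the 'view the data' (read) policy on the resource."""
    allowed = policy_holders(users_xml, authz_xml, resource)
    return [ident for ident in proxy_chain(log_line) if ident not in allowed]

if __name__ == "__main__":
    res = "/data/process-groups/ROOT-PG-ID"
    print("before:", missing_view_data(LOG_LINE, USERS_XML, AUTHZ_XML, res))
    print("after: ", missing_view_data(LOG_LINE, USERS_XML, AUTHZ_XML_FIXED, res))
```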
