Hi Mark,

There are two policies needed for secure site-to-site...

In the global policies there needs to be a policy for "retrieve
site-to-site details" with the user of the server added.

In the policies for the port (from the palette on the left when the
port is selected) there needs to be a policy for "receive data via
site-to-site" with user of the server added.

Thanks,

Bryan

On Thu, Feb 23, 2017 at 12:34 PM, Mark Bean <mark.o.b...@gmail.com> wrote:
> I am attempting to set up secure site-to-site using NiFi 1.1.1. I have
> secured NiFi, and am able to access the UI securely via HTTPS. I have set
> the following security-related properties:
>
> nifi.sensitive.props.key=<key-value>
> nifi.sensitive.props.key.protected=
> nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
> nifi.sensitive.props.provider=BC
> nifi.sensitive.props.aditional.keys=
>
> nifi.security.keystore=<keystore-file>
> nifi.security.keystoreType=JKS
> nifi.security.keystorePasswd=<password>
> nifi.security.keyPasswd=<password>
> nifi.security.truststore=<truststore-file>
> nifi.security.truststoreType=JKS
> nifi.security.trsustorePasswd=<password>
> nifi.security.needClientAuth=true
> nifi.security.user.authorizer=file-provider
> nifi.security.user.login.identity.provider=
>
> I also set the site-to-site properties:
> nifi.remote.input.host=<host-fqdn>
> nifi.remote.input.secure=true
> nifi.remote.input.socket.port=<port, different from https UI port>
> nifi.remote.input.http.enabled=true
> nifi.remote.input.http.tansaction.ttl=30 sec
>
> The authorizers.xml has been set up to import the legacy
> authorized-users.xml. And, this correctly populated the users.xml to
> include the remote server for the site-to-site. It also added users to the
> authorizations.xml file to include the user (i.e. server) with site-to-site
> resource (both R and W).
>
> Despite this setup, the Input Port on the UI does not show an Access
> Control tab as in NiFi 0.x. I am not sure how to authorize the remote
> server such that the Input Port will be displayed in the remote server's
> Remote Process Group's list of ports.
>
> Have I missed a step in the security and/or user authentication setup?
>
> Thanks,
> Mark
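
An added check (not code from the thread or from the NiFi project) that reads the file-provider users.xml and authorizations.xml Mark describes and reports which of the two policies Bryan lists is missing for the server's identity. It assumes the NiFi 1.x file-provider layout, where "retrieve site-to-site details" is a read (R) policy on the resource `/site-to-site` and "receive data via site-to-site" is a write (W) policy on `/data-transfer/input-ports/<port-id>`; the sample files are constructed to mirror Mark's situation, and group membership is not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample users.xml (file-provider "tenants" format, NiFi 1.x).
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="user-1" identity="CN=remote-nifi, OU=NiFi"/>
  </users>
</tenants>"""

# Constructed sample authorizations.xml: R and W on /site-to-site only,
# i.e. the global policy exists but no port-level policy was granted.
AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="p-1" resource="/site-to-site" action="R">
      <user identifier="user-1"/>
    </policy>
    <policy identifier="p-2" resource="/site-to-site" action="W">
      <user identifier="user-1"/>
    </policy>
  </policies>
</authorizations>"""


def user_identifier(users_xml, identity):
    """Map a user identity (e.g. the server's certificate DN) to its identifier."""
    for user in ET.fromstring(users_xml).iter("user"):
        if user.get("identity") == identity:
            return user.get("identifier")
    return None


def missing_site_to_site_policies(users_xml, authorizations_xml, identity, input_port_id):
    """Return the names of the required site-to-site policies the identity lacks."""
    uid = user_identifier(users_xml, identity)
    if uid is None:
        return [f"user '{identity}' not present in users.xml"]
    required = {
        ("/site-to-site", "R"): "retrieve site-to-site details (global)",
        (f"/data-transfer/input-ports/{input_port_id}", "W"): "receive data via site-to-site (port)",
    }
    granted = set()
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        # Only policies that name this user directly count; groups are not expanded here.
        if any(u.get("identifier") == uid for u in policy.findall("user")):
            granted.add((policy.get("resource"), policy.get("action")))
    return [name for key, name in required.items() if key not in granted]


if __name__ == "__main__":
    print(missing_site_to_site_policies(USERS_XML, AUTHORIZATIONS_XML,
                                        "CN=remote-nifi, OU=NiFi", "port-id-placeholder"))
```

The port id is the UUID of the Input Port as shown in the UI; it is a placeholder in the sample.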
