Hi Koji,

Thank you for your quick and valuable answer! That's exactly what I need. After 
adding "Node Identity" of authorizers.xml to the "view the data" policy, the 
authorized user can list the queue.

>> IIRC, if you define the Node Identity before starting the secured cluster at 
>> the first time, NiFi automatically creates necessary policies for each node 
>> to proxy user request (I maybe wrong on this..). 

Although I defined the Node Identity before starting the cluster at the first 
time, it seemed NiFi did not automatically create the policies and I needed to 
add the Node Identity to the policy explicitly.

Thanks again!
Takanobu

-----Original Message-----
From: Koji Kawamura [mailto:ijokaruma...@gmail.com] 
Sent: Tuesday, June 27, 2017 2:32 PM
To: dev <dev@nifi.apache.org>
Subject: Re: Authorization problems of NiFi secured cluster

Hello Takanobu,

If the issue doesn't happen with standalone mode, I assume it happens because 
the security policy does not allow NiFi node to "view the data".

When a user sends a request to a node within a cluster, the node proxies the 
request to other nodes within the same cluster.
I'd recommend checking whether conf/authorizers.xml has Node Identity properties, 
which look like this:

<authorizer>
  ...
  <property name="Node Identity 1">CN=localhost, OU=NIFI</property> 
</authorizer>

IIRC, if you define the Node Identity before starting the secured cluster at 
the first time, NiFi automatically creates the necessary policies for each node to 
proxy user requests (I may be wrong on this...). If you already have the cluster 
started, then you can add the NiFi node as a user and then add it to the "view the 
data" policy manually (probably the root PG's policy would be the most 
appropriate place).

I confirmed that the issue can be reproduced by removing NiFi node user from 
"view the data" policy.

Please try above and let us know if it addresses your issue.

Thanks,
Koji

On Tue, Jun 27, 2017 at 1:12 PM, Takanobu Asanuma <tasan...@yahoo-corp.jp> 
wrote:
> Hello experts,
>
> When I created a NiFi cluster with security, no user can list any queue 
> due to "insufficient permissions", even though the users have the permissions.
>
> For example, there is a dataflow which contains processor-A and processor-B, 
> and processor-A is connecting to processor-B. In this case, even if user1 has 
> the policies which are view/modify the component/data of processor-A and 
> processor-B, he can't list the queue of the processors.
>
> This problem only occurs when the secured NiFi instance is in cluster mode 
> (nifi.cluster.is.node=true). If the secured NiFi instance is in standalone mode, the 
> problem doesn't happen. I have faced this problem with the latest release 
> version, 1.3.0.
>
> Do you have any thoughts?
>
> Thanks,
> Takanobu Asanuma
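The check Koji describes above (is every cluster node identity granted "view the data" on the root process group, so that it can proxy a queue listing on behalf of the user) can be scripted against the files NiFi writes for the file-based providers. The following is an added example, not code from the thread or from the NiFi project. It assumes, as I understand the file formats, that conf/users.xml maps a user `identifier` to an `identity`, that conf/authorizations.xml lists policies with a `resource` and an `action` attribute, and that "view the data" on a process group is the policy with resource `/data/process-groups/<id>` and action `R`. The XML documents, the node identities and the root process group id `root-pg` are constructed sample data; group membership on a policy is not resolved, only users listed directly.

```python
"""Check that every cluster node identity holds the "view the data" policy.

Added example for the NiFi thread above; file formats are assumptions, not
taken from NiFi source.
"""
import xml.etree.ElementTree as ET

# Constructed sample of conf/users.xml: two node identities (the values of
# "Node Identity 1" / "Node Identity 2" in authorizers.xml) and one normal user.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="node-1" identity="CN=nifi-node1, OU=NIFI"/>
    <user identifier="node-2" identity="CN=nifi-node2, OU=NIFI"/>
    <user identifier="user-1" identity="CN=user1, OU=NIFI"/>
  </users>
</tenants>"""

# Constructed sample of conf/authorizations.xml. The hypothetical root process
# group id is "root-pg". node-1 holds "view the data" (R on /data/...), node-2
# does not, which is the situation that produces "insufficient permissions".
AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="p-1" resource="/data/process-groups/root-pg" action="R">
      <user identifier="node-1"/>
      <user identifier="user-1"/>
    </policy>
    <policy identifier="p-2" resource="/process-groups/root-pg" action="R">
      <user identifier="user-1"/>
    </policy>
  </policies>
</authorizations>"""

# Assumed node identities, as they would appear in the Node Identity properties.
NODE_IDENTITIES = ["CN=nifi-node1, OU=NIFI", "CN=nifi-node2, OU=NIFI"]


def load_identities(users_xml):
    """Map user identifier -> identity string from users.xml."""
    root = ET.fromstring(users_xml)
    return {u.get("identifier"): u.get("identity") for u in root.iter("user")}


def policy_members(authorizations_xml, resource, action):
    """Identifiers of users listed directly on the policy for (resource, action).

    Groups (<group identifier=.../>) are deliberately not expanded here.
    """
    root = ET.fromstring(authorizations_xml)
    members = set()
    for policy in root.iter("policy"):
        if policy.get("resource") == resource and policy.get("action") == action:
            members.update(u.get("identifier") for u in policy.findall("user"))
    return members


def nodes_missing_view_data(users_xml, authorizations_xml, node_identities, root_pg_id):
    """Return the node identities that cannot "view the data" on the root PG.

    In a cluster each node proxies requests such as a queue listing to the other
    nodes, so a node that is not a user or lacks this policy causes the listing
    to fail even when the requesting user is fully authorized.
    """
    identity_to_id = {identity: ident for ident, identity in load_identities(users_xml).items()}
    members = policy_members(authorizations_xml, f"/data/process-groups/{root_pg_id}", "R")
    missing = []
    for node in node_identities:
        ident = identity_to_id.get(node)
        if ident is None or ident not in members:
            missing.append(node)
    return missing


if __name__ == "__main__":
    for node in nodes_missing_view_data(USERS_XML, AUTHORIZATIONS_XML, NODE_IDENTITIES, "root-pg"):
        print("node lacks 'view the data' on the root process group:", node)
```

Run it against the real conf/users.xml and conf/authorizations.xml by reading the files into the two string arguments and passing the identities from the Node Identity properties; an empty result means every node can proxy data requests for the root process group. If a node is absent from users.xml entirely it is reported as missing too, since it must exist as a user before it can be added to the policy.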
