Hi Takanobu,

Glad to hear that you have it fixed.

> Although I defined the Node Identity before starting the cluster for the first 
> time, it seemed NiFi did not automatically create the policies and I needed 
> to add the Node Identity to the policy explicitly.

Thanks for sharing; ideally a NiFi cluster should work without adding
the policy manually.
I will try to set up a brand-new secured NiFi cluster to see what the
initial policy setting will look like.
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#cluster-node-identities

Thanks,
Koji

On Tue, Jun 27, 2017 at 5:08 PM, Takanobu Asanuma
<tasan...@yahoo-corp.jp> wrote:
> Hi Koji,
>
> Thank you for your quick and valuable answer! That's exactly what I need. 
> After adding "Node Identity" of authorizers.xml to the "view the data" 
> policy, the authorized user can list the queue.
>
>>> IIRC, if you define the Node Identity before starting the secured cluster 
>>> for the first time, NiFi automatically creates the necessary policies for each 
>>> node to proxy user requests (I may be wrong on this..).
>
> Although I defined the Node Identity before starting the cluster for the first 
> time, it seemed NiFi did not automatically create the policies and I needed 
> to add the Node Identity to the policy explicitly.
>
> Thanks again!
> Takanobu
>
> -----Original Message-----
> From: Koji Kawamura [mailto:ijokaruma...@gmail.com]
> Sent: Tuesday, June 27, 2017 2:32 PM
> To: dev <dev@nifi.apache.org>
> Subject: Re: Authorization problems of NiFi secured cluster
>
> Hello Takanobu,
>
> If the issue doesn't happen in standalone mode, I assume it happens because 
> the security policy does not allow the NiFi node to "view the data".
>
> When a user sends a request to a node within a cluster, the node proxies the 
> request to the other nodes within the same cluster.
> I'd recommend checking whether conf/authorizers.xml has Node Identity properties; 
> it looks like this:
>
> <authorizer>
>   ...
>   <property name="Node Identity 1">CN=localhost, OU=NIFI</property> 
> </authorizer>
>
> IIRC, if you define the Node Identity before starting the secured cluster for 
> the first time, NiFi automatically creates the necessary policies for each node 
> to proxy user requests (I may be wrong on this..). If you already have the 
> cluster started, then you can add the NiFi node as a user and then add it to the 
> "view the data" policy manually (the root PG's policy would probably be 
> the most appropriate place).
>
> I confirmed that the issue can be reproduced by removing the NiFi node user from 
> the "view the data" policy.
>
> Please try the above and let us know if it addresses your issue.
>
> Thanks,
> Koji
>
> On Tue, Jun 27, 2017 at 1:12 PM, Takanobu Asanuma <tasan...@yahoo-corp.jp> 
> wrote:
>> Hello experts,
>>
>> When I created a NiFi cluster with security, users can't list any queues 
>> due to "insufficient permissions" even though the users have the permissions.
>>
>> For example, there is a dataflow which contains processor-A and processor-B, 
>> and processor-A is connecting to processor-B. In this case, even if user1 
>> has the policies which are view/modify the component/data of processor-A and 
>> processor-B, he can't list the queue of the processors.
>>
>> This problem only occurs when the secured NiFi instance is in cluster mode 
>> (nifi.cluster.is.node=true). If the secured NiFi instance is in standalone mode, 
>> the problem doesn't happen. I have faced this problem with the latest 
>> release version, 1.3.0.
>>
>> Do you have any thoughts?
>>
>> Thanks,
>> Takanobu Asanuma
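As an added example (not part of the thread and not NiFi project code), the following script audits the fix Koji describes: it reads the "Node Identity N" DNs from authorizers.xml and reports any node that is either missing from users.xml or not a reader on a /data/ resource in authorizations.xml, which is what the "view the data" policy is stored as. The three XML snippets are constructed samples, and the element and attribute names follow the file-based authorizer's conventions as I understand them for NiFi 1.x (an assumption, not taken from the thread).

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not from the thread). Node 2 is declared as a
# Node Identity and exists as a user, but is not in any /data/ read policy.
AUTHORIZERS_XML = """<authorizers><authorizer>
  <identifier>file-provider</identifier>
  <property name="Node Identity 1">CN=nifi-1.example.test, OU=NIFI</property>
  <property name="Node Identity 2">CN=nifi-2.example.test, OU=NIFI</property>
</authorizer></authorizers>"""

USERS_XML = """<tenants><users>
  <user identifier="u-1" identity="CN=nifi-1.example.test, OU=NIFI"/>
  <user identifier="u-2" identity="CN=nifi-2.example.test, OU=NIFI"/>
  <user identifier="u-3" identity="CN=user1, OU=NIFI"/>
</users></tenants>"""

# "view the data" on the root process group: resource /data/process-groups/<id>,
# action R (assumed layout of authorizations.xml).
AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p-1" resource="/data/process-groups/root-pg" action="R">
    <user identifier="u-1"/>
    <user identifier="u-3"/>
  </policy>
</policies></authorizations>"""


def node_identities(authorizers_xml):
    """Return the DNs declared as 'Node Identity N' properties, in order."""
    root = ET.fromstring(authorizers_xml)
    return [p.text.strip() for p in root.iter("property")
            if p.get("name", "").startswith("Node Identity")]


def data_policy_gaps(authorizers_xml, users_xml, authorizations_xml):
    """Map each node identity that cannot proxy 'view the data' requests
    to the reason: missing user entry, or no read policy on any /data/ resource."""
    uid_by_identity = {u.get("identity"): u.get("identifier")
                       for u in ET.fromstring(users_xml).iter("user")}
    readers = set()
    for pol in ET.fromstring(authorizations_xml).iter("policy"):
        if pol.get("resource", "").startswith("/data/") and "R" in pol.get("action", ""):
            readers.update(u.get("identifier") for u in pol.iter("user"))
    gaps = {}
    for dn in node_identities(authorizers_xml):
        uid = uid_by_identity.get(dn)
        if uid is None:
            gaps[dn] = "not present in users.xml"
        elif uid not in readers:
            gaps[dn] = "no read access on any /data/ resource"
    return gaps
```

Run it against the real conf/ files after first start-up to confirm whether the node policies were created automatically, as Koji plans to check; each reported DN is a node that will fail queue listing with "insufficient permissions".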
