Koji Kawamura created NIFI-2550:
-----------------------------------
Summary: Input port requires 'receive data via site-to-site' policy for both ends
Key: NIFI-2550
URL: https://issues.apache.org/jira/browse/NIFI-2550
Project: Apache NiFi
Issue Type: Bug
Components: Core Framework
Affects Versions: 1.0.0
Environment: Site-to-Site, Secure Cluster to Secure Cluster
Reporter: Koji Kawamura
I'm trying to set up a Site-to-Site connection between two NiFi clusters (P and
Q). Both secured.
At NiFi Q, there's an input-port, then NiFi P sends data to it.
NiFi P -> https -> NiFi Q
NiFi P has two nodes, so I created a group 'p-nifi' having the nodes' identities
on NiFi Q. Then I added the 'p-nifi' group to the 'retrieve site-to-site detail' policy.
Confirmed that NiFi P Remote Process Group can get site-to-site detail.
However, it couldn't access the input-port.
I've added the 'p-nifi' group to the 'receive data via site-to-site' policy of the
input-port, but it still can't be accessed.
I found that
org.apache.nifi.authorization.resource.DataAuthorizable.checkAuthorization
checks the whole DN chain. By debugging, I found that it checks not only NiFi P
nodes, but also NiFi Q nodes. The DN chain looked like below:
[L=1.p.nifi, C=US, CN=1.p.nifi, L=0.q.nifi, C=US, CN=0.q.nifi, L=1.q.nifi,
C=US, CN=1.q.nifi]
After adding 'q-nifi' group to the input port policy, NiFi P can access the
remote input port.
There may be some reason for doing this, but as a user, I didn't expect that I
need to add NiFi Q to that policy.
Is this expected behavior?
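A simplified model of the behavior described in the report above, added here as an illustration; it is not code from the report or from NiFi. It regroups the flattened DN chain as printed (assuming each DN ends at its CN) and requires every identity in the chain to be covered by the port policy; the group contents and function names are constructed for the example.

```python
# Simplified model of a chain-wide policy check; not NiFi source code.

# The chain exactly as printed in the report: DNs and their RDNs are both
# comma-separated, so the three identities run together.
PRINTED_CHAIN = ("L=1.p.nifi, C=US, CN=1.p.nifi, L=0.q.nifi, C=US, CN=0.q.nifi, "
                 "L=1.q.nifi, C=US, CN=1.q.nifi")

# Constructed group membership on NiFi Q (only identities seen in the chain).
GROUPS = {
    "p-nifi": {"L=1.p.nifi, C=US, CN=1.p.nifi"},
    "q-nifi": {"L=0.q.nifi, C=US, CN=0.q.nifi", "L=1.q.nifi, C=US, CN=1.q.nifi"},
}


def split_chain(printed):
    """Regroup the flattened list into DNs, assuming each DN ends at its CN."""
    dns, current = [], []
    for rdn in (part.strip() for part in printed.split(",")):
        current.append(rdn)
        if rdn.upper().startswith("CN="):
            dns.append(", ".join(current))
            current = []
    if current:  # trailing RDNs without a CN: keep them visible, do not drop
        dns.append(", ".join(current))
    return dns


def check_chain(chain, policy_groups, groups=GROUPS):
    """Return (allowed, denied): every identity in the chain must be in the policy."""
    permitted = set().union(*(groups.get(g, set()) for g in policy_groups))
    denied = [dn for dn in chain if dn not in permitted]
    return (not denied, denied)


if __name__ == "__main__":
    chain = split_chain(PRINTED_CHAIN)
    for policy in (["p-nifi"], ["p-nifi", "q-nifi"]):
        allowed, denied = check_chain(chain, policy)
        print(policy, "->", "allowed" if allowed else f"denied for {denied}")
```

The denied list names the identities missing from the policy, which is the quickest way to see that the receiving cluster's own nodes are part of the evaluated chain.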