Koji Kawamura created NIFI-2550:
-----------------------------------

Summary: Input port requires 'receive data via site-to-site' policy for both ends
Key: NIFI-2550
URL: https://issues.apache.org/jira/browse/NIFI-2550
Project: Apache NiFi
Issue Type: Bug
Components: Core Framework
Affects Versions: 1.0.0
Environment: Site-to-Site, Secure Cluster to Secure Cluster
Reporter: Koji Kawamura

I'm trying to set up a Site-to-Site connection between two NiFi clusters (P and Q). Both secured. At NiFi Q, there's an input-port, then NiFi P sends data to it.

NiFi P -> https -> NiFi Q

NiFi P has two nodes, so I created a group 'p-nifi' having the nodes' identities on NiFi Q. Then I added the 'p-nifi' group to the 'retrieve site-to-site detail' policy. Confirmed that the NiFi P Remote Process Group can get site-to-site detail.

However, it couldn't access the input-port. I've added the 'p-nifi' group to the 'receive data via site-to-site' policy of the input-port, but it still can't be accessed.

I found that org.apache.nifi.authorization.resource.DataAuthorizable.checkAuthorization checks the entire DN chain. By debugging, I found that it checks not only NiFi P nodes, but also NiFi Q nodes. The DN chain looked like below:

[L=1.p.nifi, C=US, CN=1.p.nifi, L=0.q.nifi, C=US, CN=0.q.nifi, L=1.q.nifi, C=US, CN=1.q.nifi]

After adding the 'q-nifi' group to the input port policy, NiFi P can access the remote input port.

There may be some reason for doing this, but as a user, I didn't expect that I would need to add NiFi Q to that policy. Is this expected behavior?
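
The behaviour reported above, as an added example that is not part of the original report and is not NiFi's code: a simplified model of a check that requires every identity in the DN chain to be covered by the policy. The helper names, the group contents and the DN of the second P node are assumptions made for illustration.

```python
# Simplified model of a chain-wide authorization check; NOT NiFi's implementation.

# DN chain exactly as printed in the report (three DNs flattened into one list).
CHAIN_AS_LOGGED = ("[L=1.p.nifi, C=US, CN=1.p.nifi, L=0.q.nifi, C=US, CN=0.q.nifi, "
                   "L=1.q.nifi, C=US, CN=1.q.nifi]")

# Group membership as described in the report. The 0.p.nifi DN is constructed
# by analogy with the others; it does not appear on the page.
GROUPS = {
    "p-nifi": {"L=0.p.nifi, C=US, CN=0.p.nifi", "L=1.p.nifi, C=US, CN=1.p.nifi"},
    "q-nifi": {"L=0.q.nifi, C=US, CN=0.q.nifi", "L=1.q.nifi, C=US, CN=1.q.nifi"},
}

def split_chain(logged):
    """Regroup the flattened RDN list into DNs (assumes each DN ends with its CN)."""
    dns, current = [], []
    for rdn in logged.strip().strip("[]").split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        current.append(rdn)
        if rdn.upper().startswith("CN="):
            dns.append(", ".join(current))
            current = []
    if current:
        raise ValueError("trailing RDNs without a CN: %r" % current)
    return dns

def denied_identities(chain, policy_groups, groups=GROUPS):
    """Identities in the chain that no group on the policy covers."""
    allowed = set()
    for name in policy_groups:
        allowed |= groups.get(name, set())
    return [dn for dn in chain if dn not in allowed]

def is_authorized(chain, policy_groups, groups=GROUPS):
    """Every identity in the chain must be allowed; an empty chain fails closed."""
    return bool(chain) and not denied_identities(chain, policy_groups, groups)

if __name__ == "__main__":
    chain = split_chain(CHAIN_AS_LOGGED)
    for policy in (["p-nifi"], ["p-nifi", "q-nifi"]):
        print(policy, "->", is_authorized(chain, policy),
              "denied:", denied_identities(chain, policy))
```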