[ https://issues.apache.org/jira/browse/NIFI-2550?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Koji Kawamura updated NIFI-2550:
--------------------------------
Description:

I'm trying to set up a Site-to-Site connection between two NiFi clusters (P and Q). Both secured.
At NiFi Q, there's an input-port, then NiFi P sends data to it.

NiFi P -> https -> NiFi Q

NiFi P has two nodes, so I created a group 'p-nifi' having the nodes' identities on NiFi Q. Then I added the 'p-nifi' group to the 'retrieve site-to-site detail' policy.
Confirmed that NiFi P Remote Process Group can get site-to-site detail.

[screenshot-1|https://issues.apache.org/jira/secure/attachment/12823222/screenshot-1.png]

However, it couldn't access the input-port.
I've added the 'p-nifi' group to the 'receive data via site-to-site' policy of the input-port, but still it can't be accessed.

[screenshot-2|https://issues.apache.org/jira/secure/attachment/12823223/screenshot-2.png]

I found that org.apache.nifi.authorization.resource.DataAuthorizable.checkAuthorization checks all the DN chain. By debugging, I found that it checks not only NiFi P nodes, but also NiFi Q nodes. The DN chain looked like below:

[L=1.p.nifi, C=US, CN=1.p.nifi, L=0.q.nifi, C=US, CN=0.q.nifi, L=1.q.nifi, C=US, CN=1.q.nifi]

After adding the 'q-nifi' group to the input port policy, NiFi P can access the remote input port.
There may be some reason for doing this, but as a user, I didn't expect that I need to add NiFi Q to that policy.
Is this an expected behavior?

was:

I'm trying to set up a Site-to-Site connection between two NiFi clusters (P and Q). Both secured.
At NiFi Q, there's an input-port, then NiFi P sends data to it.

NiFi P -> https -> NiFi Q

NiFi P has two nodes, so I created a group 'p-nifi' having the nodes' identities on NiFi Q. Then I added the 'p-nifi' group to the 'retrieve site-to-site detail' policy.
Confirmed that NiFi P Remote Process Group can get site-to-site detail.

[screenshot-1|https://issues.apache.org/jira/secure/attachment/12823222/screenshot-1.png]

However, it couldn't access the input-port.
I've added the 'p-nifi' group to the 'receive data via site-to-site' policy of the input-port, but still it can't be accessed.

I found that org.apache.nifi.authorization.resource.DataAuthorizable.checkAuthorization checks all the DN chain. By debugging, I found that it checks not only NiFi P nodes, but also NiFi Q nodes. The DN chain looked like below:

[L=1.p.nifi, C=US, CN=1.p.nifi, L=0.q.nifi, C=US, CN=0.q.nifi, L=1.q.nifi, C=US, CN=1.q.nifi]

After adding the 'q-nifi' group to the input port policy, NiFi P can access the remote input port.
There may be some reason for doing this, but as a user, I didn't expect that I need to add NiFi Q to that policy.
Is this an expected behavior?

> Input port requires 'receive data via site-to-site' policy for both ends
> ------------------------------------------------------------------------
>
>                 Key: NIFI-2550
>                 URL: https://issues.apache.org/jira/browse/NIFI-2550
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.0.0
>         Environment: Site-to-Site, Secure Cluster to Secure Cluster
>            Reporter: Koji Kawamura
>         Attachments: screenshot-1.png, screenshot-2.png
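The behaviour described in the report, modelled as an added example that is not part of the original message and is not NiFi's code: it splits the printed DN chain into identities and lists which of them a port policy does not cover. The group membership (including the node name 0.p.nifi) and the rule that each DN ends with its CN component are assumptions made for the illustration.

```python
# Constructed group membership on NiFi Q. 0.p.nifi is an assumed name for
# NiFi P's second node, which the report does not spell out.
GROUPS = {
    "p-nifi": {"L=0.p.nifi, C=US, CN=0.p.nifi", "L=1.p.nifi, C=US, CN=1.p.nifi"},
    "q-nifi": {"L=0.q.nifi, C=US, CN=0.q.nifi", "L=1.q.nifi, C=US, CN=1.q.nifi"},
}

# The chain exactly as printed in the report.
REPORTED_CHAIN = ("[L=1.p.nifi, C=US, CN=1.p.nifi, L=0.q.nifi, C=US, CN=0.q.nifi, "
                  "L=1.q.nifi, C=US, CN=1.q.nifi]")


def split_chain(printed):
    """Split the flattened chain into one DN per identity.

    DNs contain commas themselves, so a plain split(",") gives RDNs, not DNs.
    Assumption: every DN ends with its CN component, as in the report's output.
    """
    rdns = [p.strip() for p in printed.strip("[] \n").split(",")]
    chain, current = [], []
    for rdn in rdns:
        current.append(rdn)
        if rdn.upper().startswith("CN="):
            chain.append(", ".join(current))
            current = []
    if current:
        raise ValueError("trailing RDNs without a CN: %r" % current)
    return chain


def denied_identities(chain, policy_groups):
    """Return the chain members the policy does not cover, in chain order.

    Models the behaviour described in the report: access is granted only if
    every identity in the chain is authorized, so a non-empty result means
    the request is rejected.
    """
    allowed = set().union(*(GROUPS[g] for g in policy_groups))
    return [dn for dn in chain if dn not in allowed]


if __name__ == "__main__":
    chain = split_chain(REPORTED_CHAIN)
    for groups in (["p-nifi"], ["p-nifi", "q-nifi"]):
        print(groups, "-> denied:", denied_identities(chain, groups))
```
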