Hello Peter, Thanks for reporting this! I agree with you and feel this needs to be fixed. I'm going to work on this.
Koji On Mon, Sep 12, 2016 at 12:41 PM, Peter Wicks (pwicks) <pwi...@micron.com> wrote: > I’ve been playing with site-to-site and found an interesting quirk. I had > the full DN’s from my certificates for my usernames, but decided to setup > nifi.security.identity.mapping patterns for both the DN’s and for Kerberos; > which by the way works great for normal users. > > > > I renamed just my own account in users.xml so I could login. I was getting > site-to-site login errors so I renamed the user accounts to be just the CN > name, and in nifi-user.log I started seeing successful authentications. > > > > Then I started seeing this message in the nifi-app.log and eventually it > started showing up as bulletin messages: > > > > EndpointConnectionPool[Cluster URL=https://host1:8443/nifi] failed to > communicate with Peer[url=nifi://host1:8500,CLOSED] due to > org.apache.nifi.remote.exception.HandshakeException: Received unexpected > response > > User Not Authorized: > StandardRootGroupPort[id=1c60dcc0-0157-1000-c554-002d2b3e3702] authorization > failed for user EMAILADDRESS=pwi...@micron.com, CN=host2, OU=ou, O=Micron > Technology Inc., L=Boise, ST=ID, C=US because Unknown user with identity > 'EMAILADDRESS=pwi...@micron.com, CN=host2, OU=ou, O=Micron Technology Inc., > L=Boise, ST=ID, C=US'. > > > > I worked around my site-to-site auth issue by adding a second account with > the full DN from the certificate. This allowed site-to-site to start > working again. > > > > This feels like a bug in Site-to-Site (StandardRootGroupPort). I cut a Jira > for it: https://issues.apache.org/jira/browse/NIFI-2757. > > > > If I’m missing something from a configuration perspective please let me > know.
