There was a bug in the 0.5.0 release that caused group-based policies to not work correctly for proxies [1].

Can you try adding the user that represents the nifi instance directly to the Proxy policy in registry?

[1] https://issues.apache.org/jira/browse/NIFIREG-358

On Thu, Mar 5, 2020 at 1:19 PM Joseph Wheeler <j.wheeler...@gmail.com> wrote:

> Hello!
>
> I am having issues getting NiFi Registry to work properly.
>
> I have NiFi and NiFi Registry running, both configured to use SSL, both
> using the same keystore.jks and truststore.jks files, and both with user
> accounts mapped to PKI certificate FQDNs. I have no issue logging into the
> interfaces for either NiFi or NiFi Registry.
>
> I have added the NiFi registry URL in NiFi under nifi settings -> Registry
> Clients.
>
> I have created a bucket in nifi registry. It is set to be publicly visible
> and has a policy created that gives the user group (which I created in nifi
> registry and has all users in it) all permission options.
>
> In Nifi, I have a user group created with all users in it that have
> maximum permissions for all options in Nifi and on the particular nifi flow
> we're working on.
>
> The issue I have is:
>
> 1.) I log in to NiFi, right-click a process group (doesn't seem to matter
> which one) and click Version -> Start version control.
> 2.) The Save Flow Version wizard pops up, automatically populated with the
> registry name and the bucket name I created in nifi-registry. I enter
> random characters in the 3 empty fields and click Save.
> 3.) Error message appears:
> "Failed to register flow with Flow Registry due to Error creating flow:
> Untrusted proxy [*<NIFI SSL CERTIFICATE FQDN>*] for write operation.
> Contact the system administrator."
>
> In the nifi-registry-app.log, I see this message:
> 2020-03-05 18:16:11,272 INFO [NiFi Registry Web Server-17]
> o.a.n.r.w.m.AccessDeniedExceptionMapper identity[*<MY CERTIFICATE FQDN>*],
> groups[*<MY NIFI GROUP>]* does not have permission to access the
> requested resource. Untrusted proxy [*<NIFI SSL CERTIFICATE FQDN>*] for
> write operation. Returning Forbidden response.
>
> However, my account has every permission available in both Nifi and
> Nifi-registry.
>
> Any idea where to start?
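
An added example (not part of the original thread, and not NiFi Registry code): a small script that scans nifi-registry-app.log for the AccessDeniedExceptionMapper entries quoted above and reports which proxy identity Registry rejected, which is the identity to check in the Proxy policy. The regular expression is derived from the one log line quoted in the thread; the sample entries and every name in them are constructed.

```python
import re

# Matches the AccessDeniedExceptionMapper entry quoted in the thread above.
DENIED = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ \[[^\]]*\] "
    r"\S*AccessDeniedExceptionMapper identity\[(?P<user>.*?)\], "
    r"groups\[.*?\] does not have permission.*?"
    r"Untrusted proxy \[(?P<proxy>.*?)\] for (?P<op>\w+) operation"
)

def untrusted_proxies(lines):
    """Group 'Untrusted proxy' denials by the proxy identity that was rejected."""
    report = {}
    for line in lines:
        m = DENIED.search(line)
        if m is None:  # other log entries, or denials that involve no proxy
            continue
        entry = report.setdefault(
            m["proxy"], {"count": 0, "ops": set(), "users": set(), "last": None})
        entry["count"] += 1
        entry["ops"].add(m["op"])
        entry["users"].add(m["user"])  # end user the proxy was acting for
        entry["last"] = m["ts"]
    return report

# Constructed sample entries; every identity and group name is a placeholder.
FMT = ("{ts} INFO [NiFi Registry Web Server-17] o.a.n.r.w.m.AccessDeniedExceptionMapper "
       "identity[{user}], groups[{group}] does not have permission to access the "
       "requested resource. {detail}Returning Forbidden response.")
PROXY = "Untrusted proxy [CN=nifi-node1.example.test] for write operation. "
SAMPLE_LOG = [
    FMT.format(ts="2020-03-05 18:16:11,272", user="CN=alice.example.test",
               group="flow-admins", detail=PROXY),
    FMT.format(ts="2020-03-05 18:16:40,031", user="CN=carol.example.test",
               group="flow-admins", detail=""),  # denial with no proxy involved
    FMT.format(ts="2020-03-05 18:17:02,510", user="CN=bob.example.test",
               group="flow-admins", detail=PROXY),
]

if __name__ == "__main__":
    for proxy, e in untrusted_proxies(SAMPLE_LOG).items():
        print(f"{proxy}: {e['count']} denied {'/'.join(sorted(e['ops']))} request(s), "
              f"last at {e['last']}, on behalf of {sorted(e['users'])}")
        print("  -> check this identity is listed as a user in the Registry Proxy policy")
```

The end-user identities in the report are not the ones missing a permission; the denial is about the proxy identity, which matches the symptom in the thread where the user account already holds every permission.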