Ben,

Please ensure that each of the node CNs is added to users.xml as a user and that the corresponding user entry has the /proxy resource available to it in authorizations.xml. See a full example here [1]. I subbed the UUIDs for simple string identifiers to make it easier to match in the example below.
users.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="abc" identity="[email protected], CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com"/>
        <user identifier="def" identity="CN=common.name.server.company.com, O=UnitedHealth Group Inc., L=Plymouth, ST=Minnesota, C=US"/>
        <!-- ... repeat for all nodes in cluster ... -->
    </users>
</tenants>

authorizations.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="1" resource="/flow" action="R">
            <user identifier="abc"/>
        </policy>
        <!-- ... -->
        <policy identifier="9" resource="/proxy" action="R">
            <user identifier="def"/>
        </policy>
        <policy identifier="10" resource="/proxy" action="W">
            <user identifier="def"/>
        </policy>
    </policies>
</authorizations>

[1] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

Andy LoPresto
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> On Jan 24, 2017, at 8:15 AM, bmichaud <[email protected]> wrote:
>
> Andy LoPresto-2 wrote
>> The instructions by Pierre that I mentioned were linked at the bottom of
>> my email as [1] (for 1.1.0) and [2] (for 1.0.0).
>
> Thanks, those are helpful.
>
> The logs contain internal server names and IP addresses. The nifi-app.log
> does not seem to have any more information, only an unrelated error repeated
> over and over.
>
> Here is the nifi-user.log error (obfuscated-IP 1.2.3.4 is my PC connecting
> to the server GUI, 5.6.7.8 is the node IP, server name
> "common.name.server.company.com" is the common name of the certificate in
> the keystore file, and server name "this.server.company.com" is the current
> server node.):
>
> ====
> GUI:
> ====
> Access Denied
> home
> Untrusted proxy CN=common.name.server.company.com, O=UnitedHealth Group
> Inc., L=Plymouth, ST=Minnesota, C=US
>
> ==============
> nifi-user.log:
> ==============
> 2017-01-24 08:35:47,051 INFO [NiFi Web Server-81306]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for
> ([email protected], CN=bmichau1, CN=Users, DC=ms, DC=ds,
> DC=uhc, DC=com) GET
> https://this.server.company.com:9443/nifi-api/flow/current-user (source ip:
> 1.2.3.4)
> 2017-01-24 08:35:47,051 INFO [NiFi Web Server-81306]
> o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
> [email protected], CN=bmichau1, CN=Users, DC=ms, DC=ds,
> DC=uhc, DC=com
> 2017-01-24 08:35:47,127 INFO [NiFi Web Server-81360]
> o.a.n.w.s.NiFiAuthenticationFilter Attempting request for
> (<[email protected], CN=bmichau1, CN=Users, DC=ms, DC=ds,
> DC=uhc, DC=com><CN=common.name.server.company.com, O=UnitedHealth Group
> Inc., L=Plymouth, ST=Minnesota, C=US>) GET
> https://this.server.company.com:9443/nifi-api/flow/current-user (source ip:
> 5.6.7.8)
> 2017-01-24 08:35:47,129 INFO [NiFi Web Server-81360]
> o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted
> proxy CN=common.name.server.company.com, O=UnitedHealth Group Inc.,
> L=Plymouth, ST=Minnesota, C=US
> [email protected]:/app_2/runtime/nifi/logs
>
>
>
> --
> View this message in context:
> http://apache-nifi-developer-list.39713.n7.nabble.com/NiFi-1-1-1-can-t-start-as-a-cluster-OverlappingFileLockException-tp14486p14508.html
> Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.
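
Added example (not part of the original messages and not NiFi code): a check that takes the DNs named in "Untrusted proxy" rejections in nifi-user.log and reports which of them are missing from users.xml or lack R or W on /proxy in authorizations.xml. The host names, identifiers and log lines are constructed, and the exact string comparison of identities is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files modelled on the layout in the message above.
USERS_XML = """<tenants><groups/><users>
  <user identifier="abc" identity="CN=admin, OU=example"/>
  <user identifier="def" identity="CN=node1.example.com, O=Example, C=US"/>
  <user identifier="ghi" identity="CN=node2.example.com, O=Example, C=US"/>
</users></tenants>"""

AUTHZ_XML = """<authorizations><policies>
  <policy identifier="1" resource="/flow" action="R"><user identifier="abc"/></policy>
  <policy identifier="9" resource="/proxy" action="R">
    <user identifier="def"/><user identifier="ghi"/></policy>
  <policy identifier="10" resource="/proxy" action="W"><user identifier="def"/></policy>
</policies></authorizations>"""

# Constructed nifi-user.log lines (one event per line, unwrapped).
USER_LOG = """\
2017-01-24 08:35:47,129 INFO [NiFi Web Server-1] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=node2.example.com, O=Example, C=US
2017-01-24 08:35:48,002 INFO [NiFi Web Server-2] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=node3.example.com, O=Example, C=US
"""

def untrusted_proxies(log_text):
    """Return the distinct DNs named in 'Untrusted proxy' rejections, in order."""
    hits = re.findall(r"Untrusted proxy (.+)$", log_text, flags=re.M)
    return list(dict.fromkeys(h.strip() for h in hits))

def proxy_gaps(users_xml, authz_xml, node_dns):
    """Map each node DN to what it lacks: 'user', or the missing /proxy actions."""
    ids = {u.get("identity"): u.get("identifier")
           for u in ET.fromstring(users_xml).findall("users/user")}
    granted = {}  # user identifier -> set of actions held on /proxy
    for pol in ET.fromstring(authz_xml).iter("policy"):
        if pol.get("resource") == "/proxy":
            for u in pol.findall("user"):
                granted.setdefault(u.get("identifier"), set()).add(pol.get("action"))
    gaps = {}
    for dn in node_dns:
        if dn not in ids:  # assumption: identities are compared as exact strings
            gaps[dn] = ["user"]
        else:
            missing = sorted({"R", "W"} - granted.get(ids[dn], set()))
            if missing:
                gaps[dn] = missing
    return gaps

if __name__ == "__main__":
    print(proxy_gaps(USERS_XML, AUTHZ_XML, untrusted_proxies(USER_LOG)))
```

Run it on each node against that node's own copies of the two files, since a node missing from either file on any one host can produce the same rejection.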
