I just created a brand-new secured cluster now. NiFi automatically created a policy "view the data" (and others) with the user defined as "Initial Admin Identity" and "Node Identity" in conf/authorizers.xml. It seems to work as expected.
Koji

On Tue, Jun 27, 2017 at 5:26 PM, Koji Kawamura <[email protected]> wrote:
> Hi Takanobu,
>
> Glad to hear that you have it fixed.
>
>> Although I defined the Node Identity before starting the cluster at the first
>> time, it seemed NiFi did not automatically create the policies and I needed
>> to add the Node Identity to the policy explicitly.
>
> Thanks for sharing, ideally NiFi cluster should work without adding
> the policy manually.
> I will try to set up a brand-new secured NiFi cluster to see what
> initial policy setting will look like.
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#cluster-node-identities
>
> Thanks,
> Koji
>
> On Tue, Jun 27, 2017 at 5:08 PM, Takanobu Asanuma
> <[email protected]> wrote:
>> Hi Koji,
>>
>> Thank you for your quick and valuable answer! That's exactly what I need.
>> After adding "Node Identity" of authorizers.xml to the "view the data"
>> policy, the authorized user can list the queue.
>>
>>>> IIRC, if you define the Node Identity before starting the secured cluster
>>>> at the first time, NiFi automatically creates necessary policies for each
>>>> node to proxy user request (I may be wrong on this..).
>>
>> Although I defined the Node Identity before starting the cluster at the first
>> time, it seemed NiFi did not automatically create the policies and I needed
>> to add the Node Identity to the policy explicitly.
>>
>> Thanks again!
>> Takanobu
>>
>> -----Original Message-----
>> From: Koji Kawamura [mailto:[email protected]]
>> Sent: Tuesday, June 27, 2017 2:32 PM
>> To: dev <[email protected]>
>> Subject: Re: Authorization problems of NiFi secured cluster
>>
>> Hello Takanobu,
>>
>> If the issue doesn't happen with standalone mode, I assume it happens
>> because the security policy does not allow NiFi node to "view the data".
>>
>> When a user sends a request to a node within a cluster, the node proxies the
>> request to other nodes within the same cluster.
>> I'd recommend checking if conf/authorizers.xml has Node Identity properties,
>> looks like this:
>>
>> <authorizer>
>> ...
>> <property name="Node Identity 1">CN=localhost, OU=NIFI</property>
>> </authorizer>
>>
>> IIRC, if you define the Node Identity before starting the secured cluster at
>> the first time, NiFi automatically creates necessary policies for each node
>> to proxy user request (I may be wrong on this..). If you already have the
>> cluster started, then you can add NiFi node as a user then add it to the
>> "view the data" policy manually (probably at the root PG's policy would be
>> the most appropriate place).
>>
>> I confirmed that the issue can be reproduced by removing NiFi node user from
>> "view the data" policy.
>>
>> Please try the above and let us know if it addresses your issue.
>>
>> Thanks,
>> Koji
>>
>> On Tue, Jun 27, 2017 at 1:12 PM, Takanobu Asanuma <[email protected]>
>> wrote:
>>> Hello experts,
>>>
>>> When I created a NiFi cluster with security, any users can't list any
>>> queues due to "insufficient permissions" though the users have the
>>> permissions.
>>>
>>> For example, there is a dataflow which contains processor-A and
>>> processor-B, and processor-A is connecting to processor-B. In this case,
>>> even if user1 has the policies which are view/modify the component/data of
>>> processor-A and processor-B, he can't list the queue of the processors.
>>>
>>> This problem only occurs when the secured NiFi instance is clustering mode
>>> (nifi.cluster.is.node=true). If secured NiFi instance is standalone mode,
>>> the problem doesn't happen. I have faced this problem with the latest
>>> release version, 1.3.0. 
>>>
>>> Do you have any thoughts?
>>>
>>> Thanks,
>>> Takanobu Asanuma
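As an added example (not code from this thread or from NiFi itself), a small check for the misconfiguration discussed above: it reads authorizers.xml, users.xml and authorizations.xml and lists every Node Identity that is not granted the root process group's "view the data" policy, which is assumed here to be resource /data/process-groups/<root-id> with action R. The three sample files are constructed inline and their layout is an assumption about the file-based authorizer's format.

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like NiFi's authorizers.xml, users.xml and authorizations.xml (layout assumed).
AUTHORIZERS_XML = """<authorizers><authorizer>
  <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
  <property name="Node Identity 1">CN=node1, OU=NIFI</property>
  <property name="Node Identity 2">CN=node2, OU=NIFI</property>
</authorizer></authorizers>"""

USERS_XML = """<tenants><users>
  <user identifier="u-admin" identity="CN=admin, OU=NIFI"/>
  <user identifier="u-node1" identity="CN=node1, OU=NIFI"/>
</users></tenants>"""

# "view the data" on the root PG is /data/process-groups/<root-id>, action R; node2 was never added.
AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p1" resource="/data/process-groups/root-id" action="R">
    <user identifier="u-admin"/>
    <user identifier="u-node1"/>
  </policy>
  <policy identifier="p2" resource="/proxy" action="W">
    <user identifier="u-node1"/>
  </policy>
</policies></authorizations>"""

def node_identities(authorizers_xml):
    """Every 'Node Identity N' value declared for the authorizer."""
    return [p.text.strip() for p in ET.fromstring(authorizers_xml).iter("property")
            if p.get("name", "").startswith("Node Identity") and p.text]

def identities_with_policy(users_xml, authorizations_xml, resource_prefix, action):
    """Identities (DNs, not identifiers) granted a policy with this resource prefix and action."""
    users = {u.get("identifier"): u.get("identity")
             for u in ET.fromstring(users_xml).iter("user") if u.get("identity")}
    granted = set()
    for pol in ET.fromstring(authorizations_xml).iter("policy"):
        if pol.get("resource", "").startswith(resource_prefix) and pol.get("action") == action:
            granted.update(users[u.get("identifier")] for u in pol.iter("user")
                           if u.get("identifier") in users)
    return granted

def nodes_missing_view_data(authorizers_xml, users_xml, authorizations_xml):
    """Node identities lacking 'view the data'; proxied queue listing fails through them."""
    ok = identities_with_policy(users_xml, authorizations_xml, "/data/process-groups/", "R")
    return [n for n in node_identities(authorizers_xml) if n not in ok]

if __name__ == "__main__":
    for n in nodes_missing_view_data(AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML):
        print("node identity lacks 'view the data':", n)
```

A node that only holds the /proxy policy (node1 in the sample would be such a case if it were dropped from p1) is reported too, which is exactly the situation the thread describes: the node can proxy but the proxied queue listing is denied.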
