Just to confirm, the cluster nodes are also granted access to "view the data"?

That is the main difference between clustered vs non-clustered, so I
would think something is not correct with the access policies for the
nodes.
On Mon, Oct 15, 2018 at 5:29 PM Milan Das <[email protected]> wrote:
>
> Hi Bryan
> Thanks for your response.
> The user has all access including view the data at root processor level. It works when is.cluster is false. It doesn’t work when is.cluster is true.
>
> Thanks,
> Milan Das
>
>
> On 10/15/18, 2:56 PM, "Bryan Bende" <[email protected]> wrote:
>
>     The error message is saying your user does not have permission to view
>     the data for the given processor.
>
>     There is a specific policy for viewing data which is described in the
>     admin guide component policies [1], the policy named "view the data".
>
>     I think you should be able to create the "view the data" policy on the
>     root process group to allow the user to see all data, but I can't
>     remember off the top of my head.
>
>     I think the users representing the nodes also might need to be in that
>     policy as well, since in a cluster the requests are being proxied and
>     it needs to ensure the node proxying the user is also authorized to
>     receive the data.
>
>     [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies
>     On Mon, Oct 15, 2018 at 2:20 PM Milan Das <[email protected]> wrote:
>     >
>     > Hello Nifi Team,
>     >
>     > I am having an issue only when cluster mode is on.
>     >
>     >
>     >
>     > Issue is, I am unable to list Queue on secured cluster. It is communicating on sasl with Zookeeper and the cluster is configured with TLS encryption and nifi.security.user.login.identity.provider=kerberos-provider
>     >
>     >  Queue on Success Queue: My flow is simple GenerateFlowFile (success) --> Funnel.
>     >
>     > Yes I added all policies at root level to user nifiadmin1. This works when I set the cluster to false.
>     >
>     >
>     >
>     > NIFI version : 1.6.0
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     > Error:
>     >
>     >
>     >
>     > 2018-10-14 15:03:21,620 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for [email protected]
>     >
>     > 2018-10-14 15:03:21,621 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[[email protected]], groups[] does not have permission to access the requested resource. Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Returning Forbidden response.
>     >
>     > 2018-10-14 15:03:21,623 INFO [NiFi Web Server-40] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[[email protected]], groups[] does not have permission to access the requested resource. Node ip-172-30-1-235.ec2.internal:8443 is unable to fulfill this request due to: Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Contact the system administrator. Returning Forbidden response.
>     >
>     > 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<[email protected]><CN=ip-172-30-1-235.ec2.internal, O=Interset, ST=California, C=US>) POST https://ip-172-30-1-235.ec2.internal:8443/nifi-api/flowfile-queues/73121f31-0166-1000-0000-000024972726/listing-requests (source ip: 172.30.1.235)
>     >
>     > 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@
>     >
>     >
>     >
>     > Thanks,
>     >
>     > Milan Das
>     >
>
>
>
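
One way to check the point raised in this thread, as an added example that is not part of the original messages or NiFi's own code: it reports which identities (the end user plus every node holding the proxy policy) lack "view the data" on the root process group. It assumes the file-based authorizer's `users.xml` / `authorizations.xml` layout and the resources `/proxy` (W) and `/data/process-groups/<id>` (R); the sample files, identities and `root-pg-id` are constructed, and component-level policy overrides are not examined.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (identities and ids are made up for this example).
USERS_XML = """<tenants>
  <groups><group identifier="g-nodes" name="cluster-nodes">
    <user identifier="u-node1"/><user identifier="u-node2"/></group></groups>
  <users>
    <user identifier="u-admin" identity="nifiadmin1@EXAMPLE.COM"/>
    <user identifier="u-node1" identity="CN=node1.example.internal, O=Example"/>
    <user identifier="u-node2" identity="CN=node2.example.internal, O=Example"/>
  </users></tenants>"""
AUTHZ_XML = """<authorizations><policies>
  <policy identifier="p1" resource="/proxy" action="W">
    <group identifier="g-nodes"/></policy>
  <policy identifier="p2" resource="/data/process-groups/root-pg-id" action="R">
    <user identifier="u-admin"/><user identifier="u-node1"/></policy>
</policies></authorizations>"""

def policy_members(users_xml, authz_xml, resource, action):
    """Identities granted (resource, action), directly or through a group."""
    tenants = ET.fromstring(users_xml)
    identity = {u.get("identifier"): u.get("identity")
                for u in tenants.findall("./users/user")}
    group_users = {g.get("identifier"): [u.get("identifier") for u in g.findall("user")]
                   for g in tenants.findall("./groups/group")}
    members = set()
    for policy in ET.fromstring(authz_xml).findall("./policies/policy"):
        if policy.get("resource") != resource or policy.get("action") != action:
            continue
        ids = [u.get("identifier") for u in policy.findall("user")]
        for g in policy.findall("group"):
            ids += group_users.get(g.get("identifier"), [])
        members.update(identity[i] for i in ids if i in identity)
    return members

def missing_view_data(users_xml, authz_xml, root_pg_id, end_user):
    """The end user and every proxying node must hold 'view the data' (R)."""
    # Assumption: cluster nodes are the identities holding the /proxy policy.
    nodes = policy_members(users_xml, authz_xml, "/proxy", "W")
    allowed = policy_members(users_xml, authz_xml,
                             f"/data/process-groups/{root_pg_id}", "R")
    return sorted((nodes | {end_user}) - allowed)

if __name__ == "__main__":
    for who in missing_view_data(USERS_XML, AUTHZ_XML, "root-pg-id",
                                 "nifiadmin1@EXAMPLE.COM"):
        print("missing 'view the data':", who)
```
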
