Have you added each Node's identity to the Authorizers list (see https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#cluster-node-identities )?
Note that the Nodes have to appear in the userGroupProvider section as an "Initial User Identity" as well as in the accessPolicyProvider as "Node Identity" elements. These additions should mark each of the NiFi nodes as having "Proxy" permissions within the cluster, which means users can then connect through any of the nodes (where they will be identified and granted any assigned policies).

---
*Chris Sampson*
IT Consultant
[email protected]
<https://www.naimuri.com/>

On Tue, 22 Dec 2020 at 13:41, MUTHUKRISHNAN, KARTHIKEYAN <[email protected]> wrote:

> Hi Team,
>
> I have created a NiFi cluster with 3 nodes and configured SSL for all 3 with self signed certs generated for all 3 nodes and an admin user cert. I have also configured authorization.xml and nifi.properties accordingly as prescribed. I can see users.xml and authorizers.xml getting generated properly with Initial Admin configured with cert admin id. All looks good in my config files. But I am getting the following error in the UI: Insufficient Permissions Untrusted proxy CN=XXXX.YY.ZZ.com, OU=NIFI
>
> The nifi-user logs show the errors below:
>
> 2020-12-22 13:05:27,375 INFO [NiFi Web Server-61] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifi-admin) GET https://XXXX.YY.ZZ.com:9443/nifi-api/flow/current-user (source ip: xx.xx.xx.xxx)
> 2020-12-22 13:05:27,380 INFO [NiFi Web Server-61] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifi-admin
> 2020-12-22 13:05:53,219 INFO [NiFi Web Server-61] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<CN=nifi-admin><CN=XXXX.YY.ZZ.com, OU=NIFI>) GET https://XXXX.YY.ZZ.com:9443/nifi-api/flow/current-user (source ip: 130.6.168.62)
> 2020-12-22 13:05:53,226 WARN [NiFi Web Server-61] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=XXXX.YY.ZZ.com, OU=NIFI
>
> Could you please help me to narrow down if I am missing anything other than what is specified in the documentation?
>
> Thanks & Regards,
> M.Karthikeyan.
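
One way to check the point made in the reply above, as an added example that is not part of the original thread or of NiFi itself: the script reads an authorizers.xml and reports every node DN that is missing from the userGroupProvider ("Initial User Identity") or the accessPolicyProvider ("Node Identity"). The hostnames, the sample XML and the function names are constructed for illustration, and the near-match check assumes identities are compared as exact strings.

```python
import xml.etree.ElementTree as ET

# Constructed sample: node2 has no "Node Identity" entry, and node3's
# "Initial User Identity" lacks the space after the comma.
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <property name="Initial User Identity 1">CN=nifi-admin</property>
    <property name="Initial User Identity 2">CN=node1.example.com, OU=NIFI</property>
    <property name="Initial User Identity 3">CN=node2.example.com, OU=NIFI</property>
    <property name="Initial User Identity 4">CN=node3.example.com,OU=NIFI</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <property name="Initial Admin Identity">CN=nifi-admin</property>
    <property name="Node Identity 1">CN=node1.example.com, OU=NIFI</property>
    <property name="Node Identity 2">CN=node3.example.com, OU=NIFI</property>
  </accessPolicyProvider>
</authorizers>"""
NODE_DNS = [f"CN=node{i}.example.com, OU=NIFI" for i in (1, 2, 3)]  # constructed
REQUIRED = {"userGroupProvider": "Initial User Identity",
            "accessPolicyProvider": "Node Identity"}

def _values(root, section, prefix):
    """Non-empty values of <property name="<prefix> N"> inside <section>."""
    return {p.text.strip() for sec in root.iter(section)
            for p in sec.findall("property")
            if p.get("name", "").startswith(prefix) and p.text and p.text.strip()}

def _norm(dn):
    return "".join(dn.split()).lower()  # ignore whitespace and case

def check_node_identities(xml_text, node_dns):
    """Return (dn, section, near_match) for each node DN a section lacks."""
    root = ET.fromstring(xml_text)
    findings = []
    for dn in node_dns:
        for section, prefix in REQUIRED.items():
            present = _values(root, section, prefix)
            if dn not in present:
                # Assumption: exact string comparison, so a value differing
                # only in spacing or case is reported as a near match.
                near = sorted(v for v in present if _norm(v) == _norm(dn))
                findings.append((dn, section, near[0] if near else None))
    return findings

if __name__ == "__main__":
    for dn, section, near in check_node_identities(SAMPLE_AUTHORIZERS, NODE_DNS):
        print(f"{section}: missing {dn!r}" + (f" (near match {near!r})" if near else ""))
```

Pass the DN strings exactly as they appear in the "Untrusted proxy" log message, since that is the identity the node presented.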
