[ https://issues.apache.org/jira/browse/NIFI-2550?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15452708#comment-15452708 ]

ASF GitHub Bot commented on NIFI-2550:
--------------------------------------

Github user ijokarumawak commented on the issue:

    https://github.com/apache/nifi/pull/971
  
    ## Accessibility test of NiFi.Q based on Policies on NiFi.P
    
    NiFi.Q (RPG) <--pulls data from-- NiFi.P (output-port)
    
    I've done the following test with the output port. I did the same test for the input port, too, and got the same behavior.
    
    ### 'retrieve site-to-site details' policy
    1. OK: Without NiFi.Q group: RPG can't retrieve site-to-site info [1]
    2. OK: With NiFi.Q group: RPG can retrieve site-to-site info, but since NiFi.Q is not allowed to access NiFi.P's port, it can't see any port [2]
    
    ### 'send data via site-to-site' policy
    1. OK: Without NiFi.Q group: NiFi.Q can't see any port [2]
    2. OK: With NiFi.Q group: NiFi.Q can see the output port [3]
    3. OK: By enabling transmission, NiFi.Q can receive data from the output port [4]
    4. What if the NiFi.Q group is removed from this policy at this point? NiFi.Q started receiving 403, but there is no indication on the UI other than the red warning mark on the relationship [5]. Adding the NiFi.Q group to the policy recovers data transfer. [6]
    5. How about RAW socket? A "User not authorized" error is shown on the bulletin board, and the output port reports an error, too [7]
    
    ### Result
    
    Confirmed that this PR relaxes the SiteToSiteResource authorization check and addresses the policy setting issue reported by [NIFI-2550](https://issues.apache.org/jira/browse/NIFI-2550).
    
    By doing steps 4 and 5, I noticed there's a difference in how the NiFi UI reports auth errors to the end user. I will submit another JIRA for this.
    
    ### Evidence:
    
    [1]
    Policies on NiFi.P
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137130/1bdd1684-6fe2-11e6-80cd-b8931d09b9b6.png)
    
    ```
    2016-08-31 01:56:39,479 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) GET https://0.p.nifi.aws.mine:8443/nifi-api/site-to-site (source ip: 172.31.28.33)
    2016-08-31 01:56:39,479 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
    2016-08-31 01:56:39,479 INFO [NiFi Web Server-292] o.a.n.w.a.c.AccessDeniedExceptionMapper L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine does not have permission to access the requested resource. Returning Forbidden response.
    ```
    
    RPG on NiFi.Q
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137173/4948a19c-6fe2-11e6-8d25-51fbb2e78468.png)
    
    [2]
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137192/558638e8-6fe2-11e6-9e3a-e5ba02a4775a.png)
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137203/5e2e1592-6fe2-11e6-9d3e-af5e8e38fd0d.png)
    
    ```
    2016-08-31 01:59:29,223 INFO [NiFi Web Server-289] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) GET https://0.p.nifi.aws.mine:8443/nifi-api/site-to-site (source ip: 172.31.28.33)
    2016-08-31 01:59:29,223 INFO [NiFi Web Server-289] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
    2016-08-31 01:59:29,230 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine><L=0.p.nifi.aws.mine, C=US, CN=0.p.nifi.aws.mine>) GET https://0.p.nifi.aws.mine:8443/nifi-api/site-to-site (source ip: 172.31.28.12)
    2016-08-31 01:59:29,231 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
    ```
    
    NiFi.Q can access the port
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137231/817f0786-6fe2-11e6-95a9-f865ee2623cf.png)
    
    [3]
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137293/b56497aa-6fe2-11e6-86b5-cc2d1f417905.png)
    
    [4]
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137315/ca4eeb66-6fe2-11e6-8255-3ab082895478.png)
    
    ```
    2016-08-31 02:08:03,474 INFO [NiFi Web Server-335] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) POST https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions (source ip: 172.31.28.33)
    2016-08-31 02:08:03,479 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) GET https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions/f6caf1f3-846c-42f6-8084-51f1883c07b2/flow-files (source ip: 172.31.28.33)
    2016-08-31 02:08:05,841 INFO [NiFi Web Server-443] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) DELETE https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions/f6caf1f3-846c-42f6-8084-51f1883c07b2 (source ip: 172.31.28.33)
    2016-08-31 02:08:05,841 INFO [NiFi Web Server-443] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
    ```
    
    [5]
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137348/e4dbff14-6fe2-11e6-8d07-01556d559a0d.png)
    
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137351/e9ed398c-6fe2-11e6-81ca-330ad87adeb5.png)
    
    NiFi.P's log
    ```
    2016-08-31 02:22:26,449 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) POST https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions (source ip: 172.31.28.33)
    2016-08-31 02:22:26,449 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
    2016-08-31 02:22:26,449 INFO [NiFi Web Server-292] o.a.n.w.a.c.AccessDeniedExceptionMapper L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine does not have permission to access the requested resource. Returning Forbidden response.
    ```
    
    NiFi.Q's log
    ```
    2016-08-31 02:22:26,445 DEBUG [Timer-Driven Process Thread-3] o.a.n.r.util.SiteToSiteRestApiClient initiateTransaction responseCode=403
    2016-08-31 02:22:26,445 DEBUG [Timer-Driven Process Thread-3] o.a.n.r.util.SiteToSiteRestApiClient readResponse responseMessage=Unable to perform the desired action due to insufficient permissions. Contact the system administrator.
    ```
    
    [6]
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137422/3b6bbcca-6fe3-11e6-89dc-6af1c49f749a.png)
    
    [7]
    RAW socket transfer protocol
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137498/7d083514-6fe3-11e6-9752-fb60f134e064.png)
    
    ```
    2016-08-31 02:44:12,080 ERROR [Timer-Driven Process Thread-7] o.a.nifi.remote.StandardRemoteGroupPort
    org.apache.nifi.remote.exception.HandshakeException: Received unexpected response User Not Authorized: StandardRootGroupPort[id=f46f3046-c250-1f1b-0000-0000029f9794] authorization failed for user L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine because Access is denied
            at org.apache.nifi.remote.protocol.socket.SocketClientProtocol.handshake(SocketClientProtocol.java:179) ~[nifi-site-to-site-client-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
            at org.apache.nifi.remote.protocol.socket.SocketClientProtocol.handshake(SocketClientProtocol.java:105) ~[nifi-site-to-site-client-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    ```
    
    
![image](https://cloud.githubusercontent.com/assets/1107620/18137520/955e60d4-6fe3-11e6-8612-f82cf75a1c5f.png)
    
    ```
    2016-08-31 02:48:16,499 WARN [Site-to-Site Worker Thread-46] o.a.nifi.remote.StandardRootGroupPort StandardRootGroupPort[id=f46f3046-c250-1f1b-0000-0000029f9794] authorization failed for user L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine because Access is denied
    ```
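The NiFi.P log excerpts quoted in the comment above show the pattern a defender can monitor for: `NiFiAuthenticationFilter` logs each request together with the requesting identity (or the proxied identity chain, in angle brackets), and `AccessDeniedExceptionMapper` logs the Forbidden response on the same web-server thread. The Python script below, added here as an example and not part of the pull request or of NiFi's own code, correlates the two so that an operator sees which identity was refused which site-to-site API call even when, as in step 4, the UI shows nothing. The sample log is constructed from the lines shown in the evidence above, re-joined onto single lines; pairing an attempt with a denial by thread name is an assumption about how the lines relate, not something NiFi documents.

```python
import re
from urllib.parse import urlparse
from typing import Dict, List, Optional, Tuple

# Constructed sample: nifi-user.log lines of the kind NiFi.P logged during the test
# above, re-joined onto single lines. Identities and thread names mirror the evidence.
SAMPLE_LOG = """\
2016-08-31 01:56:39,479 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) GET https://0.p.nifi.aws.mine:8443/nifi-api/site-to-site (source ip: 172.31.28.33)
2016-08-31 01:56:39,479 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
2016-08-31 01:56:39,479 INFO [NiFi Web Server-292] o.a.n.w.a.c.AccessDeniedExceptionMapper L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine does not have permission to access the requested resource. Returning Forbidden response.
2016-08-31 01:59:29,230 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine><L=0.p.nifi.aws.mine, C=US, CN=0.p.nifi.aws.mine>) GET https://0.p.nifi.aws.mine:8443/nifi-api/site-to-site (source ip: 172.31.28.12)
2016-08-31 01:59:29,231 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine
2016-08-31 02:22:26,449 INFO [NiFi Web Server-292] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine) POST https://0.p.nifi.aws.mine:8443/nifi-api/data-transfer/output-ports/f46f3046-c250-1f1b-0000-0000029f9794/transactions (source ip: 172.31.28.33)
2016-08-31 02:22:26,449 INFO [NiFi Web Server-292] o.a.n.w.a.c.AccessDeniedExceptionMapper L=0.q.nifi.aws.mine, C=US, CN=0.q.nifi.aws.mine does not have permission to access the requested resource. Returning Forbidden response.
"""

# "Attempting request for (<identity chain>) METHOD URL (source ip: X)"
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \w+ \[(?P<thread>[^\]]+)\] [\w.]*NiFiAuthenticationFilter "
    r"Attempting request for \((?P<chain>.*?)\) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"\(source ip: (?P<ip>[^)]+)\)$"
)
# "<identity> does not have permission to access the requested resource."
DENY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \w+ \[(?P<thread>[^\]]+)\] [\w.]*AccessDeniedExceptionMapper "
    r"(?P<identity>.+?) does not have permission to access the requested resource"
)


def parse_chain(chain: str) -> List[str]:
    """'<A><B>' -> ['A', 'B']; a bare 'A' -> ['A']. The first entry is the
    identity that originated the request; later entries are proxies."""
    if chain.startswith("<"):
        return chain.strip("<>").split("><")
    return [chain]


def denied_requests(log_text: str) -> List[Dict[str, object]]:
    """Pair each Forbidden response with the request the same web-server thread
    was handling (assumed correlation key) and return one record per denial."""
    pending: Dict[str, Dict[str, object]] = {}   # thread name -> latest attempt on it
    denied: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            chain = parse_chain(m["chain"])
            pending[m["thread"]] = {
                "ts": m["ts"],
                "requester": chain[0],
                "proxy_chain": chain[1:],
                "method": m["method"],
                "path": urlparse(m["url"]).path,
                "source_ip": m["ip"],
            }
            continue
        m = DENY_RE.match(line)
        if m:
            attempt = pending.pop(m["thread"], None)
            if attempt is not None and attempt["requester"] == m["identity"]:
                denied.append(attempt)
            else:
                # Denial with no matching attempt on this thread: still report it,
                # just without the request details.
                denied.append({"ts": m["ts"], "requester": m["identity"],
                               "proxy_chain": [], "method": None,
                               "path": None, "source_ip": None})
    return denied


def summarize(denied: List[Dict[str, object]]) -> Dict[Tuple[object, object], int]:
    """Count denials per (requesting identity, API path) for a quick triage view."""
    counts: Dict[Tuple[object, object], int] = {}
    for d in denied:
        key = (d["requester"], d["path"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (who, path), n in summarize(denied_requests(SAMPLE_LOG)).items():
        print(f"{n}x FORBIDDEN  {who}  ->  {path}")
```

Run against a real nifi-user.log, a denial of `/nifi-api/site-to-site` points at the 'retrieve site-to-site details' policy, while a denial under `/nifi-api/data-transfer/...` points at the port's send/receive policy; the proxied-chain form is parsed too so that cluster-internal replication requests are attributed to the originating node rather than to the proxy.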


> Input port requires 'receive data via site-to-site' policy for both ends
> ------------------------------------------------------------------------
>
>                 Key: NIFI-2550
>                 URL: https://issues.apache.org/jira/browse/NIFI-2550
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.0.0
>         Environment: Site-to-Site, Secure Cluster to Secure Cluster
>            Reporter: Koji Kawamura
>         Attachments: screenshot-1.png, screenshot-2.png
>
>
> I'm trying to setup a Site-to-Site connection between two NiFi clusters (P 
> and Q). Both secured.
> At NiFi Q, there's an input-port, then NiFi P sends data to it.
> NiFi P -> https -> NiFi Q
> NiFi P has two nodes, so I created a group 'p-nifi' having the node identities 
> on NiFi Q. Then I added the 'p-nifi' group to the 'retrieve site-to-site detail' policy. 
> Confirmed that the NiFi P Remote Process Group can get site-to-site detail. 
> [screenshot-1|https://issues.apache.org/jira/secure/attachment/12823222/screenshot-1.png]
> However, it couldn't access the input-port.
> I've added the 'p-nifi' group to the 'receive data via site-to-site' policy of the 
> input-port, but it still can't be accessed. 
> [screenshot-2|https://issues.apache.org/jira/secure/attachment/12823223/screenshot-2.png]
> I found that 
> org.apache.nifi.authorization.resource.DataAuthorizable.checkAuthorization 
> checks all the DN chain. By debugging, I found that it checks not only NiFi P 
> nodes, but also NiFi Q nodes. The DN chain looked like below:
> [L=1.p.nifi, C=US, CN=1.p.nifi, L=0.q.nifi, C=US, CN=0.q.nifi, L=1.q.nifi, 
> C=US, CN=1.q.nifi]
> After adding 'q-nifi' group to the input port policy, NiFi P can access the 
> remote input port.
> There may be some reason for doing this, but as a user, I didn't expect that 
> I would need to add NiFi Q to that policy.
> Is this expected behavior?
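To make the chain check described in the issue concrete, here is a small Python model, added as an example and not NiFi's own `DataAuthorizable` code, of how a 'receive data via site-to-site' policy granted to groups is evaluated against the proxied DN chain the reporter saw in the debugger. The group names and identities are constructed from the issue text; `check_whole_chain` reproduces the behaviour the reporter observed (every identity in the chain must be authorized), and `check_requester_only` is a hypothetical comparison added here to show the difference in required policy entries, not a statement of what PR 971 changed.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Group membership as the reporter configured it: each cluster's node identities
# collected into one group (constructed values mirroring the issue text).
GROUPS: Dict[str, Set[str]] = {
    "p-nifi": {"L=0.p.nifi, C=US, CN=0.p.nifi", "L=1.p.nifi, C=US, CN=1.p.nifi"},
    "q-nifi": {"L=0.q.nifi, C=US, CN=0.q.nifi", "L=1.q.nifi, C=US, CN=1.q.nifi"},
}

# DN chain as the reporter saw it: the sending P node first, followed by the
# Q nodes that proxied the request inside the receiving cluster.
OBSERVED_CHAIN: List[str] = [
    "L=1.p.nifi, C=US, CN=1.p.nifi",
    "L=0.q.nifi, C=US, CN=0.q.nifi",
    "L=1.q.nifi, C=US, CN=1.q.nifi",
]


def groups_of(identity: str) -> Set[str]:
    """Names of all groups that list this identity as a member."""
    return {name for name, members in GROUPS.items() if identity in members}


def is_authorized(identity: str, policy: Set[str]) -> bool:
    """A policy is a set of user identities and/or group names; an identity passes
    if it is listed directly or belongs to a listed group."""
    return identity in policy or bool(groups_of(identity) & policy)


def check_whole_chain(chain: Iterable[str], policy: Set[str]) -> Tuple[bool, List[str]]:
    """Behaviour the reporter observed: every identity in the proxied chain must be
    authorized. Returns (allowed, identities that were not authorized)."""
    failed = [dn for dn in chain if not is_authorized(dn, policy)]
    return (not failed, failed)


def check_requester_only(chain: List[str], policy: Set[str]) -> bool:
    """Hypothetical comparison (not NiFi's code): only the originating identity,
    chain[0], is checked; the proxy identities are ignored."""
    return is_authorized(chain[0], policy)


if __name__ == "__main__":
    # The reporter's first attempt: only the remote cluster's group on the policy.
    print(check_whole_chain(OBSERVED_CHAIN, {"p-nifi"}))
    # What made it work: the local cluster's own node group added as well.
    print(check_whole_chain(OBSERVED_CHAIN, {"p-nifi", "q-nifi"}))
    # Under a requester-only rule the first policy would already have sufficed.
    print(check_requester_only(OBSERVED_CHAIN, {"p-nifi"}))
```

The model makes the trade-off visible: under the whole-chain rule an administrator must grant the receiving cluster's own node group 'receive data' on its own port, which is the extra, surprising policy entry the issue describes.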



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
