Pierre Villard created NIFI-11775:
-------------------------------------
Summary: NiFi CLI is unauthorized with GCP load balancer
Key: NIFI-11775
URL: https://issues.apache.org/jira/browse/NIFI-11775
Project: Apache NiFi
Issue Type: Bug
Components: Tools and Build
Affects Versions: 1.22.0
Environment: openjdk version "17.0.7" 2023-04-18 LTS
OpenJDK Runtime Environment Zulu17.42+19-CA (build 17.0.7+7-LTS)
OpenJDK 64-Bit Server VM Zulu17.42+19-CA (build 17.0.7+7-LTS, mixed mode, sharing)
Reporter: Pierre Villard
* 3 nodes cluster on GCP behind load balancer
* Certs for nodes and LB generated with NiFi CA
* Load balancer is configured with sticky session
When using the CLI through the LB:
{code:java}
./nifi-toolkit-1.22.0/bin/cli.sh nifi get-nodes -p ./nifi-cli.properties -verbose
ERROR: Error executing command 'get-nodes' : Error retrieving node status: Unauthorized
org.apache.nifi.toolkit.cli.api.CommandException: Error executing command 'get-nodes' : Error retrieving node status: Unauthorized
    at org.apache.nifi.toolkit.cli.impl.command.nifi.AbstractNiFiCommand.doExecute(AbstractNiFiCommand.java:65)
    at org.apache.nifi.toolkit.cli.impl.command.AbstractPropertyCommand.execute(AbstractPropertyCommand.java:74)
    at org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.processCommand(CommandProcessor.java:252)
    at org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.processGroupCommand(CommandProcessor.java:233)
    at org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.process(CommandProcessor.java:188)
    at org.apache.nifi.toolkit.cli.CLIMain.runSingleCommand(CLIMain.java:145)
    at org.apache.nifi.toolkit.cli.CLIMain.main(CLIMain.java:72)
Caused by: org.apache.nifi.toolkit.cli.impl.client.nifi.NiFiClientException: Error retrieving node status: Unauthorized
    at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:90)
    at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyControllerClient.getNodes(JerseyControllerClient.java:191)
    at org.apache.nifi.toolkit.cli.impl.command.nifi.nodes.GetNodes.doExecute(GetNodes.java:49)
    at org.apache.nifi.toolkit.cli.impl.command.nifi.nodes.GetNodes.doExecute(GetNodes.java:34)
    at org.apache.nifi.toolkit.cli.impl.command.nifi.AbstractNiFiCommand.doExecute(AbstractNiFiCommand.java:63)
    ... 6 more
Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
    at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:942)
    at org.glassfish.jersey.client.JerseyInvocation.translate(JerseyInvocation.java:755)
    at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:675)
    at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:697)
    at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:691)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
    at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:691)
    at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:674)
    at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:422)
    at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:318)
    at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyControllerClient.lambda$getNodes$8(JerseyControllerClient.java:194)
    at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:76)
{code}
When using the CLI with direct access to a node:
{code:java}
./nifi-toolkit-1.22.0/bin/cli.sh nifi get-nodes -p ./nifi-cli.properties -verbose
#   Node ID                                Node Address   API Port   Node Status
-   ------------------------------------   ------------   --------   -----------
0   1e1f3c33-0378-4de3-81b7-7c1edd333f8e   nifi-1         8443       CONNECTED
1   e7cb1ff8-7c15-4911-9d91-e0080ae42baf   nifi-2         8443       CONNECTED
2   d86e4cc6-0a1c-496e-aca2-8803df17319e   nifi-3         8443       CONNECTED
{code}
When the request is unauthorized, the only log I have in nifi-request.log:
{code:java}
35.191.13.212 - - [01/Jul/2023:23:08:35 +0000] "GET /nifi-api/controller/cluster HTTP/1.1" 401 12 "-" "Jersey/2.39.1 (HttpUrlConnection 11.0.18)"
{code}
If switching logging to DEBUG on org.springframework.security, I get one
additional log:
{code:java}
2023-07-03 15:13:39,232 DEBUG [NiFi Web Server-24] o.s.security.web.FilterChainProxy Securing GET /controller/cluster
{code}
In addition to solving this issue (could be related to how the CLI is dealing
with custom HTTP headers and the XSRF Token cookie), it could be nice to have
more logs when something like this happens.