Bryan, Thanks for the reply. After increasing the log level for Authentication I saw the target NiFi instance used the account “anonymous” for the Site-to-Site connection. After creating a policy for “anonymous”, I was able to view the remote ports and connect to them.
Obviously this is not ideal. We would prefer to make policies for remote hosts/users rather than anonymous. We are using the same SSL Certificate for both Key Store and Trust Store on a NiFi Instance. This is likely the cause of the “anonymous” user as it doesn’t have a DN. We are working to correct this. However, after getting my work flow set up across NiFi instances I see this error: Unable to refresh Remote Group's peers due to Unable to communicate with remote NiFi cluster in order to determine which nodes exist in the remote cluster Our NiFi servers are not set up for clustering. Is clustering required to perform Site-to-Site? Thanks, Paul Gibeault From: Bryan Bende [mailto:[email protected]] Sent: Tuesday, August 30, 2016 5:09 PM To: [email protected] Subject: Re: I need help configuring Site-to-Site in Secure Mode. Paul, It sounds like you probably have the certificates/truststores setup correctly and just need to create the appropriate policies... Lets say you have nifi-1 with an Remote Process Group pointing at the URL of nifi-2, and nifi-2 has an Input port to receive data. In nifi-2 there needs to be a user for the certificate of nifi-1, and then in the global policies of nifi-2 (top right menu) there needs to be a policy for "retrieve site-to-site details" with the nifi-1 user added to the policy. I think this is what is causing the error message you are seeing since nifi-1 is not authorized to query nifi-2 for site-to-site information (available ports, etc). I believe you also need to create a policy on the Input Port on nifi-2... select the input port and use the lock icon in the left palette and choose "receive data over site-to-site" and add the user of nifi-1. This gives nifi-1 access to the specific port. Let us know if that works. If so we should definitely look at updating some of the documentation to explain this. Thanks, Bryan On Tue, Aug 30, 2016 at 6:28 PM, Paul Gibeault (pagibeault) <[email protected]<mailto:[email protected]>> wrote: Hello, We have been attempting to set up Site-to-Site for NiFi in secure mode and have not been successful. When I create a Remote Process Group, and enter the URL* https://servername:8443/nifi I receive an error icon. The hover status is “Unauthorized” * - servername is the actual hostname running NiFi Things I have tried without success: - Closely followed the instructions in the NiFi System Administrator’s Guide<https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html> - Enabled SSL Security and Kerberos User Authentication (no self-signed certs) - Imported public keys of remote NiFi servers into the local keystores for each instance - Created policies on each instance to allow for full permissions to the accounts in use. - Tried various combinations of Linux & Windows instances of NiFi. - Connected a Site-to-Site process group to itself - Used both 1.0.0-BETA and 1.1.0-SNAPSHOT NiFi versions There are no warnings or errors in the log files when I attempt to connect a NiFi instance running on Linux to another instance on Linux. However, I did see something when attempting to connect a NiFi instance running on Windows to an instance running on Linux From log of NiFi on Windows: 2016-08-30 16:11:21,173 ERROR [Remote Process Group dd2e3ac9-0156-1000-4543-5ba3d10c6130: https://servername:8443/nifi Thread-1] o.a.n.remote.StandardRemoteProcessGroup org.apache.nifi.remote.StandardRemoteProcessGroup$InitializationTask@19bde1f3<mailto:org.apache.nifi.remote.StandardRemoteProcessGroup$InitializationTask@19bde1f3> Failed to request account: got unexpected response code of 404:Not Found From log of NiFi on Linux: nifi-user.log:2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=pagibeault) GET https://servername:8443/nifi-api/site-to-site (source ip: 137.201.48.150) nifi-user.log:2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=pagibeault nifi-user.log:2016-08-30 16:39:53,974 INFO [NiFi Web Server-465] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=pagibeault does not have permission to access the requested resource. Returning Forbidden response. Any guidance would be grand. Thanks, [http://collab.micron.com/corp/brand/SiteAssets/Micron.png]<http://www.micron.com/> Paul Gibeault Sr. Software Engineer, Big Data Enterprise Analytics & Data Micron Technology, Inc. Office (208) 363-3238<tel:%28208%29%20363-3238> [email protected]<mailto:[email protected]> [http://collab.micron.com/corp/brand/SiteAssets/LinkedIn.png] linkedin.com/in/paulgibeault<https://www.linkedin.com/in/linkedin.com/in/paulgibeault>
