Paul, Clustering is not a requirement for site-to-site... This sounds strange since "anonymous" is used to represent a user when NiFi is not secured.
Can you double-check all your configs and make sure you have the following properties set... nifi.remote.input.secure=true nifi.web.https.host= nifi.web.https.port= nifi.security.keystore= nifi.security.keystoreType= nifi.security.keystorePasswd= nifi.security.keyPasswd= nifi.security.truststore= nifi.security.truststoreType= nifi.security.truststorePasswd=<your password> After your question the other day I went through the steps of setting secure site-to-site to make sure I knew what I was talking about :) I wrote up the steps here: http://bryanbende.com/development/2016/08/30/apache-nifi-1.0.0-secure-site-to-site Thanks, Bryan On Thu, Sep 1, 2016 at 10:44 AM, Paul Gibeault (pagibeault) < [email protected]> wrote: > Bryan, > > > > Thanks for the reply. After increasing the log level for Authentication I > saw the target NiFi instance used the account “anonymous” for the > Site-to-Site connection. After creating a policy for “anonymous”, I was > able to view the remote ports and connect to them. > > > > Obviously this is not ideal. We would prefer to make policies for remote > hosts/users rather than anonymous. > > > > We are using the same SSL Certificate for both Key Store and Trust Store > on a NiFi Instance. This is likely the cause of the “anonymous” user as it > doesn’t have a DN. We are working to correct this. > > > > However, after getting my work flow set up across NiFi instances I see > this error: > > > > Unable to refresh Remote Group's peers due to Unable to communicate with > remote NiFi cluster in order to determine which nodes exist in the remote > cluster > > > > Our NiFi servers are not set up for clustering. Is clustering required to > perform Site-to-Site? > > > > Thanks, > > Paul Gibeault > > > > *From:* Bryan Bende [mailto:[email protected]] > *Sent:* Tuesday, August 30, 2016 5:09 PM > *To:* [email protected] > *Subject:* Re: I need help configuring Site-to-Site in Secure Mode. > > > > Paul, > > > > It sounds like you probably have the certificates/truststores setup > correctly and just need to create the appropriate policies... > > > > Lets say you have nifi-1 with an Remote Process Group pointing at the URL > of nifi-2, and nifi-2 has an Input port to receive data. > > > > In nifi-2 there needs to be a user for the certificate of nifi-1, and then > in the global policies of nifi-2 (top right menu) there needs to be a > policy for "retrieve site-to-site details" with the nifi-1 user added to > the policy. I think this is what is causing the error message you are > seeing since nifi-1 is not authorized to query nifi-2 for site-to-site > information (available ports, etc). > > > > I believe you also need to create a policy on the Input Port on nifi-2... > select the input port and use the lock icon in the left palette and choose > "receive data over site-to-site" and add the user of nifi-1. This gives > nifi-1 access to the specific port. > > > > Let us know if that works. If so we should definitely look at updating > some of the documentation to explain this. > > > > Thanks, > > > > Bryan > > > > > > On Tue, Aug 30, 2016 at 6:28 PM, Paul Gibeault (pagibeault) < > [email protected]> wrote: > > Hello, > > > > We have been attempting to set up Site-to-Site for NiFi in secure mode and > have not been successful. > > > > When I create a Remote Process Group, and enter the URL* > https://servername:8443/nifi I receive an error icon. The hover status > is “Unauthorized” > > ** - servername is the actual hostname running NiFi* > > > > Things I have tried without success: > > - Closely followed the instructions in the NiFi System Administrator’s > Guide > <https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html> > > - Enabled SSL Security and Kerberos User Authentication (no self-signed > certs) > > - Imported public keys of remote NiFi servers into the local keystores for > each instance > > - Created policies on each instance to allow for full permissions to the > accounts in use. > > - Tried various combinations of Linux & Windows instances of NiFi. > > - Connected a Site-to-Site process group to itself > > - Used both 1.0.0-BETA and 1.1.0-SNAPSHOT NiFi versions > > > > There are no warnings or errors in the log files when I attempt to connect > a NiFi instance running on Linux to another instance on Linux. However, I > did see something when attempting to connect a NiFi instance running on > Windows to an instance running on Linux > > From log of NiFi on Windows: > > 2016-08-30 16:11:21,173 ERROR [Remote Process Group > dd2e3ac9-0156-1000-4543-5ba3d10c6130: https://servername:8443/nifi > Thread-1] o.a.n.remote.StandardRemoteProcessGroup org.apache.nifi.remote. > StandardRemoteProcessGroup$InitializationTask@19bde1f3 Failed to request > account: got unexpected response code of 404:Not Found > > > > From log of NiFi on Linux: > > nifi-user.log:2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] > o.a.n.w.s.NiFiAuthenticationFilter > Attempting request for (CN=pagibeault) GET https://servername:8443/nifi- > api/site-to-site (source ip: 137.201.48.150) > > nifi-user.log:2016-08-30 16:39:53,973 INFO [NiFi Web Server-465] > o.a.n.w.s.NiFiAuthenticationFilter > Authentication success for CN=pagibeault > > nifi-user.log:2016-08-30 16:39:53,974 INFO [NiFi Web Server-465] > o.a.n.w.a.c.AccessDeniedExceptionMapper CN=pagibeault does not have > permission to access the requested resource. Returning Forbidden response. > > > > Any guidance would be grand. > > > > Thanks, > > > > [image: http://collab.micron.com/corp/brand/SiteAssets/Micron.png] > <http://www.micron.com/> > > *Paul Gibeault* > Sr. Software Engineer, Big Data > Enterprise Analytics & Data > Micron Technology, Inc. > > *Office* (208) 363-3238 <%28208%29%20363-3238> > > > [email protected] > [image: http://collab.micron.com/corp/brand/SiteAssets/LinkedIn.png] > linkedin.com/in/paulgibeault > <https://www.linkedin.com/in/linkedin.com/in/paulgibeault> > > > > > > >
