Thanks, Kawamura-san.

-----Original Message-----
From: Koji Kawamura [mailto:[email protected]]
Sent: Monday, September 12, 2016 2:08 AM
To: [email protected]
Subject: Re: Interesting Site-to-Site quirk with nifi.security.identity.mapping.pattern.dn

Hello Peter,

Thanks for reporting this! I agree with you and feel this needs to be fixed. I'm going to work on this.

Koji

On Mon, Sep 12, 2016 at 12:41 PM, Peter Wicks (pwicks) <[email protected]> wrote:
> I’ve been playing with site-to-site and found an interesting quirk. I had the full DNs from my certificates for my usernames, but decided to set up nifi.security.identity.mapping patterns for both the DNs and for Kerberos, which, by the way, works great for normal users.
>
> I renamed just my own account in users.xml so I could log in. I was getting site-to-site login errors, so I renamed the user accounts to be just the CN name, and in nifi-user.log I started seeing successful authentications.
>
> Then I started seeing this message in the nifi-app.log, and eventually it started showing up as bulletin messages:
>
> EndpointConnectionPool[Cluster URL=https://host1:8443/nifi] failed to communicate with Peer[url=nifi://host1:8500,CLOSED] due to org.apache.nifi.remote.exception.HandshakeException: Received unexpected response
>
> User Not Authorized: StandardRootGroupPort[id=1c60dcc0-0157-1000-c554-002d2b3e3702] authorization failed for user [email protected], CN=host2, OU=ou, O=Micron Technology Inc., L=Boise, ST=ID, C=US because Unknown user with identity '[email protected], CN=host2, OU=ou, O=Micron Technology Inc., L=Boise, ST=ID, C=US'.
>
> I worked around my site-to-site auth issue by adding a second account with the full DN from the certificate. This allowed site-to-site to start working again.
>
> This feels like a bug in Site-to-Site (StandardRootGroupPort). I cut a Jira for it: https://issues.apache.org/jira/browse/NIFI-2757.
>
> If I’m missing something from a configuration perspective, please let me know.
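To make the quirk described in the thread concrete, here is an added Python model of NiFi-style identity mapping and of the two authorization lookups Peter observed. It is not code from the thread or from NiFi (which is Java and applies the mapping internally); it only mimics the regex-plus-`$n`-substitution behaviour of the `nifi.security.identity.mapping.pattern.<name>` / `value.<name>` properties. The concrete pattern and value, the `kerb` mapping and its realm, the sample DN (with a placeholder e-mail address) and the user set are all assumptions, since the thread does not show Peter's actual configuration. It goes one step beyond the thread by also running a Kerberos principal through the same mapper.

```python
import re

# Hypothetical mapping properties (name -> (pattern, value)). NiFi reads these from
# nifi.properties as nifi.security.identity.mapping.pattern.<name> and
# nifi.security.identity.mapping.value.<name>; the values below are assumptions.
MAPPINGS = {
    # dn: keep only the CN attribute of a certificate subject DN
    "dn":   (r"^.*CN=([^,]+),.*$", "$1"),
    # kerb: strip the realm from a Kerberos principal (realm is a constructed example)
    "kerb": (r"^(.*?)@EXAMPLE\.COM$", "$1"),
}


def map_identity(identity, mappings=MAPPINGS):
    """Apply the first mapping whose pattern matches the whole identity string.

    Capture groups are substituted into the value template as $1..$n.
    If no pattern matches, the identity is returned unchanged, which is
    also what happens to a DN without a CN attribute.
    """
    for pattern, value in mappings.values():
        m = re.fullmatch(pattern, identity)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), value)
    return identity


# Constructed DN in the shape of the one in the log line; the e-mail address is a placeholder.
SAMPLE_DN = ("EMAILADDRESS=placeholder@example.com, CN=host2, OU=ou, "
             "O=Micron Technology Inc., L=Boise, ST=ID, C=US")

# users.xml after the renaming described in the thread: accounts keyed by the mapped CN identity.
USERS_BY_CN = {"host1", "host2"}


def authorize(identity, known_users):
    """Minimal authorizer: the identity must exist exactly as a known user."""
    return identity in known_users


def authorize_web_request(dn, known_users=USERS_BY_CN):
    """UI / REST path: mapping is applied before the lookup, so the CN account is found."""
    return authorize(map_identity(dn), known_users)


def authorize_site_to_site(dn, known_users=USERS_BY_CN):
    """Behaviour the nifi-app.log shows: the port looks up the raw certificate DN."""
    return authorize(dn, known_users)


def with_workaround(known_users, dn):
    """Peter's workaround: add a second account holding the full DN from the certificate."""
    return known_users | {dn}


if __name__ == "__main__":
    print(map_identity(SAMPLE_DN))                  # host2
    print(authorize_web_request(SAMPLE_DN))         # True
    print(authorize_site_to_site(SAMPLE_DN))        # False -> "Unknown user with identity ..."
    print(authorize_site_to_site(SAMPLE_DN, with_workaround(USERS_BY_CN, SAMPLE_DN)))  # True
```

The contrast between `authorize_web_request` and `authorize_site_to_site` is the whole quirk: the same certificate yields a successful authentication in nifi-user.log but an "Unknown user" failure on the root group port, and adding the unmapped DN as a second account makes both paths pass, at the cost of maintaining two identities per host until the mapping is applied consistently.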
