Posted to users@nifi.apache.org by Joseph Wheeler <j....@gmail.com> on 2020/03/05 18:19:30 UTC

NiFi to NiFi Registry error: "Untrusted proxy ... for write operation"

Hello!

I am having issues getting NiFi Registry to work properly.

I have NiFi and NiFi Registry running, both configured to use SSL, both
using the same keystore.jks and truststore.jks files, and both with user
accounts mapped to PKI certificate FQDNs. I have no issue logging into the
interfaces for either NiFi or NiFi Registry.

I have added the NiFi Registry URL in NiFi under NiFi settings -> Registry
Clients.

I have created a bucket in NiFi Registry. It is set to be publicly visible
and has a policy created that gives the user group (which I created in NiFi
Registry and has all users in it) all permission options.

In NiFi, I have a user group created with all users in it that have maximum
permissions for all options in NiFi and on the particular NiFi flow we're
working on.

The issue I have is:

1.) I log in to NiFi, right-click a process group (doesn't seem to matter
which one) and click Version -> Start version control.
2.) The Save Flow Version wizard pops up, automatically populated with the
registry name and the bucket name I created in NiFi Registry. I enter
random characters in the 3 empty fields and click Save.
3.) Error message appears:
"Failed to register flow with Flow Registry due to Error creating flow:
Untrusted proxy [*<NIFI SSL CERTIFICATE FQDN>*] for write operation.
Contact the system administrator."

In the nifi-registry-app.log, I see this message:
2020-03-05 18:16:11,272 INFO [NiFi Registry Web Server-17]
o.a.n.r.w.m.AccessDeniedExceptionMapper identity[*<MY CERTIFICATE FQDN>*],
groups[*<MY NIFI GROUP>*] does not have permission to access the requested
resource. Untrusted proxy [*<NIFI SSL CERTIFICATE FQDN>*] for write
operation. Returning Forbidden response.

However, my account has every permission available in both NiFi and
NiFi Registry.

Any idea where to start?

Re: NiFi to NiFi Registry error: "Untrusted proxy ... for write operation"

Posted by Bryan Bende <bb...@gmail.com>.
There was a bug in the 0.5.0 release that caused group-based policies to
not work correctly for proxies [1].

Can you try adding the user that represents the nifi instance directly to
the Proxy policy in registry?

[1] https://issues.apache.org/jira/browse/NIFIREG-358

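A way to audit the situation described in the reply above, as an added example that is not part of the thread and not NiFi Registry's own code: it reports, for each action on the `/proxy` resource, whether an identity is listed on the policy directly or only through a group. It assumes the file-based user group and access policy providers and their `users.xml` / `authorizations.xml` layout; the sample XML, identifiers and identities are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample data (not from the thread); layout assumes the file-based providers.
USERS_XML = """<tenants>
  <groups>
    <group identifier="g-1" name="all-users">
      <user identifier="u-nifi"/><user identifier="u-admin"/>
    </group>
  </groups>
  <users>
    <user identifier="u-nifi" identity="nifi-node.example.test"/>
    <user identifier="u-admin" identity="admin.example.test"/>
  </users>
</tenants>"""

AUTHZ_XML = """<authorizations><policies>
  <policy identifier="p-1" resource="/proxy" action="R"><user identifier="u-nifi"/></policy>
  <policy identifier="p-2" resource="/proxy" action="W"><group identifier="g-1"/></policy>
  <policy identifier="p-3" resource="/proxy" action="D"><group identifier="g-1"/></policy>
</policies></authorizations>"""

def proxy_grants(identity, users_xml, authz_xml):
    """Map each /proxy action (R, W, D) to 'direct', 'group-only' or 'none'."""
    tenants = ET.fromstring(users_xml)
    uid = next((u.get("identifier") for u in tenants.findall("./users/user")
                if u.get("identity") == identity), None)
    grants = {"R": "none", "W": "none", "D": "none"}
    if uid is None:
        return grants  # identity is not a known Registry user at all
    groups = {g.get("identifier") for g in tenants.findall("./groups/group")
              if any(m.get("identifier") == uid for m in g.findall("user"))}
    for policy in ET.fromstring(authz_xml).iter("policy"):
        action = policy.get("action")
        if policy.get("resource") != "/proxy" or action not in grants:
            continue
        if any(u.get("identifier") == uid for u in policy.findall("user")):
            grants[action] = "direct"
        elif grants[action] == "none" and any(
                g.get("identifier") in groups for g in policy.findall("group")):
            grants[action] = "group-only"
    return grants

def needs_direct_grant(identity, users_xml, authz_xml):
    """Actions where the proxy is not listed as a user on the policy itself."""
    return sorted(a for a, how in proxy_grants(identity, users_xml, authz_xml).items()
                  if how != "direct")

if __name__ == "__main__":
    print(proxy_grants("nifi-node.example.test", USERS_XML, AUTHZ_XML))
    print(needs_direct_grant("nifi-node.example.test", USERS_XML, AUTHZ_XML))
```

On an affected 0.5.0 install, any action reported as `group-only` for the NiFi instance's identity is one where the group membership would not be honoured for proxying.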