Posted to users@nifi.apache.org by "Mr. Spock" <mg...@gmail.com> on 2021/05/18 17:03:12 UTC

S2S Bulletins -- Error 403

Hi All!
I'm trying to develop a process group to capture and process bulletins,
but I'm receiving this error:

Unable to refresh remote group peers due to: response code
403:Forbidden with explanation: null

What I've done so far:

* Created the Restricted SSL context, using the keystore + truststore
that I'm using at cluster level. It works properly.

[image: Screenshot from 2021-05-18 12-33-02.png]
* Created the S2SBulletinReportingTask
[image: Screenshot from 2021-05-18 13-58-10.png]
( I've also tried with HTTP transport protocol).

I also did:
* Created a security group which contains every cluster node (group name:
ClusterMembers).
* At Canvas Root Level, give "view component" permission.
* At ProcessGroup Level, I've created the Remote Input Port.
* At Remote Input Port, set the "Receive Site to Site Permission" to my
ClusterMembers group.

Any idea of what I'm missing?

Thanks in advance!

Re: S2S Bulletins -- Error 403

Posted by "Mr. Spock" <mg...@gmail.com>.
Hi Chris! It worked!!!! :)
Thank you!


On Tue, May 18, 2021 at 5:19 PM Chris Sampson <ch...@naimuri.com>
wrote:

> Have you granted the global "retrieve site-to-site details" policy[1] to
> your ClusterMembers group in the target instance?
>
> This is needed so the sending instance/cluster members can obtain a list
> of target instances.
>
> The "Receive Site-to-Site" policy (which you've already set) is then set
> on individual Remote Ports to allow data to be received from the same
> instance(s).
>
> Don't think you need to grant "View Component" to your group (but I might
> be wrong).
>
> [1]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#global-access-policies
>
>
> Cheers,
>
> Chris Sampson
>
> On Tue, 18 May 2021, 20:35 Mr. Spock, <mg...@gmail.com> wrote:
>
>> Hi Pierre, I did configure site 2 site properties, but I'm using HTTP
>> protocol.
>> My nifi-user.log doesn't show anything but my user logged on the UI.
>> But, the error is present on nifi-app.log:
>> 2021-05-18 16:33:16,659 WARN [Http Site-to-Site PeerSelector]
>> o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from
>> https://g100603sv23e.cencosud.corp:8443/nifi-api due to
>> org.apache.nifi.remote.util.SiteToSiteRestApiClient$HttpGetFailedException:
>> response code 403:Forbidden with explanation: null
>>
>> I'm running a NiFi cluster at version 1.12.1.
>>
>> Best Regards!
>>
>> On Tue, May 18, 2021 at 2:45 PM Pierre Villard <
>> pierre.villard.fr@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Transport protocol would need to be HTTP most likely unless you
>>> configured the right properties for S2S over RAW.
>>> Then did you make sure the input port is for site to site (not sure what
>>> version of NiFi you're using)?
>>> Also you can check in the nifi-user.log file, that's usually useful for
>>> any 403 HTTP error.
>>> The port would need to be started.
>>>
>>> HTH,
>>> Pierre
>>>
>>> Le mar. 18 mai 2021 à 19:20, Mr. Spock <mg...@gmail.com> a écrit :
>>>
>>>> Hi All!
>>>> I'm trying to develop a process group to capture and process
>>>> bulletins, but I'm receiving this error:
>>>>
>>>> Unable to refresh remote group peers due to: response code 403:Forbidden with explanation: null
>>>>
>>>> What I've done so far:
>>>>
>>>> * Created the Restricted SSL context, using the keystore + truststore that I'm using at cluster level. It works properly.
>>>>
>>>> [image: Screenshot from 2021-05-18 12-33-02.png]
>>>> * Created the S2SBulletinReportingTask
>>>> [image: Screenshot from 2021-05-18 13-58-10.png]
>>>> ( I've also tried with HTTP transport protocol).
>>>>
>>>> I also did:
>>>> * Created a security group which contains every cluster node (group
>>>> name: ClusterMembers).
>>>> * At Canvas Root Level, give "view component" permission.
>>>> * At ProcessGroup Level, I've created the Remote Input Port.
>>>> * At Remote Input Port, set the "Receive Site to Site Permission" to my
>>>> ClusterMembers group.
>>>>
>>>> Any idea of what I'm missing?
>>>>
>>>> Thanks in advance!
>>>>
>>>>
>>>>

Re: S2S Bulletins -- Error 403

Posted by Chris Sampson <ch...@naimuri.com>.
Have you granted the global "retrieve site-to-site details" policy[1] to
your ClusterMembers group in the target instance?

This is needed so the sending instance/cluster members can obtain a list of
target instances.

The "Receive Site-to-Site" policy (which you've already set) is then set on
individual Remote Ports to allow data to be received from the same
instance(s).

Don't think you need to grant "View Component" to your group (but I might
be wrong).

[1]
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#global-access-policies


Cheers,

Chris Sampson

On Tue, 18 May 2021, 20:35 Mr. Spock, <mg...@gmail.com> wrote:

> Hi Pierre, I did configure site 2 site properties, but I'm using HTTP
> protocol.
> My nifi-user.log doesn't show anything but my user logged on the UI.
> But, the error is present on nifi-app.log:
> 2021-05-18 16:33:16,659 WARN [Http Site-to-Site PeerSelector]
> o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from
> https://g100603sv23e.cencosud.corp:8443/nifi-api due to
> org.apache.nifi.remote.util.SiteToSiteRestApiClient$HttpGetFailedException:
> response code 403:Forbidden with explanation: null
>
> I'm running a NiFi cluster at version 1.12.1.
>
> Best Regards!
>
> On Tue, May 18, 2021 at 2:45 PM Pierre Villard <
> pierre.villard.fr@gmail.com> wrote:
>
>> Hi,
>>
>> Transport protocol would need to be HTTP most likely unless you
>> configured the right properties for S2S over RAW.
>> Then did you make sure the input port is for site to site (not sure what
>> version of NiFi you're using)?
>> Also you can check in the nifi-user.log file, that's usually useful for
>> any 403 HTTP error.
>> The port would need to be started.
>>
>> HTH,
>> Pierre
>>
>> Le mar. 18 mai 2021 à 19:20, Mr. Spock <mg...@gmail.com> a écrit :
>>
>>> Hi All!
>>> I'm trying to develop a process group to capture and process
>>> bulletins, but I'm receiving this error:
>>>
>>> Unable to refresh remote group peers due to: response code 403:Forbidden with explanation: null
>>>
>>> What I've done so far:
>>>
>>> * Created the Restricted SSL context, using the keystore + truststore that I'm using at cluster level. It works properly.
>>>
>>> [image: Screenshot from 2021-05-18 12-33-02.png]
>>> * Created the S2SBulletinReportingTask
>>> [image: Screenshot from 2021-05-18 13-58-10.png]
>>> ( I've also tried with HTTP transport protocol).
>>>
>>> I also did:
>>> * Created a security group which contains every cluster node (group
>>> name: ClusterMembers).
>>> * At Canvas Root Level, give "view component" permission.
>>> * At ProcessGroup Level, I've created the Remote Input Port.
>>> * At Remote Input Port, set the "Receive Site to Site Permission" to my
>>> ClusterMembers group.
>>>
>>> Any idea of what I'm missing?
>>>
>>> Thanks in advance!
>>>
>>>
>>>
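
Added example (not part of the thread and not NiFi's own code): a Python check for the two policies Chris Sampson's reply distinguishes, the global "retrieve site-to-site details" policy (resource `/site-to-site`, read) and the per-port "receive data via site-to-site" policy (resource `/data-transfer/input-ports/<port id>`, write). It assumes the target instance uses the file-based user-group and access-policy providers; the `users.xml` and `authorizations.xml` contents, node identities, identifiers and port id below are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the layout of NiFi's file-based providers
# (users.xml / authorizations.xml); all ids and identities are made up.
USERS_XML = """<tenants>
  <groups>
    <group identifier="g-1" name="ClusterMembers">
      <user identifier="u-1"/><user identifier="u-2"/>
    </group>
  </groups>
  <users>
    <user identifier="u-1" identity="CN=node1.example.org, OU=NIFI"/>
    <user identifier="u-2" identity="CN=node2.example.org, OU=NIFI"/>
  </users>
</tenants>"""

# Mirrors the poster's setup: view on the root group and receive on the port,
# but no global /site-to-site read policy.
AUTHZ_XML = """<authorizations>
  <policies>
    <policy identifier="p-1" resource="/process-groups/root-pg-id" action="R">
      <group identifier="g-1"/>
    </policy>
    <policy identifier="p-2" resource="/data-transfer/input-ports/port-1234" action="W">
      <group identifier="g-1"/>
    </policy>
  </policies>
</authorizations>"""

def principals(users_xml, identity):
    """Return the tenant ids (user id plus ids of its groups) for an identity."""
    root = ET.fromstring(users_xml)
    uid = next((u.get("identifier") for u in root.iter("user")
                if u.get("identity") == identity), None)
    if uid is None:
        return set()  # identity unknown to the target instance
    groups = {g.get("identifier") for g in root.iter("group")
              if any(m.get("identifier") == uid for m in g.findall("user"))}
    return {uid} | groups

def missing_s2s_policies(users_xml, authz_xml, identity, port_id):
    """List the (resource, action) pairs the sending identity still lacks."""
    required = [("/site-to-site", "R"),
                (f"/data-transfer/input-ports/{port_id}", "W")]
    who = principals(users_xml, identity)
    granted = set()
    for policy in ET.fromstring(authz_xml).iter("policy"):
        if who & {tenant.get("identifier") for tenant in policy}:
            granted.add((policy.get("resource"), policy.get("action")))
    return [r for r in required if r not in granted]
```

Run against the target instance's files with each sending node's certificate identity; an empty list means both site-to-site policies resolve for that node, directly or through a group.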

Re: S2S Bulletins -- Error 403

Posted by "Mr. Spock" <mg...@gmail.com>.
Hi Pierre, I did configure site 2 site properties, but I'm using HTTP
protocol.
My nifi-user.log doesn't show anything but my user logged on the UI.
But, the error is present on nifi-app.log:
2021-05-18 16:33:16,659 WARN [Http Site-to-Site PeerSelector]
o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from
https://g100603sv23e.cencosud.corp:8443/nifi-api due to
org.apache.nifi.remote.util.SiteToSiteRestApiClient$HttpGetFailedException:
response code 403:Forbidden with explanation: null

I'm running a NiFi cluster at version 1.12.1.

Best Regards!

On Tue, May 18, 2021 at 2:45 PM Pierre Villard <pi...@gmail.com>
wrote:

> Hi,
>
> Transport protocol would need to be HTTP most likely unless you configured
> the right properties for S2S over RAW.
> Then did you make sure the input port is for site to site (not sure what
> version of NiFi you're using)?
> Also you can check in the nifi-user.log file, that's usually useful for
> any 403 HTTP error.
> The port would need to be started.
>
> HTH,
> Pierre
>
> Le mar. 18 mai 2021 à 19:20, Mr. Spock <mg...@gmail.com> a écrit :
>
>> Hi All!
>> I'm trying to develop a process group to capture and process bulletins,
>> but I'm receiving this error:
>>
>> Unable to refresh remote group peers due to: response code 403:Forbidden with explanation: null
>>
>> What I've done so far:
>>
>> * Created the Restricted SSL context, using the keystore + truststore that I'm using at cluster level. It works properly.
>>
>> [image: Screenshot from 2021-05-18 12-33-02.png]
>> * Created the S2SBulletinReportingTask
>> [image: Screenshot from 2021-05-18 13-58-10.png]
>> ( I've also tried with HTTP transport protocol).
>>
>> I also did:
>> * Created a security group which contains every cluster node (group name:
>> ClusterMembers).
>> * At Canvas Root Level, give "view component" permission.
>> * At ProcessGroup Level, I've created the Remote Input Port.
>> * At Remote Input Port, set the "Receive Site to Site Permission" to my
>> ClusterMembers group.
>>
>> Any idea of what I'm missing?
>>
>> Thanks in advance!
>>
>>
>>

Re: S2S Bulletins -- Error 403

Posted by Pierre Villard <pi...@gmail.com>.
Hi,

Transport protocol would need to be HTTP most likely unless you configured
the right properties for S2S over RAW.
Then did you make sure the input port is for site to site (not sure what
version of NiFi you're using)?
Also you can check in the nifi-user.log file, that's usually useful for any
403 HTTP error.
The port would need to be started.

HTH,
Pierre

Le mar. 18 mai 2021 à 19:20, Mr. Spock <mg...@gmail.com> a écrit :

> Hi All!
> I'm trying to develop a process group to capture and process bulletins,
> but I'm receiving this error:
>
> Unable to refresh remote group peers due to: response code 403:Forbidden with explanation: null
>
> What I've done so far:
>
> * Created the Restricted SSL context, using the keystore + truststore that I'm using at cluster level. It works properly.
>
> [image: Screenshot from 2021-05-18 12-33-02.png]
> * Created the S2SBulletinReportingTask
> [image: Screenshot from 2021-05-18 13-58-10.png]
> ( I've also tried with HTTP transport protocol).
>
> I also did:
> * Created a security group which contains every cluster node (group name:
> ClusterMembers).
> * At Canvas Root Level, give "view component" permission.
> * At ProcessGroup Level, I've created the Remote Input Port.
> * At Remote Input Port, set the "Receive Site to Site Permission" to my
> ClusterMembers group.
>
> Any idea of what I'm missing?
>
> Thanks in advance!
>
>
>

Re: S2S Bulletins -- Error 403

Posted by "Mr. Spock" <mg...@gmail.com>.
Hi Mark!
It was that option.
I've paid attention to several items, but that one..., hehehe

Thank you all for your time and comments!!

On Tue, May 18, 2021 at 5:59 PM Mark Payne <ma...@hotmail.com> wrote:

> You’ll also want to go to the Global Menu (hamburger menu) -> Policies and
> make sure that your nodes have access to fetch site-to-site details there.
> I forget the exact name of the policy but it should be pretty obvious
> looking through that list.
>
> If that is set up properly and you’re still seeing the issue, I would
> recommend taking a look at the nifi-user.log and it should show you exactly
> which endpoint is returning the 403 and the exact username that is being
> used. So that’ll help to clarify what permissions may be missing.
>
> Thanks
> -Mark
>
>
> On May 18, 2021, at 1:03 PM, Mr. Spock <mg...@gmail.com> wrote:
>
> Hi All!
> I'm trying to develop a process group to capture and process bulletins,
> but I'm receiving this error:
>
> Unable to refresh remote group peers due to: response code 403:Forbidden with explanation: null
>
> What I've done so far:
>
> * Created the Restricted SSL context, using the keystore + truststore that I'm using at cluster level. It works properly.
>
> <Screenshot from 2021-05-18 12-33-02.png>
> * Created the S2SBulletinReportingTask
> <Screenshot from 2021-05-18 13-58-10.png>
> ( I've also tried with HTTP transport protocol).
>
> I also did:
> * Created a security group which contains every cluster node (group name:
> ClusterMembers).
> * At Canvas Root Level, give "view component" permission.
> * At ProcessGroup Level, I've created the Remote Input Port.
> * At Remote Input Port, set the "Receive Site to Site Permission" to my
> ClusterMembers group.
>
> Any idea of what I'm missing?
>
> Thanks in advance!
>
>
>
>

Re: S2S Bulletins -- Error 403

Posted by Mark Payne <ma...@hotmail.com>.
You’ll also want to go to the Global Menu (hamburger menu) -> Policies and make sure that your nodes have access to fetch site-to-site details there. I forget the exact name of the policy but it should be pretty obvious looking through that list.

If that is set up properly and you’re still seeing the issue, I would recommend taking a look at the nifi-user.log and it should show you exactly which endpoint is returning the 403 and the exact username that is being used. So that’ll help to clarify what permissions may be missing.

Thanks
-Mark


On May 18, 2021, at 1:03 PM, Mr. Spock <mg...@gmail.com> wrote:

Hi All!
I'm trying to develop a process group to capture and process bulletins, but I'm receiving this error:

Unable to refresh remote group peers due to: response code 403:Forbidden with explanation: null


What I've done so far:

* Created the Restricted SSL context, using the keystore + truststore that I'm using at cluster level. It works properly.

<Screenshot from 2021-05-18 12-33-02.png>
* Created the S2SBulletinReportingTask
<Screenshot from 2021-05-18 13-58-10.png>
( I've also tried with HTTP transport protocol).

I also did:
* Created a security group which contains every cluster node (group name: ClusterMembers).
* At Canvas Root Level, give "view component" permission.
* At ProcessGroup Level, I've created the Remote Input Port.
* At Remote Input Port, set the "Receive Site to Site Permission" to my ClusterMembers group.

Any idea of what I'm missing?

Thanks in advance!