Posted to dev@nifi.apache.org by Milan Das <md...@interset.com> on 2018/10/15 18:20:36 UTC

Unable to List Queue

Hello NiFi Team,

I am having an issue only when cluster mode is on.

The issue is, I am unable to list the queue on a secured cluster. It is communicating over SASL with ZooKeeper and the cluster is configured with TLS encryption and nifi.security.user.login.identity.provider=kerberos-provider

Queue on Success Queue: My flow is simple: GenerateFlowFile (success) --> Funnel.

Yes, I added all policies at root level to user nifiadmin1. This works when I set the cluster to false.

NiFi version: 1.6.0

Error:

2018-10-14 15:03:21,620 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@INTERSET.COM

2018-10-14 15:03:21,621 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin1@INTERSET.COM], groups[] does not have permission to access the requested resource. Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Returning Forbidden response.

2018-10-14 15:03:21,623 INFO [NiFi Web Server-40] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin1@INTERSET.COM], groups[] does not have permission to access the requested resource. Node ip-172-30-1-235.ec2.internal:8443 is unable to fulfill this request due to: Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Contact the system administrator. Returning Forbidden response.

2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<ni...@INTERSET.COM><CN=ip-172-30-1-235.ec2.internal, O=Interset, ST=California, C=US>) POST https://ip-172-30-1-235.ec2.internal:8443/nifi-api/flowfile-queues/73121f31-0166-1000-0000-000024972726/listing-requests (source ip: 172.30.1.235)

2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@

 

Thanks,

Milan Das


Re: Unable to List Queue

Posted by Milan Das <md...@interset.com>.
Hi Bryan,
Yes, that was the problem.
I didn’t know that the cluster node identity also needs to be added. After adding it, it worked.
Thanks a lot.

Thanks,
Milan Das

On 10/15/18, 5:44 PM, "Bryan Bende" <bb...@gmail.com> wrote:

    Just to confirm, the cluster nodes are also granted access to "view the data"?
    
    That is the main difference between clustered vs non-clustered, so I
    would think something is not correct with the access policies for the
    nodes.



Re: Unable to List Queue

Posted by Bryan Bende <bb...@gmail.com>.
Just to confirm, the cluster nodes are also granted access to "view the data"?

That is the main difference between clustered vs non-clustered, so I
would think something is not correct with the access policies for the
nodes.
On Mon, Oct 15, 2018 at 5:29 PM Milan Das <md...@interset.com> wrote:
>
> Hi Bryan
> Thanks for your response.
> The user has all access including view the data at root processor level. It works when is.cluster is false. It doesn’t work when is.cluster is true.
>
> Thanks,
> Milan Das
>

Re: Unable to List Queue

Posted by Milan Das <md...@interset.com>.
Hi Bryan
Thanks for your response.
The user has all access including view the data at root processor level. It works when is.cluster is false. It doesn’t work when is.cluster is true.

Thanks,
Milan Das


On 10/15/18, 2:56 PM, "Bryan Bende" <bb...@gmail.com> wrote:

    The error message is saying your user does not have permission to view
    the data for the given processor.
    
    There is a specific policy for viewing data which is described in the
    admin guide component policies [1], the policy named "view the data".
    
    I think you should be able to create the "view the data" policy on the
    root process group to allow the user to see all data, but I can't
    remember off the top of my head.
    
    I think the users representing the nodes also might need to be in that
    policy as well, since in a cluster the requests are being proxied and
    it needs to ensure the node proxying the user is also authorized to
    receive the data.
    
    [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies



Re: Unable to List Queue

Posted by Bryan Bende <bb...@gmail.com>.
The error message is saying your user does not have permission to view
the data for the given processor.

There is a specific policy for viewing data which is described in the
admin guide component policies [1], the policy named "view the data".

I think you should be able to create the "view the data" policy on the
root process group to allow the user to see all data, but I can't
remember off the top of my head.

I think the users representing the nodes also might need to be in that
policy as well, since in a cluster the requests are being proxied and
it needs to ensure the node proxying the user is also authorized to
receive the data.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies
On Mon, Oct 15, 2018 at 2:20 PM Milan Das <md...@interset.com> wrote:
>
> Hello NiFi Team,
>
> I am having an issue only when cluster mode is on.
>
> The issue is, I am unable to list the queue on a secured cluster. It is communicating over SASL with ZooKeeper and the cluster is configured with TLS encryption and nifi.security.user.login.identity.provider=kerberos-provider
>
> Queue on Success Queue: My flow is simple: GenerateFlowFile (success) --> Funnel.
>
> Yes, I added all policies at root level to user nifiadmin1. This works when I set the cluster to false.
>
> NiFi version: 1.6.0
>
> Error:
>
>
>
> 2018-10-14 15:03:21,620 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@INTERSET.COM
>
> 2018-10-14 15:03:21,621 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin1@INTERSET.COM], groups[] does not have permission to access the requested resource. Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Returning Forbidden response.
>
> 2018-10-14 15:03:21,623 INFO [NiFi Web Server-40] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[nifiadmin1@INTERSET.COM], groups[] does not have permission to access the requested resource. Node ip-172-30-1-235.ec2.internal:8443 is unable to fulfill this request due to: Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Contact the system administrator. Returning Forbidden response.
>
> 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<ni...@INTERSET.COM><CN=ip-172-30-1-235.ec2.internal, O=Interset, ST=California, C=US>) POST https://ip-172-30-1-235.ec2.internal:8443/nifi-api/flowfile-queues/73121f31-0166-1000-0000-000024972726/listing-requests (source ip: 172.30.1.235)
>
> 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@
>
>
>
> Thanks,
>
> Milan Das
>
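
Added example (not part of the original thread and not NiFi code): a small triage script for the situation resolved above, where a proxied request in a cluster needs both the end user and the proxying node identity in the "view the data" policy. It reads log lines in the format quoted in this thread and reports which identities in a denied user's proxy chain are absent from a policy member list you supply; the sample lines, identities, IDs and the policy_members input are constructed placeholders.

```python
import re

# Constructed sample in the format of the log excerpts quoted in this thread.
# Identities, host names, IDs and IPs are placeholders, not values from the thread.
SAMPLE_LOG = """\
2018-10-14 15:03:21,620 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for alice@EXAMPLE.COM
2018-10-14 15:03:21,621 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[alice@EXAMPLE.COM], groups[] does not have permission to access the requested resource. Unable to view the data for Processor with ID 00000000-0000-0000-0000-000000000001. Returning Forbidden response.
2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<alice@EXAMPLE.COM><CN=node1.example.internal, O=Example, C=US>) POST https://node1.example.internal:8443/nifi-api/flowfile-queues/00000000-0000-0000-0000-000000000002/listing-requests (source ip: 192.0.2.10)
"""
NODE_DN = "CN=node1.example.internal, O=Example, C=US"

# "(<end user><proxy 1>...)": the first entry is the end user, the rest are proxies.
ATTEMPT = re.compile(r"Attempting request for \((?P<chain>(?:<[^>]*>)+)\) ")
# Authorization failure specifically for the "view the data" policy.
DENIED = re.compile(r"identity\[(?P<user>[^\]]+)\].*?Unable to view the data for ")


def denied_users(log):
    """End users that were refused access to component data."""
    return {m["user"] for m in DENIED.finditer(log)}


def proxy_chains(log):
    """Map each end user to every identity seen in that user's request chains."""
    chains = {}
    for m in ATTEMPT.finditer(log):
        identities = re.findall(r"<([^>]*)>", m["chain"])
        chains.setdefault(identities[0], set()).update(identities)
    return chains


def missing_from_policy(log, policy_members):
    """For each denied user, list chain identities not in the data policy.

    Assumption (from the thread): in a cluster the proxying node identity
    must be in the "view the data" policy along with the end user.
    policy_members is supplied by the operator, e.g. read from the NiFi UI.
    """
    chains = proxy_chains(log)
    members = set(policy_members)
    return {user: sorted(chains.get(user, {user}) - members)
            for user in denied_users(log)}


if __name__ == "__main__":
    # User is in the policy but the node is not: the case described in the thread.
    print(missing_from_policy(SAMPLE_LOG, {"alice@EXAMPLE.COM"}))
```

An empty list for a user means every identity in that user's observed chains is already a member of the supplied policy list.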