You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Koji Kawamura (JIRA)" <ji...@apache.org> on 2016/09/06 04:57:20 UTC

[jira] [Resolved] (NIFI-2550) Input port requires 'receive data via site-to-site' policy for both ends

     [ https://issues.apache.org/jira/browse/NIFI-2550?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Koji Kawamura resolved NIFI-2550.
---------------------------------
    Resolution: Resolved

> Input port requires 'receive data via site-to-site' policy for both ends
> ------------------------------------------------------------------------
>
>                 Key: NIFI-2550
>                 URL: https://issues.apache.org/jira/browse/NIFI-2550
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.0.0
>         Environment: Site-to-Site, Secure Cluster to Secure Cluster
>            Reporter: Koji Kawamura
>         Attachments: screenshot-1.png, screenshot-2.png
>
>
> I'm trying to setup a Site-to-Site connection between two NiFi clusters (P and Q). Both secured.
> At NiFi Q, there's an input-port, then NiFi P sends data to it.
> NiFi P -> https -> NiFi Q
> NiFi P has two nodes, so I created a group 'p-nifi' having the nodes identity on NiFi Q. Then add 'p-nifi' group to 'retrieve site-to-site detail' policy. Confirmed that NiFi P Remote Process Group can get site-to-site detail. [screenshot-1|https://issues.apache.org/jira/secure/attachment/12823222/screenshot-1.png]
> However, it couldn't access input-port.
> I've added 'p-nifi' group to 'receive data via site-to-site' policy of the input-port, but still it can't accessed. [screenshot-2|https://issues.apache.org/jira/secure/attachment/12823223/screenshot-2.png]
> I found that org.apache.nifi.authorization.resource.DataAuthorizable.checkAuthorization checks all the DN chain. By debugging, I found that it checks not only NiFi P nodes, but also NiFi Q nodes. The DN chain looked like below:
> [L=1.p.nifi, C=US, CN=1.p.nifi, L=0.q.nifi, C=US, CN=0.q.nifi, L=1.q.nifi, C=US, CN=1.q.nifi]
> After adding 'q-nifi' group to the input port policy, NiFi P can access the remote input port.
> There maybe some reason for doing this, but as an user, I didn't expect that I need to add NiFi Q to that policy.
> Is this an expected behavior?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)