nifi-dev mailing list archives

From Koji Kawamura <ijokaruma...@gmail.com>
Subject Re: Authorization problems of NiFi secured cluster
Date Tue, 27 Jun 2017 08:26:49 GMT
Hi Takanobu,

Glad to hear that you have it fixed.

> Although I defined the Node Identity before starting the cluster at the first time, it
> seemed NiFi did not automatically create the policies and I needed to add the Node Identity
> to the policy explicitly.

Thanks for sharing; ideally a NiFi cluster should work without adding
the policy manually.
I will try to set up a brand-new secured NiFi cluster to see what the
initial policy setting will look like.
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#cluster-node-identities

Thanks,
Koji

On Tue, Jun 27, 2017 at 5:08 PM, Takanobu Asanuma
<tasanuma@yahoo-corp.jp> wrote:
> Hi Koji,
>
> Thank you for your quick and valuable answer! That's exactly what I need. After adding
> "Node Identity" of authorizers.xml to the "view the data" policy, the authorized user can
> list the queue.
>
>>> IIRC, if you define the Node Identity before starting the secured cluster at
>>> the first time, NiFi automatically creates necessary policies for each node to proxy user
>>> request (I may be wrong on this..).
>
> Although I defined the Node Identity before starting the cluster at the first time, it
> seemed NiFi did not automatically create the policies and I needed to add the Node Identity
> to the policy explicitly.
>
> Thanks again!
> Takanobu
>
> -----Original Message-----
> From: Koji Kawamura [mailto:ijokarumawak@gmail.com]
> Sent: Tuesday, June 27, 2017 2:32 PM
> To: dev <dev@nifi.apache.org>
> Subject: Re: Authorization problems of NiFi secured cluster
>
> Hello Takanobu,
>
> If the issue doesn't happen with standalone mode, I assume it happens because the security
> policy does not allow the NiFi node to "view the data".
>
> When a user sends a request to a node within a cluster, the node proxies the request
> to other nodes within the same cluster.
> I'd recommend checking if conf/authorizers.xml has Node Identity properties; it looks like
> this:
>
> <authorizer>
>   ...
>   <property name="Node Identity 1">CN=localhost, OU=NIFI</property>
> </authorizer>
>
> IIRC, if you define the Node Identity before starting the secured cluster at the first
> time, NiFi automatically creates necessary policies for each node to proxy user request (I
> may be wrong on this..). If you already have the cluster started, then you can add the NiFi node
> as a user, then add it to the "view the data" policy manually (probably the root PG's policy
> would be the most appropriate place).
>
> I confirmed that the issue can be reproduced by removing the NiFi node user from the "view the
> data" policy.
>
> Please try the above and let us know if it addresses your issue.
>
> Thanks,
> Koji
>
> On Tue, Jun 27, 2017 at 1:12 PM, Takanobu Asanuma <tasanuma@yahoo-corp.jp> wrote:
>> Hello experts,
>>
>> When I created a NiFi cluster with security, users can't list any queues due
>> to "insufficient permissions" though the users have the permissions.
>>
>> For example, there is a dataflow which contains processor-A and processor-B, and
>> processor-A is connected to processor-B. In this case, even if user1 has the policies which
>> are view/modify the component/data of processor-A and processor-B, he can't list the queue
>> of the processors.
>>
>> This problem only occurs when the secured NiFi instance is in clustered mode (nifi.cluster.is.node=true).
>> If the secured NiFi instance is in standalone mode, the problem doesn't happen. I have faced this
>> problem with the latest release version, 1.3.0.
>>
>> Do you have any thoughts?
>>
>> Thanks,
>> Takanobu Asanuma
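A defender-side sanity check for the situation discussed in this thread, added here as an example; it is not code from the thread or from the NiFi project. It parses conf/authorizers.xml for the "Node Identity N" properties mentioned above and verifies that each node identity exists as a user in users.xml and is granted both the "proxy user requests" policy (resource /proxy, action W) and the root process group's "view the data" policy (resource /data/process-groups/<root id>, action R) in authorizations.xml. The users.xml and authorizations.xml layouts are assumed to be those written by NiFi's file-based authorizer; the identifiers, DNs and root process-group id are constructed sample values, and grants made through group membership are not resolved.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample id of the root process group (in a real install, take it
# from the UI or the REST API; it is not a value from the thread).
ROOT_PG_ID = "11111111-2222-3333-4444-555555555555"

# Constructed sample conf/authorizers.xml in the NiFi 1.3 single-authorizer layout.
AUTHORIZERS_XML = """<authorizers>
  <authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
    <property name="Node Identity 1">CN=node1, OU=NIFI</property>
    <property name="Node Identity 2">CN=node2, OU=NIFI</property>
    <property name="Node Identity 3">CN=node3, OU=NIFI</property>
  </authorizer>
</authorizers>"""

# Constructed sample users.xml (assumed layout of the file-based user store).
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="u-admin" identity="CN=admin, OU=NIFI"/>
    <user identifier="u-node1" identity="CN=node1, OU=NIFI"/>
    <user identifier="u-node2" identity="CN=node2, OU=NIFI"/>
  </users>
</tenants>"""

# Constructed sample authorizations.xml: node2 lacks "view the data" and node3
# has no user entry at all, the two misconfigurations the thread describes.
AUTHORIZATIONS_XML = f"""<authorizations>
  <policies>
    <policy identifier="p-proxy" resource="/proxy" action="W">
      <user identifier="u-node1"/>
      <user identifier="u-node2"/>
    </policy>
    <policy identifier="p-view-data" resource="/data/process-groups/{ROOT_PG_ID}" action="R">
      <user identifier="u-admin"/>
      <user identifier="u-node1"/>
    </policy>
  </policies>
</authorizations>"""


def node_identities(authorizers_xml: str) -> List[str]:
    """Return the DNs declared as 'Node Identity N' properties in authorizers.xml."""
    root = ET.fromstring(authorizers_xml)
    return [
        (prop.text or "").strip()
        for prop in root.iter("property")
        if prop.get("name", "").startswith("Node Identity")
    ]


def identity_map(users_xml: str) -> Dict[str, str]:
    """Map each identity (DN) in users.xml to its internal identifier."""
    root = ET.fromstring(users_xml)
    return {u.get("identity"): u.get("identifier") for u in root.iter("user")}


def policy_members(authorizations_xml: str, resource: str, action: str) -> Set[str]:
    """Identifiers of users granted (resource, action) directly by a policy."""
    root = ET.fromstring(authorizations_xml)
    members: Set[str] = set()
    for policy in root.iter("policy"):
        if policy.get("resource") == resource and policy.get("action") == action:
            members.update(u.get("identifier") for u in policy.iter("user"))
    return members


def required_node_policies(root_pg_id: str) -> List[Tuple[str, str, str]]:
    """(label, resource, action) a node needs to proxy requests and list queues."""
    return [
        ("proxy user requests", "/proxy", "W"),
        ("view the data", f"/data/process-groups/{root_pg_id}", "R"),
    ]


def missing_node_policies(authorizers_xml: str, users_xml: str,
                          authorizations_xml: str, root_pg_id: str) -> Dict[str, List[str]]:
    """Report, per node identity, the user entry or policies it is missing.

    Identities are compared verbatim; apply the same nifi.security.identity.mapping
    rules as the server if those are configured. Group-based grants are not resolved.
    """
    ids = identity_map(users_xml)
    report: Dict[str, List[str]] = {}
    for identity in node_identities(authorizers_xml):
        problems: List[str] = []
        identifier = ids.get(identity)
        if identifier is None:
            problems.append("no user entry in users.xml")
        else:
            for label, resource, action in required_node_policies(root_pg_id):
                if identifier not in policy_members(authorizations_xml, resource, action):
                    problems.append(label)
        if problems:
            report[identity] = problems
    return report


if __name__ == "__main__":
    for identity, problems in missing_node_policies(
            AUTHORIZERS_XML, USERS_XML, AUTHORIZATIONS_XML, ROOT_PG_ID).items():
        print(f"{identity}: missing {', '.join(problems)}")
```

Against a real install, replace the embedded strings with the contents of the three files under conf/ and the real root process-group id; an empty report means every declared node can both proxy requests and read queue data, which is the state the thread ends up in after the node identity was added to the "view the data" policy by hand.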
