Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id A2254200CB4 for ; Tue, 27 Jun 2017 15:06:39 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id A0928160BE9; Tue, 27 Jun 2017 13:06:39 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id BFFAE160BDC for ; Tue, 27 Jun 2017 15:06:38 +0200 (CEST) Received: (qmail 57001 invoked by uid 500); 27 Jun 2017 13:06:37 -0000 Mailing-List: contact dev-help@nifi.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@nifi.apache.org Delivered-To: mailing list dev@nifi.apache.org Received: (qmail 56989 invoked by uid 99); 27 Jun 2017 13:06:37 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 27 Jun 2017 13:06:37 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 477461AA2A6 for ; Tue, 27 Jun 2017 13:06:37 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.88 X-Spam-Level: * X-Spam-Status: No, score=1.88 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=2, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled Authentication-Results: spamd2-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id PrxqsKNqd8Oe for ; Tue, 27 Jun 2017 13:06:34 +0000 (UTC) Received: from mail-wm0-f49.google.com (mail-wm0-f49.google.com [74.125.82.49]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 02E095F642 for ; Tue, 27 Jun 2017 13:06:33 +0000 (UTC) Received: by mail-wm0-f49.google.com with SMTP id b184so26049935wme.1 for ; Tue, 27 Jun 2017 06:06:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=JP5RpEYXlZmxgM06L+t+lrDPunzS3AKw8ijqD7vtpnM=; b=Ny2Hfz/R4wQI6LOMsgrMrm2Q4GpxOfwN1bLOFZAYS2OUKNhHBahLETCKvrJkRCABsF EAfXVv3OEeCJ+3eSZlLs1dyoCBej0BN9M9GqGpgFWNkZji7QZzifR3YE79aL48d8wBrS lg/FbORDSNPaAOoecp/jBFjVfZZFbCiOVxv9uxgM6lz4xlvz6RxwGRDOu1ocl2UNNzBu y9tXpchJobWjn2m+N2Jp8JCGRbXg9Hibp+ZJhJB8QFtZt39LGEkblFxmGXnAyOjgrtY4 G5/4CklYq/lz9mTESS0UuV5AYxYLCH1gE21/ZUIt+fd47Ce9rjGLHEKIVZUTfszKZiTL rfug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=JP5RpEYXlZmxgM06L+t+lrDPunzS3AKw8ijqD7vtpnM=; b=F8ht8aZN3UkYrFKmmX5xCE0kKt04KiNh0xn0pHGM2+NGUNOYZmt0e15BwrnYPeBBH2 DYTV9KQZ1O6pOLDtzFQddFZgzj5v1bwt9KSbyGm0UexxQ/IuTNZHM+hC4Mod5lNpUo50 8iMIehpf8W1sTfVZ4oxxXjp0jPnBXy7XvDm/ltbXX1uXv/U/KCaqJa+h+pfz2KPAdR03 CbcM8WOsjuwmIlP41s739STAMgk8TN/+x/+n7IfzX3PsDnRZFKbTxMylUPc2cB4SmVEF xnrcSHEXpSXNIImfXUUPPTDhQLfThX77sG1SrdR8/Sn5CUiilG5+Nj8IHVx6xP4Xp9e1 BhUg== X-Gm-Message-State: AKS2vOxjjjqk/oqK+2HBrE2CL6ihSmwsCez8CzXY33h2z2m6bGrwHW6G Bp+c00pt/jZY1sO1ryIxnXH92ksfsBcc X-Received: by 10.28.236.19 with SMTP id k19mr3252621wmh.30.1498568786957; Tue, 27 Jun 2017 06:06:26 -0700 (PDT) MIME-Version: 1.0 Received: by 10.223.168.108 with HTTP; Tue, 27 Jun 2017 06:06:26 -0700 (PDT) Received: by 10.223.168.108 with HTTP; Tue, 27 Jun 2017 06:06:26 -0700 (PDT) In-Reply-To: References: From: Koji Kawamura Date: Tue, 27 Jun 2017 22:06:26 +0900 Message-ID: Subject: Re: Authorization problems of NiFi secured cluster To: dev Content-Type: multipart/alternative; boundary="001a1146a6ce37de9a0552f0bc61" archived-at: Tue, 27 Jun 2017 13:06:39 -0000 --001a1146a6ce37de9a0552f0bc61 Content-Type: text/plain; charset="UTF-8" Thanks Matt for clarification. My cluster had an existing flow.xml I happened copied from another NiFi instance. On Jun 27, 2017 9:14 PM, "Matt Gilman" wrote: Takanobu, The dataflow-specific policies (any policies on the root Process Group) are only granted for new instances when there is an existing flow.xml.gz in your /conf directory. When there is no flow and the NiFi instance is joining a cluster the policies cannot be granted at start up because the components technically do not exist yet. However, your Initial Admin is given the required permissions to grant those dataflow-specific policies once the nodes have all joined the cluster. There is a short snippet in the Admin guide describing this behavior [1] (if you scroll down a little bit looking for the little info (i) icon on the left). Hope that clears it up. Matt [1] https://nifi.apache.org/docs/nifi-docs/html/administration- guide.html#authorizer-configuration On Tue, Jun 27, 2017 at 6:03 AM, Takanobu Asanuma wrote: > Hi Koji, > > Thank you very much for the confirmation. Hmm... I will continue to > investigate why my cluster does not work correctly. > > Thanks again, > Takanobu > > -----Original Message----- > From: Koji Kawamura [mailto:ijokarumawak@gmail.com] > Sent: Tuesday, June 27, 2017 5:59 PM > To: dev > Subject: Re: Authorization problems of NiFi secured cluster > > I just created a brand-new secured cluster now. NiFi automatically created > a policy "view the data" (and others) with the user defined as "Initial > Admin Identity" and "Node Identity" in conf/authorizers.xml. > It seems working as expected. > > Koji > > On Tue, Jun 27, 2017 at 5:26 PM, Koji Kawamura > wrote: > > Hi Takanobu, > > > > Glad to hear that you have it fixed. > > > >> Although I defined the Node Identity before stating the cluster at the > first time, it seemed NiFi did not automatically create the policies and I > needed to add the Node Identity to the policy explicitly. > > > > Thanks for sharing, ideally NiFi cluster should work without adding > > the policy manually. > > I will try to setup a brand-new secured NiFi cluster to see what > > initial policy setting will look like. > > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html# > > cluster-node-identities > > > > Thanks, > > Koji > > > > On Tue, Jun 27, 2017 at 5:08 PM, Takanobu Asanuma > > wrote: > >> Hi Koji, > >> > >> Thank you for your quick and valuable answer! That's exactly what I > need. After adding "Node Identity" of authorizers.xml to the "view the > data" policy, the authorized user can list the queue. > >> > >>>> IIRC, if you define the Node Identity before starting the secured > cluster at the first time, NiFi automatically creates necessary policies > for each node to proxy user request (I maybe wrong on this..). > >> > >> Although I defined the Node Identity before stating the cluster at the > first time, it seemed NiFi did not automatically create the policies and I > needed to add the Node Identity to the policy explicitly. > >> > >> Thanks again! > >> Takanobu > >> > >> -----Original Message----- > >> From: Koji Kawamura [mailto:ijokarumawak@gmail.com] > >> Sent: Tuesday, June 27, 2017 2:32 PM > >> To: dev > >> Subject: Re: Authorization problems of NiFi secured cluster > >> > >> Hello Takanobu, > >> > >> If the issue doesn't happen with standalone mode, I assume it happens > because the security policy does not allow NiFi node to "view the data". > >> > >> When a user sends a request to a node within a cluster, the node > proxies the request to other nodes within the same cluster. > >> I'd recommend to check if conf/authorizers.xml has Node Identity > properties, looks like this: > >> > >> > >> ... > >> CN=localhost, OU=NIFI > >> > >> > >> IIRC, if you define the Node Identity before starting the secured > cluster at the first time, NiFi automatically creates necessary policies > for each node to proxy user request (I maybe wrong on this..). If you > already have the cluster started, then you can add NiFi node as a user then > add it to the "view the data" policy manually (probably at the root PG's > policy would be the most appropriate place). > >> > >> I confirmed that the issue can be reproduced by removing NiFi node user > from "view the data" policy. > >> > >> Please try above and let us know if it addresses your issue. > >> > >> Thanks, > >> Koji > >> > >> On Tue, Jun 27, 2017 at 1:12 PM, Takanobu Asanuma < > tasanuma@yahoo-corp.jp> wrote: > >>> Hello experts, > >>> > >>> When I created a NiFi cluster with security, any users can't list any > queues due to "insufficient permissions" though the users have the > permissions. > >>> > >>> For example, there is a dataflow which contains processor-A and > processor-B, and processor-A is connecting to processor-B. In this case, > even if user1 has the policies which are view/modify the component/data of > processor-A and processor-B, he can't list the queue of the processors. > >>> > >>> This problem only occurs when the secured NiFi instance is clustering > mode (nifi.cluster.is.node=true). If secured NiFi instance is standalone > mode, the problem doesn't happen. I have faced this problem with the latest > release version, 1.3.0. > >>> > >>> Do you have any thoughts? > >>> > >>> Thanks, > >>> Takanobu Asanuma > --001a1146a6ce37de9a0552f0bc61--