Mark, I believe whichever node receives the request from the UI, it will replicate to the other nodes, and the other nodes will see an incoming request with two entities (the end user, and the node replicating the request). Those two entities then need to be authorized to see if they are allowed to perform the action.
A similar scenario in stand-alone mode would be if another system passed along a proxied user in the X-ProxiedEntitiesChain header, then NiFi would see the identity of the system making the request, as well as the proxied user, and would have to authorize them both.

Did you happen to be using the UI from the node that was the cluster coordinator? If so, maybe all of your list/clear operations succeeded with only that node in the policies, but if you went to the UI from another node maybe it wouldn't work?

-Bryan

On Mon, Mar 20, 2017 at 3:53 PM, Mark Bean <mark.o.b...@gmail.com> wrote:

> I observed that only the Cluster Coordinator Node (which also happens to be
> the Primary Node) needed to be on the Access Policy, not all Nodes.
>
> More to the point, why do the Node(s) themselves need to be on the policy?
> When not Clustered, the machine does not need to be on the policy. Perhaps
> this is necessary in a Cluster because one Node propagates the request to the
> remaining Nodes, so it is the Node making the request, not the individual
> User?
>
> Looking for clarification.
>
> Thanks,
> Mark
>
> On Mon, Mar 20, 2017 at 3:45 PM, Arpit Gupta <ar...@hortonworks.com> wrote:
>
>> Hi Mark
>>
>> One needs to make sure all nodes in your cluster are added to the policy
>> and not just the cluster coordinator.
>>
>> --
>> Arpit
>>
>> On Mar 20, 2017, at 12:05 PM, Mark Bean <mark.o.b...@gmail.com<mailto:mark.o.b...@gmail.com>> wrote:
>>
>> In order to successfully 'List queue', a user must be part of the 'view the
>> data' access policy. Similarly, in order to successfully 'Empty queue', a
>> user must be part of the 'modify the data'. However, in a Cluster
>> configuration, it appears the Cluster Coordinator must also be in the
>> relevant policy in order to be successful.
>>
>> Is this expected behavior?
>>
>> Apache NiFi 1.1.2
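The two-entity check described in this thread, as an added Python model that is not part of any message above and is not NiFi's own code. The identities, the policy set and the function names are constructed, and the `<identity><identity>` layout of the X-ProxiedEntitiesChain value is an assumption of the example.

```python
import re

# Constructed 'view the data' policy: the user plus the coordinator only,
# which is the configuration described in the thread.
VIEW_DATA_POLICY = {"CN=mark", "CN=node1"}  # node1 plays the coordinator
NODES = ["CN=node1", "CN=node2", "CN=node3"]

def parse_chain(header):
    """Split a chain value such as '<CN=mark><CN=gw>' into identities."""
    if not header:
        return []
    entities = re.findall(r"<([^<>]*)>", header)
    # Reject values that are not purely a sequence of <...> tokens.
    if "".join(f"<{e}>" for e in entities) != header.strip():
        raise ValueError("malformed proxied entities chain")
    return entities

def authorize(client_identity, chain_header, policy):
    """Return the identities missing from the policy (empty list = allowed).
    The direct caller and every proxied entity must all be authorized."""
    identities = parse_chain(chain_header) + [client_identity]
    return [i for i in identities if i not in policy]

def replicate(ui_node, user, nodes, policy):
    """Model of replication: the node serving the UI checks the user directly,
    then forwards the request to the other nodes, authenticating as itself
    and naming the end user in the chain header."""
    results = {ui_node: authorize(user, "", policy)}
    for node in nodes:
        if node != ui_node:
            results[node] = authorize(ui_node, f"<{user}>", policy)
    return results

if __name__ == "__main__":
    for ui in NODES:
        print(ui, replicate(ui, "CN=mark", NODES, VIEW_DATA_POLICY))
```

In this model a request entering through node1 is allowed everywhere, while one entering through node2 is denied on node1 and node3 because node2 is not in the policy.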