Hi Brian, Yes that was the problem. I didn’t know that cluster node identity also need to be added. After adding it worked. Thanks a lot.
Thanks, Milan Das On 10/15/18, 5:44 PM, "Bryan Bende" <[email protected]> wrote: Just to confirm, the cluster nodes are also granted access to "view the data"? That is the main difference between clustered vs non-clustered, so I would think something is not correct with the access policies for the nodes. On Mon, Oct 15, 2018 at 5:29 PM Milan Das <[email protected]> wrote: > > Hi Bryan > Thanks for your response. > The user have all access including view the data at root processor level. It works when is.cluster is false. It doesn’t work when is.cluster is true. > > Thanks, > Milan Das > > > On 10/15/18, 2:56 PM, "Bryan Bende" <[email protected]> wrote: > > The error message is saying your user does not have permission to view > the data for the given processor. > > There is a specific policy for viewing data which is described in the > admin guide component policies [1], the policy named "view the data". > > I think you should be able to create the "view the data" policy on the > root process group to allow the user to see all data, but I can't > remember off the top of my head. > > I think the users representing the nodes also might need to be in that > policy as well, since in a cluster the requests are being proxied and > it needs to ensure the node proxying the user is also authorized to > receive the data. > > [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies > On Mon, Oct 15, 2018 at 2:20 PM Milan Das <[email protected]> wrote: > > > > Hello Nifi Team, > > > > I am having an issue only when cluster mode is on. > > > > > > > > Issue is, I am unable to list Queue on secured cluster. It is communicating on sasl with Zookeeper and the cluster is configured with TLS encryption and nifi.security.user.login.identity.provider=kerberos-provider > > > > > > > > Queue on Success Queue: My flow is simple GenerateFlowFile (success) --> Funnel. > > > > > > > > Yes I added all policies at root level to user nifiadmin1. This works when I set the cluster to false. > > > > > > > > NIFI version : 1.6.0 > > > > > > > > > > > > > > > > Error: > > > > > > > > 2018-10-14 15:03:21,620 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for [email protected] > > > > 2018-10-14 15:03:21,621 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[[email protected]], groups[] does not have permission to access the requested resource. Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Returning Forbidden response. > > > > 2018-10-14 15:03:21,623 INFO [NiFi Web Server-40] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[[email protected]], groups[] does not have permission to access the requested resource. Node ip-172-30-1-235.ec2.internal:8443 is unable to fulfill this request due to: Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Contact the system administrator. Returning Forbidden response. > > > > 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<[email protected]><CN=ip-172-30-1-235.ec2.internal, O=Interset, ST=California, C=US>) POST https://ip-172-30-1-235.ec2.internal:8443/nifi-api/flowfile-queues/73121f31-0166-1000-0000-000024972726/listing-requests (source ip: 172.30.1.235) > > > > 2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@ > > > > > > > > Thanks, > > > > Milan Das > > > > >
