[ 
https://issues.apache.org/jira/browse/NIFI-11775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Villard resolved NIFI-11775.
-----------------------------------
    Resolution: Feedback Received

Apache NiFi 1.x is no longer maintained and no new release is planned on the 
1.x release line. Marking as resolved as part of a cleanup operation. Please 
open a new one with an updated description if this is still relevant for NiFi 
2.x.

> NiFi CLI is unauthorized with GCP load balancer
> -----------------------------------------------
>
>                 Key: NIFI-11775
>                 URL: https://issues.apache.org/jira/browse/NIFI-11775
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Tools and Build
>    Affects Versions: 1.22.0
>         Environment: openjdk version "17.0.7" 2023-04-18 LTS
> OpenJDK Runtime Environment Zulu17.42+19-CA (build 17.0.7+7-LTS)
> OpenJDK 64-Bit Server VM Zulu17.42+19-CA (build 17.0.7+7-LTS, mixed mode, 
> sharing)
>            Reporter: Pierre Villard
>            Priority: Major
>
> * 3 nodes cluster on GCP behind load balancer
> * Certs for nodes and LB generated with NiFi CA
> * Load balancer is configured with sticky session
>
> When using the CLI through the LB:
> {code:java}
> ./nifi-toolkit-1.22.0/bin/cli.sh nifi get-nodes -p ./nifi-cli.properties -verbose
> ERROR: Error executing command 'get-nodes' : Error retrieving node status: Unauthorized
> org.apache.nifi.toolkit.cli.api.CommandException: Error executing command 'get-nodes' : Error retrieving node status: Unauthorized
>         at org.apache.nifi.toolkit.cli.impl.command.nifi.AbstractNiFiCommand.doExecute(AbstractNiFiCommand.java:65)
>         at org.apache.nifi.toolkit.cli.impl.command.AbstractPropertyCommand.execute(AbstractPropertyCommand.java:74)
>         at org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.processCommand(CommandProcessor.java:252)
>         at org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.processGroupCommand(CommandProcessor.java:233)
>         at org.apache.nifi.toolkit.cli.impl.command.CommandProcessor.process(CommandProcessor.java:188)
>         at org.apache.nifi.toolkit.cli.CLIMain.runSingleCommand(CLIMain.java:145)
>         at org.apache.nifi.toolkit.cli.CLIMain.main(CLIMain.java:72)
> Caused by: org.apache.nifi.toolkit.cli.impl.client.nifi.NiFiClientException: Error retrieving node status: Unauthorized
>         at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:90)
>         at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyControllerClient.getNodes(JerseyControllerClient.java:191)
>         at org.apache.nifi.toolkit.cli.impl.command.nifi.nodes.GetNodes.doExecute(GetNodes.java:49)
>         at org.apache.nifi.toolkit.cli.impl.command.nifi.nodes.GetNodes.doExecute(GetNodes.java:34)
>         at org.apache.nifi.toolkit.cli.impl.command.nifi.AbstractNiFiCommand.doExecute(AbstractNiFiCommand.java:63)
>         ... 6 more
> Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
>         at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:942)
>         at org.glassfish.jersey.client.JerseyInvocation.translate(JerseyInvocation.java:755)
>         at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$1(JerseyInvocation.java:675)
>         at org.glassfish.jersey.client.JerseyInvocation.call(JerseyInvocation.java:697)
>         at org.glassfish.jersey.client.JerseyInvocation.lambda$runInScope$3(JerseyInvocation.java:691)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
>         at org.glassfish.jersey.internal.Errors.process(Errors.java:205)
>         at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:390)
>         at org.glassfish.jersey.client.JerseyInvocation.runInScope(JerseyInvocation.java:691)
>         at org.glassfish.jersey.client.JerseyInvocation.invoke(JerseyInvocation.java:674)
>         at org.glassfish.jersey.client.JerseyInvocation$Builder.method(JerseyInvocation.java:422)
>         at org.glassfish.jersey.client.JerseyInvocation$Builder.get(JerseyInvocation.java:318)
>         at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.JerseyControllerClient.lambda$getNodes$8(JerseyControllerClient.java:194)
>         at org.apache.nifi.toolkit.cli.impl.client.nifi.impl.AbstractJerseyClient.executeAction(AbstractJerseyClient.java:76)
> {code}
> When using the CLI with direct access to a node:
> {code:java}
> ./nifi-toolkit-1.22.0/bin/cli.sh nifi get-nodes -p ./nifi-cli.properties -verbose
> #   Node ID                                Node Address   API Port   Node Status
> -   ------------------------------------   ------------   --------   -----------
> 0   1e1f3c33-0378-4de3-81b7-7c1edd333f8e   nifi-1         8443       CONNECTED
> 1   e7cb1ff8-7c15-4911-9d91-e0080ae42baf   nifi-2         8443       CONNECTED
> 2   d86e4cc6-0a1c-496e-aca2-8803df17319e   nifi-3         8443       CONNECTED
> {code}
> When the request is unauthorized, the only log I have in nifi-request.log:
> {code:java}
> 35.191.13.212 - - [01/Jul/2023:23:08:35 +0000] "GET /nifi-api/controller/cluster HTTP/1.1" 401 12 "-" "Jersey/2.39.1 (HttpUrlConnection 11.0.18)"
> {code}
> If switching logging to DEBUG on org.springframework.security, I get one 
> additional log:
> {code:java}
> 2023-07-03 15:13:39,232 DEBUG [NiFi Web Server-24] o.s.security.web.FilterChainProxy Securing GET /controller/cluster
> {code}
> In addition to solving this issue (could be related to how the CLI is dealing 
> with custom HTTP headers and the XSRF Token cookie), it could be nice to have 
> more logs when something like this happens.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
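
An added example, not part of the issue or of the NiFi project's code: it parses request-log lines in the format of the nifi-request.log entry quoted above and counts 401 responses by whether the source address is a Google Cloud load-balancer proxy or a direct client. The two CIDR ranges are the proxy and health-check ranges Google documents for its load balancers (brought in here, not stated in the issue); every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: Google's documented source ranges for LB proxies and health checks.
GCP_LB_RANGES = [ipaddress.ip_network(n) for n in ("35.191.0.0/16", "130.211.0.0/22")]

# NCSA combined log format, matching the nifi-request.log line in the issue.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_line(line):
    """Return the named fields of one request-log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def via_gcp_lb(ip):
    """True when the peer address NiFi logged belongs to a GCP LB proxy range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in GCP_LB_RANGES)

def summarize_401(lines):
    """Count 401s keyed by (source, path, user agent); also count unparsable lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["status"] != "401":
            continue
        source = "gcp-lb" if via_gcp_lb(rec["ip"]) else "direct"
        counts[(source, rec["path"], rec["agent"])] += 1
    return counts, skipped

AGENT = "Jersey/2.39.1 (HttpUrlConnection 11.0.18)"
SAMPLE_LOG = [
    # From the issue:
    f'35.191.13.212 - - [01/Jul/2023:23:08:35 +0000] "GET /nifi-api/controller/cluster HTTP/1.1" 401 12 "-" "{AGENT}"',
    # Constructed: a second request through the LB, a direct request, a malformed line.
    f'35.191.13.212 - - [01/Jul/2023:23:09:10 +0000] "GET /nifi-api/controller/cluster HTTP/1.1" 401 12 "-" "{AGENT}"',
    f'10.128.0.5 - - [01/Jul/2023:23:09:02 +0000] "GET /nifi-api/controller/cluster HTTP/1.1" 200 1024 "-" "{AGENT}"',
    "truncated line without the expected fields",
]

if __name__ == "__main__":
    for key, n in summarize_401(SAMPLE_LOG)[0].items():
        print(n, *key)
```

A summary in which every 401 for the CLI's user agent carries the `gcp-lb` source narrows the comparison to what differs between the load-balanced and direct request paths.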
