Unable to List Queue


Milan Das
Hello NiFi Team,

I am having an issue only when cluster mode is on.

The issue is that I am unable to list a queue on a secured cluster. It is communicating on SASL with ZooKeeper, and the cluster is configured with TLS encryption and nifi.security.user.login.identity.provider=kerberos-provider

Queue on Success Queue: My flow is simple: GenerateFlowFile (success) --> Funnel.

Yes, I added all policies at root level to user nifiadmin1. This works when I set the cluster to false.

NiFi version: 1.6.0

Error:

2018-10-14 15:03:21,620 INFO [NiFi Web Server-38] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for [hidden email]

2018-10-14 15:03:21,621 INFO [NiFi Web Server-38] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[[hidden email]], groups[] does not have permission to access the requested resource. Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Returning Forbidden response.

2018-10-14 15:03:21,623 INFO [NiFi Web Server-40] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[[hidden email]], groups[] does not have permission to access the requested resource. Node ip-172-30-1-235.ec2.internal:8443 is unable to fulfill this request due to: Unable to view the data for Processor with ID 7312084e-0166-1000-0000-00006ef08dd3. Contact the system administrator. Returning Forbidden response.

2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<[hidden email]><CN=ip-172-30-1-235.ec2.internal, O=Interset, ST=California, C=US>) POST https://ip-172-30-1-235.ec2.internal:8443/nifi-api/flowfile-queues/73121f31-0166-1000-0000-000024972726/listing-requests (source ip: 172.30.1.235)

2018-10-14 15:03:21,633 INFO [NiFi Web Server-138] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for nifiadmin1@

Thanks,

Milan Das

Re: Unable to List Queue

Bryan Bende
The error message is saying your user does not have permission to view
the data for the given processor.

There is a specific policy for viewing data which is described in the
admin guide component policies [1], the policy named "view the data".

I think you should be able to create the "view the data" policy on the
root process group to allow the user to see all data, but I can't
remember off the top of my head.

I think the users representing the nodes also might need to be in that
policy as well, since in a cluster the requests are being proxied and
it needs to ensure the node proxying the user is also authorized to
receive the data.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies

Re: Unable to List Queue

Milan Das
Hi Bryan,
Thanks for your response.
The user has all access, including view the data, at root processor level. It works when is.cluster is false. It doesn’t work when is.cluster is true.

Thanks,
Milan Das



Re: Unable to List Queue

Bryan Bende
Just to confirm, the cluster nodes are also granted access to "view the data"?

That is the main difference between clustered vs non-clustered, so I
would think something is not correct with the access policies for the
nodes.

Re: Unable to List Queue

Milan Das
Hi Bryan,
Yes, that was the problem.
I didn’t know that the cluster node identity also needs to be added. After adding it, it worked.
Thanks a lot.

Thanks,
Milan Das
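
The fix the thread arrives at (the end user and every cluster node identity must hold "view the data") can be audited offline. The following is an added example, not code from the thread or from the NiFi project: it assumes the file-based authorizer's users.xml and authorizations.xml layout, and every identity and ID in it is a constructed placeholder. It checks one policy resource only and does not model policy inheritance.

```python
import xml.etree.ElementTree as ET

# Constructed identities and IDs (placeholders, not values from the thread).
ADMIN = "nifiadmin1@EXAMPLE.COM"
NODE1 = "CN=node1.example.internal, O=Example, C=US"
NODE2 = "CN=node2.example.internal, O=Example, C=US"
VIEW_DATA = "/data/process-groups/root-pg-id"  # "view the data" on the root group

# Constructed users.xml / authorizations.xml (file-based authorizer layout assumed).
USERS_XML = f"""<tenants>
  <groups><group identifier="g-nodes" name="nodes"><user identifier="u-n1"/></group></groups>
  <users>
    <user identifier="u-adm" identity="{ADMIN}"/>
    <user identifier="u-n1" identity="{NODE1}"/>
    <user identifier="u-n2" identity="{NODE2}"/>
  </users>
</tenants>"""
AUTHZ_XML = f"""<authorizations><policies>
  <policy identifier="p1" resource="/flow" action="R">
    <user identifier="u-adm"/><user identifier="u-n1"/><user identifier="u-n2"/>
  </policy>
  <policy identifier="p2" resource="{VIEW_DATA}" action="R">
    <user identifier="u-adm"/><group identifier="g-nodes"/>
  </policy>
</policies></authorizations>"""

def granted_identities(users_xml, authz_xml, resource, action="R"):
    """Identities granted resource/action directly or through a group."""
    tenants = ET.fromstring(users_xml)
    identity = {u.get("identifier"): u.get("identity")
                for u in tenants.iterfind("./users/user")}
    members = {g.get("identifier"): [m.get("identifier") for m in g.iterfind("user")]
               for g in tenants.iterfind("./groups/group")}
    granted = set()
    for pol in ET.fromstring(authz_xml).iterfind("./policies/policy"):
        if (pol.get("resource"), pol.get("action")) != (resource, action):
            continue
        ids = [u.get("identifier") for u in pol.iterfind("user")]
        for grp in pol.iterfind("group"):
            ids += members.get(grp.get("identifier"), [])
        granted.update(identity[i] for i in ids if i in identity)
    return granted

def missing_view_data(users_xml, authz_xml, resource, end_user, node_identities):
    """End user plus every node that may proxy the request must hold the policy."""
    required = {end_user, *node_identities}
    return sorted(required - granted_identities(users_xml, authz_xml, resource))

if __name__ == "__main__":
    print(missing_view_data(USERS_XML, AUTHZ_XML, VIEW_DATA, ADMIN, [NODE1, NODE2]))
```

In the constructed data the second node is in the /flow policy but not in the data policy, which reproduces the situation in the thread: authentication succeeds and the user is authorized, yet the proxied request is refused.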
