unable to empty the connection queue between 2 processors in NIFI secure cluster

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

unable to empty the connection queue between 2 processors in NIFI secure cluster

yinwencai Ywc
Hi guys, I've just setup a secure NIFI 1.0.0 cluster and tried to check how NIFI cluster works.

I set up my NIFI secure cluster with LDAP based authorization and set the Initial Admin Identity to one of the users inside the LDAP server.
I could successfully log into the NIFI user interface and could do almost anything inside, but when I tried to empty the connection queue between 2 processors inside a processor group,
it prompted me I don't have enough permission to do it. I checked the policies menu inside NIFI and have given this user all possible permissions but still failed. You could check the snapshots
below:






Does anyone have any idea why this would happen? Thanks.
Reply | Threaded
Open this post in threaded view
|

Re: unable to empty the connection queue between 2 processors in NIFI secure cluster

Andrew Grande

Hi,

There are 2 levels basically. One is the global policies in the top right menu. Another is in the operator menu on the left and is specific to every processing group.

Sometimes you need a combination of both to allow for an action. E.g. try data provenance and modify data permissions to allow emptying a queue.

Andrew


On Sun, Nov 13, 2016, 10:11 PM yinwencai Ywc <[hidden email]> wrote:
Hi guys, I've just setup a secure NIFI 1.0.0 cluster and tried to check how NIFI cluster works.

I set up my NIFI secure cluster with LDAP based authorization and set the Initial Admin Identity to one of the users inside the LDAP server.
I could successfully log into the NIFI user interface and could do almost anything inside, but when I tried to empty the connection queue between 2 processors inside a processor group,
it prompted me I don't have enough permission to do it. I checked the policies menu inside NIFI and have given this user all possible permissions but still failed. You could check the snapshots
below:






Does anyone have any idea why this would happen? Thanks.
Reply | Threaded
Open this post in threaded view
|

Re: unable to empty the connection queue between 2 processors in NIFI secure cluster

yinwencai Ywc
Thanks Andrew, I finally got it to work. it turns out I had to add permissions for all the node identities in the global "query provenance" policy setting menu as well as inside the operator menu for that processor group. these node identities are configured inside the cluster configuration file authorizers.xml as below:
        <property name="Node Identity 1">CN=CentOS1, OU=NIFI</property>
        <property name="Node Identity 2">CN=CentOS2, OU=NIFI</property>
        <property name="Node Identity 3">CN=CentOS3, OU=NIFI</property>

Regards,
Ben


On Mon, Nov 14, 2016 at 12:34 PM, Andrew Grande <[hidden email]> wrote:

Hi,

There are 2 levels basically. One is the global policies in the top right menu. Another is in the operator menu on the left and is specific to every processing group.

Sometimes you need a combination of both to allow for an action. E.g. try data provenance and modify data permissions to allow emptying a queue.

Andrew


On Sun, Nov 13, 2016, 10:11 PM yinwencai Ywc <[hidden email]> wrote:
Hi guys, I've just setup a secure NIFI 1.0.0 cluster and tried to check how NIFI cluster works.

I set up my NIFI secure cluster with LDAP based authorization and set the Initial Admin Identity to one of the users inside the LDAP server.
I could successfully log into the NIFI user interface and could do almost anything inside, but when I tried to empty the connection queue between 2 processors inside a processor group,
it prompted me I don't have enough permission to do it. I checked the policies menu inside NIFI and have given this user all possible permissions but still failed. You could check the snapshots
below:






Does anyone have any idea why this would happen? Thanks.