question Nifi Rejecting access to web api: Untrusted proxy in Support Questions https://community.cloudera.com/t5/Support-Questions/Nifi-Rejecting-access-to-web-api-Untrusted-proxy/m-p/321900#M228597 <P>Hello Community,</P><P>I'm trying to set-up a secured 3 node NiFi cluster with self-signed certs, generated via Cert-Manager. Nifi is deployed via a Helm chart into AKS.</P><P>&nbsp;</P><P>The issue is, as soon as I set the number of nodes to 3 I get this error. With 1 node, I did not have this issue.</P><P>So, all 3 nodes has their own Keystore and a shared Truststore. All&nbsp; 3 nodes' TLS cert is stored in the shared truststore.</P><P>I have my authorizers.xml set up:</P><P>&nbsp;</P><PRE><SPAN class="line"> <SPAN class="nt">&lt;userGroupProvider&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;identifier&gt;</SPAN>file-user-group-provider<SPAN class="nt">&lt;/identifier&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;class&gt;</SPAN>org.apache.nifi.authorization.FileUserGroupProvider<SPAN class="nt">&lt;/class&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Users File"</SPAN><SPAN class="nt">&gt;</SPAN>./auth-conf/users.xml<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Legacy Authorized Users File"</SPAN><SPAN class="nt">&gt;&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Initial User Identity 1"</SPAN><SPAN class="nt">&gt;</SPAN>initial.admin@mail.com<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Initial User Identity 3"</SPAN><SPAN class="nt">&gt;</SPAN>CN=nifi-0<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Initial User Identity 4"</SPAN><SPAN class="nt">&gt;</SPAN>CN=nifi-1<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Initial User Identity 5"</SPAN><SPAN class="nt">&gt;</SPAN>CN=nifi-2<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;/userGroupProvider&gt;<BR /><BR /></SPAN></SPAN></PRE><PRE><SPAN class="line"> <SPAN class="nt">&lt;accessPolicyProvider&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;identifier&gt;</SPAN>file-access-policy-provider<SPAN class="nt">&lt;/identifier&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;class&gt;</SPAN>org.apache.nifi.authorization.FileAccessPolicyProvider<SPAN class="nt">&lt;/class&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"User Group Provider"</SPAN><SPAN class="nt">&gt;</SPAN>file-user-group-provider<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Authorizations File"</SPAN><SPAN class="nt">&gt;</SPAN>./auth-conf/authorizations.xml<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Initial Admin Identity"</SPAN><SPAN class="nt">&gt;</SPAN>initial.admin@mail.com<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Node Identity 1"</SPAN><SPAN class="nt">&gt;</SPAN>CN=nifi-0<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Node Identity 2"</SPAN><SPAN class="nt">&gt;</SPAN>CN=nifi-1<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;property</SPAN> <SPAN class="na">name=</SPAN><SPAN class="s">"Node Identity 3"</SPAN><SPAN class="nt">&gt;</SPAN>CN=nifi-2<SPAN class="nt">&lt;/property&gt;</SPAN></SPAN> <SPAN class="line"> <SPAN class="nt">&lt;/accessPolicyProvider&gt;</SPAN></SPAN> </PRE><P>&nbsp;The TLS certs for each node contains the same names: CN=nifi-0, etc.</P><P>I've made sure that I have deleted the authorizations.xml and users.xml on my nodes so it will be generated again up to date.</P><P>All my nodes has the /proxy policy on all my nodes:</P><PRE>&lt;authorizations&gt;<BR />&lt;policies&gt;<BR />&lt;policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="17b6f3de-feaf-3539-b938-ee287e625cf3" resource="/data/process-groups/9701352c-a1c0-4cfc-a6bb-92f76382e007" action="R"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;user identifier="5d994b80-c1b1-3c50-aa9f-488c1e549c53"/&gt;<BR />&lt;user identifier="8fa66807-0e9c-3972-b28e-ed8542fec384"/&gt;<BR />&lt;user identifier="a3a07ec3-6507-3e19-bc6a-c47e0deca8c6"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="6bf50b6c-d24b-38a4-9c6e-1b9bd888b6ee" resource="/data/process-groups/9701352c-a1c0-4cfc-a6bb-92f76382e007" action="W"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;user identifier="5d994b80-c1b1-3c50-aa9f-488c1e549c53"/&gt;<BR />&lt;user identifier="8fa66807-0e9c-3972-b28e-ed8542fec384"/&gt;<BR />&lt;user identifier="a3a07ec3-6507-3e19-bc6a-c47e0deca8c6"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="23d164f5-1bef-3c18-86ee-e1b88fd2845f" resource="/process-groups/9701352c-a1c0-4cfc-a6bb-92f76382e007" action="R"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="d4fd2dc1-5c49-370d-bb81-107b6de0bdcc" resource="/process-groups/9701352c-a1c0-4cfc-a6bb-92f76382e007" action="W"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W"&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4"/&gt;<BR />&lt;/policy&gt;<BR />&lt;policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W"&gt;<BR />&lt;user identifier="5d994b80-c1b1-3c50-aa9f-488c1e549c53"/&gt;<BR />&lt;user identifier="8fa66807-0e9c-3972-b28e-ed8542fec384"/&gt;<BR />&lt;user identifier="a3a07ec3-6507-3e19-bc6a-c47e0deca8c6"/&gt;<BR />&lt;/policy&gt;<BR />&lt;/policies&gt;<BR />&lt;/authorizations&gt;</PRE><P>&nbsp;</P><P>And my users.xml:</P><PRE>&lt;tenants&gt;<BR />&lt;groups/&gt;<BR />&lt;users&gt;<BR />&lt;user identifier="08106046-f063-3605-9480-9afc3f4726d4" identity="<SPAN class="line">initial.admin@mail.com</SPAN>"/&gt;<BR />&lt;user identifier="5d994b80-c1b1-3c50-aa9f-488c1e549c53" identity="CN=nifi-0"/&gt;<BR />&lt;user identifier="8fa66807-0e9c-3972-b28e-ed8542fec384" identity="CN=nifi-1"/&gt;<BR />&lt;user identifier="a3a07ec3-6507-3e19-bc6a-c47e0deca8c6" identity="CN=nifi-2"/&gt;<BR />&lt;/users&gt;<BR />&lt;/tenants&gt;</PRE><P>User-log error:</P><PRE>2021-08-01 18:35:27,868 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (&lt;<SPAN class="line">initial.admin@mail.com</SPAN>&gt;&lt;CN=nifi-1&gt;) GET https://nifi-2.nifi-headless.test-nifi.svc.cluster.local:9443/nifi-api/flow/current-user (source ip: x.x.x.x)<BR />2021-08-01 18:35:27,869 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Untrusted proxy CN=nifi-1</PRE><P>When I try to log-in on the UI:</P><P><STRONG>Insufficient permissions: Untrusted proxy CN=nifi-1 or nifi-2 or nifi-0</STRONG><SPAN><BR /></SPAN></P><P>Only other issue which I couldnt figure out yet: <STRONG>Failed to send message to Cluster Coordinator due to: java.net.UnknownHostException: nifi-1.nifi-headless.test-nifi.svc.cluster.local</STRONG></P><P>My pods can resolve each-other and the zookeeper pods aswell.</P><P>&nbsp;</P><P>What can be the issue here?</P><P>&nbsp;</P> Sun, 01 Aug 2021 18:54:57 GMT Noctix 2021-08-01T18:54:57Z