https://community.cloudera.com/t5/Support-Questions/NIFI-quot-No-available-buckets-quot-for-saving-flow-version/m-p/326299#M229859 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/92470">@Theoo</a>&nbsp;<BR /><BR />Nice job on your path to solving the authorization issues, but you left out a few pieces<BR /><BR /></P><P>- When NiFi cluster nodes or a standalone NiFi instance communicates with a secured NiFi-Registry that communication MUST be authenticated and authorized in the NiFi-Registry side.&nbsp; The established connection between NiFi and NiFi-Registry only supports authentication via a mutual TLS handshake (Client is identified via the certificate shared to the NiFi-Registry from NiFi).&nbsp; Both NiFi and NiFi-Registry have identity mapping properties that can be added to the nifi-properties/nifi-registry.properties file that are used to manipulated the DN that comes from the client certificate.&nbsp; &nbsp;<BR /><BR />For example a NiFi host certificate with DN of "<SPAN>CN=nifi-node01, OU=NIFI" could be manipulated&nbsp;so the client string is only "nifi-node-01".<BR /><BR />Users and NiFi nodes/instances to both NiFi and NiFi-Registry&nbsp;are just clients, there is no distinction between the two.&nbsp; What matters is what each client is uniquely authorized to do within each service.<BR /><BR />Whatever the client string happens to be, The NiFi nodes/instance must be authorized for the following global policies in NiFi-Registry:<BR /><BR />"<STRONG>Can proxy user requests</STRONG>" (/proxy) with "<STRONG>Read, Write, and Delete</STRONG>" - This allows the NiFi nodes/instance to proxy some request made by the user authenticated in NiFi to perform some authorized request against NiFi-Registry (start version control, commit a new version of a version controlled Process Group (PG), etc.) since the NiFi user is not actually authenticating&nbsp;in to NiFi-Registry from NiFi. This does mean that the NiFi user string must exist as a user in NiFi-Registry and be authorized for the action they are trying perform.<BR /><BR />"<STRONG>Can Manage Buckets</STRONG>" (/buckets) with "<STRONG>Read</STRONG>" - This policy is needed by the NiFi nodes/instance so that the NiFi background thread that occasionally&nbsp;communicates with NiFi-Registry to see if newer version of a version controlled PG is available or so NiFi can display a list of available buckets).&nbsp; This request is not done on behalf of the user authenticated into NiFi.<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattWho_0-1633365611601.png" style="width: 400px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/32565i5BA4934B3A37690A/image-size/medium?v=v2&amp;px=400" role="button" title="MattWho_0-1633365611601.png" alt="MattWho_0-1633365611601.png" /></span></P><P><SPAN>----<BR />When it comes to the NiFi user, the policies needed in NiFi-Registry vary based on what you want that user to be able to do through&nbsp;NiFi or directly via the NiFi-Registry UI.<BR /><BR />In order for a user who is currently&nbsp;authenticated&nbsp;and authorized in to NiFi to interact with NiFi-Registry, that user string would need to be authorized in NiFi-Registry for the following:<BR />- A NiFi-Registry admin user would need to create a bucket and authorize the NiFi user on that bucket so it can be used by the NiFi user.<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; - "<STRONG>READ</STRONG>" on the bucket would allow the user to import and existing&nbsp;version controlled flow from Nifi-Registry on the NiFi UI.<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;- "<STRONG>WRITE</STRONG>" on the bucket would allow the user to start version control or change the version of the versioned PG in NiFi.<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; - "<STRONG>Delete</STRONG>" on the bucket would allow a user who can authenticate&nbsp;in to NiFi-Registry to delete flows within that bucket.&nbsp;<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattWho_1-1633365681781.png" style="width: 400px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/32566i3247DD1462B6CF97/image-size/medium?v=v2&amp;px=400" role="button" title="MattWho_1-1633365681781.png" alt="MattWho_1-1633365681781.png" /></span></P><P>--------<BR /><BR />As far as authentication of users in to NiFi and/or NiFi-Registry, you can create certificates for each fo your users, but the most commonly used method is LDAP/AD based authentication.&nbsp; You can add users in NiFi-Registry's authorizer so that those user string can be associated to authorization policies without those user even being able to authenticate and be authorized directly in to the NiFi-Registry's UI.&nbsp; They simply need to exist for the proxied request that come from NiFi on that user's behalf.</P><P><SPAN>Hope this exposes all that is needed in this thread.<BR /><BR />Thanks,<BR />Matt<BR /><BR /></SPAN></P> Mon, 04 Oct 2021 16:48:16 GMT MattWho 2021-10-04T16:48:16Z