Created 03-08-2017 02:16 PM
The remote process group on instance-1 trying to connect to instance-2 says forbidden. How can I fix this?
Created on 03-08-2017 03:52 PM - edited 08-18-2019 06:23 AM
When performing Site-to-Site (S2S) between two Secured NiFi installs, server authentication and authorization will need to be successful. In your case it sounds like authentication was likely successful (You can confirm this by looking in the nifi-user.log of the target NiFi). What appears to be missing is source server(s) authorization.
To resolve the "forbidden" you are seeing on your RPG, you will need to go to the target NiFi and add a new user for the source NiFi server(s) running the RPG. Click on "Users" to add new
The user you are adding will need to be the full DN from the source NiFi's server certificate (case sensitive, and whitespace counts as valid characters). You can pull the DN out of the nifi-user.log or by doing a verbose listing of the source NiFi's keystore.
After you have added the server as a user, you will need to authorize that server by clicking on "Policies" and granting the server the "retrieve site-to-site details" access policy. After doing the above, the "forbidden" response on the RPG should go away on the next sync.
What you still will not see is a list of available input and output ports on the target NiFi to which your source NiFi can connect over S2S. Remote input and output ports can only be added at the root canvas level. After they have been added you will need to allow your source NiFi server user to access them as well before they will show up in the RPG.
This is done via the "Operate panel":
Selecting an input or output port on the canvas will show that component as the selected component in the operate panel. Select the key icon and grant your NiFi source server the following policy:
For input ports --> "receive data via site-to-site" access policy
For output ports --> "send data via site-to-site" access policy
On the next sync the RPG should now show these ports as available to your source NiFi for connecting to over S2S.
Thanks,
Matt
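As an added illustration of the exact-DN point in the answer above (this is not code from the original thread or from NiFi itself): a small Python check that pulls the identity NiFi refused out of constructed nifi-user.log lines and compares it, exactly the way NiFi does, against the users an admin configured, then explains a mismatch. The log wording, the sample DNs and the user list are assumptions for the example.

```python
import re

# Constructed sample lines from a target NiFi's nifi-user.log. The message shape
# (identity[...] ... Returning Forbidden response) approximates NiFi's access-denied
# logging; treat the exact wording as an assumption, not a documented format.
SAMPLE_USER_LOG = """\
2017-03-09 14:25:01,112 INFO [NiFi Web Server-22] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifi-server1, OU=NIFI, O=Example, C=US
2017-03-09 14:25:01,120 WARN [NiFi Web Server-22] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=nifi-server1, OU=NIFI, O=Example, C=US], groups[] does not have permission to access the requested resource. Unable to retrieve site-to-site details. Returning Forbidden response.
"""

# Users typed into the target NiFi's "Users" page (constructed). The client-cert DN is
# present, but the server-cert DN was entered with different case and spacing.
CONFIGURED_USERS = [
    "CN=harshith, OU=NIFI, O=Example, C=US",
    "CN=nifi-server1,OU=nifi,O=Example,C=US",
]

FORBIDDEN_RE = re.compile(r"identity\[(?P<dn>[^\]]+)\].*Returning Forbidden response")


def denied_identities(log_text: str) -> list[str]:
    """Return every DN the target NiFi authenticated but then refused with 403."""
    matches = (FORBIDDEN_RE.search(line) for line in log_text.splitlines())
    return [m.group("dn") for m in matches if m]


def normalize(dn: str) -> str:
    """Loose form used only to explain a mismatch; NiFi itself compares exactly."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def diagnose(dn: str, users: list[str]) -> str:
    """Explain why a denied DN does not line up with a configured user."""
    if dn in users:  # exact, case- and whitespace-sensitive match, as NiFi does it
        return "exact user exists: check the 'retrieve site-to-site details' policy"
    for u in users:
        if normalize(u) == normalize(dn):
            return f"near match only (case/whitespace differ): configured {u!r}, certificate presents {dn!r}"
    return "no user for this DN: add the server certificate DN, not the client certificate DN"


if __name__ == "__main__":
    for dn in denied_identities(SAMPLE_USER_LOG):
        print(dn, "->", diagnose(dn, CONFIGURED_USERS))
```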
Created on 03-09-2017 05:48 AM - edited 08-18-2019 06:23 AM
I've added the DN under users and added the same under the 'retrieve site-to-site details' policy, but I am still getting the forbidden warning.
Created 03-09-2017 01:05 PM
What do you see in the nifi-user.log on the target NiFi server of the RPG? What is the full error seen in the nifi-app.log of the source NiFi server?
Created 03-09-2017 02:25 PM
This is the error I see in nifi-app.log:
Process Thread-10] o.apache.nifi.controller.FlowController Unable to communicate with remote instance RemoteProcessGroup[https://xx.xx.xx.xx:8124/nifi] due to org.apache.nifi.controller.exception.CommunicationsException: Unable to communicate with Remote NiFi at URI https://xx.xx.xx.xx:8124/nifi-api due to: response code 403:Forbidden with explanation: null
Created 03-09-2017 02:55 PM
And what do you see in the nifi-user.log on the other NiFi instance?
Created 03-09-2017 02:58 PM
Were the certificates created to secure each of these NiFi instances signed by the same CA?
The authentication that is going to occur between these NiFi instances is 2-way SSL. Both servers must be able to trust the certificate being presented by the other NiFi instance.
Thanks,
Matt
Created 03-09-2017 09:40 PM
Created on 03-10-2017 05:49 AM - edited 08-18-2019 06:22 AM
This is what I found in nifi-user.log
I had created a server certificate, a client certificate and a CAcert holding the signature of both from tinycert.org. I had mentioned the server certificate and CAcert path in nifi.properties and was loading the client certificate into my browser. I was using the same certificate for both NiFi instances.
Like you said, I had added the client cert DN under the users, but NiFi was using the server cert DN (which I got to know after seeing the nifi-user.log) for site-to-site authentication. So, I added the server DN under the users and added the same under the 'retrieve site-to-site details' policy. Now the issue is fixed. The RPG is now able to establish a connection.
Thanks,
Harshith