Support Questions
Find answers, ask questions, and share your expertise

NIFI: "No available buckets" for saving flow version to nifi registry

Highlighted

NIFI: "No available buckets" for saving flow version to nifi registry

New Contributor

Hello all,

 

NoBuckets.PNG

Here is our setup:

-set up secure nifi
-set up secure registry
-both on the same machine
-created user in registry with CN=[hostname], OU=NiFi with read right on buckets and proxy user requests enabled
-created Registry client in the nifi instance with https://[hostname]:[port]
-when trying to start version control on a process group, buckets are loading for a split second, then showing -> "no available buckets"
-activated logging on DEBUG level, can see the proxy request, but no authorization
-when listening to the registry port with netstat, we can see registry listening on that port
-when trying to retrieve buckets through nifi, connection is established, but no buckets can be seen

 

 

Additional information:
We have created buckets, adding both the admin user and the user which is used for the connection in registry to their policies. 
We encounter no error when trying to retrieve the buckets, neither in the UI nor anywhere in the logs (with highest logging level activated).
We have seen several set up videos and many open threads but the suggested solutions are not solving our problem.
We suspect a permission problem, but are unable to detect the root of the problem
if necessary logs can be provided.

4 REPLIES 4
Highlighted

Re: NIFI: "No available buckets" for saving flow version to nifi registry

Master Guru

@JelenaS 

You are correct that this sounds like an authorization issue.

I recommend tailing the nifi-registry-app.log  and then perform the action of trying to version control a Process Group within NiFI's UI.

How are you handling user authorization in your NiFi and NiFi-Registry?
- File based authorization (users.xml and authorizations.xml)

What identity.mapping patterns have you configured in your NiFi and NiFi-Registry?
How are you authenticating your user that access both NiFi and NiFi-Registry?

The only buckets that would be returned are those buckets for which the Authenticated user in NiFi has access to in NiFi-Registry.
Screen Shot 2020-12-23 at 3.43.29 PM.png

Keep in mind that the user/client strings in NiFi that are passed to NiFi-Registry must match exactly.

Nodes will pass their full DN when they proxy the request on behalf of the authorized user.  The user string will passed as is.   That means identity mapping patterns will be applied on NiFi-Registry side against those NIFi DNs.  Resulting mapped value must match the client string add as a user in NiFi-Registry.

The passed user string must match exactly (case sensitive) or it is treated as a different user.

 

Hope this helps,

Matt

 

Highlighted

Re: NIFI: "No available buckets" for saving flow version to nifi registry

New Contributor

Thank you @MattWho 

 

Our whole setup is very basic so far. We are working with the admin user and authenticate with the generated client certificates (nifi toolkit). We have no additional user authorization in place yet. Therefore also no identity mapping patterns. 

Also used the exact domain name as user CN.

 

When trying to perform version control, the nifi registry log gives the requested resource followed by a repetition of these messages: 

 

IdentityFilter Attempting to extract user credentials using X509IdentityProvider

IdentityFilter Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='CN=nifi_admin, OU=NiFi', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@3938d0ef}

IdentityFilter Credentials already extracted for [org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken$1@138d2a4], skipping credentials extraction filter using JwtIdentityProvider

AnonymousIdentityFilter SecurityContextHolder not populated with anonymous token, as it already contained: 'AuthenticationRequest{username='CN=nifi_admin, OU=NiFi', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@1a175871}'

ResourceAuthorizationFilter Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.

ProxyChainAuthorizable Requested resource is /tenants

 

 

This is the only remarkable message but I don't see any obvious error.

Re: NIFI: "No available buckets" for saving flow version to nifi registry

Master Guru

@JelenaS 

 

You would need to share some screenshots of the policies/permissions you have set on the bucket(s) you have created in your NiFi-Registry. 
- Go to "Settings" (wrench icon upper right corner within NiFi-Registry
- under "BUCKETS" click pencil icon for bucket you expect your user to see
- Your NiFi user which is logged in to NiFi should have write,delete,read on the bucket.

Would also be helpful to what "Special Privileges" you have set for each of your NiFi nodes inside NiFi-Registry as well.
- Go to "Settings" (wrench icon upper right corner within NiFi-Registry
- under "USERS" click pencil icon for each of your NiFi nodes
- Each of your NiFi nodes (case sensitive) should have "Can proxy user requests" and read on "Can manage buckets" checked.

Highlighted

Re: NIFI: "No available buckets" for saving flow version to nifi registry

New Contributor

@MattWho 

We tried two different bucket settings: one publicly visible, the other not

Bucket2.PNGBucket1.PNG

We are logged into NiFi and to NiFi Registry with the NiFi Admin user. Could this cause a problem? 

 

Admin_User.PNGhost_user.PNG

The NiFI Controller Settings look like this:

Registry_client.PNG

 

 

  

Don't have an account?