@stevenmatison I tried those earlier. A few things that I checked: making sure the user has privileges to the bucket, and adding the hostname as a user in nifi-registry with CN=<dns for nifi>,OU=NIFI and making sure that it has access to the bucket and can proxy requests.
The initial user is coming from the LDAP provider on both nifi and nifi-registry, and the hashed userid in both users.xml files (nifi and nifi-registry) are matching.
Your NiFi node(s) will need to exist in NiFi-Registry and be assigned the following special privileges:
Read allows your NiFi nodes to read all buckets to see if new versions of existing version controlled flows exist. Proxy is needed because a NiFi node may proxy requests on behalf of the user authenticated in to NiFi and making NiFi-Registry requests.
Your NiFi authenticated user in NiFi will need to exist in NiFi-Registry (exact string match) and be authorized for a bucket you must first create via the NiFi-Registry's UI as follows:
If your NiFi user has not been authorized to any buckets you will see the error below in NiFi when you try to version control a process group:
Once the user is properly given authorization to a bucket in NiFi-Registry, you will instead see:
Only buckets for which your user is authorized will show in the bucket pull-down menu.
Authorizing your user is not enough. The NiFi nodes themselves need to be able to successfully authenticate via a mutual TLS handshake with the target NiFi-Registry. Those nodes then need to be authorized to read all buckets and given read/write to proxy user requests.
When a user authenticates in to NiFi, that user entity is authorized to perform actions based on authorizations in NiFi. When it comes to NiFi then talking to NiFi-Registry, the NiFi node is proxying the request to the NiFi-Registry on behalf of the user authenticated into NiFi.
Also, background threads in NiFi, just like the NiFi processors added to the canvas, are not executing as the user authenticated in to NiFi. So in the background NiFi connects to NiFi-Registry to check on current version controlled process groups to see if newer versions exist.
While you are granting your NiFi nodes the ability to read all buckets, the NiFi users should be given read and write authorizations to the specific buckets that the user is going to use to version control their Process Group.
The ability to dynamically fetch secrets/passwords from an external source is not something that exists currently. Doing so would require modification of every component class that uses sensitive properties.
I have added the NiFi keystore owner (CN=<host>, OU=NIFI) to Registry as a user and gave these privileges. No effect.
It looks like the connection between NiFi and Registry is done correctly, because when I made buckets publicly available, the buckets were fetched successfully from Registry. I can see my buckets from Chrome developer tools (Network tab) as above.
So, there is an issue with authorization.
Do I need to save my Nifi Keystore Owner string to LDAP?
Do I need to import Nifi truststore or keystore to Registry stores?
If you have a support contract with Cloudera, I'd recommend opening a support case to assist with your issue here.
Possible causes:
1. Unsuccessful mutual TLS handshake with NiFi-Registry from the NiFi hosts, resulting in the NiFi node connection being only a 1-way TLS connection and the node being treated as an "anonymous" user. Anonymous users could not proxy user requests and cannot see anything except public buckets.
--- Caused by a missing complete trust chain on one or both sides of the connection. The truststore in NiFi-Registry must contain the complete trust chain for the NiFi hosts' keystore PrivateKeyEntry.
--- Caused by the PrivateKeyEntry not meeting minimum requirements (missing SAN with the NiFi hostname, missing EKU of clientAuth, and/or using wildcards are the most common).
2. NiFi-Registry is configured with an identity mapping pattern in the nifi-registry.properties file that is matching on the DN from the NiFi's client certificate presented in the mutual TLS handshake. The identity mapping value and transform is then applied, which alters the actual client string that must then be authorized for the Proxy and bucket policies.
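To make cause 2 concrete, here is an added Python example (not from this thread or the NiFi project) that reproduces how an identity mapping pattern/value/transform in nifi-registry.properties rewrites a node's certificate DN before the policy lookup, so a user entry added with the raw DN no longer matches. The DN, property values and registry user list are constructed; the mapping semantics assumed are full regex match, $n group substitution, NONE/LOWER/UPPER transform, and first matching pattern (by sorted property name) wins.

```python
import re

# Constructed sample DN a NiFi node presents in the mutual TLS handshake.
NODE_DN = "CN=nifi-node-1.example.com, OU=NIFI"

# Constructed nifi-registry.properties fragment with one identity mapping
# (keys follow the nifi.security.identity.mapping.* naming; values are made up).
REGISTRY_PROPS = {
    "nifi.security.identity.mapping.pattern.dn": r"^CN=(.*?), OU=(.*?)$",
    "nifi.security.identity.mapping.value.dn": "$1",
    "nifi.security.identity.mapping.transform.dn": "LOWER",
}

# Constructed registry user list: the node was added with its raw keystore DN.
REGISTRY_USERS = {"CN=nifi-node-1.example.com, OU=NIFI"}

KEY_RE = re.compile(r"nifi\.security\.identity\.mapping\.(pattern|value|transform)\.(.+)")


def load_mappings(props):
    """Group pattern/value/transform properties by mapping name, sorted by name."""
    mappings = {}
    for key, val in props.items():
        m = KEY_RE.fullmatch(key)
        if m:
            mappings.setdefault(m.group(2), {})[m.group(1)] = val
    return dict(sorted(mappings.items()))


def apply_transform(identity, transform):
    """NONE (default), LOWER or UPPER, as in the transform property."""
    return {"LOWER": identity.lower(), "UPPER": identity.upper()}.get(transform, identity)


def map_identity(dn, props):
    """Return the identity string NiFi-Registry authorizes after mapping."""
    for mapping in load_mappings(props).values():
        pattern = mapping.get("pattern")
        if not pattern:
            continue
        match = re.fullmatch(pattern, dn)
        if match:
            # Substitute $1, $2, ... with the capture groups of the pattern.
            template = mapping.get("value", "$0")
            value = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)
            return apply_transform(value, mapping.get("transform", "NONE"))
    return dn  # no mapping matched: the raw DN is used as the identity


def authorized_identity(dn, props, users):
    """Return (mapped identity, whether it exactly matches a registry user)."""
    identity = map_identity(dn, props)
    return identity, identity in users
```

With the mapping active, the node must be added to NiFi-Registry as "nifi-node-1.example.com", not as the full DN; with no mapping, the raw DN is what gets authorized.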
It was a really annoying problem. Somehow, I managed to solve it at that time, but I don't remember how right now and I cannot check the config files because I have changed my job. I don't remember exactly, but it was fixed by making some changes in the config files. So you have to make sure you set your configs properly for both nifi and registry. Sorry, couldn't help 😞