@JelenaS Making a bucket public only only control whether an unauthenticated and authorized user can import flows from a bucket on to the NiFi instance. So ONLY make it public if you want anonymous users to be able to use your version controlled flows in that bucket. Users must still be authenticated and authorized in order to commit new flows to a public bucket. As far as the global polices you set up for your "CN=<domainname>.net, OU=NiFi", that looks correct (don't need "write" on buckets), but is only correct if that string matches exactly what is coming from the certificates used on your secured NiFi instance(s) post and identity mapping happening on the NiFi-Registry server. So check your nifi-registry.properties file for any configured Identity Mapping Properties: https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#identity-mapping-properties For example: nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?)$
nifi.registry.security.identity.mapping.value.dn=$1
nifi.registry.security.identity.mapping.transform.dn=NONE with above and "CN=<domainname>.net, OU=NiFi", the string that would get checked for authorization in NiFi-Registry would be only "<domainname>.net" and thus be the string that would need to be authorized in instead of the full DN. When you are authenticated in to your NiFi instance as your nifi_admin user, what exact string is displayed in the upper right corner of the NiFi UI? Is it "nifi_admin" or "CN=nifi_admin, OU=NiFi" because whatever displayed there is going to be the exact user string that gets proxied to the NiFi-Registry. Also keep in mind that USER/CLIENT strings are case sensitive in both NIFi and NiFi-Registry. Mapping transforms can be used to convert strings to all uppercase (UPPER) or all lowercase (LOWER). Hope this helps, Matt
... View more
