Member since
02-28-2022
17
Posts
0
Kudos Received
1
Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
7903 | 06-21-2022 11:23 AM |
06-21-2022
11:23 AM
Thank you everyone for all the support and help. RCA: What I have observed, whenever we are performing PUT or Delete HTTP requests, the proxy in front of NiFi is intercepting and denying the request. Hence these requests are not even reaching our EC2 instance, and NIFI request.log is not capturing any PUT/DELETE HTTP requests. Hence on UI, we are getting 403 permissions Issues. Solution: We have enabled Put/ Delete HTTP requests from the proxy, and are now able to perform all the actions. Hence we can close this ticket.
... View more
06-14-2022
09:53 PM
@MattWho @gtorres @SAMSAL I am sharing my user logs. 2022-06-15 04:18:06,090 DEBUG [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:18:06,090 DEBUG [NiFi Web Server-18] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2022-06-15 04:18:06,091 DEBUG [NiFi Web Server-18] o.a.n.w.s.j.k.StandardVerificationKeySelector Key Identifier [ec9c28d4-7330-48da-bdf5-dd398cd5b76f] Verification Keys Found [1]
2022-06-15 04:18:06,093 DEBUG [NiFi Web Server-143] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:18:06,093 DEBUG [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,093 DEBUG [NiFi Web Server-143] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2022-06-15 04:18:06,093 DEBUG [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,093 DEBUG [NiFi Web Server-143] o.a.n.w.s.j.k.StandardVerificationKeySelector Key Identifier [ec9c28d4-7330-48da-bdf5-dd398cd5b76f] Verification Keys Found [1]
2022-06-15 04:18:06,094 DEBUG [NiFi Web Server-143] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,094 DEBUG [NiFi Web Server-143] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,108 DEBUG [NiFi Web Server-128] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:18:06,108 DEBUG [NiFi Web Server-128] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntitiesChain - <********@Company.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=********.***.**.***>
2022-06-15 04:18:06,108 DEBUG [NiFi Web Server-128] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntityGroups - <>
2022-06-15 04:18:06,108 INFO [NiFi Web Server-128] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.204.230.155 [<********@Company.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=********.***.**.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=******.***>] GET https://********.***.**.***:8086/nifi-api/flow/status
2022-06-15 04:18:06,108 INFO [NiFi Web Server-128] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [********@Company.***] 10.204.230.155 GET https://********.***.**.***:8086/nifi-api/flow/status
2022-06-15 04:18:06,108 DEBUG [NiFi Web Server-128] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,108 DEBUG [NiFi Web Server-128] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,108 DEBUG [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:18:06,108 DEBUG [NiFi Web Server-136] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntitiesChain - <********@Company.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=********.***.**.***>
2022-06-15 04:18:06,108 DEBUG [NiFi Web Server-136] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntityGroups - <>
2022-06-15 04:18:06,108 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.204.230.155 [<********@Company.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=********.***.**.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=******.***>] GET https://********.***.**.***:8086/nifi-api/flow/process-groups/653f47d8-0181-1000-1d99-58b6a323962a
2022-06-15 04:18:06,109 INFO [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [********@Company.***] 10.204.230.155 GET https://********.***.**.***:8086/nifi-api/flow/process-groups/653f47d8-0181-1000-1d99-58b6a323962a
2022-06-15 04:18:06,109 DEBUG [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,109 DEBUG [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,359 DEBUG [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:18:06,359 DEBUG [NiFi Web Server-136] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2022-06-15 04:18:06,359 DEBUG [NiFi Web Server-128] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:18:06,360 DEBUG [NiFi Web Server-128] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2022-06-15 04:18:06,360 DEBUG [NiFi Web Server-136] o.a.n.w.s.j.k.StandardVerificationKeySelector Key Identifier [ec9c28d4-7330-48da-bdf5-dd398cd5b76f] Verification Keys Found [1]
2022-06-15 04:18:06,360 DEBUG [NiFi Web Server-128] o.a.n.w.s.j.k.StandardVerificationKeySelector Key Identifier [ec9c28d4-7330-48da-bdf5-dd398cd5b76f] Verification Keys Found [1]
2022-06-15 04:18:06,361 DEBUG [NiFi Web Server-143] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:18:06,361 DEBUG [NiFi Web Server-143] o.a.n.w.s.x509.X509CertificateExtractor No client certificate found in request.
2022-06-15 04:18:06,362 DEBUG [NiFi Web Server-143] o.a.n.w.s.j.k.StandardVerificationKeySelector Key Identifier [ec9c28d4-7330-48da-bdf5-dd398cd5b76f] Verification Keys Found [1]
2022-06-15 04:18:06,362 DEBUG [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,362 DEBUG [NiFi Web Server-136] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,362 DEBUG [NiFi Web Server-128] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,362 DEBUG [NiFi Web Server-128] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,363 DEBUG [NiFi Web Server-143] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,363 DEBUG [NiFi Web Server-143] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,373 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:18:06,373 DEBUG [NiFi Web Server-20] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntitiesChain - <********@Company.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=********.***.**.***>
2022-06-15 04:18:06,373 DEBUG [NiFi Web Server-20] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntityGroups - <>
2022-06-15 04:18:06,373 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.204.230.155 [<********@Company.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=********.***.**.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=******.***>] GET https://********.***.**.***:8086/nifi-api/flow/current-user
2022-06-15 04:18:06,373 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [********@Company.***] 10.204.230.155 GET https://********.***.**.***:8086/nifi-api/flow/current-user
2022-06-15 04:18:06,373 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,373 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,378 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:18:06,378 DEBUG [NiFi Web Server-20] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntitiesChain - <********@Company.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=********.***.**.***>
2022-06-15 04:18:06,378 DEBUG [NiFi Web Server-20] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntityGroups - <>
2022-06-15 04:18:06,378 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.204.230.155 [<********@Company.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=********.***.**.***><C=US, ST=California, O=Company ***, OU=********.***.**.***, CN=******.***>] GET https://********.***.**.***:8086/nifi-api/flow/controller/bulletins
2022-06-15 04:18:06,378 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [********@Company.***] 10.204.230.155 GET https://********.***.**.***:8086/nifi-api/flow/controller/bulletins
2022-06-15 04:18:06,379 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:18:06,379 DEBUG [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [********@Company.***]
2022-06-15 04:16:23,463 DEBUG [NiFi Web Server-120] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntityGroups - <>
2022-06-15 04:16:23,463 INFO [NiFi Web Server-120] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.204.230.155 [<xxxxxxxxx@company.com><C=US, ST=California, O=Company, OU=xxxxxxxxx, CN=zzzzzzzzzz.company.com><C=US, ST=California, O=Company, OU=xxxxxxxxx, CN=yyyyyyyy.company.com>] GET https://xxxxxxxxx.company.com:8086/nifi-api/policies/write/process-groups/653f47d8-0181-1000-1d99-58b6a323962a
2022-06-15 04:16:23,464 INFO [NiFi Web Server-120] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [xxxxxxxxx@company.com] 10.204.230.155 GET https://xxxxxxxxx.company.com:8086/nifi-api/policies/write/process-groups/653f47d8-0181-1000-1d99-58b6a323962a
2022-06-15 04:16:23,464 DEBUG [NiFi Web Server-120] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [xxxxxxxxx@company.com]
2022-06-15 04:16:23,464 DEBUG [NiFi Web Server-120] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [xxxxxxxxx@company.com]
2022-06-15 04:16:27,281 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:16:27,281 DEBUG [NiFi Web Server-21] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntitiesChain - <xxxxxxxxx@company.com><C=US, ST=California, O=Company, OU=xxxxxxxxx, CN=zzzzzzzzzz.company.com>
2022-06-15 04:16:27,281 DEBUG [NiFi Web Server-21] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntityGroups - <>
2022-06-15 04:16:27,281 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.204.230.155 [<xxxxxxxxx@company.com><C=US, ST=California, O=Company, OU=xxxxxxxxx, CN=zzzzzzzzzz.company.com><C=US, ST=California, O=Company, OU=xxxxxxxxx, CN=yyyyyyyy.company.com>] GET https://xxxxxxxxx.company.com:8086/nifi-api/policies/write/operation/process-groups/653f47d8-0181-1000-1d99-58b6a323962a
2022-06-15 04:16:27,282 INFO [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [xxxxxxxxx@company.com] 10.204.230.155 GET https://xxxxxxxxx.company.com:8086/nifi-api/policies/write/operation/process-groups/653f47d8-0181-1000-1d99-58b6a323962a
2022-06-15 04:16:27,282 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [xxxxxxxxx@company.com]
2022-06-15 04:16:27,282 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [xxxxxxxxx@company.com]
2022-06-15 04:16:27,302 INFO [NiFi Web Server-21] o.a.n.w.a.c.ResourceNotFoundExceptionMapper org.apache.nifi.web.ResourceNotFoundException: Unable to find access policy for write on /operation/process-groups/653f47d8-0181-1000-1d99-58b6a323962a. Returning Not Found response.
2022-06-15 04:16:27,309 DEBUG [NiFi Web Server-21] o.a.n.w.a.c.ResourceNotFoundExceptionMapper
org.apache.nifi.web.ResourceNotFoundException: Unable to find access policy for write on /operation/process-groups/653f47d8-0181-1000-1d99-58b6a323962a
at org.apache.nifi.web.dao.impl.StandardPolicyBasedAuthorizerDAO.getAccessPolicy(StandardPolicyBasedAuthorizerDAO.java:201)
at org.apache.nifi.web.dao.impl.StandardPolicyBasedAuthorizerDAO$$FastClassBySpringCGLIB$$ea190383.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698)
at org.apache.nifi.web.dao.impl.StandardPolicyBasedAuthorizerDAO$$EnhancerBySpringCGLIB$$be10ced9.getAccessPolicy(<generated>)
at org.apache.nifi.web.StandardNiFiServiceFacade.getAccessPolicy(StandardNiFiServiceFacade.java:4089)
at org.apache.nifi.web.StandardNiFiServiceFacade$$FastClassBySpringCGLIB$$358780e0.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:783)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89)
at org.apache.nifi.web.NiFiServiceFacadeLock.proceedWithReadLock(NiFiServiceFacadeLock.java:161)
at org.apache.nifi.web.NiFiServiceFacadeLock.getLock(NiFiServiceFacadeLock.java:120)
at jdk.internal.reflect.GeneratedMethodAccessor136.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:753)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:698)
at org.apache.nifi.web.StandardNiFiServiceFacade$$EnhancerBySpringCGLIB$$26e6223b.getAccessPolicy(<generated>)
at org.apache.nifi.web.api.AccessPolicyResource.getAccessPolicyForResource(AccessPolicyResource.java:162)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:366)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:319)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1459)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1631)
at org.apache.nifi.web.filter.RequestLogger.doFilter(RequestLogger.java:66)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:327)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:58)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:58)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:121)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94)
at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:211)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:46)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:487)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:336)
at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:301)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.StrictTransportSecurityFilter.doFilter(StrictTransportSecurityFilter.java:48)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.XContentTypeOptionsFilter.doFilter(XContentTypeOptionsFilter.java:48)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.XSSProtectionFilter.doFilter(XSSProtectionFilter.java:48)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:47)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.apache.nifi.web.security.headers.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:48)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:763)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:400)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
at java.base/java.lang.Thread.run(Thread.java:829)
2022-06-15 04:16:31,701 DEBUG [NiFi Web Server-120] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
2022-06-15 04:16:31,701 DEBUG [NiFi Web Server-120] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntitiesChain - <xxxxxxxxx@company.com><C=US, ST=California, O=Company, OU=xxxxxxxxx, CN=zzzzzzzzzz.company.com>
2022-06-15 04:16:31,701 DEBUG [NiFi Web Server-120] o.a.n.w.s.x509.X509AuthenticationFilter Raw X-ProxiedEntityGroups - <>
2022-06-15 04:16:31,701 INFO [NiFi Web Server-120] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 10.204.230.155 [<xxxxxxxxx@company.com><C=US, ST=California, O=Company, OU=xxxxxxxxx, CN=zzzzzzzzzz.company.com><C=US, ST=California, O=Company, OU=xxxxxxxxx, CN=yyyyyyyy.company.com>] POST https://xxxxxxxxx.company.com:8086/nifi-api/policies
2022-06-15 04:16:31,701 INFO [NiFi Web Server-120] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [xxxxxxxxx@company.com] 10.204.230.155 POST https://xxxxxxxxx.company.com:8086/nifi-api/policies user.logs Here we have observed that whenever NIFI tries to get status or fetch the current user, we get below mentioned logs, weherNiFiAuthenticationFilter Authenticating sometimes gets the user and sometimes log with null: 10.204.230.155 GET https://xxxxxxxxx.company.com:8086/nifi-api/flow/status 2022-06-15 04:14:57,583 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [xxxxxxxxx@company.com] 2022-06-15 04:14:57,583 DEBUG [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [xxxxxxxxx@company.com] 2022-06-15 04:14:57,583 DEBUG [NiFi Web Server-21] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [xxxxxxxxx@company.com] 2022-06-15 04:14:57,583 DEBUG [NiFi Web Server-25] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [xxxxxxxxx@company.com] 2022-06-15 04:14:57,818 DEBUG [NiFi Web Server-120] o.a.n.w.s.NiFiAuthenticationFilter Authenticating [null]
... View more
06-12-2022
12:50 AM
@MattWho Thank you for pointing out logback.xml, now am able to generate the users.log.
... View more
06-10-2022
12:08 PM
@MattWho 1. Have you tried using a different web browser like Firefox? I am unable to log in via Mozilla, my SAML service is not working for callbacks to NIFI. However, used Safari and Chrome. 2. Have you tried opening your browser's Developer tools and inspecting the actual rest-api call that was made when you attempt the various actions that fail from with the NiFi UI? Yes, I did it. I am sharing details for few of the actions: Request URL: https://xxxxxxxx/nifi-api/policies/43dfca36-0181-1000-ffff-ffff90447006 Request Method: PUT Status Code: 403 Payload: {"revision":{"clientId":"4806d375-0181-1000-e24c-c2e2244d8578","version":0},"disconnectedNodeAcknowledged":false,"component":{"id":"43dfca36-0181-1000-ffff-ffff90447006","users":[{"revision":{"version":0},"id":"5c72646f-a9cb-3239-9450-2511231b004e","permissions":{"canRead":true,"canWrite":true},"component":{"id":"5c72646f-a9cb-3239-9450-2511231b004e","identity":"xxxx@xxx.com","configurable":true}}],"userGroups":[]}} Request URL: https://xxxxxxxxx/nifi-api/flow/process-groups/439aeba6-0181-1000-fabf-28c9c87d5ce8/controller-services Request Method: PUT Status Code: 403 Payload: {"id":"439aeba6-0181-1000-fabf-28c9c87d5ce8","state":"ENABLED","disconnectedNodeAcknowledged":false} https://xxxxxxx/nifi-api/access/logout Request Method: DELETE Status Code: 403 3. Are you going through a proxy or load balancer (is it configured to use sticky sessions?)? Yes, I am using a proxy and have configured sticky sessions. 4. Which Browser and version are you using? Safari: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15 Chrome: user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36 For both, the browser NIFI adds Mozilla/5.0 in user-agent 5. Have you tried clearing your browser cache? - Yes I tried clearing my cache, It exhibits the same behavior. 6. Does the same behavior exist using an incognito window in your browser? I have tried on Safari, and Chrome. However, I have used Safari private window as well. It exhibits the same behavior. However unable to Logging using Chrome- incognito window. 7. What java version is your NiFi using? - JDK-11.0.14.9.2 In addition to these, I would like to bring you to notice that, I have tried NIFI- 1.16.0 on AWS with a single node setup, using single-user-authorizer. It works absolutely fine. And I am able to use NIFI smoothly. Once I tried using managed-authorizer with SAML on 3 node cluster. Then I am facing all these permission issues. However, I have an absolutely similar setup with 3 node cluster for NIFI-1.150 (not on AWS, it is on the private cloud). There I am able to get access to the main root process policy. And able to access processors can create processors, but can not delete processors, Logout and add policy for other users or myself.
... View more
06-10-2022
10:55 AM
@MattWho I have tried to click on that key and add my user to the policies. But still, it gives me 403 insufficient permissions : Please find the Request/Response Details: Request URL: https://xxxxxxxxxxxxxxx/nifi-api/policies/43f0b681-0181-1000-ffff-ffffc15af0d7 Request Method: PUT Status Code: 403 Payload: ion":{"clientId":"4eb9cca3-0181-1000-5ccc-79d4aacc5540","version":0},"disconnectedNodeAcknowledged":false,"component":{"id":"43f0b681-0181-1000-ffff-ffffc15af0d7","users":[{"revision":{"version":0},"id":"5c72646f-a9cb-3239-9450-2511231b004e","permissions":{"canRead":true,"canWrite":true},"component":{"id":"5c72646f-a9cb-3239-9450-2511231b004e","identity":"*****@*******.com","configurable":true}}],"userGroups":[]}} Response: <html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> <hr><center>Apple</center> </body> </html> If I am trying to add any policy to my user, it is giving me insufficient permissions. Thank you!!!
... View more
06-10-2022
10:33 AM
Hi @MattWho, Thank you for replying, it's my bad, I have missed posting my complete authorizers.xml which have <authorizer>
<identifier>managed-authorizer</identifier>
<class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
<property name="Access Policy Provider">file-access-policy-provider</property>
</authorizer>
... View more
06-08-2022
08:00 PM
HI @gtorres, I am not able to see any 403 activity even getting logged in my servers. I have not found any such 403 request/response calls in App logs, user logs, Request logs. Whenever I am getting 403 while performing any actions, it is not getting captured in any log file (App, User, Request). https://community.cloudera.com/t5/Support-Questions/Unable-to-seed-access-policy-on-NIFI-1-16-0-and-User-logs/td-p/345246
... View more
06-08-2022
07:54 PM
HI Team, System Env Details: I am trying setup NIFI on AWS 3 node cluster NIFI version: 1.16.0 Primarily I tried to setup 1 node with single-user-provider on AWS with NIFI-1.16.0 and able to perform each and every action. It is working fine. Then I tried to setup 3 node cluster on AWS, What went well. 1. Configured zookeeper in nifi.properties and Statemanagement.xml and able to formulate a cluster and cluster coordinator setup is successful. 2. using nifi.security.user.authorizer=managed-authorizer 3. Successfully able to integrate with SAML and able to login as a Admin user. What went wrong: 1. Except User-logs, all other logs are getting generated (app, request, bootstrap) 2. When I have logged in as an Initial Admin Identity, Ideally I should be able to add users and policy to them. However, I am getting insufficient permissions while performing any action. (add policy, delete used, edit user, logout etc...) Any help would be highly appreciated. For my detailed set kindly visit my post: https://community.cloudera.com/t5/Support-Questions/NIFI-1-16-0-insufficient-permissions-while-performing-any/td-p/345150
... View more
Labels:
- Labels:
-
Apache NiFi
06-08-2022
08:18 AM
These are the list of permissions I have to ADMIN User: {
"identity": "xxxx@xxx.com",
"anonymous": false,
"provenancePermissions": {
"canRead": false,
"canWrite": false
},
"countersPermissions": {
"canRead": false,
"canWrite": false
},
"tenantsPermissions": {
"canRead": true,
"canWrite": true
},
"controllerPermissions": {
"canRead": true,
"canWrite": true
},
"policiesPermissions": {
"canRead": true,
"canWrite": true
},
"systemPermissions": {
"canRead": false,
"canWrite": false
},
"parameterContextPermissions": {
"canRead": true,
"canWrite": true
},
"restrictedComponentsPermissions": {
"canRead": false,
"canWrite": true
},
"componentRestrictionPermissions": [
{
"requiredPermission": {
"id": "read-distributed-filesystem",
"label": "read distributed filesystem"
},
"permissions": {
"canRead": false,
"canWrite": true
}
},
{
"requiredPermission": {
"id": "access-keytab",
"label": "access keytab"
},
"permissions": {
"canRead": false,
"canWrite": true
}
},
{
"requiredPermission": {
"id": "export-nifi-details",
"label": "export nifi details"
},
"permissions": {
"canRead": false,
"canWrite": true
}
},
{
"requiredPermission": {
"id": "read-filesystem",
"label": "read filesystem"
},
"permissions": {
"canRead": false,
"canWrite": true
}
},
{
"requiredPermission": {
"id": "access-environment-credentials",
"label": "access environment credentials"
},
"permissions": {
"canRead": false,
"canWrite": true
}
},
{
"requiredPermission": {
"id": "execute-code",
"label": "execute code"
},
"permissions": {
"canRead": false,
"canWrite": true
}
},
{
"requiredPermission": {
"id": "access-ticket-cache",
"label": "access ticket cache"
},
"permissions": {
"canRead": false,
"canWrite": true
}
},
{
"requiredPermission": {
"id": "write-filesystem",
"label": "write filesystem"
},
"permissions": {
"canRead": false,
"canWrite": true
}
},
{
"requiredPermission": {
"id": "write-distributed-filesystem",
"label": "write distributed filesystem"
},
"permissions": {
"canRead": false,
"canWrite": true
}
}
],
"canVersionFlows": false
}
... View more
06-08-2022
07:50 AM
Hi @araujo, Have you experience it ? Request your help. Thanks
... View more