@Frank168  Glad I was able to identify your issue for you. Can you accept the post that solved your issue.  I see you accepted your response. Thank you, Matt ... View more

@garb  There is an existing Apache NiFi jira reporting this issue here: https://issues.apache.org/jira/browse/NIFI-14729 It aligns with your observations above. Thanks, Matt   ... View more

@Frank168  It would be difficult to say what the issue is without being able to see your authorizers.xml file and nifi-registry.properties file. One common mistake I see individuals make is copying from their NiFi's authorizers.xml. While they structurally are the same, NiFi-Registry has different class names for each provider in the authorizers.xml.   The next suggestion i often make is start by reading your authorizers.xml from the bottom up starting with the authorizer (I expect that will be the "managed-authorizer" for you).  That managed-authorizer will reference another provider and that referenced provider will reference another provider and so on.  What you are making sure is that there is a referenced path from the managed-authorizer to your ldap-user-group-provider and likely your user-group-provider as well.  I have seen scenarios where the individual providers were all configured correctly; however, the authorizer was not actually using them because there was not referenced path to them. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more

@blackboks  All actions performed against  secured NiFi require proper authentication and authorization.   It appears you have successful authentication via. mutualTLS exchange, but you are missing the proper authorization needed for the rest-api endpoint you are trying to access.   The shared nifi-user.log entry tells you which authorization policy is missing for the user that is needed for the request endpoint /nifi-api/flow/metrics/prometheus: "view the user interface" which authorizes a user to /flow NiFI resource. I don't know how your NIFi has been configured to for authorization, but the most common setup uses the managed-authorizer. From the NiFi UI you can access the global policies from the NIFi global menu in the upper right corner of UI. "Policies" will open a new UI, where you can select "view the user interface" fomr the drop down selection: Then you can click on the person icon to the right to authorize additional user identities. Your list of user will be different.  What is important to note is NiFi user and group identities are case sensitive and must match exactly.  So the exact user identity shown in the nifi-user.log is the one that needs to be added to the "view the user interface" policy. If this user is not in the list, you must first add that user identity and then you will be able to authorize it.  This can be done if you are using the managed-authorizer with the file-user-group-provider.  If so, you can access "Users" from the NiFi global menu to open the NiFi Users UI: From there you can use the "+" icon to the right to add a new user identity. Remember that user identity string must match exactly case sensitive with what is shown in nifi-user.log; otherwise, it will be treated asa different user.   Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more