nifi-dev mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: Questions regarding security set-up in NiFi 1.0.0
Date Thu, 08 Sep 2016 22:02:29 GMT
Hi Ben,

In addition to what Andy said... did you also copy the flow.xml.gz from a
previous instance, or were you starting with a new instance and just
copying over the users?

If you were only bringing over the users and no flow, then I think this is
behaving as expected... The policies in the admin guide for DFM are:

1) view the UI (READ on /flow)
2) view the controller (READ on /controller)
3) modify the controller (WRITE on /controller)
4) view system diagnostics (READ on /system)
5) view the dataflow (READ on /process-groups/<root-group-id>)
6) modify the dataflow (WRITE on /process-groups/<root-group-id>)
7) view the data (READ on /data/process-groups/<root-group-id>)
8) modify the data (WRITE on /data/process-groups/<root-group-id>)

In your example the first four were created, but the last four were not.
The last four are dependent on knowing a consistent root group id which it
doesn't know in a brand new instance, but if you copied over the previous
flow.xml.gz I believe it should have created those.

In the state you are in with a brand new flow, you have to create a policy
on the root group for your user. You can do that from the lock icon in the
palette on the left.
Once you have created a policy for "view component" and "modify the
component" for the root group, and added your user to both, you should see
the toolbar enabled.

Let us know if this helps, or if there are still other challenges.

-Bryan

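The check Bryan describes above can be done against the authorizer's files directly. The following is an added example, not code from the thread or from the NiFi project: it reads users.xml and authorizations.xml (constructed samples embedded inline, shaped like Ben's) and reports which of the eight DFM policies a user identity is missing for a given root process group id (placeholder value assumed). Group membership is not resolved, only direct user entries in a policy.

```python
"""Audit which NiFi 1.0.0 DFM policies a user holds in the file-based authorizer."""
import xml.etree.ElementTree as ET

# The eight DFM policies from the admin guide; <root> stands for the root process group id.
DFM_POLICIES = [
    ("/flow", "R"), ("/controller", "R"), ("/controller", "W"), ("/system", "R"),
    ("/process-groups/<root>", "R"), ("/process-groups/<root>", "W"),
    ("/data/process-groups/<root>", "R"), ("/data/process-groups/<root>", "W"),
]

# Constructed sample files (identifiers and identity are made up for this example).
USERS_XML = """<tenants><groups/><users>
  <user identifier="u-1" identity="CN=alice, OU=NiFi"/>
</users></tenants>"""

AUTHZ_XML = """<authorizations><policies>
  <policy identifier="p-1" resource="/flow" action="R"><user identifier="u-1"/></policy>
  <policy identifier="p-2" resource="/controller" action="R"><user identifier="u-1"/></policy>
  <policy identifier="p-3" resource="/controller" action="W"><user identifier="u-1"/></policy>
  <policy identifier="p-4" resource="/system" action="R"><user identifier="u-1"/></policy>
</policies></authorizations>"""


def user_id_for(users_xml, identity):
    """Map a user identity (the DN string) to its identifier in users.xml."""
    for u in ET.fromstring(users_xml).iter("user"):
        if u.get("identity") == identity:
            return u.get("identifier")
    return None


def granted(authz_xml, user_id):
    """Return the (resource, action) pairs whose policy lists the user directly."""
    out = set()
    for p in ET.fromstring(authz_xml).iter("policy"):
        if any(u.get("identifier") == user_id for u in p.iter("user")):
            out.add((p.get("resource"), p.get("action")))
    return out


def missing_dfm_policies(users_xml, authz_xml, identity, root_group_id):
    """List the DFM policies the identity lacks, with <root> filled in."""
    uid = user_id_for(users_xml, identity)
    if uid is None:
        raise KeyError(f"identity not found in users.xml: {identity}")
    have = granted(authz_xml, uid)
    need = [(r.replace("<root>", root_group_id), a) for r, a in DFM_POLICIES]
    return [p for p in need if p not in have]


if __name__ == "__main__":
    for res, act in missing_dfm_policies(USERS_XML, AUTHZ_XML, "CN=alice, OU=NiFi", "root-pg-id"):
        print(f"missing: {act} on {res}")
```

With the sample data the four root-group policies are reported missing, which is exactly the state Bryan describes for a brand new flow.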
On Thu, Sep 8, 2016 at 5:50 PM, Andy LoPresto <alopresto@apache.org> wrote:

> Hi Ben,
>
> Sorry to hear you are having trouble with the new security authorizer. I
> understand this is a big change and it is frustrating when it does not work
> as expected.
>
> I am surprised to hear that the legacy migration did not create policies
> for the DFM role that you previously had. Could you please provide the
> logs/nifi-app.log (with sensitive data sanitized) to help us understand if
> this is a bug?
>
> As for adding users and policies through the NiFi UI, there are
> instructions here [1] and Bryan Bende has written a helpful blog post about
> this as well [2]. You can add users and then add global or component-level
> (i.e. access to a single process group or processor) access policies for
> those users.
>
> Please let us know if this is still not clear or if you encounter other
> challenges.
>
> [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies
> [2] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
>
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Sep 8, 2016, at 1:27 PM, Michaud, Ben A <ben_michaud@optum.com> wrote:
>
> Greetings.
>
> I have been trying to use the new release of NiFi today, and am frankly at
> a dead end. I can't use it with security enabled.
>
> We have been using 0.6.1, 0.7, and 0.8 recently, so I followed the
> recommendations of using the existing authorized-users.xml file to migrate
> to the new model. This process did allow me to log in, but did not give me
> any write access from the old DFM role. In fact, it did not even create all
> of the authorizations mentioned here
> (http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup).
> It only created write policies for the following:
>
> - Controller
> - Tenants
> - Policies
> - Site-to-site
>
> Thus, even though I had ADMIN, DFM, and PROVENANCE before, it looks like I
> was only given admin rights.
>
> Furthermore, when I accessed the UI, I wanted to add groups and policies,
> but I can't for the life of me figure out how I'm supposed to do this. It
> seems like I can only add users to existing policies in the "Access
> Policies" dialog or add users in general on the "NiFi Users" dialog. Since
> I am not supposed to manually edit these files, I am not sure how I am
> supposed to fix this.
>
> Any help in this regard would be greatly appreciated.
>
> Here is the original authorized-users.xml snippet with my roles:
> (NB: I have removed other users from the listings below. I was the second
> user out of six.)
> $ cat authorized-users.xml
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <users>
>    <user dn="EMAILADDRESS=ben_michaud@optum.com, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com">
>        <role name="ROLE_DFM"/>
>        <role name="ROLE_ADMIN"/>
>        <role name="ROLE_PROVENANCE"/>
>    </user>
> </users>
>
> Here is the resulting users.xml:
> $ cat users.xml
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <tenants>
>    <groups/>
>    <users>
>        <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8" identity="EMAILADDRESS=ben_michaud@optum.com, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com"/>
>    </users>
> </tenants>
>
> Here is the resulting authorizations.xml:
> $ cat authorizations.xml
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizations>
>    <policies>
>        <policy identifier="eb862c3a-2fe8-34e9-9c0f-80baa7efff39" resource="/system" action="R">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>        </policy>
>        <policy identifier="990eecb1-f8d1-328e-9c99-10ff405ab947" resource="/controller" action="W">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="06d26c63-7897-3631-9b36-c4f417db3bf8" resource="/flow" action="R">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>        </policy>
>        <policy identifier="0e057dc6-6ce6-354b-b713-503a7ccb0c08" resource="/controller" action="R">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>        </policy>
>        <policy identifier="85677cad-82db-31fd-a2fb-e2205b7ece3b" resource="/policies" action="R">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="8eb2c570-fb57-39fe-b1c3-afeb03c37f70" resource="/tenants" action="W">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="b835d4ed-8fcb-36e0-ae54-617a0fb07039" resource="/tenants" action="R">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="1fd242e6-f1af-3d6d-84ec-bb27c9b848e8" resource="/policies" action="W">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="49208654-71b3-37e9-a68f-7814015c1108" resource="/provenance" action="R">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="3643173c-47b4-3186-aeeb-9e901ed139b1" resource="/site-to-site" action="W">
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="e40617ff-84e1-31db-b5c7-9a219439acb2" resource="/site-to-site" action="R">
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>    </policies>
> </authorizations>
>
> Regards,
> Ben Michaud
>
