nifi-dev mailing list archives

From "Michaud, Ben A" <ben_mich...@optum.com>
Subject Questions regarding security set-up in NiFi 1.0.0
Date Thu, 08 Sep 2016 20:27:17 GMT
Greetings.

I have been trying to use the new release of NiFi today, and am frankly at a dead end. I can't
use it with security enabled.

We have been using 0.6.1, 0.7, and 0.8 recently, so I followed the recommendations of using
the existing authorized-users.xml file to migrate to the new model.  This process did allow
me to log in, but did not give me any write access from the old DFM role. In fact, it did
not even create all of the authorizations mentioned here (http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup).
It only created write policies for the following:

- Controller
- Tenants
- Policies
- Site-to-site

Thus, even though I had ADMIN, DFM, and PROVENANCE before, it looks like I was only given
admin rights.

Furthermore, when I accessed the UI, I wanted to add groups and policies, but I can't for
the life of me figure out how I'm supposed to do this. It seems like I can only add users
to existing policies in the "Access Policies" dialog or add users in general on the "NiFi
Users" dialog. Since I am not supposed to manually edit these files, I am not sure how I am
supposed to fix this.

Any help in this regard would be greatly appreciated.

Here is the original authorized-users.xml snippet with my roles:
(NB: I have removed other users from the listings below. I was the second user out of six.)
$ cat authorized-users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
    <user dn="EMAILADDRESS=ben_michaud@optum.com, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com">
        <role name="ROLE_DFM"/>
        <role name="ROLE_ADMIN"/>
        <role name="ROLE_PROVENANCE"/>
    </user>
</users>

Here is the resulting users.xml:
$ cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8" identity="EMAILADDRESS=ben_michaud@optum.com, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com"/>
    </users>
</tenants>

Here is the resulting authorizations.xml:
$ cat authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="eb862c3a-2fe8-34e9-9c0f-80baa7efff39" resource="/system" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
        </policy>
        <policy identifier="990eecb1-f8d1-328e-9c99-10ff405ab947" resource="/controller" action="W">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="06d26c63-7897-3631-9b36-c4f417db3bf8" resource="/flow" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
        </policy>
        <policy identifier="0e057dc6-6ce6-354b-b713-503a7ccb0c08" resource="/controller" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
        </policy>
        <policy identifier="85677cad-82db-31fd-a2fb-e2205b7ece3b" resource="/policies" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="8eb2c570-fb57-39fe-b1c3-afeb03c37f70" resource="/tenants" action="W">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="b835d4ed-8fcb-36e0-ae54-617a0fb07039" resource="/tenants" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="1fd242e6-f1af-3d6d-84ec-bb27c9b848e8" resource="/policies" action="W">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="49208654-71b3-37e9-a68f-7814015c1108" resource="/provenance" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="3643173c-47b4-3186-aeeb-9e901ed139b1" resource="/site-to-site" action="W">
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="e40617ff-84e1-31db-b5c7-9a219439acb2" resource="/site-to-site" action="R">
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
    </policies>
</authorizations>

Regards,
Ben Michaud
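As an added example (not code from the message above or from the NiFi project), the following Python script does mechanically what the message does by eye: it joins users.xml (identity to identifier) with authorizations.xml (resource/action to identifiers) and reports the effective read/write access of one identity after the legacy migration. The two XML documents are constructed from the snippets posted above with the same identifiers and policies but other users trimmed; the second identity string is a placeholder. Treating read and write on /flow as the DFM-equivalent check is an assumption of this example, not something the message states.

```python
"""Audit effective NiFi 1.0.0 authorizations for one user identity.

users.xml maps an identity to an identifier; authorizations.xml maps each
resource/action pair to the identifiers it grants.  Joining the two shows
what a migrated user can actually do.  Both documents below are constructed
from the snippets in the message (same identifiers and policies, other
users trimmed); the second identity is a placeholder, not a real DN.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

BEN_IDENTITY = ("EMAILADDRESS=ben_michaud@optum.com, CN=bmichau1, "
                "CN=Users, DC=ms, DC=ds, DC=uhc, DC=com")

USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"
              identity="EMAILADDRESS=ben_michaud@optum.com, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com"/>
        <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"
              identity="CN=placeholder-node, OU=constructed"/>
    </users>
</tenants>
"""

AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="06d26c63-7897-3631-9b36-c4f417db3bf8" resource="/flow" action="R">
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="990eecb1-f8d1-328e-9c99-10ff405ab947" resource="/controller" action="W">
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
        </policy>
        <policy identifier="0e057dc6-6ce6-354b-b713-503a7ccb0c08" resource="/controller" action="R">
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
        </policy>
        <policy identifier="8eb2c570-fb57-39fe-b1c3-afeb03c37f70" resource="/tenants" action="W">
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
        </policy>
        <policy identifier="1fd242e6-f1af-3d6d-84ec-bb27c9b848e8" resource="/policies" action="W">
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
        </policy>
        <policy identifier="49208654-71b3-37e9-a68f-7814015c1108" resource="/provenance" action="R">
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
        </policy>
        <policy identifier="3643173c-47b4-3186-aeeb-9e901ed139b1" resource="/site-to-site" action="W">
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
    </policies>
</authorizations>
"""


def load_identifiers(users_xml):
    """Return {identity: identifier} from a users.xml document."""
    root = ET.fromstring(users_xml.encode("utf-8"))
    return {u.get("identity"): u.get("identifier")
            for u in root.iter("user") if u.get("identity")}


def load_policies(authorizations_xml):
    """Return [(resource, action, {identifier, ...}), ...] from authorizations.xml."""
    root = ET.fromstring(authorizations_xml.encode("utf-8"))
    policies = []
    for p in root.iter("policy"):
        members = {u.get("identifier") for u in p.findall("user")}
        policies.append((p.get("resource"), p.get("action"), members))
    return policies


def effective_access(identity, users_xml, authorizations_xml):
    """Map resource -> set of actions granted directly to the identity.

    Group membership is not expanded; the posted users.xml has no groups.
    """
    ident = load_identifiers(users_xml).get(identity)
    access = defaultdict(set)
    if ident is None:          # unknown identity: no access at all
        return {}
    for resource, action, members in load_policies(authorizations_xml):
        if ident in members:
            access[resource].add(action)
    return dict(access)


def writable_resources(access):
    """Resources on which the access map carries a W action."""
    return {r for r, actions in access.items() if "W" in actions}


def missing_access(access, expected):
    """Sorted (resource, action) pairs in `expected` that the user lacks."""
    return sorted((r, a) for r, actions in expected.items()
                  for a in actions if a not in access.get(r, set()))


# Assumption of this example: DFM-equivalent access in the new model means
# read and write on /flow.  The message does not state this mapping.
EXPECTED_DFM = {"/flow": {"R", "W"}}

if __name__ == "__main__":
    acc = effective_access(BEN_IDENTITY, USERS_XML, AUTHORIZATIONS_XML)
    for resource in sorted(acc):
        print(f"{resource:<14} {''.join(sorted(acc[resource]))}")
    print("writable:", sorted(writable_resources(acc)))
    print("missing for DFM:", missing_access(acc, EXPECTED_DFM))
```

Run against the posted snippets this reports write access on /controller, /policies and /tenants only and flags /flow W as missing, which is the gap the message describes. To audit a live install, read the two files from the authorizer's configured paths instead of the embedded strings; if groups are in use, expand each group's members before matching identifiers.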


