NiFi restricted components are those processors, controller services or reporting tasks that can run user-defined code, or read or alter data on the filesystem of the host NiFi runs on.

-

The NiFi User guide explains this as follows:

-----------------------------------------

Restricted components will be marked with an icon next to their name. These are components that can be used to execute arbitrary unsanitized code provided by the operator through the NiFi REST API/UI or can be used to obtain or alter data on the NiFi host system using the NiFi OS credentials. These components could be used by an otherwise authorized NiFi user to go beyond the intended use of the application, escalate privilege, or could expose data about the internals of the NiFi process or the host system. All of these capabilities should be considered privileged, and admins should be aware of these capabilities and explicitly enable them for a subset of trusted users. Before a user is allowed to create and modify restricted components they must be granted access.

------------------------------------------

Users can only be restricted from adding such components if NiFi has been secured (HTTPS with user authentication and an authorizer configured). Users of an unsecured NiFi always have access to all components, restricted ones included.

-

Prior to HDF 3.2 or Apache NiFi 1.6, all restricted components were covered by a single authorization policy:

Ranger policy (base policies) | NiFi policy (hamburger menu) | Ranger permissions description
/restricted-components | Access restricted components | Read/View - N/A. Write/Modify - gives granted users the ability to add components to the canvas that are tagged as "restricted".

-

Lumping every restricted component into one all-or-nothing policy was not ideal: a user who only needed to tail a log file had to be granted the same policy that allows arbitrary code execution. https://jira.apache.org/jira/browse/NIFI-4885 was created to address this, so that a user's access to restricted components is granted per level of restriction. The sub policies are:

  • read-filesystem
  • write-filesystem
  • execute-code
  • access-keytab
  • export-nifi-details

-

To avoid backward-compatibility issues when users upgrade to HDF 3.2+ or Apache NiFi 1.6.0+, the "Access restricted components" base policy still exists, and a user granted Write/Modify on it can still add every restricted component. In the NiFi global "Access Policies" UI this is the default policy and is depicted as follows:

In Ranger this is still associated with just the "/restricted-components" policy.

The five new sub policies are depicted as follows in the Ranger and NiFi UIs:

-

Ranger policy (base policies) | NiFi policy (hamburger menu) | Ranger permissions description
/restricted-components/read-filesystem | Access restricted components -> Sub policy: Requiring 'read filesystem' | Read/View - N/A. Write/Modify - allows users to create/modify restricted components requiring read filesystem.
/restricted-components/write-filesystem | Access restricted components -> Sub policy: Requiring 'write filesystem' | Read/View - N/A. Write/Modify - allows users to create/modify restricted components requiring write filesystem.
/restricted-components/execute-code | Access restricted components -> Sub policy: Requiring 'execute code' | Read/View - N/A. Write/Modify - allows users to create/modify restricted components requiring execute code.
/restricted-components/access-keytab | Access restricted components -> Sub policy: Requiring 'access keytab' | Read/View - N/A. Write/Modify - allows users to create/modify restricted components requiring access keytab.
/restricted-components/export-nifi-details | Access restricted components -> Sub policy: Requiring 'export nifi details' | Read/View - N/A. Write/Modify - allows users to create/modify restricted components requiring export nifi details.

The Ranger resource path is the identifier NiFi itself uses for each required permission; a Ranger policy whose resource does not match the path exactly will not be consulted for that sub policy.

-

Below is the list of restricted components under each of the above sub policies (current as of HDF 3.3 and Apache NiFi 1.8):

read-filesystem:

NiFi component | Component type | Access provisions
FetchFile | Processor | Provides the operator the ability to read from any file that NiFi has access to.
FetchHDFS | Processor | Provides the operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem.
FetchParquet | Processor | Provides the operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem.
GetFile | Processor | Provides the operator the ability to read from any file that NiFi has access to.
GetHDFS | Processor | Provides the operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem.
GetHDFSSequenceFile | Processor | Provides the operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem.
MoveHDFS | Processor | Provides the operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem.
TailFile | Processor | Provides the operator the ability to read from any file that NiFi has access to.

-

write-filesystem:

NiFi component | Component type | Access provisions
DeleteHDFS | Processor | Provides the operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem.
FetchFile | Processor | Provides the operator the ability to delete any file that NiFi has access to.
GetFile | Processor | Provides the operator the ability to delete any file that NiFi has access to.
GetHDFS | Processor | Provides the operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem.
GetHDFSSequenceFile | Processor | Provides the operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem.
MoveHDFS | Processor | Provides the operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem.
PutFile | Processor | Provides the operator the ability to write to any file that NiFi has access to.
PutHDFS | Processor | Provides the operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem.
PutParquet | Processor | Provides the operator the ability to write any file that NiFi has access to in HDFS or the local filesystem.

-

execute-code:

NiFi component | Component type | Access provisions
ScriptedReportingTask | Reporting Task | Provides the operator the ability to execute arbitrary code assuming all permissions that NiFi has.
ScriptedLookupService | Controller Service | Provides the operator the ability to execute arbitrary code assuming all permissions that NiFi has.
ScriptedReader | Controller Service | Provides the operator the ability to execute arbitrary code assuming all permissions that NiFi has.
ScriptedRecordSetWriter | Controller Service | Provides the operator the ability to execute arbitrary code assuming all permissions that NiFi has.
ExecuteFlumeSink | Processor | Provides the operator the ability to execute arbitrary Flume configurations assuming all permissions that NiFi has.
ExecuteFlumeSource | Processor | Provides the operator the ability to execute arbitrary Flume configurations assuming all permissions that NiFi has.
ExecuteGroovyScript | Processor | Provides the operator the ability to execute arbitrary code assuming all permissions that NiFi has.
ExecuteProcess | Processor | Provides the operator the ability to execute arbitrary code assuming all permissions that NiFi has.
ExecuteScript | Processor | Provides the operator the ability to execute arbitrary code assuming all permissions that NiFi has.
ExecuteStreamCommand | Processor | Provides the operator the ability to execute arbitrary code assuming all permissions that NiFi has.
InvokeScriptedProcessor | Processor | Provides the operator the ability to execute arbitrary code assuming all permissions that NiFi has.

-

access-keytab:

NiFi component | Component type | Access provisions
KeytabCredentialsService | Controller Service | Allows the user to define a keytab and principal that can then be used by other components.

-

export-nifi-details:

NiFi component | Component type | Access provisions
SiteToSiteBulletinReportingTask | Reporting Task | Provides the operator the ability to send sensitive details contained in bulletin events to any external system.
SiteToSiteProvenanceReportingTask | Reporting Task | Provides the operator the ability to send sensitive details contained in provenance events to any external system.

-

***NOTE: Some components appear under more than one sub policy above (GetFile and FetchFile, for example, are listed under both read-filesystem and write-filesystem). To add such a component, a user must be granted Write/Modify on every sub policy the component requires; holding only one of them is not enough.

-

Exceptions in HDF 3.2 and Apache NiFi 1.7 and 1.8:

The following components are marked restricted without declaring a specific required permission, so none of the sub policies above can grant them. To use them, a user must be granted Write/Modify on the base "Access restricted components" (/restricted-components) policy:

NiFi component | Component type | Access provisions
PutORC | Processor | This component requires access to restricted components regardless of restriction. Apache Jira: https://jira.apache.org/jira/browse/NIFI-5815
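As an added example (not code from this article or from the NiFi project), the following Python evaluator encodes the policy model described in the sub-policy tables above, the NOTE about components that appear under several sub policies, and the PutORC exception. The component table is a subset transcribed from the lists above; the permission identifiers follow NiFi's RequiredPermission names, so the code-execution sub policy is written as /restricted-components/execute-code. It illustrates the rules as this article states them and is not NiFi's authorizer implementation: it does not model policy inheritance or Ranger's own evaluation order, and the ETL-group scenario at the bottom is constructed.

```python
"""Decide whether a NiFi user may add a given restricted component.

Illustrative evaluator written for this article; it is NOT NiFi's own
authorizer code. It encodes the policy model the article describes:
every restricted component declares one or more required permissions,
each of which maps to a Ranger/NiFi sub policy under
/restricted-components/<permission>.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

BASE_POLICY = "/restricted-components"

# Component -> required permission identifiers (subset transcribed from the
# tables above; identifiers follow NiFi's RequiredPermission enum).
# An empty tuple marks a component that is restricted "regardless of
# restriction" (the PutORC case, NIFI-5815): only the base policy satisfies it.
REQUIRED_PERMISSIONS: Dict[str, Tuple[str, ...]] = {
    "GetFile": ("read-filesystem", "write-filesystem"),
    "FetchFile": ("read-filesystem", "write-filesystem"),
    "TailFile": ("read-filesystem",),
    "PutFile": ("write-filesystem",),
    "ExecuteScript": ("execute-code",),
    "ExecuteProcess": ("execute-code",),
    "KeytabCredentialsService": ("access-keytab",),
    "SiteToSiteProvenanceReportingTask": ("export-nifi-details",),
    "PutORC": (),
}


def sub_policy(permission: str) -> str:
    """Ranger resource path of the sub policy for one required permission."""
    return f"{BASE_POLICY}/{permission}"


@dataclass
class Decision:
    allowed: bool
    missing: List[str] = field(default_factory=list)  # policies still needed


def can_add_component(component: str, write_policies: Set[str]) -> Decision:
    """write_policies: resource paths on which the user holds Write/Modify.

    Rules, as the article states them:
      * Write on the base /restricted-components policy covers every
        restricted component (kept for backward compatibility).
      * Otherwise the user needs Write on EVERY sub policy the component
        requires (see the NOTE above: GetFile needs read AND write).
      * A component with no specific requirement (PutORC) needs the base policy.
    """
    if component not in REQUIRED_PERMISSIONS:
        raise KeyError(f"{component} is not in the restricted-component table")
    if BASE_POLICY in write_policies:
        return Decision(True)
    required = REQUIRED_PERMISSIONS[component]
    if not required:
        return Decision(False, [BASE_POLICY])
    missing = [sub_policy(p) for p in required if sub_policy(p) not in write_policies]
    return Decision(not missing, missing)


def least_privilege_policies(components: Iterable[str]) -> Set[str]:
    """Smallest set of Write policies that lets a user add all of `components`.

    Prefers the narrow sub policies; falls back to the all-or-nothing base
    policy only when some component (PutORC) cannot be granted any other way.
    """
    needed: Set[str] = set()
    for component in components:
        required = REQUIRED_PERMISSIONS[component]
        if not required:
            return {BASE_POLICY}  # base policy subsumes every sub policy
        needed.update(sub_policy(p) for p in required)
    return needed


if __name__ == "__main__":
    # Constructed scenario: an ETL group granted only the read-filesystem sub policy.
    etl_group = {sub_policy("read-filesystem")}
    for name in ("TailFile", "GetFile", "ExecuteScript", "PutORC"):
        decision = can_add_component(name, etl_group)
        print(f"{name:<14} allowed={decision.allowed!s:<5} missing={decision.missing}")
    print("to add TailFile+PutFile grant:",
          sorted(least_privilege_policies(["TailFile", "PutFile"])))
```

Running the script shows the practical consequence of the NOTE: the ETL group can add TailFile but not GetFile, because GetFile also deletes its source file and therefore needs write-filesystem as well. least_privilege_policies is the check to run before reaching for the base policy; it only returns /restricted-components when a component such as PutORC leaves no narrower option.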

-

A full breakdown of all other NiFi Policies can be found here:

https://community.hortonworks.com/articles/115770/nifi-ranger-based-policy-descriptions.html

Last update: 11-12-2018 06:08 PM