NiFi Restricted components are those processors, controller services, or reporting tasks that have the ability to run user-defined code or access/alter localhost filesystem data.
-
The NiFi User guide explains this as follows:
-----------------------------------------
Restricted components will be marked with a 
------------------------------------------
Users can only be restricted from adding such components in NiFi if NiFi has to be secured. Users of an unsecured NiFi will always have access to all components.
-
Prior to HDF 3.2 or Apache NiFi 1.6, all restricted components were covered by a single authorization policy:
| Ranger Policy (Base policies): | NiFi Policies (Hamburger menu) | Ranger permissions description: |
| /restricted-components | Access restricted components | Read/View - N/A Write/Modify - Gives granted users the ability to add components to the canvas that are tagged as “restricted” |
-
It was decided that lumping all components into one policy was not ideal. So NIFI-4885 was created to address this so that users' access to restricted components would be based on the level of restricted access they are being granted.
- read-filesystem
- read-distributed-filesystem
- write-filesystem
- write-distributed-filesystem
- execute=code
- access-keytab
- export-nifi-details
-
In order to avoid backward compatibility issues when users upgrade to a HDF 3.2+ or Apache NiFi 1.6.0+, the “Access restricted components” base policy still exists and defaults to "regardless of restrictions". In the NiFi global “Access Policies” UI, this is the default policy and is depicted as follows:
In Ranger, this is still associated with just the “/restricted-components” policy. The four new policies are depicted as follows in Ranger and NiFi UIs:
-
| Ranger Policy (Base policies): | NiFi Policies (Hamburger menu) | Ranger permissions description: |
| /restricted-components/read-filesystem | Access restricted componentsSub policy:Requiring ‘read filesystem’ | Read/View - N/A Write/Modify - Allows users to create/modify restricted components requiring read filesystem. |
| /restricted-components/read-distributed-filesystem | Access restricted componentsSub policy:Requiring ‘read distributed filesystem’ | Read/View - N/A Write/Modify - Allows users to create/modify restricted components requiring read distributed filesystem. |
| /restricted-components/write-filesystem | Access restricted componentsSub policy:Requiring ‘write filesystem’ | Read/View - N/A Write/Modify - Allows users to create/modify restricted components requiring write filesystem. |
| /restricted-components/write-distributed-filesystem | Access restricted componentsSub policy:Requiring ‘write distributed filesystem’ | Read/View - N/A Write/Modify - Allows users to create/modify restricted components requiring write distributed filesystem. |
| /restricted-components/execute-code | Access restricted componentsSub policy:Requiring ‘execute code’ | Read/View - N/A Write/Modify - Allows users to create/modify restricted components requiring read filesystem. |
| /restricted-components/access-keytab | Access restricted components Sub policy:Requiring ‘access keytab’ | Read/View - N/A Write/Modify - Allows users to create/modify restricted components requiring read filesystem. |
| /restricted-components/export-nifi-details | Access restricted components Sub policy:Requiring ‘export nifi details’ | Read/View - N/A Write/Modify - Allows users to create/modify restricted components requiring read filesystem. |
-
Below is a list of restricted components for each of the above sub-policies (current as of CFM 2.1.1 and Apache NiFi 1.13):
Read-filesystem:
| NiFi component: | Component type: | Access provisions: |
| FetchFile | Processor | Provides operator the ability to read from any file that NiFi has access to. |
| TailFile | Processor | Provides operator the ability to read from any file that NiFi has access to. |
| GetFile | Processor | Provides operator the ability to read from any file that NiFi has access to. |
-
Read-Distributed-Filesystem: (Added NiFi 1.13)
| NiFi component: | Component type: | Access provisions: |
| FetchHDFS | Processor | Provides operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem. |
| FetchParquet | Processor | Provides operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem. |
| GetHDFS | Processor | Provides operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem. |
| GetHDFSSequenceFile | Processor | Provides operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem. |
| MoveHDFS | Processor | Provides operator the ability to retrieve any file that NiFi has access to in HDFS or the local filesystem. |
-
Write-filesystem:
| NiFi component: | Component type: | Access provisions: |
| FetchFile | Processor | Provides operator the ability to delete any file that NiFi has access to. |
| GetFile | Processor | Provides operator the ability to delete any file that NiFi has access to. |
| PutFile | Processor | Provides operator the ability to write to any file that NiFi has access to. |
-
Write-Distributed-Filesystem: (Added NiFi 1.13)
| NiFi component: | Component type: | Access provisions: |
| DeleteHDFS | Processor | Provides operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem. |
| GetHDFS | Processor | Provides operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem. |
| GetHDFSSequenceFile | Processor | Provides operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem. |
| MoveHDFS | Processor | Provides operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem. |
| PutHDFS | Processor | Provides operator the ability to delete any file that NiFi has access to in HDFS or the local filesystem. |
| PutParquet | Processor | Provides operator the ability to write any file that NiFi has access to in HDFS or the local filesystem. |
-
Execute-code:
| NiFi component: | Component type: | Access provisions: |
| ScriptedReportingTask | Reporting Task | Provides operator the ability to execute arbitrary code assuming all permissions that NiFi has. |
| ScriptedLookupService | Controller Service | Provides operator the ability to execute arbitrary code assuming all permissions that NiFi has. |
| ScriptedReader | Controller Service | Provides operator the ability to execute arbitrary code assuming all permissions that NiFi has. |
| ScriptedRecordSetWriter | Controller Service | Provides operator the ability to execute arbitrary code assuming all permissions that NiFi has. |
| ExecuteFlumeSink | Processor | Provides operator the ability to execute arbitrary Flume configurations assuming all permissions that NiFi has. |
| ExecuteFlumeSource | Processor | Provides operator the ability to execute arbitrary Flume configurations assuming all permissions that NiFi has. |
| ExecuteGroovyScript | Processor | Provides operator the ability to execute arbitrary code assuming all permissions that NiFi has. |
| ExecuteProcess | Processor | Provides operator the ability to execute arbitrary code assuming all permissions that NiFi has. |
| ExecuteScript | Processor | Provides operator the ability to execute arbitrary code assuming all permissions that NiFi has. |
| ExecuteStreamCommand | Processor | Provides operator the ability to execute arbitrary code assuming all permissions that NiFi has. |
| invokeScriptedProcessor | Processor | Provides operator the ability to execute arbitrary code assuming all permissions that NiFi has. |
-
access-keytab:
| NiFi component: | Component type: | Access provisions: |
| KeytabCredentialsService | Controller Service | Allows user to define a Keytab and principal that can then be used by other components. |
-
Export-nifi-details:
| NiFi component: | Component type: | Access provisions: |
| SiteToSiteBulletinReportingTask | Reporting Task | Provides operator the ability to send sensitive details contained in bulletin events to any external system. |
| SiteToSiteProvenanceReportingTask | Reporting Task | Provides operator the ability to send sensitive details contained in Provenance events to any external system. |
-
***Note: Some components may be found under multiple sub-policies above. In order for a user to utilize that component, they must be granted access to every sub policy required by that component.
-
Exceptions in HDF 3.2 and Apache 1.7 and 1.8:
In order to use the following components, users must have full access to all restricted components policies:
| NiFi component: | Component type: | Access provisions: |
| PutORC | Processor | This component requires access to restricted components regardless of restriction. Apache Jira: NIFI-5815 |
-
A full breakdown of all other NiFi Policies can be found here:
