Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
Guru

Objective

To import a versioned flow or revert local changes in a versioned flow, a user must have access to all the components in the versioned flow. As such, it is recommended that restricted components are created at the root process group level if they are to be utilized in versioned flows. This tutorial illustrates the benefits of this configuration and demonstrates a new feature introduced in Apache NiFi 1.6.0: granular restricted component categories (NIFI-4885). Users can be given access to all restricted components or to specific categories of restricted components.

Note: This tutorial assumes you are familiar with setting up a secure Apache NiFi instance and integrating it with a secure Apache NiFi Registry.

Environment

This tutorial was tested using the following environment and components:

  • Mac OS X 10.11.6
  • Apache NiFi 1.6.0
  • Apache NiFi Registry 0.1.0
  • User Setup

    Assume the following:

    • There are two users, "sys_admin" and "test_user" who have access to both view and modify the root process group.
    • "sys_admin" has access to all restricted components.69399-1-sys-admin-restricted-component-access-policy.png
    • "test_user" has access to restricted components requiring 'read filesystem' and 'write filesystem'.

      69400-2a-test-user-restricted-component-read-filesystem.png

    • 69401-2b-test-user-restricted-component-write-filesystem.png

      Restricted Controller Service Created in Root Process Group

      In this first example, sys_admin creates a KeytabCredentialsService controller service (NIFI-4917) at the root process group level:

      69402-3-keytabcredentialsservice-rpg.png

      KeytabCredentialService controller service is a restricted component that requires 'access keytab' permissions:

      69403-4-keytabcredentialsservice-permissions.png

      Sys_admin creates a process group ABC containing a flow with GetFile and PutHDFS processors:

      69404-5-abc-restricted-component-flow.png

      GetFile processor is a restricted component that requires 'write filesystem' and 'read filesystem' permissions:

      69405-6-getfile-permissions.png

      PutHDFS is a restricted component that requires 'write filesystem' permissions:

      69406-7-puthdfs-permissions.png

      The PutHDFS processor is configured to use the root process group level KeytabCredentialsService controller service:

      69407-8-puthdfs-properties.png

      Sys_admin saves the process group as a versioned flow:

      69408-9-abc-versioned-flow.png

      Test_user changes the flow by removing the KeytabCredentialsService controller service:

      69409-10-puthdfs-no-kerberoscs.png

      If test_user chooses to revert this change:

      69410-11-test-user-revert-local-changes.png

      the revert is successful:

      69411-12-revert-success.png

      Additionally, if test_user chooses to import the ABC versioned flow:

      69412-13-test-user-import-abc-flow.png

      The import is successful:

      69413-14-test-user-import-success.png

      Restricted Controller Service Created in Process Group

      Now, consider a second scenario where the controller service is created on the process group level.

      Sys_admin creates a process group XYZ:

      69414-15-xyz-process-group.png

      Sys_admin creates a KeytabCredentialsService controller service at the process group level:

      69415-16-keytabcredentialsservice-pg.png

      The same GetFile and PutHDFS flow is created in the process group:

      69416-17-xyz-flow.png

      However, PutHDFS now references the process group level controller service:

      69417-18-puthdfs-properties-2.png

      Sys_admin saves the process group as a versioned flow.

      Test_user changes the flow by removing the KeytabCredentialsService controller service. However, with this configuration, if test_user attempts to revert this change:

      69418-19-test-user-revert-local-changes-2.png

      the revert is unsuccessful because test_user does not have the 'access keytab' permissions required by the KeytabCredentialService controller service:

      69419-20-revert-failure.png

      Similarly, if test_user tries to import the XYZ versioned flow:

      69420-21-test-user-import-xyz-flow.png

      The import fails:

      69421-22-import-xyz-flow-fails.png

967 Views
Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.
Version history
Last update:
‎08-17-2019 07:57 AM
Updated by:
Contributors
Top Kudoed Authors