Created on 04-09-2018 05:56 PM - edited 08-17-2019 07:57 AM
Objective
To import a versioned flow or revert local changes in a versioned flow, a user must have access to all the components in the versioned flow. As such, it is recommended that restricted components are created at the root process group level if they are to be utilized in versioned flows. This tutorial illustrates the benefits of this configuration and demonstrates a new feature introduced in Apache NiFi 1.6.0: granular restricted component categories (NIFI-4885). Users can be given access to all restricted components or to specific categories of restricted components.
This tutorial was tested using the following environment and components:
Mac OS X 10.11.6
Apache NiFi 1.6.0
Apache NiFi Registry 0.1.0
User Setup
Assume the following:
There are two users, "sys_admin" and "test_user", who both have access to view and modify the root process group.
"sys_admin" has access to all restricted components.
"test_user" has access to restricted components requiring 'read filesystem' and 'write filesystem'.
Restricted Controller Service Created in Root Process Group
In this first example, sys_admin creates a KeytabCredentialsService controller service (NIFI-4917) at the root process group level:
The KeytabCredentialsService controller service is a restricted component that requires 'access keytab' permissions:
Sys_admin creates a process group ABC containing a flow with GetFile and PutHDFS processors:
GetFile processor is a restricted component that requires 'write filesystem' and 'read filesystem' permissions:
PutHDFS is a restricted component that requires 'write filesystem' permissions:
The PutHDFS processor is configured to use the root process group level KeytabCredentialsService controller service:
Sys_admin saves the process group as a versioned flow:
Test_user changes the flow by removing the KeytabCredentialsService controller service:
If test_user chooses to revert this change:
the revert is successful:
Additionally, if test_user chooses to import the ABC versioned flow:
The import is successful:
Restricted Controller Service Created in Process Group
Now, consider a second scenario where the controller service is created on the process group level.
Sys_admin creates a process group XYZ:
Sys_admin creates a KeytabCredentialsService controller service at the process group level:
The same GetFile and PutHDFS flow is created in the process group:
However, PutHDFS now references the process group level controller service:
Sys_admin saves the process group as a versioned flow.
Test_user changes the flow by removing the KeytabCredentialsService controller service. However, with this configuration, if test_user attempts to revert this change:
the revert is unsuccessful because test_user does not have the 'access keytab' permissions required by the KeytabCredentialsService controller service:
Similarly, if test_user tries to import the XYZ versioned flow:
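The rule stated in the Objective, applied to both scenarios above, can be checked before a user attempts an import or revert. The following is an added example, not NiFi code and not part of the original tutorial: it models a versioned flow as a plain dictionary (a constructed structure, not the NiFi Registry snapshot format) and assumes that a versioned flow contains only the components defined inside the process group, so the root-level controller service referenced by ABC is not part of it.

```python
# Added illustration: models the rule from the Objective, not NiFi's own code.
# Required permissions per restricted component type, as listed in this tutorial.
REQUIRED = {
    "GetFile": {"read filesystem", "write filesystem"},
    "PutHDFS": {"write filesystem"},
    "KeytabCredentialsService": {"access keytab"},
}

# Constructed grants matching the User Setup section ("*" = all restricted components).
GRANTS = {
    "sys_admin": {"*"},
    "test_user": {"read filesystem", "write filesystem"},
}

# Constructed flows (assumed model): ABC only references the root-level
# service, so it is not in the versioned flow; XYZ defines its own copy.
ABC = {"name": "ABC", "processors": ["GetFile", "PutHDFS"],
       "controller_services": [], "process_groups": []}
XYZ = {"name": "XYZ", "processors": ["GetFile", "PutHDFS"],
       "controller_services": ["KeytabCredentialsService"], "process_groups": []}

def restricted_components(group, path=""):
    """Yield (path, type) for every restricted component, walking nested groups."""
    here = f"{path}/{group['name']}"
    for ctype in group["processors"] + group["controller_services"]:
        if ctype in REQUIRED:
            yield here, ctype
    for child in group["process_groups"]:
        yield from restricted_components(child, here)

def blocking_components(user, flow):
    """Return {(path, type): missing permissions} that stop an import or revert."""
    granted = GRANTS[user]
    if "*" in granted:
        return {}
    blocked = {}
    for path, ctype in restricted_components(flow):
        missing = REQUIRED[ctype] - granted
        if missing:
            blocked[(path, ctype)] = missing
    return blocked

if __name__ == "__main__":
    for flow in (ABC, XYZ):
        for user in GRANTS:
            blocked = blocking_components(user, flow)
            print(flow["name"], user, "OK" if not blocked else f"denied: {blocked}")
```

Running the check over every flow and user before publishing a versioned flow shows which restricted components would need to move to the root process group, or which category grants a user is missing.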