
Access Policy in NiFi

Contributor

Hello, in NiFi can we have some restrictions on users about what they can view, and not edit other users' processor groups? I want to have, say, 5 persons; then I want to give them 5 user IDs and don't want one to interfere with others' work like processor groups, and possibly not even view others' processor groups.

I was viewing one article (https://docs.cloudera.com/cfm/2.0.4/nifi-admin-guide/topics/nifi-creating-users-groups.html) mentioning "From the UI, select "Users" from the Global Menu." But I am not seeing where this Users option is, and also which icon the Global Menu could be.


Master Mentor

@AlokKumar 

Apache NiFi's out-of-the-box configuration utilizes the Single-User-Provider for user authentication and the Single-User-Authorizer for authorization. When using the Single-User-Authorizer provider, you cannot manage authorizations for additional users.

So with this out-of-the-box setup you will not see either the Users or Policies options in NiFi, since only the single user generated by NiFi can authenticate, and that user has full access. These providers were created so that NiFi would be secured (HTTPS) on startup and would be accessible with modern browsers, which now all redirect any http request to https.

Prior to Apache NiFi 1.14 these single-user providers did not exist. The out-of-the-box setup of NiFi was unsecured. Users were required to create their own certificates, set up an external mechanism for user authentication, and set up an authorizer that could manage authorization policies for multiple user identities. CFM 2.0.4, referenced in the doc link you shared, is based off Apache NiFi 1.11.4. Also worth noting is that Cloudera Flow Management (CFM) has never used the single-user providers. CFM is designed to deploy/install enterprise-ready, secured, managed Apache NiFi clusters.


So before I can help here, I need to understand more about your setup. Which login provider and which authorizer are you using? If you are utilizing the out-of-the-box single-user providers, that is the first thing you will need to change. Understand that Apache NiFi does not provide a multi-user login provider. So for multi-user access you'll need to use an external provider or utilize unique clientAuth certificates for each of your users. You can see what options for user authentication exist in the Apache NiFi Admin Guide under the User Authentication section. Lightweight Directory Access Protocol (LDAP) is probably the most commonly used.

Now these unique users will require unique authorizations (Multi-Tenant Authorization), and that responsibility falls on the NiFi authorizers.xml configuration file. The most common setup for Apache NiFi will use the StandardManagedAuthorizer. This authorizer would then be configured to reference the FileAccessPolicyProvider, which will enable the Policies option in the NiFi UI global menu. In order to set policies against multiple "user identities", this provider must be made aware of all the possible user identities and, if you want to authorize by groups, will also need to know which users belong to which groups. So the file-access-policy-provider will require being configured with a user group provider. There are several options, but here are the most common:

  • FileUserGroupProvider - This enables the "Users" option in the global menu and allows you to define your user identities and group identities manually. Reminder: this has nothing to do with authentication.
  • LdapUserGroupProvider - This syncs users and groups from an external LDAP.
  • Composite implementations - providers that allow multiple user-group-providers to be used at the same time. It is common to configure the file-access-policy-provider to use the composite-configurable-user-group-provider and then configure the composite-configurable-user-group-provider to obtain users and groups from both the file-user-group-provider and the ldap-user-group-provider, where the file-user-group-provider is used to manage the user identities derived from your individual NiFi cluster node identities (yes, even the individual nodes in a NiFi cluster require some authorizations).

An example authorizers.xml setup utilizing the common setup I described above can be seen here in the NiFi admin guide:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#composite-file-and-ldap-based-...

Hope above helps you get your setup configured to manage multiple unique users. 

--------------------

Once you have multi-user authentication and authorization set up, you'll need to authorize your users. All users will access the same root Process Group (PG), which is the top-level canvas. It is then common for a unique child PG to be created for each unique user or group. You cannot hide components on the canvas; this is done to prevent one user/group from building their dataflows on top of other users' dataflows. However, if a user/group is not authorized on a PG, they will only see a dashed outlined PG box and no details. The same goes for processors and other components.

[screenshot: an unauthorized Process Group rendered as a dashed outline with no details]

And if they try to view the configuration they will not be able to see that either:

[screenshot: the configuration dialog of a component the user is not authorized on]

Keep in mind that processor components will inherit their permissions/authorizations from the parent Process Group. So once you authorize a user or group on a single child PG, they will be able to add processors, deeper child PGs, etc. within that authorized child PG without needing to set explicit policies on every sub-component.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Contributor

Hello @MattWho, thank you for a detailed answer. I very much appreciate your time.

My requirement is that there are, say, 5 developers in my team, and I want each to have their own unique user ID and password. Currently I have a single-user setup.

You have mentioned LDAP. I am not much aware of it. Is there any helpful article which can help me as a newbie? I again appreciate your help to this community.

Master Mentor

@AlokKumar 

The out-of-the-box single-user setup is only intended to be used for ease of NiFi evaluation. For a multi-user production NiFi setup you need to be using another form of multi-user authentication and the managed authorizer for authorization.

For authentication, since you have only 5 developers, you could go as simple as generating a unique user certificate for each of your 5 developers. These developers could load their certificate into their browser and use that to authenticate their user during the mutual TLS handshake between their browser and the NiFi instance. There are plenty of detailed how-tos via a Google search on how to generate certificates, and even some free services that will do it for you. You'll need to make sure the public certs are added to NiFi's truststore or NiFi will not trust the private certificates you create for your users.

Another common option is using LDAP or Active Directory to authenticate your users. Again, there are many resources and examples on the web for setting up an LDAP server. LDAP is not a NiFi-specific service.

You can then follow the NiFi guide links I shared in my previous post that show you what needs to be configured in NiFi to use LDAP. Client certificates are supported by any secured NiFi even if you have enabled an additional form of authentication like LDAP. Client certificates are the only way NiFi nodes in a multi-node NiFi cluster setup authenticate with one another.


Thank you,
Matt
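The authentication half of the LDAP option recommended above, as a complete login-identity-providers.xml. This is an added example, not the poster's configuration and not a file shipped by the NiFi project; the LDAP host, service account DN, truststore path and passwords are illustrative assumptions. It is written so that the identity it produces is the bare uid (for example `alice`), which is what a file- or LDAP-backed user group provider keyed on `uid` would expect.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example login-identity-providers.xml: username/password login
     against LDAP.  Hostnames, DNs, paths and passwords are assumptions. -->
<loginIdentityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.ldap.LdapProvider</class>

        <!-- LDAPS (or START_TLS).  SIMPLE over a plain ldap:// URL would send
             every developer's password across the network in the clear. -->
        <property name="Authentication Strategy">LDAPS</property>

        <!-- Read-only service account NiFi binds with to find the user's DN
             before binding again as that user with the supplied password. -->
        <property name="Manager DN">cn=nifi-svc,ou=service,dc=example,dc=org</property>
        <property name="Manager Password">change-me</property>

        <!-- No client certificate to LDAP; the truststore must contain the
             LDAP server's CA or the TLS connection is refused. -->
        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore">./conf/truststore.p12</property>
        <property name="TLS - Truststore Password">change-me</property>
        <property name="TLS - Truststore Type">PKCS12</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="TLS - Shutdown Gracefully">true</property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url">ldaps://ldap.example.org:636</property>
        <property name="User Search Base">ou=people,dc=example,dc=org</property>
        <!-- {0} is replaced with the name typed into the NiFi login form. -->
        <property name="User Search Filter">uid={0}</property>

        <!-- USE_USERNAME makes the NiFi identity the typed uid ("alice").
             USE_DN would make it the full DN, and every policy and user entry
             on the authorization side would then have to use that DN. -->
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>
```

Activate it with `nifi.security.user.login.identity.provider=ldap-provider` in nifi.properties (replacing `single-user-provider`); the keystore and truststore properties there must already be set, because NiFi only offers a login form over HTTPS. NiFi checks for a client certificate first and falls back to this provider only when none is presented, which is why the cluster nodes keep authenticating to each other with certificates while the developers use their LDAP passwords. As with authorizers.xml, the `Manager Password` can be protected with the NiFi Toolkit's encrypt-config tool instead of being left in clear text.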