
Apache NiFi Show Templates and Workflows to only Owner


We want to hide templates and workflows created by one user to the other users in the system. So the workflow should be visible to only its owner.

1 ACCEPTED SOLUTION

Master Mentor

@Rupesh_Raghani 

NiFi templates are uploaded to the process group selected. Only users who have been granted view and modify on that PG will be able to instantiate those templates onto the NiFi canvas.


NiFi operates within a single JVM, so there are not separate per-user canvases.
Users not authorized on a specific NiFi Process Group (PG) will only see a blank representation for that component on the canvas (non-authorized users cannot see name, description, configuration details, etc.). Non-authorized users can still see metrics presented on components and queue counts on connections only.


The reason NiFi still renders all components is because everything is executing within a single JVM.
- One user's flows can impact another team (some flow with a huge backlog of queued data, high volume, etc. can impact resource availability to other teams/users).
- Stats on the information bar are representative of the entire canvas (all dataflows), so it is still important for all teams/users to be able to identify areas of concern even if it is not their dataflows and they have no authorizations allowing them to do anything about it. But they could alert other teams/users.
- Typical use case is team/user 1 has a PG and then team/user 2 has a different authorized PG. If NiFi did not render both PGs to both users, nothing prevents users from building flows on top of one another. Then assume we have team/user 3 that is authorized for both of the above teams'/users' PGs. This becomes unreadable/unusable by that third user.

If you found this helped with your query, please take a moment to log in and click "Accept" on this solution.
Thank you,

Matt


4 REPLIES

Community Manager

@Rupesh_Raghani Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. 

 


Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.


Hey Jervis,

Is there any way to show the blank canvas for every logged-in user?

Master Mentor

@Rupesh_Raghani 

NiFi was not designed to provide a completely blank canvas to each user. There are important design reasons for this.

NiFi runs within a single JVM. All dataflows created on the canvas run as the NiFi service user and not as the user who is logged in. This means that all users' dataflows share and compete for the same system resources. Another user's poorly designed dataflow(s) can have an impact on the operation of another user's dataflow(s). So it is important for one user to be able to identify where backlogs may be forming even if that is occurring in another user's dataflow(s).

With a secured NiFi, authorization policies control what a successfully authenticated user can see and do on the NiFi canvas. While components added to the canvas will always be visible to all users, what is displayed on the component is limited to only stats for unauthorized users (no component names, component types, component configurations, etc.). So an unauthorized user would be unable to see how that unauthorized component is being used and for what. The unauthorized user would also not have access to modify the component, access FlowFiles that traversed those components (unless that data passed through an authorized component somewhere else in the dataflow(s)), etc.

Besides resource usage, another reason users need to see these placeholders for all components is so that users do not build dataflows atop one another. It is common for multiple teams to be authorized to work within the same NiFi. It is also common to have some users who are members of more than one team. For those users, it would be very difficult to use the UI if each team's flows were built on top of one another. The most common setup involves an admin user creating a single Process Group (PG) per team on the root canvas level (top level - what you see when you first log in to a new NiFi). Then each team is authorized only to their assigned PG. So a team1 user logs in and their PG is fully rendered and non-authorized PGs are present but non-configurable, with no displayed details. team1 is unable to add components to the canvas at this level and must enter their authorized PG before they can start building dataflows. When you enter a sub-PG, you have a blank canvas to work with.

Hope this helps with your query.
Matt
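
The per-team setup described in the reply above, as an added example that is not part of the original thread or of NiFi's own code: it builds the request bodies an admin would send to `POST /nifi-api/policies` (one process group per team, view and modify granted only to that team) and audits the set for cross-team grants. The team names and all ids are constructed placeholders, and nothing is sent to a server.

```python
# Added example: builds AccessPolicyEntity bodies for POST /nifi-api/policies.
# All ids below are constructed placeholders, not values from a real NiFi.
TEAMS = {
    "team1": {"group_id": "group-team1-placeholder", "pg_id": "pg-team1-placeholder"},
    "team2": {"group_id": "group-team2-placeholder", "pg_id": "pg-team2-placeholder"},
}

def policy_entity(resource, action, group_ids):
    """Request body granting `action` on `resource` to the given user groups."""
    return {
        "revision": {"version": 0},  # new entities are created at revision 0
        "component": {
            "resource": resource,
            "action": action,  # "read" = view, "write" = modify
            "users": [],
            "userGroups": [{"id": g} for g in sorted(group_ids)],
        },
    }

def build_policies(teams):
    """/flow read for every team, then view + modify per team on its own PG only."""
    everyone = [t["group_id"] for t in teams.values()]
    policies = [policy_entity("/flow", "read", everyone)]  # "view the user interface"
    for team in teams.values():
        for action in ("read", "write"):
            policies.append(policy_entity(
                "/process-groups/" + team["pg_id"], action, [team["group_id"]]))
    return policies

def cross_team_grants(policies, teams):
    """Return (team, resource, action) for each grant on another team's PG."""
    owner = {"/process-groups/" + t["pg_id"]: name for name, t in teams.items()}
    by_group = {t["group_id"]: name for name, t in teams.items()}
    findings = []
    for policy in policies:
        comp = policy["component"]
        for group in comp["userGroups"]:
            team = by_group.get(group["id"])
            if comp["resource"] in owner and team and owner[comp["resource"]] != team:
                findings.append((team, comp["resource"], comp["action"]))
    return findings

if __name__ == "__main__":
    import json
    pols = build_policies(TEAMS)
    print(json.dumps(pols[1], indent=2))
    print("cross-team grants:", cross_team_grants(pols, TEAMS))
```

The teams get no policy on the root process group itself: a NiFi component without its own policy inherits its parent's, so a grant there would reach every team's PG.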