
Can we apply canRead for all policies by default from code for each newly created user?



I want to give all Read access for the UI and all newly created processes and process groups by default, from code, for each new user, instead of explicitly going and giving the view rights. I think we can do this by making changes in the Java files, but I am not able to find the exact flow in the Java files. Expecting a solution for this.

Thanks in advance.


Re: Can we apply canRead for all policies by default from code for each newly created user?

Master Guru

@Bhushan Babar

I am not a NiFi developer, so if you are looking for way to modify the existing NiFi code to programmatically create new users in NiFi's authorizer and grant them access, I am not going to be able to help there.

NiFi's default file-based authorizer supports groups. You can create one or more groups and assign those groups all the global access policies and all the root process group component-level policies. Then whenever you create a new user, simply add them to those groups during user creation and they will have access to those resources. The typical process here is to create an admin group (has most policies), a Dataflow Manager group (has policies that give these users the ability to add to and modify dataflows, access the data and access provenance), a Dataflow Viewers group (has policies that only give view access to the dataflows), a Site-to-Site group (has policies related to Site-to-Site components), and a Proxy group (has the proxy policy granted to NiFi nodes and any external proxy server).

Programmatically, I would think what you are looking to do would be difficult to implement. NiFi authenticates users via certificates and/or multiple other methods (LDAP or Kerberos). This means that servers that connect to your NiFi with a valid certificate would be automatically given admin-level access (all policies)? Some policies are very specific to servers and not users (proxy and Site-to-Site policies, for example). Some policies are not even available until an associated component that uses that policy is added to the canvas (Site-to-Site remote input or output ports).

Thanks,

Matt

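The group-based approach in the answer above can be checked offline against the two files NiFi's file-based authorizer maintains, users.xml and authorizations.xml. The script below is an added example, not NiFi code and not a supported way to edit a running instance (the authorizer owns those files; changes go through the UI or REST API). The sample XML is constructed to mirror the real layout, and the group/policy identifiers and the root process group id are placeholders. It creates a user, adds them to a viewers group at creation time, and then resolves the user's effective policies so you can confirm they inherited only read rights and not, for example, the proxy policy meant for nodes.

```python
"""Model of NiFi's file-based authorizer layout (users.xml + authorizations.xml)
and the "add new users to pre-built groups" approach.  Added example; the XML
is constructed and every identifier is a placeholder."""
import uuid
import xml.etree.ElementTree as ET

ROOT_PG = "ROOT-PG-ID-PLACEHOLDER"  # the real id comes from your NiFi instance

# Constructed users.xml: one viewers group (empty) and one proxy group holding a node.
USERS_XML = """<tenants>
  <groups>
    <group identifier="g-viewers" name="dataflow-viewers"/>
    <group identifier="g-proxy" name="proxies">
      <user identifier="u-node1"/>
    </group>
  </groups>
  <users>
    <user identifier="u-node1" identity="CN=nifi-node1, OU=NiFi"/>
  </users>
</tenants>"""

# Constructed authorizations.xml: viewers may read the UI (/flow) and the root
# process group; only the proxy group holds the /proxy write policy.
AUTHZ_XML = f"""<authorizations>
  <policies>
    <policy identifier="p-flow" resource="/flow" action="R">
      <group identifier="g-viewers"/>
    </policy>
    <policy identifier="p-root-pg" resource="/process-groups/{ROOT_PG}" action="R">
      <group identifier="g-viewers"/>
    </policy>
    <policy identifier="p-proxy" resource="/proxy" action="W">
      <group identifier="g-proxy"/>
    </policy>
  </policies>
</authorizations>"""


def add_user(users_xml, identity, group_names):
    """Create a user and add it to each named group in one step.
    Returns (updated users.xml text, new user identifier)."""
    root = ET.fromstring(users_xml)
    users = root.find("users")
    if any(u.get("identity") == identity for u in users.findall("user")):
        raise ValueError(f"user already exists: {identity}")
    user_id = str(uuid.uuid4())
    ET.SubElement(users, "user", identifier=user_id, identity=identity)
    groups = {g.get("name"): g for g in root.find("groups").findall("group")}
    for name in group_names:
        if name not in groups:
            raise KeyError(f"no such group: {name}")
        ET.SubElement(groups[name], "user", identifier=user_id)
    return ET.tostring(root, encoding="unicode"), user_id


def effective_policies(users_xml, authz_xml, identity):
    """Return the set of (resource, action) pairs an identity holds, either
    directly or through group membership.  Run this after creating a user to
    verify nothing beyond the intended view rights was inherited."""
    tenants = ET.fromstring(users_xml)
    ids = {u.get("identity"): u.get("identifier")
           for u in tenants.find("users").findall("user")}
    if identity not in ids:
        return set()
    user_id = ids[identity]
    group_ids = {g.get("identifier")
                 for g in tenants.find("groups").findall("group")
                 if any(m.get("identifier") == user_id for m in g.findall("user"))}
    granted = set()
    for p in ET.fromstring(authz_xml).find("policies").findall("policy"):
        direct = any(u.get("identifier") == user_id for u in p.findall("user"))
        via_group = any(g.get("identifier") in group_ids for g in p.findall("group"))
        if direct or via_group:
            granted.add((p.get("resource"), p.get("action")))
    return granted


if __name__ == "__main__":
    updated, uid = add_user(USERS_XML, "CN=alice, OU=NiFi", ["dataflow-viewers"])
    for resource, action in sorted(effective_policies(updated, AUTHZ_XML, "CN=alice, OU=NiFi")):
        print(f"{action} {resource}")
```

The resolution step mirrors how the authorizer grants access through groups: a policy lists user and group identifiers, and a user matches if listed directly or via any group they belong to. Keeping node identities in a separate proxy group, as the answer recommends, is what keeps a new human user from picking up the /proxy policy along with their read rights.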


Re: Can we apply canRead for all policies by default from code for each newly created user?

@Matt Clarke Do you have any idea? Can you suggest anything for this?
