
Cloudera NiFi - Automatic policy creation

New Contributor

Good morning,

Is there a way to automate the creation of users, groups, and/or policies in NiFi? For example, I have configured LDAP authentication in NiFi -- is there a way to manage not only authentication but also authorization? It is not necessary for this to be LDAP-based.

I was considering the possibility of using a script with the API, but I wanted to know if there is an "out-of-the-box" solution available.

Thank you.

1 ACCEPTED SOLUTION

Master Mentor

@jirungaray 

Cloudera Flow Management (based on Apache NiFi) provides multiple methods for managing user authorization. This includes NiFi internally via the File-Access-Policy-Provider and externally via Apache Ranger.

There is no built-in mechanism for automatically setting up authorization policies for users or groups, with the exception of the Initial Admin and Initial NiFi Node authorizations.

Many of the authorization policies are directly related to the components added to the canvas. Those components are assigned unique IDs, making it impossible to create policies before the components exist.

File-Access-Policy-Provider:
This provider utilizes a file on disk (authorizations.xml) to persist authorization policies. This file is loaded when NiFi starts. This means it is possible to manually generate this file and have NiFi load it on startup. Also, as you mentioned, you could script out the authorization creation through NiFi REST API calls.

Ranger provider:
This moves authorization responsibility over to Apache Ranger. Policies set up within Ranger are downloaded by the NiFi nodes, where they are locally enforced.

No matter which authorizer you choose to use, authorizations are easiest to manage via groups. Typical users set up LDAP groups for various NiFi roles (admins, team 1, team 2, etc.) and make specific users members of these groups. This simplifies authorization since you can authorize these groups instead of the individual users. Simply adding or removing a user as a member of one of these authorized groups gives or removes authorized access to the NiFi resource identifier (NiFi policy).

The ldap-user-group-provider can be added to the NiFi authorizers.xml to auto-manage syncing of user and group identities from your AD/LDAP, further simplifying management over the file-user-group-provider method, which requires the manual adding of user and group identifiers to NiFi.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

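The accepted answer says that the file-based provider loads authorizations.xml at startup, so the file can be generated ahead of time, and that policies are easiest to manage per group. The script below is an added example (not code from the answer, from Cloudera, or from the NiFi project) of doing exactly that for the file-user-group-provider / File-Access-Policy-Provider pair: it emits a users.xml (group memberships) and an authorizations.xml (group-based policies on global resource identifiers) from a constructed role map, and then cross-checks that every identifier a policy references actually exists, which is the failure mode you hit when the two files drift apart. The group names, identities and the uuid5 namespace are constructed; NiFi normally assigns its own identifiers, and if you switch to the ldap-user-group-provider the group identifiers come from that provider rather than from a file you wrote, so the policies would have to reference those instead. Component-scoped policies (e.g. on a process group) are left out for the reason the answer gives: the component id does not exist until the component is on the canvas.

```python
"""Generate NiFi users.xml and authorizations.xml for the file-based providers.

Added example; every name, identity and namespace below is constructed for
illustration and is not taken from a real deployment.
"""
import uuid
import xml.etree.ElementTree as ET

# Constructed namespace so identifiers are stable across runs (hypothetical value).
ID_NAMESPACE = uuid.UUID("3f1b5e0c-5d0b-4a6e-9a4f-2c2d9d1e7a10")

# Constructed directory: group name -> member identities (LDAP-style DNs here).
SAMPLE_GROUPS = {
    "nifi-admins": ["cn=alice,ou=people,dc=example,dc=com"],
    "team1": ["cn=bob,ou=people,dc=example,dc=com",
              "cn=carol,ou=people,dc=example,dc=com"],
}

# Constructed role map: group name -> [(resource identifier, "R" or "W")].
# Only global resources are used; "/process-groups/<id>" style policies need
# the component id, which only exists once the component is on the canvas.
SAMPLE_POLICIES = {
    "nifi-admins": [("/flow", "R"), ("/controller", "R"), ("/controller", "W"),
                    ("/tenants", "R"), ("/tenants", "W"),
                    ("/policies", "R"), ("/policies", "W")],
    "team1": [("/flow", "R")],
}


def identifier(kind, name):
    """Deterministic identifier for a user, group or policy: same input, same id."""
    return str(uuid.uuid5(ID_NAMESPACE, f"{kind}:{name}"))


def build_users_xml(groups):
    """Build the <tenants> document used by the file-user-group-provider."""
    root = ET.Element("tenants")
    groups_el = ET.SubElement(root, "groups")
    users_el = ET.SubElement(root, "users")
    for name, members in groups.items():
        g = ET.SubElement(groups_el, "group",
                          identifier=identifier("group", name), name=name)
        for m in members:  # membership references the user's identifier only
            ET.SubElement(g, "user", identifier=identifier("user", m))
    for m in sorted({m for members in groups.values() for m in members}):
        ET.SubElement(users_el, "user",
                      identifier=identifier("user", m), identity=m)
    return ET.tostring(root, encoding="unicode")


def build_authorizations_xml(policies):
    """Build the <authorizations> document; one <policy> per (resource, action)."""
    grants = {}
    for group, entries in policies.items():
        for resource, action in entries:
            if action not in ("R", "W"):
                raise ValueError(f"action must be R or W, got {action!r}")
            grants.setdefault((resource, action), []).append(group)
    root = ET.Element("authorizations")
    pols = ET.SubElement(root, "policies")
    for (resource, action), groups in sorted(grants.items()):
        p = ET.SubElement(pols, "policy",
                          identifier=identifier("policy", f"{resource}:{action}"),
                          resource=resource, action=action)
        for g in groups:  # policies grant to groups, never to individual users
            ET.SubElement(p, "group", identifier=identifier("group", g))
    return ET.tostring(root, encoding="unicode")


def dangling_references(users_xml, authorizations_xml):
    """Identifiers referenced by a policy that no group or user in users.xml defines."""
    tenants = ET.fromstring(users_xml)
    known = {g.get("identifier") for g in tenants.iter("group")}
    known |= {u.get("identifier") for u in tenants.find("users").iter("user")}
    auths = ET.fromstring(authorizations_xml)
    refs = [el.get("identifier") for p in auths.iter("policy")
            for el in p if el.tag in ("group", "user")]
    return [r for r in refs if r not in known]


if __name__ == "__main__":
    users = build_users_xml(SAMPLE_GROUPS)
    auths = build_authorizations_xml(SAMPLE_POLICIES)
    problems = dangling_references(users, auths)
    if problems:
        raise SystemExit(f"policies reference unknown identifiers: {problems}")
    header = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    with open("users.xml", "w", encoding="utf-8") as fh:
        fh.write(header + users)
    with open("authorizations.xml", "w", encoding="utf-8") as fh:
        fh.write(header + auths)
```

Run it once to produce the two files, point the file-user-group-provider and File-Access-Policy-Provider in authorizers.xml at them, and start NiFi; the cross-check runs before anything is written, so a role map that grants to a group nobody defined fails loudly instead of producing a policy that silently matches no one.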

2 REPLIES

Community Manager

@jirungaray Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @MattWho @mburgess who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator

