Component level Access in NiFi

Hello

I have a scenario where I am getting confused,

- I have a secured 3-node NiFi cluster [Kerberos]

- Logged in as user 'admin', trying to do file-based authorization without Ranger

- Created a process group named Group1 --> 5 processors within the group

- Set modify privilege on just the GetSFTP processor for user 'john' in Group1.

- Once I set the privilege for GetSFTP, the entire process group is allocated modify access for john, not just the GetSFTP processor.

I am thinking this is not expected behavior; has anyone experienced this before?

Thanks,

Jobin George

1 ACCEPTED SOLUTION

Master Mentor

@Jobin George

When you add new components (process groups or processors), they inherit the policies from the parent component by default. This means your process group (Group1) has inherited some policies, maybe from its parent process group, and your processor (getSFTP) has inherited policies from the process group it is inside. My guess is that those inherited policies are allowing user "john" view and "modify" to process group 'Group1'.

When you select a component (process group or processor) and click on the key icon to modify/set its policies, you may notice the following in the "Access Policies" UI that is displayed:

[Screenshot: Access Policies dialog]

This line is telling you that the policies you are currently looking at are coming from a parent process group. If you modify any of these policies, what you are really doing is modifying the policies on that parent process group rather than on the actual selected component.

In order to set specific policies for the selected component, you must first click on "Override". You will then see the above effective policy line go away, and the specific policy you are currently looking at will be cleared of all entries. Now you can add specific users for this policy that are applied only to this component. If the component is a process group, any processor or additional process group within it will inherit this new policy.

Keep in mind that every policy inherits from its parent by default, so clicking on "Override" only creates new policy accesses for that one policy. You will need to select each available policy for a component and click "Override" for each one where you want to set component-specific policy accesses.

Thanks,

Matt
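
A simplified model of the inheritance behaviour described in the answer above, added here as an illustration; it is not NiFi code and not part of the original posts. The `Component` class, its methods, and the `PutFile` sibling processor are hypothetical, and the flow is constructed so that Group1 owns the modify policy.

```python
class Component:
    """A process group or processor; `policies` holds only explicitly set policies."""

    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.policies = {}  # action -> set of users

    def policy_owner(self, action):
        """Walk up the parents to the component whose policy is in effect."""
        node = self
        while node is not None and action not in node.policies:
            node = node.parent
        return node

    def allowed(self, user, action):
        owner = self.policy_owner(action)
        return owner is not None and user in owner.policies[action]

    def add_user(self, user, action):
        """Edit the displayed policy: the change lands on the policy's owner."""
        owner = self.policy_owner(action)
        if owner is None:
            raise LookupError(f"no {action} policy in effect for {self.name}")
        owner.policies[action].add(user)
        return owner.name

    def override(self, action):
        """'Override': new explicit policy on this component, starting empty."""
        self.policies[action] = set()


def grant_john(use_override):
    # Constructed flow: Group1 owns "modify"; PutFile is a made-up sibling processor.
    group1 = Component("Group1")
    group1.policies["modify"] = {"admin"}
    get_sftp, put_file = Component("GetSFTP", group1), Component("PutFile", group1)
    if use_override:
        get_sftp.override("modify")
    landed_on = get_sftp.add_user("john", "modify")
    return {
        "landed_on": landed_on,
        "john": [c.name for c in (group1, get_sftp, put_file) if c.allowed("john", "modify")],
        "admin_on_GetSFTP": get_sftp.allowed("admin", "modify"),
    }


if __name__ == "__main__":
    print(grant_john(use_override=False))  # edit lands on Group1
    print(grant_john(use_override=True))   # edit stays on GetSFTP
```

In the override case the new policy starts empty, so in this model 'admin' also loses modify on GetSFTP until re-added to the overridden policy.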


Hi @mclark,

Thanks for the reply and for the time you spent on Zoom. It was confusing that when I make a change in the component it gets added to the parent group if I don't override, which was some kind of reverse inheritance. The message said only the below, which made me think there is something wrong:

"Showing effective policy inherited from Process Group Group1. Override this policy."

Thanks again for clarifying!!