
Hi, why should an input port be created on the top-level flow and not in a process group? I need to manage different process groups from a user perspective for requirement purposes. Please suggest some alternative to this, or is managing policies the only solution?

1 ACCEPTED SOLUTION

Master Mentor
@Gitanjali Bare

-

When the NiFi Site-to-Site (S2S) capability was added to NiFi, the input and output ports were designed to allow for the movement of FlowFiles between NiFi process groups. Input and output ports allow for the movement of FlowFiles to and from a parent process group. Once a FlowFile is on the "root" process group level, the effective parent would be another NiFi instance. S2S has been around a lot longer than NiFi's multi-tenant authorizations, thus at the time of development every user who could authenticate into NiFi had access to everywhere on the NiFi canvas.

-

There are considerable design changes required to change this functionality in NiFi. The following Jira was opened as one suggested approach:

https://issues.apache.org/jira/browse/NIFI-2933

-

But in any design change, NiFi must consider how that design change will affect existing users during upgrade. The above change type may leave existing users with invalid flows after upgrade, requiring potentially substantial re-work.

-

At this time, the only option for NiFi S2S is having your input/output ports at the root canvas level (remote ports).

-

Another limitation in multi-tenant NiFi installations is authorized access to these remote input/output ports. The dataflows built by authenticated users do not execute as those users. All flows are executed as the NiFi service user. This means when NiFi A uses S2S to send/retrieve FlowFiles from NiFi B, the servers themselves are being authenticated and authorized in that connection. This means that once NiFi A has been authorized to see X number of remote ports on NiFi B, all users on NiFi A who add a Remote Process Group (RPG) pointing at NiFi B will be able to see and transfer FlowFiles to/from all those remote ports.

-

Thank you,

Matt

-

If you found this Answer addressed your original question, please take a moment to login and click "Accept" below the answer.


Thanks a lot!!!


The solution we use is not perfect.

Every project (tenant group) gets an input port that admins create on the root flow which we route into their PG.

To prevent one tenant from accidentally writing onto someone else's input port, we recommend they add a secret value attribute to their outgoing FlowFiles and check for it via RouteOnAttribute upon receiving FlowFiles in their PG.
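As an added illustration of the approach in this reply (a root-level input port per tenant routed into that tenant's PG, then a secret-attribute check with RouteOnAttribute), here is a small Python model of the dispatch; it is not the poster's flow or NiFi's own code. The port names, process group names, the attribute name `tenant.secret` and the secret values are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class FlowFile:
    """Minimal stand-in for a NiFi FlowFile; only attributes matter here."""
    attributes: Dict[str, str] = field(default_factory=dict)
    content: bytes = b""


# Constructed registry: root-level input port name -> (tenant process group,
# secret the tenant agreed to stamp on every FlowFile it sends).
TENANT_PORTS = {
    "in-project-a": ("PG-ProjectA", "long-random-value-issued-to-project-a"),
    "in-project-b": ("PG-ProjectB", "long-random-value-issued-to-project-b"),
}

# Attribute name chosen by convention (assumption); the RouteOnAttribute
# dynamic property inside the PG would read, in NiFi Expression Language:
#   matched = ${tenant.secret:equals('long-random-value-issued-to-project-a')}
SECRET_ATTR = "tenant.secret"


def route_on_attribute(ff: FlowFile, expected_secret: str) -> str:
    """Emulate RouteOnAttribute with 'Route to Property name' and one
    dynamic property. Returns the relationship: 'matched' or 'unmatched'."""
    presented = ff.attributes.get(SECRET_ATTR, "")
    # Constant-time comparison so the check itself leaks nothing via timing.
    if hmac.compare_digest(presented.encode(), expected_secret.encode()):
        return "matched"
    return "unmatched"


def dispatch(port_name: str, ff: FlowFile) -> Tuple[str, str]:
    """Root input port -> tenant PG -> RouteOnAttribute.
    Returns (process group the FlowFile entered, relationship it took)."""
    if port_name not in TENANT_PORTS:
        raise KeyError(f"no root-level input port named {port_name!r}")
    pg, secret = TENANT_PORTS[port_name]
    return pg, route_on_attribute(ff, secret)
```

Because the S2S connection is authorized server-to-server, as the accepted answer explains, this attribute check only catches FlowFiles that land on the wrong tenant's port by mistake; it is not an authorization boundary between tenants.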


Thanks for the reply, will try this out 🙂