NiFi: Can I have more than one admin user?

Contributor

Hi,

Is there a way to have more than one admin user in NiFi?
How do you manage users/nodes, only with one user?

I want an additional NiFi user that will add users and authorize them.

Thanks

Edi

2 ACCEPTED SOLUTIONS

Master Mentor

@edim2525 

Just to add to what @cotopaul already shared:

An out-of-the-box NiFi install sets users up with a single-user authorizer and single-user login provider. These providers are not designed for production use, but were designed to allow for an easy out-of-the-box secure install of NiFi. This default provider allows for only a single user with full unmanaged access to NiFi. See the links provided by @cotopaul for more info there.

Reconfiguring your out-of-the-box NiFi configuration to instead use a managed authorizer would then give you the ability to create various levels of authorization for different authenticated users. The managed authorizer uses a file-access-policy-provider and file-user-group-provider to create and seed the users.xml and authorizations.xml files upon first startup. After these files exist, those two providers will not modify them via any config changes you make within the providers. The initial user identity and initial admin defined in those providers will seed those files with the required authorization policies for that authenticated user to perform admin-type actions (such as authorizing additional authenticated users against various NiFi policies). NiFi does NOT have the ability to manage local users; this means that user authentication must be handled via an external method. The most commonly used methods for user authentication are mutual TLS using a clientAuth certificate, ldap-provider (allowing user authentication via LDAP username and password), and Kerberos-based authentication (via SPNEGO or the kerberos-provider login provider).

Once your NiFi is set up to support multi-user authentication and authorization, your "initial admin" will have the ability to define additional user authorizations, including those authorizations your initial admin was pre-configured with.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt
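
A minimal `authorizers.xml` for the managed authorizer setup described in the answer above, as an added example (not part of the original post and not taken from a specific NiFi installation). The identity `CN=nifi-admin, OU=NiFi` and the file paths are constructed placeholders; the identity string must match exactly what your external authentication method (client certificate DN, LDAP, or Kerberos) presents to NiFi.

```xml
<!-- conf/authorizers.xml (constructed example) -->
<authorizers>
    <!-- Seeds users.xml on first startup only. Once users.xml exists,
         changing "Initial User Identity" here has no effect. -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <!-- Placeholder identity: replace with your first admin's identity -->
        <property name="Initial User Identity 1">CN=nifi-admin, OU=NiFi</property>
    </userGroupProvider>

    <!-- Seeds authorizations.xml on first startup only. The initial admin
         receives the policies needed to add users and grant them access,
         including the same admin-type policies. -->
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <!-- Must be identical to an Initial User Identity above -->
        <property name="Initial Admin Identity">CN=nifi-admin, OU=NiFi</property>
    </accessPolicyProvider>

    <!-- Replaces the default single-user authorizer -->
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
```

`nifi.properties` also has to select this authorizer with `nifi.security.user.authorizer=managed-authorizer`. Additional admins are then created by the initial admin from within NiFi rather than by editing this file, since the providers do not re-seed existing users.xml and authorizations.xml files.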


3 REPLIES 3

Contributor

I appreciate the comprehensive response. Thanks.