Support Questions

Felix is correct. All processor on the NiFi canvas execute their code as the user who owns the NIFi JVM process. Authenticated user are granted authorizations needed to build dataflows but that user is in no way tied to execution of the added processors code.

-

However, processors that utilize connection authentication methods like Kerberos, username/password, etc.. will connect to the target system using those credentials provided in the processor configuration.

-

Processors where not authentictaion credentials are provided will exececute as the NiFi service user

@Felix Albani & @Matt Clarke :

Thanks both for your answers. If I correctly understood, "dynamic" delegation is not an option... My use case is as follow :

• user John logs in NiFi and runs a pipeline with a processor, e.g. PutHDFS which write into `/some/dir` which is associated with a Ranger policy granting write permission to user John.
• user James logs in NiFi and runs the same pipeline with a processor, e.g. PutHDFS which write into `/some/dir` which is associated with a Ranger policy denying write permission to user James.

Is this possible to achieve this kind of use case? Basically, the credentials used by the processor depends on the logged in user.

@David D

-

That is not possible. Every component added in NiFi is executed by the service user (this is the user running the NiFi JVM)

-

NiFI authorizations simply control what a users can access the canvas and what types of actions they can perform while logged in to the canvas. A logged in user has no association to the processors themselves.

-

Thanks,

Matt

@Matt Clarke

Thanks for the clarification. I'm quite new to Hadoop security and Kerberos, so I was wondering if there is some architectural issue to implement what I was talking about. That doesn't seem very difficult code-wise, I just had a quick look and found that Kerberos authentication is done in AbstractHadoopProcessor#resetHDFSResources : I just need to get the logged in user from a processor and do some Kerberos delegation.

@David D

Where would the processor then store that information?

-

There is no notion of a logged in user in NiFi. Every single request made to the NiFi UI requires authorization. Before a user request can be checked for proper authorization, the user must be successfully authenticated. The default user authentication is via ssl certificates. In this case the user certificate is expected in every ret endpoint request. For other authentication request like ldap or kerberos, the user is issued a token upon successful authentication which the browser stores. That token is only valid for a configured amount of time before user must log in again. That token must then be included in every rest endpoint request which will trigger an authorization check. So there really is no place for NiFi code to check for what user is "logged in". Not to mention a user logs in to a specific node in a Nifi cluster. How would the same processor executing on other nodes in the cluster know what user to use?

-

What user would that processor use next time it is scheduled to run if that user no longer has a valid token?

-

What happens if NiFi ended up being restarted?

-

There are a lot of things to consider there. None of which NiFI at its core was designed to handle.

-

Thanks,

Matt