NiFi v0.6.1 vs NiFi v1.5.0 - Provide access to users via NiFi UI

Contributor

Hi,

I am currently working on upgrading NiFi from v0.6.1 to v1.5.0.

One thing I noticed is that in v0.6.1, when a user tries to log in to NiFi and doesn't have permissions to log in, he will be routed to a new justification window as below and will be asked to provide justification for access. Once he provides justification, the user's username will be added to the list of users in NiFi UI saying that the request is pending. The admin can then log in and provide the access to that user.

But in v1.5.0, when a user with insufficient permissions tries to log in to NiFi, the UI is routed to a new window which says Insufficient Permissions but does not add the user id to the list of users for the admin to process the request.

Was this feature removed in the latest versions of NiFi?

If so, why was it removed? If not, how can I enable it in v1.5.0?

1 ACCEPTED SOLUTION

Master Mentor
@Harish Vaibhav Kali

-

With the release of Apache NiFi 1.0 there were major design changes to NiFi at its core.

Most obvious major changes include:

1. Gone is the NiFi Cluster Manager in favor of a new zero master clustering for example.
2. Additionally NiFi's authorization model moved to a very granular authorization setup and also added multi-tenancy capability (Multiple users can be logged in at the same time making changes concurrently to different components).

-

With this major re-work to user authentication/authorization the ability to request access was left out. Because of the new very granular authorization capability the notion of a user requesting access became very convoluted. Suppose a user does have access to the /flow NiFi resource. This does not mean they have the ability to actually build, view, or modify any of the actual components on the canvas. And there is no capability for that user (who has authorized access to the UI) to request additional accesses. So it felt just like an incomplete solution just to give only users who could not access the UI the ability to request access.

-

Not to say that such a capability may not come back in the future, I just believe it is a low priority type item.

-

As of Apache NiFi 1.5, NiFi provides the ability within the authorizers.xml to sync NiFi's list of users/groups with LDAP. This will auto populate users in the NiFi users UI to which an admin user can then apply various authorizations.

-

Thank you,

Matt

-

When an "Answer" addresses/solves your question, please select "Accept" beneath that answer. This encourages user participation in this forum.

14 REPLIES

Contributor

@Felix Albani @Timothy Spann can you please help me with this?

Contributor

@Matt Clarke

So the only way to add new users is to log in to NiFi as admin and then add the users via UI?

Master Mentor

@Harish Vaibhav Kali

Yes, unless you are using LDAP and can set up an LDAP sync to add the users for you.

Contributor

@Matt Clarke

Hi Matt,

Let's say I have a list of users that have access to an instance of NiFi. Is there any way I can retain those users even after I re-install NiFi on that particular instance?

Master Mentor
@Harish Vaibhav Kali

Are we still talking about users created in a NiFi 0.x version being used in a NiFi 1.x+ version?
How user authorization is handled is different between each of those major release versions.

-

Let's assume you are working with purely NiFi 1.x+ versions.
There are three tightly coupled files when it comes to user authorization (assuming you are using NiFi's default file based authorizer):

1. users.xml <-- contains all users to which authorizations will be granted. Each user is assigned a unique UUID.

2. authorizations.xml <-- contains all authorization policies (some policies will be based off specific component UUIDs). User UUIDs are associated to one or more policies.

3. flow.xml.gz <-- contains all components added to NiFi and their configurations

-

So saving off these three files before you re-install your NiFi instance will allow you to put them back afterwards. Keep in mind that sensitive properties (i.e., passwords) in the flow.xml.gz file are encrypted using the sensitive props key set in the nifi.properties file. So you must use the same sensitive props key on the re-installed NiFi version or NiFi will fail to start because it cannot decrypt the sensitive props.

-

Thanks

Matt

Contributor

Hi Matt,

I know that when the users are added via NiFi UI, it reflects in the users.xml file. What I am asking is, suppose I have added 10 users via NiFi UI and now I have 10 users in my users.xml file. So now can I use this users.xml file in future installations? Suppose I use the same users.xml in a new installation, will those 10 users be able to log in to the newly installed NiFi?

Master Mentor

@Harish Vaibhav Kali

-

The users.xml only contains all the users and the UUID each has been assigned. It has nothing to do with authorizations for those users. While you can copy the users.xml file to another NiFi install, which will result in those 10 users existing in that new NiFi, the authorizations for those 10 users will not exist on the new server since the actual authorizations are stored in the authorizations.xml file.

-

Thanks,

Matt
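
As an added example (not part of the original replies and not NiFi project code), the check below cross-references users.xml against authorizations.xml to show which migrated users would hold no directly assigned policy and which policy entries point at UUIDs missing from users.xml. It assumes the tenants/users and authorizations/policies element layout of the file-based authorizer; the sample XML is constructed, and group-based grants are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not from the thread); identifiers are placeholder UUIDs.
USERS_XML = """<tenants>
  <groups/>
  <users>
    <user identifier="u-admin" identity="CN=admin, OU=NIFI"/>
    <user identifier="u-alice" identity="CN=alice, OU=NIFI"/>
    <user identifier="u-bob" identity="CN=bob, OU=NIFI"/>
  </users>
</tenants>"""

AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="p-1" resource="/flow" action="R">
      <user identifier="u-admin"/>
      <user identifier="u-alice"/>
    </policy>
    <policy identifier="p-2" resource="/policies" action="W">
      <user identifier="u-admin"/>
      <user identifier="u-gone"/>
    </policy>
  </policies>
</authorizations>"""


def audit(users_xml, authorizations_xml):
    """Cross-check user UUIDs between users.xml and authorizations.xml."""
    users = {u.get("identifier"): u.get("identity")
             for u in ET.fromstring(users_xml).iter("user")
             if u.get("identity")}        # skip bare <user> refs inside <group>
    grants = {uid: [] for uid in users}   # user UUID -> [(resource, action)]
    dangling = set()                      # UUIDs in policies with no user entry
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        for ref in policy.findall("user"):
            uid = ref.get("identifier")
            if uid in users:
                grants[uid].append((policy.get("resource"), policy.get("action")))
            else:
                dangling.add(uid)
    return {
        "grants": {users[uid]: g for uid, g in grants.items()},
        "no_direct_policies": sorted(users[uid] for uid, g in grants.items() if not g),
        "dangling_refs": sorted(dangling),
    }


if __name__ == "__main__":
    for key, value in audit(USERS_XML, AUTHORIZATIONS_XML).items():
        print(key, value)
```
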

Contributor

@Matt Clarke

So is there any way I can migrate the users I added manually via UI in one installation of NiFi to a different installation?

If so, how?

The reason I am asking this is because I don't want to manually add the users every time I reinstall NiFi