Hello,
During initial setup of a secured NiFi installation NiFi allows you to specify a single "initial Admin Identity". Upon first startup, NiFi will use that "Initial Admin Identity" to setup that user and grant them the "Access Policies" needed to administer that NiFi instance/cluster. That identity will be able to log in and add new users and grant "Access Policies" to those users.
The default "Access Policies" that are given to that "Initial Admin Identity" include:
NiFi File Based Policies: | Ranger based Policies: | |
view the UI | view the user interface | /flow |
| view the controller | access the controller (view) | /controller (read) |
| modify the controller | access the controller (modify) | /controller (write) |
| view the users/groups | access users/user groups (view) | /tenants (read) |
| modify the users/groups | access users/user groups (modify) | /tenants (write) |
| view policies | access all policies (view) | /policies (read) |
| modify policies | access all policies (modify) | /policies (write) |
Granting these same "Access Policies" to other users you have added will affectively make them an Admin as well.
Thanks,
Matt
Hello,
During initial setup of a secured NiFi installation NiFi allows you to specify a single "initial Admin Identity". Upon first startup, NiFi will use that "Initial Admin Identity" to setup that user and grant them the "Access Policies" needed to administer that NiFi instance/cluster. That identity will be able to log in and add new users and grant "Access Policies" to those users.
The default "Access Policies" that are given to that "Initial Admin Identity" include:
NiFi File Based Policies: | Ranger based Policies: | |
view the UI | view the user interface | /flow |
| view the controller | access the controller (view) | /controller (read) |
| modify the controller | access the controller (modify) | /controller (write) |
| view the users/groups | access users/user groups (view) | /tenants (read) |
| modify the users/groups | access users/user groups (modify) | /tenants (write) |
| view policies | access all policies (view) | /policies (read) |
| modify policies | access all policies (modify) | /policies (write) |
Granting these same "Access Policies" to other users you have added will affectively make them an Admin as well.
Thanks,
Matt
@Matt yeah its working but this working but still i am seeing some of the components are disabled in Canvas.
To enable this components for other "non inital admin user" do i need to enable any policy?
The intent of an "Admin" account in NiFi is to setup users who can do the following:
- Access the UI
- Setup NiFi controller level Controller Services and Reporting Tasks
- Add new users and groups
- Set Access policies for those users
When it comes to building dataflows on the canvas, that is more of a dataflow managers role. The "Initial Admin Identity" by default does not even get this roles capabilities/accesses, but has the ability through the policies he was granted to grant himself or other users the access needed to build dataflows.
In order to enable the dataflow building icons along the top of the UI, those users will need to be granted the "view the component" and "modify the component" access policies on the specific process group in which the want to build their dataflows.
For more information on the various "Access policies" and what capabilities they provide to the assigned users, the NiFi Admin Guide can be found under help within your installed NiFi's UI (Most accurate for whichever version you have installed) or at the following link: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization
Thanks,
Matt
