Created 01-30-2017 04:50 PM
Hi Team,
I have configured Nifi with LDAP and i can able to add users, but i cannot assign more than one user as ADMIN.
Is there any way to assing multiple ADMINS?
Note: its a standalone instance and not integrated with AMBARI/RANGER.
Created on 01-30-2017 05:00 PM - edited 08-18-2019 05:43 AM
Hello,
During initial setup of a secured NiFi installation NiFi allows you to specify a single "initial Admin Identity". Upon first startup, NiFi will use that "Initial Admin Identity" to setup that user and grant them the "Access Policies" needed to administer that NiFi instance/cluster. That identity will be able to log in and add new users and grant "Access Policies" to those users.
The default "Access Policies" that are given to that "Initial Admin Identity" include:
NiFi File Based Policies: | Ranger based Policies: | |
view the UI | view the user interface | /flow |
view the controller | access the controller (view) | /controller (read) |
modify the controller | access the controller (modify) | /controller (write) |
view the users/groups | access users/user groups (view) | /tenants (read) |
modify the users/groups | access users/user groups (modify) | /tenants (write) |
view policies | access all policies (view) | /policies (read) |
modify policies | access all policies (modify) | /policies (write) |
Granting these same "Access Policies" to other users you have added will affectively make them an Admin as well.
Thanks,
Matt
Created 01-30-2017 04:58 PM
In Apache NiFi 1.x there is no more concept of roles, all users are just users, and users and groups can be added to policies. The concept of "Initial Admin" is just a way for the first user to get into NiFi and started adding more users and creating policies, once NiFi is running it doesn't know that user was the initial admin. The initial admin could grant access to other users to make them have the same permissions as his/her self.
Created on 01-30-2017 05:00 PM - edited 08-18-2019 05:43 AM
Hello,
During initial setup of a secured NiFi installation NiFi allows you to specify a single "initial Admin Identity". Upon first startup, NiFi will use that "Initial Admin Identity" to setup that user and grant them the "Access Policies" needed to administer that NiFi instance/cluster. That identity will be able to log in and add new users and grant "Access Policies" to those users.
The default "Access Policies" that are given to that "Initial Admin Identity" include:
NiFi File Based Policies: | Ranger based Policies: | |
view the UI | view the user interface | /flow |
view the controller | access the controller (view) | /controller (read) |
modify the controller | access the controller (modify) | /controller (write) |
view the users/groups | access users/user groups (view) | /tenants (read) |
modify the users/groups | access users/user groups (modify) | /tenants (write) |
view policies | access all policies (view) | /policies (read) |
modify policies | access all policies (modify) | /policies (write) |
Granting these same "Access Policies" to other users you have added will affectively make them an Admin as well.
Thanks,
Matt
Created 01-30-2017 05:34 PM
I have assigned "Access All Policies" to a new created normal user but when i loged in as normal user that policies tab not highlighted.
Do i need to assign any othe policies to make that user act as admin.
Created 01-30-2017 05:41 PM
Thanks i got it 🙂
Created 01-30-2017 06:06 PM
Glad to hear you got it setup.
The "Access all Policies" access policy willnot work if you have not also granted the users the "access users/user groups" access policy. They need to be able to view users in order to grant them access policies.
If this answer was helpful to solving your issue, will you please accept it.
Thank you,
Matt
Created on 01-31-2017 09:04 AM - edited 08-18-2019 05:42 AM
@Matt yeah its working but this working but still i am seeing some of the components are disabled in Canvas.
To enable this components for other "non inital admin user" do i need to enable any policy?
Created on 01-31-2017 01:26 PM - edited 08-18-2019 05:42 AM
The intent of an "Admin" account in NiFi is to setup users who can do the following:
- Access the UI
- Setup NiFi controller level Controller Services and Reporting Tasks
- Add new users and groups
- Set Access policies for those users
When it comes to building dataflows on the canvas, that is more of a dataflow managers role. The "Initial Admin Identity" by default does not even get this roles capabilities/accesses, but has the ability through the policies he was granted to grant himself or other users the access needed to build dataflows.
In order to enable the dataflow building icons along the top of the UI, those users will need to be granted the "view the component" and "modify the component" access policies on the specific process group in which the want to build their dataflows.
For more information on the various "Access policies" and what capabilities they provide to the assigned users, the NiFi Admin Guide can be found under help within your installed NiFi's UI (Most accurate for whichever version you have installed) or at the following link: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization
Thanks,
Matt
Created 01-31-2017 03:33 PM
Really Thanks for the guidance. its working. i wll go through the links which you have shared.
Created 09-03-2020 06:34 AM
I m new bee to nifi. I followed the below link and did the configuration and username password screen appears. But i dont know what the username and password is. Can you help me with it?
https://mintopsblog.com/2017/11/01/apache-nifi-configuration/