Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Nifi Admin Access.

avatar
Contributor

Hi Team,

I have configured Nifi with LDAP and i can able to add users, but i cannot assign more than one user as ADMIN.

Is there any way to assing multiple ADMINS?

Note: its a standalone instance and not integrated with AMBARI/RANGER.

1 ACCEPTED SOLUTION

avatar
Master Mentor

@Anishkumar Valsalam

Hello,

During initial setup of a secured NiFi installation NiFi allows you to specify a single "initial Admin Identity". Upon first startup, NiFi will use that "Initial Admin Identity" to setup that user and grant them the "Access Policies" needed to administer that NiFi instance/cluster. That identity will be able to log in and add new users and grant "Access Policies" to those users.

The default "Access Policies" that are given to that "Initial Admin Identity" include:

NiFi File Based Policies:

Ranger based Policies:

view the UI

view the user interface/flow
view the controlleraccess the controller (view)/controller (read)
modify the controlleraccess the controller (modify)/controller (write)
view the users/groupsaccess users/user groups (view)/tenants (read)
modify the users/groupsaccess users/user groups (modify)/tenants (write)
view policiesaccess all policies (view)/policies (read)
modify policiesaccess all policies (modify)/policies (write)

11891-screen-shot-2017-01-24-at-15050-pm.png

Granting these same "Access Policies" to other users you have added will affectively make them an Admin as well.

Thanks,

Matt

View solution in original post

9 REPLIES 9

avatar
Master Guru

In Apache NiFi 1.x there is no more concept of roles, all users are just users, and users and groups can be added to policies. The concept of "Initial Admin" is just a way for the first user to get into NiFi and started adding more users and creating policies, once NiFi is running it doesn't know that user was the initial admin. The initial admin could grant access to other users to make them have the same permissions as his/her self.

avatar
Master Mentor

@Anishkumar Valsalam

Hello,

During initial setup of a secured NiFi installation NiFi allows you to specify a single "initial Admin Identity". Upon first startup, NiFi will use that "Initial Admin Identity" to setup that user and grant them the "Access Policies" needed to administer that NiFi instance/cluster. That identity will be able to log in and add new users and grant "Access Policies" to those users.

The default "Access Policies" that are given to that "Initial Admin Identity" include:

NiFi File Based Policies:

Ranger based Policies:

view the UI

view the user interface/flow
view the controlleraccess the controller (view)/controller (read)
modify the controlleraccess the controller (modify)/controller (write)
view the users/groupsaccess users/user groups (view)/tenants (read)
modify the users/groupsaccess users/user groups (modify)/tenants (write)
view policiesaccess all policies (view)/policies (read)
modify policiesaccess all policies (modify)/policies (write)

11891-screen-shot-2017-01-24-at-15050-pm.png

Granting these same "Access Policies" to other users you have added will affectively make them an Admin as well.

Thanks,

Matt

avatar
Contributor
@Matt

I have assigned "Access All Policies" to a new created normal user but when i loged in as normal user that policies tab not highlighted.

Do i need to assign any othe policies to make that user act as admin.

avatar
Contributor

Thanks i got it 🙂

avatar
Master Mentor
@Anishkumar Valsalam

Glad to hear you got it setup.

The "Access all Policies" access policy willnot work if you have not also granted the users the "access users/user groups" access policy. They need to be able to view users in order to grant them access policies.

If this answer was helpful to solving your issue, will you please accept it.

Thank you,

Matt

avatar
Contributor

@Matt yeah its working but this working but still i am seeing some of the components are disabled in Canvas.

11902-capture.png

To enable this components for other "non inital admin user" do i need to enable any policy?

avatar
Master Mentor
@Anishkumar Valsalam

The intent of an "Admin" account in NiFi is to setup users who can do the following:

- Access the UI

- Setup NiFi controller level Controller Services and Reporting Tasks

- Add new users and groups

- Set Access policies for those users

When it comes to building dataflows on the canvas, that is more of a dataflow managers role. The "Initial Admin Identity" by default does not even get this roles capabilities/accesses, but has the ability through the policies he was granted to grant himself or other users the access needed to build dataflows.

In order to enable the dataflow building icons along the top of the UI, those users will need to be granted the "view the component" and "modify the component" access policies on the specific process group in which the want to build their dataflows.

11928-screen-shot-2017-01-31-at-82156-am.png

For more information on the various "Access policies" and what capabilities they provide to the assigned users, the NiFi Admin Guide can be found under help within your installed NiFi's UI (Most accurate for whichever version you have installed) or at the following link: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization

Thanks,

Matt

avatar
Contributor

@Matt

Really Thanks for the guidance. its working. i wll go through the links which you have shared.

avatar
New Contributor

I m new bee to nifi. I followed the below link and did the configuration and username password screen appears. But i dont know what the username and password is. Can you help me with it?

https://mintopsblog.com/2017/11/01/apache-nifi-configuration/