NiFi GetFile (OS operation) user impersonation

Every example I've seen on the GetFile processor assumes that the user running NiFi has full permissions on the files and paths being read. Is there a way to provide user credentials to a NiFi processor? This will allow NiFi to impersonate that user so that it can have access to data on the filesystem that the NiFi user doesn't have permission to read or write.

1 ACCEPTED SOLUTION

As @Abdelkrim Hadjidj mentioned, this is not currently possible in NiFi out of the box. You have a few options.

  1. Change the file permissions to be accessible by the OS user that is running NiFi. Assuming that user is "nifi", this could be done by adding the "nifi" account to a group with R/W access to the file, or by changing the owner to the "nifi" user (assuming the owner has R/W). This is the recommended solution.
  2. You could use an ExecuteStreamCommand or ExecuteProcess processor to run a shell command which reads the contents of the file into a flowfile. Because you are running a shell command, you can use something like "$ echo <other_account_password> | sudo -S -u OTHER_USER more ${path/to/file}". It would be more secure to provide the password in a separate password file (secured via OS permissions) to avoid history leakage, but you can also prepend the command with a space to avoid it showing up in the history.
  3. You might be able to use the GetHDFS processor with a configuration file that mapped it to the local file system and allowed user impersonation. This is not recommended and definitely not supported, but potentially technically possible.
  4. You could write a custom processor, but Java does not have any API for reading a file as an OS user other than the one that the JVM is running under. You could possibly use the Java FileSystem API to change the OS ownership or permissions on the file, but in that case, #1 is a better solution.
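
One way to apply and verify option 1 above with least privilege, as an added example that is not part of the original answer. It assumes Linux with GNU coreutils `stat`; the function names and the group name `nifi-ingest` are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: option 1 (shared group) without opening files to "other".
# Assumes Linux with GNU coreutils stat; function names are hypothetical.
# One-time setup as root, with a placeholder group name:
#   groupadd nifi-ingest && usermod -aG nifi-ingest nifi
#   (restart NiFi afterwards so its process picks up the new group)

# grant_group_read DIR GROUP
# Give GROUP read-only access to DIR and everything under it. Directories get
# 2750 (setgid, so new files inherit GROUP), files get 640; "other" gets nothing.
grant_group_read() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" &&
    find "$dir" -type d -exec chmod 2750 {} + &&
    find "$dir" -type f -exec chmod 640 {} +
}

# check_group_read PATH GROUP
# Return 0 only if PATH belongs to GROUP (name or numeric gid), GROUP can read
# it (and traverse it, for a directory), and "other" has no access at all.
check_group_read() {
    path=$1 group=$2
    info=$(stat -c '%a %G %g' "$path") || return 2
    set -- $info
    mode=000$1 gname=$2 gid=$3          # pad so short modes like "0" still parse
    other=${mode#"${mode%?}"}            # last octal digit
    rest=${mode%?}
    grp=${rest#"${rest%?}"}              # second-to-last octal digit

    if [ "$group" != "$gname" ] && [ "$group" != "$gid" ]; then
        echo "$path: group is $gname, expected $group" >&2; return 1
    fi
    if [ "$other" != 0 ]; then
        echo "$path: world-accessible (mode $1)" >&2; return 1
    fi
    need=4                               # read
    if [ -d "$path" ]; then need=5; fi   # read + search for directories
    if [ $((grp & need)) -ne "$need" ]; then
        echo "$path: group lacks read access (mode $1)" >&2; return 1
    fi
    return 0
}
```

These modes are read-only. If GetFile is left to remove files after pickup (Keep Source File set to false), the directory also needs group write, for example 2770.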


3 REPLIES

Hi @Jason Bolden

This is not possible currently. Access will be done with the user running NiFi. This is possible for other processors like GetHDFS where you can do user impersonation.

Thanks

Thank you for the quick response. That being said, creating a custom processor is not beyond my ability. Is this even possible? My NiFi instance is running in a Linux environment.
