Hello. We have a one node NIFI cluster configured with Ranger for NIFI security. We have setup the standard polices for /flow, /proxy and a policy for all nifi resources. When an admin user is signed in NIFI we can view Provenance data. If I sign into as a non-admin user such as one of our developers no provenance data is visible. I setup a /provenance policy which allows developers to see the NIFI Data Provenance screen but it has no data for the non-admin user.
I found this article and have followed the steps in this document including this section below - https://community.hortonworks.com/articles/58769/hdf-20-enable-ranger-authorization-for-hdf-compone....
We have setup these two policies which allow the non-admin user to manage the Process-Group
- Grant user/group access to modify the NiFi flow with a policy for /process-groups/<root-group-id> with RW
- Create a separate a policy for /provenance/process-groups/<root-group-id> (with each of the cluster node DNs) for read access
The first policy allows them to manage the process group properly but the second policy does not seem to work.
I see no errors in the nifi-app.log or the nifi-user.log. In the nifi-user.log I see "Authentication Success" messages when the attempt is made. In ranger I see no denied messages on the Audit>Access screen. If I add the developer to the /* policy it works fine so I am missing a NIFI resource identifier in one of my policies. I cannot find documentation on what I might be missing. Any help would be appreciated.
