Created 07-10-2017 04:11 PM
Hello. We have a one-node NiFi cluster configured with Ranger for NiFi security. We have set up the standard policies for /flow, /proxy and a policy for all NiFi resources. When an admin user is signed in to NiFi we can view provenance data. If I sign in as a non-admin user, such as one of our developers, no provenance data is visible. I set up a /provenance policy which allows developers to see the NiFi Data Provenance screen, but it has no data for the non-admin user.
I found this article and have followed the steps in this document including this section below - https://community.hortonworks.com/articles/58769/hdf-20-enable-ranger-authorization-for-hdf-compone....
We have set up these two policies which allow the non-admin user to manage the Process Group.
The first policy allows them to manage the process group properly but the second policy does not seem to work.
I see no errors in the nifi-app.log or the nifi-user.log. In the nifi-user.log I see "Authentication Success" messages when the attempt is made. In Ranger I see no denied messages on the Audit > Access screen. If I add the developer to the /* policy it works fine, so I am missing a NiFi resource identifier in one of my policies. I cannot find documentation on what I might be missing. Any help would be appreciated.
Created 07-10-2017 05:08 PM
https://community.hortonworks.com/articles/60842/hdf-20-defining-nifi-policies-in-ranger.html has detailed info on policies that need to be setup.
We need to set up policies for
/data/{resource}/{uuid}
so users can view provenance data.
Also we need to create a policy for
/provenance
so users can submit a query. The data policy will allow you to view the data.
Created 07-10-2017 06:12 PM
Just to add more detail to the above answer...
- Granting users the ability to run provenance queries does not then give users the ability to view details on every piece of data that passes through any processor component on the canvas.
- If you were to monitor the nifi-app.log on each of your nodes, you would likely see that the provenance query is returning events yet none are being displayed. This is because NiFi filters the result based on "data" resource policies granted to that user.
- Only results for components to which the user has been granted access will be displayed. This is where the /data/{resource}/{uuid} mentioned above comes into play.
Created 07-10-2017 07:45 PM
Thank you very much. I was able to get your suggestions to work. I have one other question. I have set up permissions at the /data/Process-Group/{uuid} level. The developer has created multiple Process Groups under where I have applied the permissions. Will these permissions propagate to the additional Process Groups, or will I have to configure those as well? They have not run the flow completely yet, which is why I am asking.
Created 07-10-2017 09:14 PM
The permissions should be hierarchical, so everything underneath the process group should inherit the policy you created. If you create a more specific policy on a component within that process group, the more specific policy takes precedence.
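The three points made in this thread (the /provenance policy only lets a user submit the query, the returned events are then filtered by /data/{resource}/{uuid} policies, and those data policies are inherited down the process-group tree unless a more specific policy exists) can be seen together in the following model. It is an added example written for this thread, not NiFi or Ranger code. The component UUIDs, user names and events are constructed, and the resource paths follow NiFi's authorizable scheme (/provenance, /data/process-groups/<uuid>, /data/processors/<uuid>). One assumption about the plugin's behaviour is built in: a Ranger policy that exists for the exact resource but does not list the user is treated as a denial, while the absence of any policy makes NiFi fall back to the parent component.

```python
"""Model of how a Ranger-secured NiFi decides which provenance events a user
sees.  Added, simplified illustration for this thread, not NiFi/Ranger code.
All names (users, UUIDs such as pg-root and proc-a, events) are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

Policies = Dict[str, Dict[str, Set[str]]]  # resource -> user -> access types

# Constructed Ranger policies for the "nifi" service.  NiFi's Ranger service
# definition uses READ and WRITE as the access types.
POLICIES: Policies = {
    "/*": {"admin": {"READ", "WRITE"}},                     # admin-wide policy
    "/flow": {"dev": {"READ"}, "dev2": {"READ"}},
    "/provenance": {"dev": {"READ"}, "dev2": {"READ"}},     # may submit queries
    "/process-groups/pg-root": {"dev": {"READ", "WRITE"}},  # manage the PG
    "/data/process-groups/pg-root": {"dev": {"READ"}},      # view data in the PG
    # A more specific policy on one processor inside pg-root: it exists but
    # does not list dev, so the lookup answers "denied" instead of "no policy".
    "/data/processors/proc-secret": {"admin": {"READ"}},
}

# Constructed component hierarchy on the /data authorizables:
# child resource -> parent resource (None at a root-level process group).
PARENTS: Dict[str, Optional[str]] = {
    "/data/processors/proc-a": "/data/process-groups/pg-child",
    "/data/process-groups/pg-child": "/data/process-groups/pg-root",
    "/data/processors/proc-secret": "/data/process-groups/pg-root",
    "/data/process-groups/pg-root": None,
    "/data/processors/proc-b": "/data/process-groups/pg-other",
    "/data/process-groups/pg-other": None,
}


def ranger_check(user: str, resource: str, action: str, policies: Policies) -> str:
    """One policy lookup for an exact resource (assumed plugin behaviour).

    'approved'  : an exact or wildcard ('/*') policy grants the action
    'denied'    : an exact policy exists but does not grant it to this user
    'not-found' : no exact policy exists, so the caller may try the parent"""
    exact = policies.get(resource)
    wild = policies.get("/*")
    for pol in (exact, wild):
        if pol is not None and action in pol.get(user, set()):
            return "approved"
    return "denied" if exact is not None else "not-found"


def authorize(user: str, resource: str, action: str,
              parents: Dict[str, Optional[str]], policies: Policies) -> str:
    """Hierarchical authorization: walk from the component up through its
    parent process groups until some policy decides, so the most specific
    policy wins.  No policy anywhere on the path means denied."""
    current: Optional[str] = resource
    while current is not None:
        verdict = ranger_check(user, current, action, policies)
        if verdict != "not-found":
            return verdict
        current = parents.get(current)
    return "denied"


@dataclass(frozen=True)
class ProvenanceEvent:
    event_id: int
    component_type: str   # "processors" or "process-groups"
    component_id: str
    event_type: str


# Constructed events returned by the provenance repository for a query.
EVENTS: List[ProvenanceEvent] = [
    ProvenanceEvent(1, "processors", "proc-a", "RECEIVE"),
    ProvenanceEvent(2, "processors", "proc-secret", "ATTRIBUTES_MODIFIED"),
    ProvenanceEvent(3, "processors", "proc-b", "SEND"),
]


def query_provenance(user: str, events: List[ProvenanceEvent],
                     parents=PARENTS, policies=POLICIES) -> List[int]:
    """Submit a query (needs READ on /provenance) and return the ids of the
    events the user may see (needs READ on the event's /data authorizable,
    resolved hierarchically).  Events the user may not see are silently
    dropped, which is the 'query runs but nothing is shown' symptom."""
    if authorize(user, "/provenance", "READ", parents, policies) != "approved":
        raise PermissionError(f"{user} may not submit provenance queries")
    return [e.event_id for e in events
            if authorize(user, f"/data/{e.component_type}/{e.component_id}",
                         "READ", parents, policies) == "approved"]


if __name__ == "__main__":
    for u in ("admin", "dev", "dev2"):
        print(u, query_provenance(u, EVENTS))
```

Running it shows admin seeing all three events through the /* policy, dev seeing only event 1 (proc-a inherits READ from /data/process-groups/pg-root via pg-child, proc-secret is covered by a more specific policy that excludes dev, and proc-b lives outside the granted process group), and dev2, who has /provenance but no /data policy, getting an empty result with no error and no Ranger denial logged for the query itself.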