Created 07-21-2017 07:45 PM
Hi,
I integrated Ranger with NiFi and configured Multi-Tenancy. But for some processors like the ones below, they don't have access to add them to their canvas. I added R/W permission to /flow and RW to their process group in Ranger. Not sure what permission I missed. Any thoughts?
TailFile, PutHDFS, PutFile, InvokeScriptedProcessor, GetHDFSSequenceFile, GetHDFS, GetFile, FetchHDFS, FetchFile, DeleteHDFS, ExecuteStreamCommand, ExecuteScript, ExecuteProcess, ExecuteFlumeSource, ExecuteFlumeSink
Created 07-21-2017 08:15 PM
Hi @Sanaz Janbakhsh,
The processors you listed are considered Restricted Components and are marked by a red/white shield icon in the UI (in the Add Processor window and when the processor is added to the NiFi canvas). A description of Restricted Components:
"These are components that can be used to execute arbitrary unsanitized code provided by the operator through the NiFi REST API/UI or can be used to obtain or alter data on the NiFi host system using the NiFi OS credentials. These components could be used by an otherwise authorized NiFi user to go beyond the intended use of the application, escalate privilege, or could expose data about the internals of the NiFi process or the host system. All of these capabilities should be considered privileged, and admins should be aware of these capabilities and explicitly enable them for a subset of trusted users."
(This info can be found in: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#adding-components-to-the-canvas)
Before a user is allowed to create and modify restricted components they must be granted access to restricted components. There is a global access policy called "access restricted components" where you can configure this. More details here: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#UI-with-multi-tenant-authorization
Created 07-21-2017 11:02 PM
Hi Andrews,
What is the policy name that I should add? "/accessrestrictedcomponents"
Thanks
Created 07-24-2017 02:17 PM
"/restricted-components"
Created 07-24-2017 08:09 PM
Hi,
I tried "/restricted-component" and granted the users to this. It works when a user adds the process outside of their tenant but not inside their tenant. How should it be granted inside the tenant?
Created 07-24-2017 08:20 PM
Never mind. It took a bit. Now it is working. Thanks for the help.
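
An added example (not from the thread, NiFi or Ranger): a small audit over a Ranger policy export that lists every user and group able to reach `/restricted-components`, including through wildcard policies. The export shape, the `nifi-resource` key, the treatment of `public` as a catch-all group, and all policy and user names in the sample are assumptions or constructed values.

```python
import fnmatch

RESTRICTED = "/restricted-components"  # policy resource named in the thread

# Constructed sample shaped like a Ranger policy export; every name is made up.
def _pol(name, resource, users=(), groups=(), access=("WRITE",), enabled=True):
    return {"name": name, "isEnabled": enabled,
            "resources": {"nifi-resource": {"values": [resource]}},
            "policyItems": [{"users": list(users), "groups": list(groups),
                             "accesses": [{"type": a, "isAllowed": True}
                                          for a in access]}]}

SAMPLE_EXPORT = [
    _pol("tenant-a-flow", "/flow", users=["alice"], access=("READ", "WRITE")),
    _pol("restricted", RESTRICTED, users=["alice"]),
    _pol("catch-all", "/*", groups=["public"]),
    _pol("old-restricted", RESTRICTED, users=["bob"], enabled=False),
]

def grants_on(policies, resource=RESTRICTED):
    """Return sorted (policy, kind, principal, access) tuples covering resource."""
    found = set()
    for pol in policies:
        if not pol.get("isEnabled", True):
            continue  # disabled policies grant nothing
        res = pol.get("resources", {}).get("nifi-resource", {})
        if res.get("isExcludes", False):
            continue
        # Assumption: resource values may hold wildcards, so "/*" also matches.
        values = res.get("values", [])
        if not any(fnmatch.fnmatchcase(resource, v) for v in values):
            continue
        for item in pol.get("policyItems", []):
            allowed = [a["type"] for a in item.get("accesses", [])
                       if a.get("isAllowed", True)]
            for kind in ("users", "groups"):
                for who in item.get(kind, []):
                    for acc in allowed:
                        found.add((pol["name"], kind[:-1], who, acc))
    return sorted(found)

def too_broad(grants, broad_groups=("public",)):
    """Grants that reach restricted components through a catch-all group."""
    return [g for g in grants if g[1] == "group" and g[2] in broad_groups]

if __name__ == "__main__":
    for grant in grants_on(SAMPLE_EXPORT):
        print(grant, "<-- too broad" if too_broad([grant]) else "")
```
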