I integrated Ranger with NiFi and configured Multi-Tenancy. But for some processes like the ones below, they don't have access to add them to their canvas. I added R/W permission to /flow and RW to their process group in Ranger. Not sure what permission I missed. Any thoughts?
TailFile, PutHDFS, PutFile, InvokeScriptedProcessor, GetHDFSSequenceFile, GetHDFS, GetFile, FetchHDFS, FetchFile, DeleteHDFS, ExecuteStreamCommand, ExecuteScript, ExecuteProcess, ExecuteFlumeSource, ExecuteFlumeSink
Hi @Sanaz Janbakhsh,
The processors you listed are considered Restricted Components and are marked by a red/white shield icon in the UI (in the Add Processor window and when the processor is added to the NiFi canvas). A description of Restricted Components:
"These are components that can be used to execute arbitrary unsanitized code provided by the operator through the NiFi REST API/UI or can be used to obtain or alter data on the NiFi host system using the NiFi OS credentials. These components could be used by an otherwise authorized NiFi user to go beyond the intended use of the application, escalate privilege, or could expose data about the internals of the NiFi process or the host system. All of these capabilities should be considered privileged, and admins should be aware of these capabilities and explicitly enable them for a subset of trusted users."
(This info can be found in: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#adding-components-to-the-canvas)
Before a user is allowed to create and modify restricted components, they must be granted access to restricted components. There is a global access policy called "access restricted components" where you can configure this. More details here: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#UI-with-multi-tenant-authorization
I tried "/restricted-component" and granted the users access to this. It works when a user adds the process outside of their tenant but not inside their tenant. How should it be granted inside of the tenant?