Required Permission for some Nifi processes

Expert Contributor

Hi,

I integrated Ranger with NiFi and configured multi-tenancy. But for some processes, like the ones below, they don't have access to add them to their canvas. I added R/W permission to /flow and RW to their process group in Ranger. Not sure what permission I missed. Any thoughts?

TailFile, PutHDFS, PutFile, InvokeScriptedProcessor, GetHDFSSequenceFile, GetHDFS, GetFile, FetchHDFS, FetchFile, DeleteHDFS, ExecuteStreamCommand, ExecuteScript, ExecuteProcess, ExecuteFlumeSource, ExecuteFlumeSink

5 REPLIES

Guru

Hi @Sanaz Janbakhsh,

The processors you listed are considered Restricted Components and are marked by a red/white shield icon in the UI (in the Add Processor window and when the processor is added to the NiFi canvas). A description of Restricted Components:

"These are components that can be used to execute arbitrary unsanitized code provided by the operator through the NiFi REST API/UI or can be used to obtain or alter data on the NiFi host system using the NiFi OS credentials. These components could be used by an otherwise authorized NiFi user to go beyond the intended use of the application, escalate privilege, or could expose data about the internals of the NiFi process or the host system. All of these capabilities should be considered privileged, and admins should be aware of these capabilities and explicitly enable them for a subset of trusted users."

(This info can be found in: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#adding-components-to-the-canvas)

Before a user is allowed to create and modify restricted components they must be granted access to restricted components. There is a global access policy called "access restricted components" where you can configure this. More details here: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#UI-with-multi-tenant-authorization

Expert Contributor

Hi Andrews,

What is the policy name that I should add? "/accessrestrictedcomponents"

Thanks

Guru

"/restricted-components"

Expert Contributor

Hi,

I tried "/restricted-component" and granted the users to this. It works when a user adds the process outside of their tenant but not inside their tenant. How should it be granted inside of the tenant?

Expert Contributor

Never mind. It took a bit. Now it is working. Thanks for the help.
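
The permission set discussed in this thread, as an added example that is not part of the original posts: a small audit over a policy export that reports which grants a user still lacks before they can add a restricted processor inside a tenant's process group. The policy data is constructed and shaped like a Ranger policy export; the process group id, the user names, the required access types (READ on /flow, WRITE on the process group, WRITE on /restricted-components) and the choice to check only direct user grants (not groups) are assumptions.

```python
# Added example: audit who can place restricted processors in a process group.
# POLICIES is constructed sample data shaped like a Ranger policy export for a
# NiFi service; the group id, users and required access types are assumptions.
RW = [{"type": "READ", "isAllowed": True}, {"type": "WRITE", "isAllowed": True}]
POLICIES = [
    {"name": "flow", "isEnabled": True,
     "resources": {"nifi-resource": {"values": ["/flow"]}},
     "policyItems": [{"users": ["alice", "bob"], "accesses": RW}]},
    {"name": "tenant-a-pg", "isEnabled": True,
     "resources": {"nifi-resource": {"values": ["/process-groups/pg-tenant-a"]}},
     "policyItems": [{"users": ["alice", "bob"], "accesses": RW}]},
    {"name": "restricted", "isEnabled": True,
     "resources": {"nifi-resource": {"values": ["/restricted-components"]}},
     "policyItems": [{"users": ["alice"],
                      "accesses": [{"type": "WRITE", "isAllowed": True}]}]},
]


def users_with(policies, resource, access):
    """Return users granted `access` on exactly `resource` by an enabled policy."""
    granted = set()
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies grant nothing
        values = policy.get("resources", {}).get("nifi-resource", {}).get("values", [])
        if resource not in values:
            continue
        for item in policy.get("policyItems", []):
            if any(a["type"] == access and a.get("isAllowed")
                   for a in item.get("accesses", [])):
                granted.update(item.get("users", []))
    return granted


def audit_restricted(policies, process_group_id, users):
    """Map each user to the grants still missing to add a restricted processor."""
    required = [("/flow", "READ"),
                (f"/process-groups/{process_group_id}", "WRITE"),
                ("/restricted-components", "WRITE")]
    return {user: [f"{acc} {res}" for res, acc in required
                   if user not in users_with(policies, res, acc)]
            for user in users}


if __name__ == "__main__":
    report = audit_restricted(POLICIES, "pg-tenant-a", ["alice", "bob"])
    for user, missing in report.items():
        print(user, "OK" if not missing else "missing: " + ", ".join(missing))
```

The same report also shows who already holds the restricted-components grant, which is worth reviewing because that policy is global rather than scoped to one tenant.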