Required Permission for some Nifi processes

Rising Star

Hi,

I integrated Ranger with NiFi and configured multi-tenancy. But for some processes like the ones below, they don't have access to add them to their canvas. I added R/W permission to /flow and RW to their process group in Ranger. Not sure what permission I missed. Any thoughts?

TailFile, PutHDFS, PutFile, InvokeScriptedProcessor, GetHDFSSequenceFile, GetHDFS, GetFile, FetchHDFS, FetchFile, DeleteHDFS, ExecuteStreamCommand, ExecuteScript, ExecuteProcess, ExecuteFlumeSource, ExecuteFlumeSink

Re: Required Permission for some Nifi processes

Guru

Hi @Sanaz Janbakhsh,

The processors you listed are considered Restricted Components and are marked by a red/white shield icon in the UI (in the Add Processor window and when the processor is added to the NiFi canvas). A description of Restricted Components:

"These are components that can be used to execute arbitrary unsanitized code provided by the operator through the NiFi REST API/UI or can be used to obtain or alter data on the NiFi host system using the NiFi OS credentials. These components could be used by an otherwise authorized NiFi user to go beyond the intended use of the application, escalate privilege, or could expose data about the internals of the NiFi process or the host system. All of these capabilities should be considered privileged, and admins should be aware of these capabilities and explicitly enable them for a subset of trusted users."

(This info can be found in: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#adding-components-to-the-canvas)

Before a user is allowed to create and modify restricted components they must be granted access to restricted components. There is a global access policy called "access restricted components" where you can configure this. More details here: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#UI-with-multi-tenant-authorization

Re: Required Permission for some Nifi processes

Rising Star

Hi Andrews,

What is the policy name that I should add? "/accessrestrictedcomponents"

Thanks

Re: Required Permission for some Nifi processes

Guru

"/restricted-components"
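For checking who ends up holding this privilege once the policy exists, here is an added example (not part of the thread and not NiFi or Ranger code) that scans Ranger policies in their JSON form and lists principals granted access to `/restricted-components`, including through wildcard policies. The sample policies and principal names are constructed, and two things are assumptions: that WRITE is the access type that matters here, and that `fnmatch` is a close enough stand-in for Ranger's own wildcard matching.

```python
import fnmatch

RESTRICTED = "/restricted-components"  # resource name given in the thread

# Constructed sample in the shape of Ranger policy JSON; policy, user and
# group names are made up for this example.
SAMPLE_POLICIES = [
    {"name": "flow", "isEnabled": True,
     "resources": {"nifi-resource": {"values": ["/flow"]}},
     "policyItems": [{"users": ["tenant_a_user"], "groups": [],
                      "accesses": [{"type": "READ", "isAllowed": True}]}]},
    {"name": "restricted", "isEnabled": True,
     "resources": {"nifi-resource": {"values": ["/restricted-components"]}},
     "policyItems": [{"users": ["tenant_a_user"], "groups": ["nifi_admins"],
                      "accesses": [{"type": "WRITE", "isAllowed": True}]}]},
    {"name": "everything", "isEnabled": True,
     "resources": {"nifi-resource": {"values": ["/*"]}},
     "policyItems": [{"users": ["legacy_svc"], "groups": [],
                      "accesses": [{"type": "READ", "isAllowed": True},
                                   {"type": "WRITE", "isAllowed": True}]}]},
    {"name": "old-restricted", "isEnabled": False,
     "resources": {"nifi-resource": {"values": ["/restricted-components"]}},
     "policyItems": [{"users": ["former_user"], "groups": [],
                      "accesses": [{"type": "WRITE", "isAllowed": True}]}]},
]

def restricted_component_grants(policies):
    """Map 'user:x' / 'group:x' to the access types granted on RESTRICTED."""
    grants = {}
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies grant nothing
        values = policy.get("resources", {}).get("nifi-resource", {}).get("values", [])
        # Assumption: fnmatch approximates Ranger's wildcard matching, so "/*" also matches.
        if not any(fnmatch.fnmatchcase(RESTRICTED, v) for v in values):
            continue
        for item in policy.get("policyItems", []):
            types = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed")}
            principals = [f"user:{u}" for u in item.get("users", [])]
            principals += [f"group:{g}" for g in item.get("groups", [])]
            for p in principals:
                if types:
                    grants.setdefault(p, set()).update(types)
    return grants

def unexpected_grants(policies, trusted):
    """Principals with WRITE (assumed relevant type) on RESTRICTED outside the allowlist."""
    grants = restricted_component_grants(policies)
    return sorted(p for p, t in grants.items() if "WRITE" in t and p not in trusted)
```

Run against the constructed sample with `{"group:nifi_admins"}` as the allowlist, `unexpected_grants` reports both the directly granted tenant user and the account that reaches the resource only through the `/*` policy.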

Re: Required Permission for some Nifi processes

Rising Star

Hi,

I tried "/restricted-component" and granted the users access to it. It works when the user adds the process outside of their tenant but not inside their tenant. How should it be granted inside the tenant?

Re: Required Permission for some Nifi processes

Rising Star

Never mind. It took a bit. Now it is working. Thanks for the help.