[Secure NIFI] Provide custom-users.xml and custom-authorizations.xm

New Contributor

Hi All,

I am trying to secure NIFI with Keycloak-based access control. I am able to set up the admin account and log in successfully. As the next step, I want to create a group access policy that will have most of the admin privileges, however not via the UI. Is it possible to provide custom-authorizations.xml and custom-users.xml on NIFI Helm where I specify my group and the policy for it, and still keep the initial admin user being generated as well? So basically, the content of these custom files should be appended to the generated users.xml and authorizations.xml files.

I tried a couple of tricks and hacks, such as mounting my custom files under the names users.xml and authorizations.xml. This basically replaces the auto-generated users.xml and authorizations.xml, hence it does not include the admin user but only the group/users I mentioned. I tried to manually add my admin user to the file as well, but in this case the root process-group UUID needs to be specified in the policy, which might change and be unknown.


<policy identifier="3d164d96-bf95-3c66-9b73-7554c0ad04f5" resource="/data/process-groups/138b1307-7a1d-4c0d-8120-ecdaa1741629" action="R">
    <user identifier="admin"/>
</policy>

I tried to use wildcards such as /process-groups/* or just /process-groups to allow all the process groups to be read and written, but it doesn't work. This restricts the admin from creating a new process group, etc.

Any help is appreciated!!
1 ACCEPTED SOLUTION

Master Mentor

@joyjlee 

The File-User-Group-Provider is responsible for:
1. Creating the users.xml using the configured provider properties ONLY if the users.xml file does not already exist.
2. Loading the users from the users.xml into heap memory on startup when the users.xml already exists.

The File-Access-Policy-Provider is responsible for:
1. Generating the authorizations.xml file ONLY if it does not already exist using the configured provider properties.  This provider will not work if users are not already loaded by some user group provider (multiple options exist for loading users: file-user-group-provider, ldap-user-group-provider, shell-user-group-provider, etc.)
2. Loading the user's authorizations into memory if the authorizations.xml file already exists.

So by creating your own custom users.xml and authorizations.xml files, these providers do nothing beyond loading what is already in those files into memory.  They will not append to or modify them.

NiFi does not support wildcard policies either.

The UUID generated by NiFi for a User Identity string will always be the same. So I am assuming you captured all those UUIDs for the users.xml you are manually creating.
Also NiFi only generates the flow.json.gz (replacing flow.xml.gz) if it does not already exist.
While upon creation initially the UUID for the root process group will be random, you could certainly load a pre-built flow.json.gz with your deployment that only has that root PG already in it.   That would allow your pre-built users.xml and authorizations.xml to load with policies you defined.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

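A worked example of the approach Matt describes, added here and not code from this thread or from the NiFi project: a small Python script that writes a users.xml and an authorizations.xml in which the root process-group id is pinned (it must equal the root group id in the pre-built flow.json.gz you ship), the admin keeps the policies NiFi would have generated, and a group receives a chosen subset of those privileges inside the same policy elements. It assumes that NiFi derives an initial user's identifier from its identity string, and a policy identifier from resource + action, using Java's UUID.nameUUIDFromBytes over the UTF-8 bytes (an MD5-based type-3 UUID, which is what the 3 in the third group of the identifier in the question indicates), and that the admin policy list in the script is the set the file access policy provider grants the initial admin. Both are my recollection of the provider code, so diff the output against files a scratch NiFi instance generates for the same admin identity before relying on it. The group name, member identities and root id are constructed sample values. Note also that a policy's `<user identifier>` must be the user's identifier from users.xml, not the identity string.

```python
"""Pre-build NiFi users.xml / authorizations.xml with a pinned root process-group id.

Added example for this thread, not NiFi project code. Assumptions (verify against
files a scratch NiFi instance generates): initial-user and policy identifiers are
Java UUID.nameUUIDFromBytes(seed UTF-8 bytes) with seed = identity string or
resource + action; the admin policy list below is what the file access policy
provider grants the initial admin. Group name, member identities and root id are
constructed sample values.
"""
import hashlib
import uuid
import xml.etree.ElementTree as ET
from pathlib import Path
from xml.dom import minidom


def nifi_seeded_id(seed: str) -> str:
    """MD5 of the raw seed bytes with version 3 / RFC 4122 variant bits, like nameUUIDFromBytes."""
    return str(uuid.UUID(bytes=hashlib.md5(seed.encode("utf-8")).digest(), version=3))


def initial_admin_policies(root_pg_id: str) -> list:
    """(resource, action) pairs granted to the initial admin (assumption, see module docstring)."""
    root = f"/process-groups/{root_pg_id}"
    return [("/flow", "R"),
            (root, "R"), (root, "W"),
            (f"/data{root}", "R"), (f"/data{root}", "W"),
            ("/restricted-components", "W"),
            ("/tenants", "R"), ("/tenants", "W"),
            ("/policies", "R"), ("/policies", "W"),
            ("/controller", "R"), ("/controller", "W")]


def _pretty(elem: ET.Element) -> str:
    return minidom.parseString(ET.tostring(elem, encoding="unicode")).toprettyxml(indent="    ")


def build_users_xml(admin_identity: str, groups: dict) -> str:
    """<tenants> document: every identity gets a seeded <user>; groups map name -> member identities."""
    tenants = ET.Element("tenants")
    groups_el = ET.SubElement(tenants, "groups")
    users_el = ET.SubElement(tenants, "users")
    identities = {admin_identity}
    for name, members in groups.items():
        # Group ids are not seeded by NiFi; any unique UUID works since this file is authoritative.
        group = ET.SubElement(groups_el, "group", identifier=nifi_seeded_id(name), name=name)
        for member in members:
            identities.add(member)
            ET.SubElement(group, "user", identifier=nifi_seeded_id(member))
    for identity in sorted(identities):
        ET.SubElement(users_el, "user", identifier=nifi_seeded_id(identity), identity=identity)
    return _pretty(tenants)


def build_authorizations_xml(root_pg_id: str, admin_identity: str, group_grants: dict) -> str:
    """<authorizations> document with one <policy> per (resource, action) listing all its members.

    The admin gets the full initial set; group_grants maps group name -> [(resource, action), ...].
    Policy <user>/<group> elements reference identifiers from users.xml, never identity strings.
    """
    members = {}
    for key in initial_admin_policies(root_pg_id):
        members.setdefault(key, {"group": set(), "user": set()})["user"].add(nifi_seeded_id(admin_identity))
    for name, grants in group_grants.items():
        for key in grants:
            members.setdefault(key, {"group": set(), "user": set()})["group"].add(nifi_seeded_id(name))
    auth = ET.Element("authorizations")
    policies = ET.SubElement(auth, "policies")
    for (resource, action), who in sorted(members.items()):
        policy = ET.SubElement(policies, "policy", identifier=nifi_seeded_id(resource + action),
                               resource=resource, action=action)
        for gid in sorted(who["group"]):
            ET.SubElement(policy, "group", identifier=gid)
        for uid in sorted(who["user"]):
            ET.SubElement(policy, "user", identifier=uid)
    return _pretty(auth)


def policy_members(authorizations_xml: str) -> dict:
    """Read a generated (or NiFi-written) authorizations.xml back: (resource, action) -> (group ids, user ids)."""
    out = {}
    for p in ET.fromstring(authorizations_xml).iter("policy"):
        out[(p.get("resource"), p.get("action"))] = (
            frozenset(g.get("identifier") for g in p.findall("group")),
            frozenset(u.get("identifier") for u in p.findall("user")))
    return out


if __name__ == "__main__":
    root_pg = "138b1307-7a1d-4c0d-8120-ecdaa1741629"  # sample; must equal the root id in your flow.json.gz
    admin = "admin"                                    # the identity your Keycloak mapping yields for the admin
    operators = ["alice@example.com", "bob@example.com"]  # constructed sample identities
    # "Most of the admin privileges": everything except changing users/groups and policies.
    ops_grants = [p for p in initial_admin_policies(root_pg)
                  if p not in {("/tenants", "W"), ("/policies", "W")}]
    Path("users.xml").write_text(build_users_xml(admin, {"nifi-operators": operators}))
    Path("authorizations.xml").write_text(
        build_authorizations_xml(root_pg, admin, {"nifi-operators": ops_grants}))
```

Run it before the first start of the pod and mount the two files together with the pre-built flow.json.gz. Because the providers only load files that already exist, nothing is appended at startup, so every user and group a policy references must already be in users.xml. The group's access is expressed as a `<group>` element inside the existing `<policy>` for that resource and action rather than as a second policy, which matches the one-policy-per-resource-and-action layout of the files NiFi writes itself, and `policy_members` lets you compare what you generated with what a scratch instance produced.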

2 REPLIES

Community Manager

@joyjlee, Welcome to our community! To help you get the best possible answer, I have tagged in our NiFi experts @ckumar @mnui @MattWho  who may be able to assist you further.

Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.

Regards,

Vidya Sargur,
Community Manager

