
User management NiFi

New Contributor

Hi, I am new to NiFi. I installed version 1.1.2 on a CentOS6 virtual machine for testing purposes. Installation went fine and I also secured it with certificates/keys etc. via the toolkit.

In the authorizers.xml I configured CN=admin as Initial Admin Identity. CN=admin was also used with the toolkit to generate the keys etc. I imported the certificate in the browser and it works fine. For testing purposes I want to assign roles to the admin. I can create a user, but, same as with the admin, I don't know where to add which roles.

In the admin guide on the apache nifi website they talk about connecting an LDAP, but I don't want that. I just want an admin and 1 or 2 users maybe in the application and assign roles. I see the roles described in the admin guide, but where and how do I configure that?

The users.xml and authorizations.xml were nicely created. In the users.xml I have:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c" identity="cn=admin"/>
    </users>
</tenants>

But if I add roles under user admin then the nifi service won't start anymore.

<role name="ROLE_ADMIN"/>

<role name="ROLE_DFM"/>

Hope anyone can help me out :).

With kind regards,

Bram

1 ACCEPTED SOLUTION

Master Mentor

@Bram Klinkenberg

The users.xml and authorizations.xml files are generated for you the first time NiFi is started after being secured. Initially they are populated using the configuration from the authorizers.xml file.

In that file you specified an "Initial Admin Identity" (assuming you used CN=admin).

As a result a user (CN=admin) was added to the users.xml file and the relevant "admin" related access policies were assigned to that user in the authorizations.xml file.

At this point your user (CN=admin) should be able to access the NiFi UI.

The admin will use the NiFi UI to add additional users and authorize them for various access policies:

Users are managed and Global Policies are applied as follows:

[screenshot: 14194-screen-shot-2017-03-29-at-83033-am.png]

Adding "Users" within NiFi has nothing to do with user authentication. The users you add here are for authorization to NiFi resources only. User authentication must occur first and can be accomplished using user-issued certs loaded in the browser, Kerberos, or LDAP.

Global access policies include the following:

[screenshot: 14196-screen-shot-2017-03-29-at-83653-am.png]

Component (Processors, process groups, and other things on canvas) level access policies are assigned to users as follows:

[screenshot: 14195-screen-shot-2017-03-29-at-83326-am.png]

Component level access policies include:

[screenshot: 14197-screen-shot-2017-03-29-at-83800-am.png]

Some component level access policies are only available to specific components. If the currently selected component does not support the policy, it will be greyed out in the list.

More detail on the various access policies can be found in the admin guide:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies

Thank you,

Matt


3 REPLIES

Master Mentor

@Bram Klinkenberg

The "Roles" noted above are only valid for use in the older Apache NiFi 0.x baseline. They were part of the authorized-users.xml file used in that baseline.

The Apache NiFi 1.x baseline added support for multi-tenancy and granular access control via access policies. It is an entirely new authorization method and uses different files. There is no notion of Roles in NiFi 1.x. The authorizers.xml file allows you to specify a legacy authorized-users.xml file in place of configuring an "Initial Admin Identity", simply to make it easy for users of NiFi 0.x to port their existing users over to NiFi 1.x.

Matt
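The authorization model Matt describes in the accepted answer and in this reply (users.xml holds identities, authorizations.xml holds resource/action policies that reference those users or their groups by identifier, and there are no roles) is easy to audit directly from the two files. The script below is an added example and is not code from the thread or from the NiFi project. The users.xml is modelled on the one in the question; the authorizations.xml, the group "operators", the user "cn=bob", and all policy identifiers are constructed placeholders. It resolves the effective (resource, action) set per identity and flags identities that can write /tenants or /policies, which is what makes an account an administrator in NiFi 1.x.

```python
"""Audit NiFi 1.x file-based authorization: users.xml + authorizations.xml."""
import xml.etree.ElementTree as ET

# Constructed sample users.xml, modelled on the one posted in the question.
# "cn=bob" and the group "operators" are placeholders added for illustration.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups>
        <group identifier="g-ops" name="operators">
            <user identifier="u-bob"/>
        </group>
    </groups>
    <users>
        <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c" identity="cn=admin"/>
        <user identifier="u-bob" identity="cn=bob"/>
    </users>
</tenants>
"""

# Constructed sample authorizations.xml. Policy identifiers are placeholders;
# each policy names one resource and one action (R or W) and lists the users
# and groups that hold it, by identifier, exactly as NiFi 1.x does.
AUTHZ_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="p1" resource="/flow" action="R">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
            <group identifier="g-ops"/>
        </policy>
        <policy identifier="p2" resource="/tenants" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="p3" resource="/policies" action="W">
            <user identifier="1a0ab441-da40-30dd-b28c-c4a4c710d03c"/>
        </policy>
        <policy identifier="p4" resource="/process-groups/root" action="W">
            <group identifier="g-ops"/>
        </policy>
    </policies>
</authorizations>
"""

# Writing these two resources lets a user add users or grant policies,
# i.e. escalate to anything else; treat them as the "admin" resources.
ADMIN_RESOURCES = {"/tenants", "/policies"}


def load_tenants(users_xml):
    """Return (user identifier -> identity, user identifier -> set of group ids)."""
    root = ET.fromstring(users_xml)
    users = {u.get("identifier"): u.get("identity")
             for u in root.find("users").findall("user")}
    groups = {}
    for g in root.find("groups").findall("group"):
        for member in g.findall("user"):
            groups.setdefault(member.get("identifier"), set()).add(g.get("identifier"))
    return users, groups


def effective_policies(users_xml, authz_xml):
    """Map each identity to the set of (resource, action) it holds,
    either directly or through group membership."""
    users, groups = load_tenants(users_xml)
    result = {identity: set() for identity in users.values()}
    root = ET.fromstring(authz_xml)
    for policy in root.find("policies").findall("policy"):
        key = (policy.get("resource"), policy.get("action"))
        direct = {u.get("identifier") for u in policy.findall("user")}
        via_group = {g.get("identifier") for g in policy.findall("group")}
        for uid, identity in users.items():
            if uid in direct or groups.get(uid, set()) & via_group:
                result[identity].add(key)
    return result


def policy_admins(users_xml, authz_xml):
    """Identities that can change users or policies (sorted list)."""
    return sorted(identity
                  for identity, pols in effective_policies(users_xml, authz_xml).items()
                  if any(res in ADMIN_RESOURCES and act == "W" for res, act in pols))


if __name__ == "__main__":
    for identity, pols in effective_policies(USERS_XML, AUTHZ_XML).items():
        print(identity)
        for res, act in sorted(pols):
            print(f"    {act}  {res}")
    print("policy admins:", policy_admins(USERS_XML, AUTHZ_XML))
```

To run it against a real instance, read the two files from NiFi's conf directory into USERS_XML and AUTHZ_XML instead of the constructed strings; the identity strings are compared as written, so apply the same identity mappings NiFi uses before matching on them.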

Rising Star

@Matt Clarke

Hi Matt,

I am trying to secure my nifi-1.1.1 instance using Kerberos. I have set up the truststore and keystore in the nifi home directory using nifi-tls-toolkit, also set the truststore and keystore passwords in nifi.properties, and provided kerberos-provider as the login-identity-provider. I have set up the authorizers.xml with the same CN as I used in the certificates. But after restarting nifi, the UI is not coming up; I am getting a "site can't be reached: refused to connect" error. I also tried importing the .p12 cert into my browser, but that also didn't help. Could you please suggest what is wrong in the process I followed?