Created 09-23-2025 05:24 AM
Hello, I have configured certificate-based authorization by using manager-authorizer in nifi.properties and then adding property name="Initial Admin Identity" in the <userGroupProvider> and <accessPolicyProvider> sections of authorizers.xml.
Now once I do that and import the admin cert (which I specified in authorizers.xml), I can access NiFi and I can bring components/processors from the Component Toolbar. I can also add users from the Global Menu "Users" section or add Policies.
The issue I am experiencing is that the user I added can only view the processor groups and can't modify them. Apart from this, the whole component toolbar is grayed out, so it is not accessible.
I went to my admin account and added that user in some Policies but this did not help.
I saw in some article that we need to right click on a certain processor group and then go to "Manage Access Policies", but surprisingly for my admin account the Add User icon is gray and I am not able to click it. I have added two photos, one showing my user's component toolbar being inaccessible and another one of my admin cert logged in to NiFi, where I see the Add User icon is not accessible. (Note: I can add users from the Global Menu.)
How to resolve this? Can someone please advise. I want to provide access to users so that they can do their work in one processor group.
Created 09-23-2025 10:09 AM
NiFi allows very granular authorizations down to the individual component. A component such as a processor will inherit its authorizations from the Process Group in which it resides, IF there are no explicit policies set directly on the processor itself. Likewise, a Process Group will inherit its authorization from its parent Process Group if it does not have explicit policies set directly on that child process group.
When you launch NiFi for the very first time, NiFi will create the root Process Group for you and it will have the name "NiFi Flow". It is the UI canvas you see when you access the UI.
From the second image you shared we can see that you have accessed the "policies" for a child process group named "Copy of ProcessGroupAdminTest".
What we can also see from this is that it is inheriting the "view the component" policy from the root process group "NiFi Flow":
This is why you will see the add user and delete options as greyed out. You need to first click "override" and choose either to start with no users or copy the current authorized users. After doing this you will be able to add additional users to this policy on this child process group.
Keep in mind that once you override inheritance on this components policy(s), inheritance no longer applies to this component. Any changes to the policies set on the parent Process Group "NiFi Flow" will not get applied to this child Process Group.
Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
Created on 09-24-2025 03:48 AM - edited 09-24-2025 03:56 AM
OK, thank you, I will check. But how do I provide access to the Component Toolbar to the users who are not admin? I have overridden that option (which is visible in the screenshot from the main question and which you also discussed in your answer above) from the admin account and added this user, but now that user can only go inside that processor group, and things are no longer grey in the processor group, but still that user can't bring a new processor from the Component Toolbar, as the whole section is still grey.
New Update: So now 5 mins later I went to the admin account again, right clicked on a certain processor-group and clicked on the "Manage Access Policies"-> dropdown which was showing the "View the component"-> changed it to "Modify the component". After this the user is able to bring new processors to that processor group.
Is it the correct approach? Do I need to provide any more access?
Created 09-24-2025 05:55 AM
@AlokKumar
NiFi authorization policies are very granular.
A user will not have access to the flow development icons across the top of the UI unless that user is authorized within the currently accessed process group to "modify the component", but you would also want those same users to be authorized for "view the component". Now depending on what additional access you want each user to have, you'll probably be authorizing them for even more NiFi policies. Keep in mind that adding a user to the "modify the component" authorization policy in the "Copy of ProcessGroupAdminTest" process group will only give that user the ability to add and modify components within that process group and any child/sub process group of the "Copy of ProcessGroupAdminTest" Process Group (if a child/sub process group is not inheriting authorizations from the parent Process Group, then the user you add to the parent would not have the same access to the child/sub Process Group).
NiFi has "Global Access Policies" and "Component Access Policies"
The Global Access Policies are set by accessing the NiFi Global menu (three horizontal lines in upper right corner of the NiFi UI) and then "Policies".
If you hover your cursor over the access policy, it will pop-up a description of what the policy grants access for:
The levels of access you want to provide your individual users/teams is completely up to you. ALL users must be authorized for the "View the User Interface" global access policy in order to access the NiFi UI, but that does not give the user much access beyond that.
So you need to decide which users will be building dataflows; NiFi refers to them as DataFlow Managers (DFMs). Then you may also have operators to whom you only grant the ability to "view the component" and "operate the component" on certain dataflows, with no authorization to modify or view the data.
The component level access policies are set by clicking on the "key" icon for a selected component. For example: Below I have clicked on the "GenerateFlowFile" processor as we can see it in the "operation" panel to its left. Inside that Operate panel, your admin user (or other users you have authorized) will have access to the policies for that component.
Granting a user "view the component" and "modify the component" on a process group will give that user the ability to build and operate dataflows. But that user will still not be authorized to view the content of the FlowFiles traversing that dataflow, empty a connection queue, or view the provenance data produced by those components unless you set those additional authorizations.
Thank you,
Matt
Created 09-24-2025 11:29 PM
Thank you for your advice above. That really helped. Now one new thing I am observing is that I can't see Data Provenance from the admin or user accounts. So I right clicked on the process group, clicked on "Manage Access Policies", changed the dropdown which was showing "View the component" to "View Provenance", and then added the users. But still I can't see the data provenance icon when I right click any processor to check. This is for both the admin and user accounts.
Created 09-25-2025 05:38 AM
@AlokKumar
When you authorize a user to "View Provenance", you are authorizing that user to be able to view provenance events created by that component (and any components that may be inheriting this authorization). So this authorization controls what the user can see, but does not give that user the ability to execute a provenance query. For that, the admin user will need to go into the NiFi Global menu --> Policies and authorize the user for the "query provenance" access policy.
Thank you,
Matt
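Added example, not part of the thread and not NiFi's own code: a simplified Python model of the rules described in the answers above (policy inheritance from the parent Process Group, what "override" does, and the two separate authorizations needed for provenance). The class and function names and the users "admin", "user1" are assumptions made for illustration; the policy names are the ones quoted in the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Component:
    """Process group or processor in a simplified model of the canvas."""
    name: str
    parent: Optional["Component"] = None
    # policy name -> users; a key exists only where "override" was used
    explicit: dict = field(default_factory=dict)

    def effective(self, policy):
        """Return (users, name of the component the policy is defined on)."""
        node = self
        while node is not None:
            if policy in node.explicit:
                return node.explicit[policy], node.name
            node = node.parent
        return set(), None

    def override(self, policy, copy_users=True):
        """Stop inheriting: start from a copy of the inherited users, or empty."""
        users, _ = self.effective(policy)
        self.explicit[policy] = set(users) if copy_users else set()
        return self.explicit[policy]

def can_use_toolbar(user, group, global_policies):
    """Toolbar needs UI access plus "modify the component" on the open group."""
    return (user in global_policies.get("view the user interface", set())
            and user in group.effective("modify the component")[0])

def can_see_provenance(user, component, global_policies):
    """Needs global "query provenance" and component-level "view provenance"."""
    return (user in global_policies.get("query provenance", set())
            and user in component.effective("view provenance")[0])

def build_sample():
    """Constructed sample: root group, one child group, one processor."""
    root = Component("NiFi Flow", explicit={
        "view the component": {"admin"}, "modify the component": {"admin"}})
    child = Component("Copy of ProcessGroupAdminTest", parent=root)
    proc = Component("GenerateFlowFile", parent=child)
    globals_ = {"view the user interface": {"admin", "user1"},
                "query provenance": set()}
    return root, child, proc, globals_

if __name__ == "__main__":
    root, child, proc, g = build_sample()
    print(child.effective("view the component"))   # inherited from the root
    child.override("modify the component").add("user1")
    print(can_use_toolbar("user1", child, g), can_use_toolbar("user1", root, g))
```

Running `effective()` for every user and policy on a group is a quick way to review who ends up with access after an override, since later changes on the parent no longer reach that group.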