security and schema separation in NiFi

Super Collaborator

Is there a way to hide users' work areas from each other in NiFi? We are using Ranger and Kerberos.

1 ACCEPTED SOLUTION

Guru

@Sami Ahmad

NiFi supports multi-tenant authorization (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization) which "enables multiple groups of users (tenants) to command, control, and observe different parts of the dataflow, with varying levels of authorization." For example, each user could be given access to a process group on the canvas. Not sure if that meets your definition of "work area".


2 REPLIES

Master Mentor

@Sami Ahmad

Users who are not authorized for specific NiFi components (process groups, processors, input/output ports, etc.) will only see "ghost" processors. Those ghost processors will not contain any information on the face of them that reveals their type or configuration.

[Screenshot: 77792-screen-shot-2018-06-20-at-113342-am.png]

Unless authorized, users also will not be able to list queues, perform provenance queries, etc. on FlowFiles that traverse these components.

There are good reasons why NiFi does not hide these ghost processors completely:

1. All components operate within the same resource constraints of a single JVM. It is important that all users can identify areas of any flow that may be backlogging or have large queues, as these things may impact their own dataflows. While they cannot see the actual data or processor details, they can observe FlowFile stat info, as you can see in the above screenshot.

2. If User1 built a dataflow only User1 could see, User2 may end up building a dataflow directly on top of it. While functionally NiFi does not care about overlapping components, User3, who logs in and has access to both User1's and User2's flows, would. It would make it very hard for User3 to follow the canvas in such a case.


Thanks,

Matt
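The separation described in this thread, as an added example that is not part of the original posts and is not NiFi or Ranger code: a simplified Python model of per-process-group policies, where a component with no policy of its own falls back to its enclosing process group. The resource shapes follow the NiFi administration guide; the canvas, ids, users and policies are constructed for illustration.

```python
# Simplified model of NiFi component-level authorization; not NiFi or Ranger code.
# Resource shapes (/processors/<id>, /data/..., /provenance-data/...) follow the
# NiFi admin guide; every id, user and policy below is constructed.

PARENT = {  # component -> enclosing process group (constructed canvas)
    "processors/p1": "process-groups/teamA",
    "processors/p2": "process-groups/teamB",
    "process-groups/teamA": "process-groups/root",
    "process-groups/teamB": "process-groups/root",
}

POLICIES = {  # (resource, action) -> users granted (constructed)
    ("/process-groups/teamA", "read"): {"user1", "user3"},
    ("/data/process-groups/teamA", "read"): {"user1"},
    ("/provenance-data/process-groups/teamA", "read"): {"user1"},
    ("/process-groups/teamB", "read"): {"user2", "user3"},
    ("/data/process-groups/teamB", "read"): {"user2"},
}


def authorized(user, prefix, component, action="read"):
    """Walk from the component up through its parent groups.

    The nearest policy found decides; no policy anywhere means deny.
    """
    node = component
    while node is not None:
        users = POLICIES.get((f"{prefix}/{node}", action))
        if users is not None:
            return user in users
        node = PARENT.get(node)
    return False


def view(user, component):
    """What one user gets for one component on the shared canvas."""
    return {
        # Without component read access the processor renders as a ghost.
        "rendering": "full" if authorized(user, "", component) else "ghost",
        # FlowFile statistics stay visible to everyone, as the reply explains.
        "stats_visible": True,
        "list_queue": authorized(user, "/data", component),
        "provenance": authorized(user, "/provenance-data", component),
    }


if __name__ == "__main__":
    for u in ("user1", "user2", "user3"):
        print(u, view(u, "processors/p1"))
```

Viewing a component and viewing its data are separate grants in this model, so user3 can read both teams' flows without being able to list either team's queues.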