security and schema separation in nifi
Created ‎06-20-2018 03:00 PM
Is there a way to hide users' work areas from each other in NiFi? We are using Ranger and Kerberos.
Created ‎06-21-2018 02:39 PM
NiFi supports multi-tenant authorization (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#multi-tenant-authorization) which "enables multiple groups of users (tenants) to command, control, and observe different parts of the dataflow, with varying levels of authorization." For example, each user could be given access to a process group on the canvas. Not sure if that meets your definition of "work area".
Created on ‎06-21-2018 03:51 PM - edited ‎08-17-2019 06:36 PM
Users who are not authorized for specific NiFi components (process groups, processors, input/output ports, etc.) will only see "ghost" processors. Those ghost processors will not contain any information on the face of them that reveals their type or configuration.
Unless authorized, users also will not be able to list queues, perform provenance queries, etc. on FlowFiles that traverse these components.
There are good reasons why NiFi does not hide these ghost processors completely:
1. All components operate within the same resource constraints of a single JVM. It is important that all users can identify areas of any flow that may be backlogging or have large queues, as these things may impact their own dataflows. While they cannot see the actual data or processor details, they can observe FlowFile stat info as you can see in the above screenshot.
2. If User1 built a dataflow only User1 could see, User2 may end up building a dataflow directly on top of it. While functionally NiFi does not care about overlapping components, User3, who logs in and has access to both User1's and User2's flows, would. It would make it very hard for User3 to follow the canvas in such a case.
Thanks,
Matt
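Added example, not part of the original thread and not NiFi's own code: a small Python check an administrator could run over a flow listing fetched as one tenant, to confirm that the tenant reads only its own process group and that other groups show up as ghosts with queue statistics only. The sample body is constructed, and its field layout (`permissions.canRead`, an optional `component`, `status.aggregateSnapshot.flowFilesQueued`) and all ids are assumptions.

```python
# Constructed sample shaped like a NiFi flow listing fetched as tenant "user2".
# Assumed field layout: permissions.canRead, optional "component", and
# status.aggregateSnapshot.flowFilesQueued. All ids and names are made up.
SAMPLE = {"processGroupFlow": {"flow": {"processGroups": [
    {"id": "pg-user1", "permissions": {"canRead": False, "canWrite": False},
     "status": {"aggregateSnapshot": {"flowFilesQueued": 1200}}},
    {"id": "pg-user2", "permissions": {"canRead": True, "canWrite": True},
     "component": {"name": "user2-ingest"},
     "status": {"aggregateSnapshot": {"flowFilesQueued": 3}}},
    {"id": "pg-shared", "permissions": {"canRead": True, "canWrite": False},
     "component": {"name": "shared-egress"},
     "status": {"aggregateSnapshot": {"flowFilesQueued": 0}}},
]}}}

KINDS = ("processGroups", "processors", "inputPorts", "outputPorts")


def _entities(body):
    """Yield every component entity in the listing, whatever its kind."""
    flow = body["processGroupFlow"]["flow"]
    for kind in KINDS:
        yield from flow.get(kind, [])


def audit_visibility(body, expected_readable):
    """Return (id, finding) pairs where actual read access differs from intent."""
    findings = []
    for entity in _entities(body):
        can_read = entity.get("permissions", {}).get("canRead", False)
        if can_read and entity["id"] not in expected_readable:
            findings.append((entity["id"], "unexpected-read"))
        elif not can_read and entity["id"] in expected_readable:
            findings.append((entity["id"], "missing-read"))
    return sorted(findings)


def ghost_backlog(body):
    """Queue depth of components the tenant sees only as ghosts."""
    return {
        e["id"]: e.get("status", {}).get("aggregateSnapshot", {}).get("flowFilesQueued", 0)
        for e in _entities(body)
        if not e.get("permissions", {}).get("canRead", False)
    }


if __name__ == "__main__":
    print(audit_visibility(SAMPLE, {"pg-user2"}))
    print(ghost_backlog(SAMPLE))
```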
