Member since 12-09-2016 | 21 Posts | 4 Kudos Received | 1 Solution
My Accepted Solutions
Title | Views | Posted
---|---|---
 | 6817 | 01-17-2017 12:31 PM
06-28-2017 07:48 PM
1 Kudo
You have to implement a custom reporting task that pages through the events and does something with them... A ReportingTask has access to a ReportingContext which has access to EventAccess which has a method for paging through the flow change events. Here is an example: https://github.com/bbende/incubator-atlas/blob/NIFI/addons/nifi-bridge/nifi-atlas-bundle/nifi-atlas-reporting-task/src/main/java/org/apache/nifi/reporting/atlas/AtlasReportingTask.java#L117-L139
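As an added illustration of the paging pattern described above (this is example code, not code from the post or from the linked Atlas bridge): a minimal ReportingTask that walks provenance events through EventAccess one page at a time and records the last handled event id in NiFi's StateManager, so a restart neither replays the whole repository nor skips events. The page size, the state key and the ship() sink are assumptions of this example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;

import org.apache.nifi.components.state.Scope;
import org.apache.nifi.components.state.StateManager;
import org.apache.nifi.provenance.ProvenanceEventRecord;
import org.apache.nifi.reporting.AbstractReportingTask;
import org.apache.nifi.reporting.EventAccess;
import org.apache.nifi.reporting.ReportingContext;

/** Example only: walks the provenance repository in pages and hands each page to ship(). */
public class PagingProvenanceReportingTask extends AbstractReportingTask {
    // Assumed values for this example; a real task would expose these as PropertyDescriptors.
    private static final int PAGE_SIZE = 1000;
    private static final String LAST_EVENT_ID_KEY = "lastEventId";

    @Override
    public void onTrigger(final ReportingContext context) {
        final EventAccess eventAccess = context.getEventAccess();
        final StateManager stateManager = context.getStateManager();
        try {
            // Event ids belong to this node's own repository, so progress is kept in LOCAL scope.
            final String saved = stateManager.getState(Scope.LOCAL).get(LAST_EVENT_ID_KEY);
            long nextEventId = (saved == null) ? 0L : Long.parseLong(saved) + 1;
            List<ProvenanceEventRecord> page;
            do {
                // At most PAGE_SIZE events, in id order, starting at nextEventId.
                page = eventAccess.getProvenanceEvents(nextEventId, PAGE_SIZE);
                if (page.isEmpty()) {
                    break;
                }
                ship(page);
                // Commit progress only after the page was handled: a crash mid-page replays it, never drops it.
                final long lastId = page.get(page.size() - 1).getEventId();
                stateManager.setState(
                    Collections.singletonMap(LAST_EVENT_ID_KEY, Long.toString(lastId)), Scope.LOCAL);
                nextEventId = lastId + 1;
            } while (page.size() == PAGE_SIZE);
        } catch (final IOException e) {
            getLogger().error("Failed to page through provenance events", e);
        }
    }

    /** Hypothetical sink: replace with a call to your audit or SIEM destination. */
    protected void ship(final List<ProvenanceEventRecord> events) {
        for (final ProvenanceEventRecord e : events) {
            getLogger().info("event {} {} component={} flowfile={}",
                new Object[] {e.getEventId(), e.getEventType(), e.getComponentId(), e.getFlowFileUuid()});
        }
    }
}
```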
03-09-2017 05:06 PM
1 Kudo
@Oliver Fletcher
Let's assume you have Node A, Node B, and Node C in your NiFi cluster. Now your AD user is logged into Node A and runs a provenance query. That provenance query is propagated to all other nodes (A, B, and C) by Node A. Each node runs the query, which may return 0 to many results. (Actually, looking in the nifi-app.log of each node will show a log line that indicates the number of returned results.) All those results are returned to Node A, where your user is logged in, for display in the provenance UI. Node A, upon receiving these events, will check to see which results Node A is allowed to access. In your case your user has access to the data but your nodes do not.
The nodes must be granted access to the data of the component(s) the provenance results belong to. Generally speaking, you set data access policies at the process group level, and all components and process groups contained within the process group inherit those parent access policies. You will need the UUID of your root process group. Then in Ranger you would add a new policy that grants all your nodes access to the "/data/process-group/<uuid of root process group>" resource. After doing so, try running your query again and you should see results. You should already have an existing policy in Ranger which grants all your nodes the /proxy resource. Thanks, Matt
06-15-2017 12:17 PM
@Johny Travolta I don't understand how not having a shared token necessarily means you do not have a cluster. You will get better traction from the community if you move this to a new question. I am not a NiFi developer myself, so I could not comment on the complexity of implementing a shared LDAP token response across all nodes in a NiFi cluster. But I am sure that if you open a new question around this topic, you will get a response from someone who can answer for you. Thanks, Matt
02-02-2017 01:01 PM
1 Kudo
@Oliver Fletcher Authentication and authorization are two separate processes within NiFi. There is currently no way for NiFi to pull LDAP groups into its authorizer. While NiFi's file-based local authorizer does support groups, those groups are not mapped to any LDAP groups. With NiFi's latest release, authentication via LDAP supports only two "Identity Strategies":
Identity Strategy: Strategy to identify users. Possible values are USE_DN and USE_USERNAME. The default functionality if this property is missing is USE_DN in order to retain backward compatibility. USE_DN will use the full DN of the user entry if possible. USE_USERNAME will use the username the user logged in with.
So either the DN returned by LDAP (USE_DN) or the username entered on the login screen (USE_USERNAME) is passed to the authorizer after any configured pattern mapping. There is currently no strategy for passing the user's LDAP group to the authorizer. NiFi has no support for Ranger groups, as you are already aware. However, you could create a set of groups in NiFi's local file-based authorizer that each provide a distinct set of access policies. You could then use your script idea to conduct LDAP searches and map users' DNs or usernames to those specific NiFi groups. Your scripts could make calls to the nifi-api to automate adding these users to those groups. Thanks, Matt
01-23-2017 04:51 PM
Glad that worked! Concerning group permissions, that is definitely a known issue; I don't believe there's a public work ticket that you can follow.