
Adding policies to newly added users by Initial Admin


I set up HTTPS locally for NiFi version 1.4 and am able to successfully log in to the UI through a client certificate. But I cannot seem to add policies to new users I create in reference to the steps described in the answer here.

My authorizations.xml looks like authorizations.xml and my users.xml like users.xml.

Really need help with where I am doing it wrong.

Appreciate it!


Hi @Zeeshan Cornelius,

To have something configurable from NiFi UI (allowing you to manage users/groups from the Users view), I believe you'd need to go through the definition of a Composite Configurable User Group provider. Your authorizers.xml file should look like:

<authorizers>

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">admin</property>
    </userGroupProvider>

    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">admin</property>
        <property name="Legacy Authorized Users File"></property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

</authorizers>

Let me know if this helps,

Pierre.

Or... since you're not using LDAP, you could directly use the File Authorizer instead of the managed one:

    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity"></property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1"></property>
    </authorizer>

And then just reference this identifier in the nifi.properties file:

nifi.security.user.authorizer=file-provider
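
A consistency check for the files discussed in this thread, as an added example that is not part of either reply and not NiFi's own code: it confirms that the authorizer named in nifi.security.user.authorizer exists, that every provider reference resolves to a defined identifier, and that the Initial Admin Identity is one of the seeded Initial User Identities. The function name `check_authorizers` and the trimmed sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first reply's chain, trimmed to what the check reads.
SAMPLE = """<authorizers>
  <userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <property name="Initial User Identity 1">admin</property>
  </userGroupProvider>
  <userGroupProvider>
    <identifier>composite-configurable-user-group-provider</identifier>
    <property name="Configurable User Group Provider">file-user-group-provider</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <property name="User Group Provider">composite-configurable-user-group-provider</property>
    <property name="Initial Admin Identity">admin</property>
  </accessPolicyProvider>
  <authorizer>
    <identifier>managed-authorizer</identifier>
    <property name="Access Policy Provider">file-access-policy-provider</property>
  </authorizer>
</authorizers>"""

def check_authorizers(xml_text, authorizer_id):
    root = ET.fromstring(xml_text)
    ids = {tag: {e.findtext("identifier", "").strip(): e for e in root.findall(tag)}
           for tag in ("userGroupProvider", "accessPolicyProvider", "authorizer")}
    prop = lambda e, name: (e.findtext(f"property[@name='{name}']") or "").strip()
    problems = []
    if authorizer_id not in ids["authorizer"]:
        problems.append(f"nifi.properties names unknown authorizer '{authorizer_id}'")
    # Each reference property must name an identifier defined in the same file.
    refs = (("authorizer", "Access Policy Provider", "accessPolicyProvider"),
            ("accessPolicyProvider", "User Group Provider", "userGroupProvider"),
            ("userGroupProvider", "Configurable User Group Provider", "userGroupProvider"))
    for tag, name, target in refs:
        for ident, elem in ids[tag].items():
            ref = prop(elem, name)
            if ref and ref not in ids[target]:
                problems.append(f"{ident}: '{name}' -> undefined '{ref}'")
    # Assumption: the admin is seeded via Initial User Identity (file-based provider).
    seeded = {(p.text or "").strip() for u in ids["userGroupProvider"].values()
              for p in u.findall("property")
              if p.get("name", "").startswith("Initial User Identity")}
    for ident, elem in ids["accessPolicyProvider"].items():
        admin = prop(elem, "Initial Admin Identity")
        if admin and admin not in seeded:
            problems.append(f"{ident}: admin '{admin}' is not an Initial User Identity")
    return problems
```

An empty list means the chain is consistent; the identity comparison is an exact string match, so a certificate DN has to be written identically in both properties.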