2

I understand how to use the Apache Nifi GUI to add new users and enforce policies. I am, however, trying to automate this process so that when I start up my Docker Nifi container, it already has three user groups (essentially an admin, user, and reader). I am using NiPyAPI, but to be honest, I cannot manage to get even a full list of policies to loop through.

I don't use the Registry component as I just need a simple workflow at the moment. If you have a great incentive for it in simple cases, I'm happy to listen.

The specific problem that I'm having is: I cannot figure out a solid list of policies that are available - all the methods and endpoints I can see require you to already know what those are. I can muck around in the GUI and print them all out once I add all the roles to the Admin user, but I feel like there should be a better way to get a consolidated and thorough list of all the options one has.

Any and all advice on getting all these user groups and policies automated (preferably with Python) would be appreciated.

Oh yes, and also, I'm using SSL and not LDAP.

Kelly P
  • 43
  • 5

1 Answers1

1

If you are using TLS client certificate authentication (not LDAP), the users are defined by static identifiers (derived from the DN of the certificate via the Identity Mapping rules located in the nifi.properties file). Each defined user has policies assigned to that user and a resource (component - PG, processor, etc.), determining the user's permissions to view/modify the resource.

There are a few suitable approaches you can use in this case:

  1. Create a "good" state using the UI and then export the authorizers.xml, users.xml, and authorizations.xml files from the $NIFI_HOME/conf/ directory. These XML files can be pre-loaded into your Docker container to have these same policies available from the first startup.
  2. All the operations done through the NiFi UI actually use the NiFi REST API behind the scenes. You can open your browser's Developer Tools panel to monitor the API calls used to list, create, and modify user definitions and access policy assignments, and copy those invocations to the scripting language of your choice to dynamically create these policies on container startup (using NiPyAPI, NiFi CLI, raw HTTP calls via curl, etc.)

The policies are documented in the Apache NiFi Admin Guide under the Global Access Policies and Component-level Access Policies sections.

Andy
  • 13,916
  • 1
  • 36
  • 78
  • 1. I was under the impression that replacing the XML files is bad practice - is this preferable? 2. That NiFi CLI looks really helpful, I appreciate that. – Kelly P Mar 05 '19 at 17:11
  • If you have known good XML files, it is perfectly fine to load them into a new instance of NiFi. Replacing existing XML files is discouraged but sometimes makes sense (when doing disaster recovery on a cluster node, for example). – Andy Mar 06 '19 at 20:09