Greetings. I have been trying to use the new release of NiFi today, and am frankly at a dead end. I can't use it with security enabled.
We have been using 0.6.1, 0.7, and 0.8 recently, so I followed the recommendations of using the existing authorized-users.xml file to migrate to the new model. This process did allow me to log in, but did not give me any write access from the old DFM role. In fact, it did not even create all of the authorizations mentioned here (http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup). It only created write policies for the following:

- Controller
- Tenants
- Policies
- Site-to-site

Thus, even though I had ADMIN, DFM, and PROVENANCE before, it looks like I was only given admin rights.

Furthermore, when I accessed the UI, I wanted to add groups and policies, but I can't for the life of me figure out how I'm supposed to do this. It seems like I can only add users to existing policies in the "Access Policies" dialog or add users in general on the "NiFi Users" dialog. Since I am not supposed to manually edit these files, I am not sure how I am supposed to fix this. Any help in this regard would be greatly appreciated.

Here is the original authorized-users.xml snippet with my roles: (NB: I have removed other users from the listings below. I was the second user out of six.)

$ cat authorized-users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
    <user dn="[email protected], CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com">
        <role name="ROLE_DFM"/>
        <role name="ROLE_ADMIN"/>
        <role name="ROLE_PROVENANCE"/>
    </user>
</users>

Here is the resulting users.xml:

$ cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8" identity="[email protected], CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com"/>
    </users>
</tenants>

Here is the resulting authorizations.xml:

$ cat authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="eb862c3a-2fe8-34e9-9c0f-80baa7efff39" resource="/system" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
        </policy>
        <policy identifier="990eecb1-f8d1-328e-9c99-10ff405ab947" resource="/controller" action="W">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="06d26c63-7897-3631-9b36-c4f417db3bf8" resource="/flow" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
        </policy>
        <policy identifier="0e057dc6-6ce6-354b-b713-503a7ccb0c08" resource="/controller" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
        </policy>
        <policy identifier="85677cad-82db-31fd-a2fb-e2205b7ece3b" resource="/policies" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="8eb2c570-fb57-39fe-b1c3-afeb03c37f70" resource="/tenants" action="W">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="b835d4ed-8fcb-36e0-ae54-617a0fb07039" resource="/tenants" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="1fd242e6-f1af-3d6d-84ec-bb27c9b848e8" resource="/policies" action="W">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="49208654-71b3-37e9-a68f-7814015c1108" resource="/provenance" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="3643173c-47b4-3186-aeeb-9e901ed139b1" resource="/site-to-site" action="W">
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="e40617ff-84e1-31db-b5c7-9a219439acb2" resource="/site-to-site" action="R">
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
    </policies>
</authorizations>

Regards,
Ben Michaud
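
A read-only way to check what a migration like the one above actually granted, as an added example that is not part of the original message and not NiFi's own code: it resolves an identity through users.xml and lists every resource/action pair that authorizations.xml gives it, directly or through a group. The sample files are constructed, and two points are assumptions: that groups list their members as child user elements, and that component-level resources begin with /process-groups/ or /data/.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the users.xml / authorizations.xml above;
# identities, the group and all identifiers are made up.
USERS_XML = """<tenants>
  <groups><group identifier="g-1" name="admins"><user identifier="u-1"/></group></groups>
  <users>
    <user identifier="u-1" identity="CN=example-user, OU=constructed"/>
    <user identifier="u-2" identity="CN=example-node, OU=constructed"/>
  </users>
</tenants>"""
AUTHORIZATIONS_XML = """<authorizations><policies>
  <policy identifier="p-1" resource="/flow" action="R"><user identifier="u-1"/><user identifier="u-2"/></policy>
  <policy identifier="p-2" resource="/controller" action="R"><user identifier="u-1"/></policy>
  <policy identifier="p-3" resource="/controller" action="W"><user identifier="u-1"/></policy>
  <policy identifier="p-4" resource="/policies" action="W"><group identifier="g-1"/></policy>
  <policy identifier="p-5" resource="/site-to-site" action="W"><user identifier="u-2"/></policy>
</policies></authorizations>"""

def tenant_ids(users_xml, identity):
    """Return the user's identifier plus the identifiers of groups containing it."""
    root = ET.fromstring(users_xml)
    uid = next((u.get("identifier") for u in root.iterfind("users/user")
                if u.get("identity") == identity), None)
    if uid is None:
        return set()
    # Assumption: a group lists its members as child <user identifier="..."/> elements.
    groups = {g.get("identifier") for g in root.iterfind("groups/group")
              if any(m.get("identifier") == uid for m in g.iterfind("user"))}
    return {uid} | groups

def effective_policies(users_xml, authz_xml, identity):
    """Map resource -> granted actions ('R', 'W' or 'RW') for one identity."""
    ids = tenant_ids(users_xml, identity)
    granted = {}
    for p in ET.fromstring(authz_xml).iterfind("policies/policy"):
        members = {m.get("identifier") for m in p if m.tag in ("user", "group")}
        if ids & members:
            granted.setdefault(p.get("resource"), set()).add(p.get("action"))
    return {res: "".join(sorted(acts)) for res, acts in sorted(granted.items())}

def component_level(policies):
    """Resources scoped to a component rather than to the whole instance (assumed prefixes)."""
    return [r for r in policies if r.startswith(("/process-groups/", "/data/"))]

if __name__ == "__main__":
    pol = effective_policies(USERS_XML, AUTHORIZATIONS_XML, "CN=example-user, OU=constructed")
    for res, acts in pol.items():
        print(f"{acts:<2} {res}")
    print("component-level policies:", component_level(pol) or "none")
```

An empty component-level list means the identity holds only global policies, which is the pattern visible in the authorizations.xml listing above.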
