Hi Ben,

Sorry to hear you are having trouble with the new security authorizer. I understand this is a big change and it is frustrating when it does not work as expected.

I am surprised to hear that the legacy migration did not create policies for the DFM role that you previously had. Could you please provide the logs/nifi-app.log (with sensitive data sanitized) to help us understand if this is a bug?

As for adding users and policies through the NiFi UI, there are instructions here [1] and Bryan Bende has written a helpful blog post about this as well [2]. You can add users and then add global or component-level (i.e. access to a single process group or processor) access policies for those users. Please let us know if this is still not clear or if you encounter other challenges.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies
[2] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Sep 8, 2016, at 1:27 PM, Michaud, Ben A <ben_mich...@optum.com> wrote:
>
> Greetings.
>
> I have been trying to use the new release of NiFi today, and am frankly at a dead end. I can't use it with security enabled.
>
> We have been using 0.6.1, 0.7, and 0.8 recently, so I followed the recommendations of using the existing authorized-users.xml file to migrate to the new model. This process did allow me to log in, but did not give me any write access from the old DFM role. In fact, it did not even create all of the authorizations mentioned here (http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup). It only created write policies for the following:
>
> - Controller
> - Tenants
> - Policies
> - Site-to-site
>
> Thus, even though I had ADMIN, DFM, and PROVENANCE before, it looks like I was only given admin rights.
>
> Furthermore, when I accessed the UI, I wanted to add groups and policies, but I can't for the life of me figure out how I'm supposed to do this. It seems like I can only add users to existing policies in the "Access Policies" dialog or add users in general on the "NiFi Users" dialog. Since I am not supposed to manually edit these files, I am not sure how I am supposed to fix this.
>
> Any help in this regard would be greatly appreciated.
>
> Here is the original authorized-users.xml snippet with my roles:
> (NB: I have removed other users from the listings below. I was the second user out of six.)
>
> $ cat authorized-users.xml
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <users>
>     <user dn="EMAILADDRESS=ben_mich...@optum.com, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com">
>         <role name="ROLE_DFM"/>
>         <role name="ROLE_ADMIN"/>
>         <role name="ROLE_PROVENANCE"/>
>     </user>
> </users>
>
> Here is the resulting users.xml:
>
> $ cat users.xml
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <tenants>
>     <groups/>
>     <users>
>         <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8" identity="EMAILADDRESS=ben_mich...@optum.com, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com"/>
>     </users>
> </tenants>
>
> Here is the resulting authorizations.xml:
>
> $ cat authorizations.xml
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <authorizations>
>     <policies>
>         <policy identifier="eb862c3a-2fe8-34e9-9c0f-80baa7efff39" resource="/system" action="R">
>             <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>             <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>             <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>             <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>             <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>         </policy>
>         <policy identifier="990eecb1-f8d1-328e-9c99-10ff405ab947" resource="/controller" action="W">
>             <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>             <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>             <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>             <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>         </policy>
>         <policy identifier="06d26c63-7897-3631-9b36-c4f417db3bf8" resource="/flow" action="R">
>             <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>             <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>             <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>             <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>             <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>         </policy>
>         <policy identifier="0e057dc6-6ce6-354b-b713-503a7ccb0c08" resource="/controller" action="R">
>             <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>             <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>             <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>             <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>             <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>         </policy>
>         <policy identifier="85677cad-82db-31fd-a2fb-e2205b7ece3b" resource="/policies" action="R">
>             <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>             <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>             <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>         </policy>
>         <policy identifier="8eb2c570-fb57-39fe-b1c3-afeb03c37f70" resource="/tenants" action="W">
>             <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>             <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>             <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>         </policy>
>         <policy identifier="b835d4ed-8fcb-36e0-ae54-617a0fb07039" resource="/tenants" action="R">
>             <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>             <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>             <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>         </policy>
>         <policy identifier="1fd242e6-f1af-3d6d-84ec-bb27c9b848e8" resource="/policies" action="W">
>             <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>             <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>             <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>         </policy>
>         <policy identifier="49208654-71b3-37e9-a68f-7814015c1108" resource="/provenance" action="R">
>             <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>             <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>             <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>             <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>         </policy>
>         <policy identifier="3643173c-47b4-3186-aeeb-9e901ed139b1" resource="/site-to-site" action="W">
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>         </policy>
>         <policy identifier="e40617ff-84e1-31db-b5c7-9a219439acb2" resource="/site-to-site" action="R">
>             <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>         </policy>
>     </policies>
> </authorizations>
>
> Regards,
> Ben Michaud
>
>
> This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
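The gap the quoted message describes (a migrated account holding fewer grants than its old role implied) can be checked mechanically instead of by reading authorizations.xml by eye. The following is an added example, not NiFi project code and not from either message in the thread: it reads a users.xml and an authorizations.xml of the shape shown above, resolves an identity to the identifier the policies refer to, and reports which expected (resource, action) grants are missing. The sample files, the identities "alice" and "bob", the identifiers and the EXPECTED_DFM set are all constructed assumptions; an operator substitutes their own files and their own expected grant list.

```python
import xml.etree.ElementTree as ET

# Constructed sample users.xml shaped like the file quoted in the thread ("alice" is the migrated DFM).
USERS_XML = """<tenants>
  <users>
    <user identifier="11111111-0000-0000-0000-000000000001" identity="CN=alice, OU=Example"/>
    <user identifier="22222222-0000-0000-0000-000000000002" identity="CN=bob, OU=Example"/>
  </users>
</tenants>"""

# Constructed sample authorizations.xml using resources that appear in the thread.
AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="p1" resource="/system" action="R">
      <user identifier="11111111-0000-0000-0000-000000000001"/>
    </policy>
    <policy identifier="p2" resource="/controller" action="W">
      <user identifier="11111111-0000-0000-0000-000000000001"/>
    </policy>
    <policy identifier="p3" resource="/flow" action="R">
      <user identifier="11111111-0000-0000-0000-000000000001"/>
    </policy>
    <policy identifier="p4" resource="/site-to-site" action="W">
      <user identifier="22222222-0000-0000-0000-000000000002"/>
    </policy>
  </policies>
</authorizations>"""

# Assumed expectation for a former DFM (an operator's own list, not NiFi's official mapping); two entries are absent above on purpose.
EXPECTED_DFM = {("/flow", "R"), ("/flow", "W"), ("/controller", "W"), ("/provenance", "R")}

def identity_map(users_xml):
    # Map each identity string in users.xml to the identifier that policies refer to.
    return {u.get("identity"): u.get("identifier") for u in ET.fromstring(users_xml).iter("user")}

def grants_for(authorizations_xml, identifier):
    # Collect every (resource, action) pair whose policy lists this identifier.
    grants = set()
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        if any(u.get("identifier") == identifier for u in policy.iter("user")):
            grants.add((policy.get("resource"), policy.get("action")))
    return grants

def audit(identity, expected, users_xml=USERS_XML, auth_xml=AUTHORIZATIONS_XML):
    # Return (granted, missing); missing is sorted so repeated reports are stable.
    identifier = identity_map(users_xml).get(identity)
    if identifier is None:
        raise KeyError(f"identity not found in users.xml: {identity}")
    granted = grants_for(auth_xml, identifier)
    return granted, sorted(expected - granted)
```

Running audit() for "CN=alice, OU=Example" with EXPECTED_DFM reports /flow W and /provenance R as missing, which is the kind of discrepancy the quoted message found by inspection.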