Ben, Can you explain a little more about what you mean by "scripts containing compile errors"? Are you talking about ExecuteScript processors?
I would expect the following to work...

- Take a brand new Apache NiFi 1.0.0 tar/zip and extract it
- Copy flow.xml.gz from old NiFi to NiFi 1.0.0/conf/
- Configure nifi.properties for NiFi 1.0.0 to set up the https host/port and all the SSL properties, and specify the file-authorizer (nifi.security.user.authorizer=file-provider)
- Configure the file-authorizer in NiFi 1.0.0/conf/authorizers.xml and set the path to old authorized-users.xml
- Then start NiFi 1.0.0

If you are trying to reconfigure the NiFi 1.0.0 that you already set up, you will want to delete the users.xml and authorizations.xml from the conf directory if you want it to regenerate the conversion from the legacy authorized-users.xml. It only attempts the legacy conversion the first time when no users, groups, and policies exist.

The app log you linked to shows that your nifi.properties did not have an authorizer set, basically nifi.security.user.authorizer was empty in nifi.properties, and therefore NiFi could not start in secure mode.

Thanks,

Bryan

On Thu, Sep 8, 2016 at 10:57 PM, bmichaud <ben_mich...@optum.com> wrote:

> Thanks, Bryan and Andy.
>
> I initially tried to start up nifi with the old flow, but some of the script code was broken in the new NiFi. I was getting exceptions due to API changes. Since I wanted to isolate the security, I removed the old flows and was eventually able to log in. Should I try again with the old flows even though they contain compile errors?
>
> I did look at the help pages, but I could not activate group, and I did not see a way to add
>
>
> This nifi-app.log is perhaps not what you are looking for. The last time I started nifi, I was trying to do it with security disabled after having added our custom flows, then my attempt to get in from http. All I did to disable security was to revert all the security properties in nifi.properties to their default state.
>
> nifi-app.log
> <http://apache-nifi-developer-list.39713.n7.nabble.com/file/n13294/nifi-app.log>
>
>
> Bryan Bende wrote
> > Hi Ben,
> >
> > In addition to what Andy said... did you also copy the flow.xml.gz from a previous instance, or were you starting with a new instance and just copying over the users?
> >
> > If you were only bringing over the users and no flow, then I think this is behaving as expected... The policies in the admin guide for DFM are:
> >
> > 1) view the UI (READ on /flow)
> > 2) view the controller (READ on /controller)
> > 3) modify the controller (WRITE on /controller)
> > 4) view system diagnostics (READ on /system)
> > 5) view the dataflow (READ on /process-groups/<root-group-id>)
> > 6) modify the dataflow (WRITE on /process-groups/<root-group-id>)
> > 7) view the data (READ on /data/process-groups/<root-group-id>)
> > 8) modify the data (WRITE on /data/process-groups/<root-group-id>)
> >
> > In your example the first four were created, but the last four were not. The last four are dependent on knowing a consistent root group id which it doesn't know in a brand new instance, but if you copied over the previous flow.xml.gz I believe it should have created those.
> >
> > In the state you are in with a brand new flow, you have to create a policy on the root group for your user. You can do that from the lock icon in the palette on the left.
> > Once you have created a policy for "view component" and "modify the component" for the root group, and added your user to both, you should see the toolbar enabled.
> >
> > Let us know if this helps, or if there are still other challenges.
> >
> > -Bryan
> >
> > On Thu, Sep 8, 2016 at 5:50 PM, Andy LoPresto <alopresto@> wrote:
> >
> >> Hi Ben,
> >>
> >> Sorry to hear you are having trouble with the new security authorizer. I understand this is a big change and it is frustrating when it does not work as expected.
> >>
> >> I am surprised to hear that the legacy migration did not create policies for the DFM role that you previously had. Could you please provide the logs/nifi-app.log (with sensitive data sanitized) to help us understand if this is a bug?
> >>
> >> As for adding users and policies through the NiFi UI, there are instructions here [1] and Bryan Bende has written a helpful blog post about this as well [2]. You can add users and then add global or component-level (i.e. access to a single process group or processor) access policies for those users.
> >>
> >> Please let us know if this is still not clear or if you encounter other challenges.
> >>
> >> [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies
> >> [2] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
> >>
> >>
> >> Andy LoPresto
> >> alopresto@
> >> *alopresto.apache@ <alopresto.apache@>*
> >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> >>
> >> On Sep 8, 2016, at 1:27 PM, Michaud, Ben A <ben_michaud@> wrote:
> >>
> >> Greetings.
> >>
> >> I have been trying to use the new release of NiFi today, and am frankly at a dead end. I can't use it with security enabled.
> >>
> >> We have been using 0.6.1, 0.7, and 0.8 recently, so I followed the recommendations of using the existing authorized-users.xml file to migrate to the new model. This process did allow me to log in, but did not give me any write access from the old DFM role. In fact, it did not even create all of the authorizations mentioned here (http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup) It only created write policies for the following:
> >>
> >> - Controller
> >>
> >> - Tenants
> >>
> >> - Policies
> >>
> >> - Site-to-site
> >>
> >> Thus, even though I had ADMIN, DFM, and PROVENANCE before, it looks like I was only given admin rights.
> >>
> >> Furthermore, when I accessed the UI, I wanted to add groups and policies, but I can't for the life of me figure out how I'm supposed to do this. It seems like I can only add users to existing policies in the "Access Policies" dialog or add users in general on the "NiFi Users" dialog. Since I am not supposed to manually edit these files, I am not sure how I am supposed to fix this.
> >>
> >> Any help in this regard would be greatly appreciated.
> >>
> >> Here is the original authorized-users.xml snippet with my roles:
> >> (NB: I have removed other users from the listings below. I was the second user out of six.)
> >> $ cat authorized-users.xml
> >> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> >> <users>
> >>   <user dn="EMAILADDRESS=ben_mich...@optum.com, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com">
> >>     <role name="ROLE_DFM"/>
> >>     <role name="ROLE_ADMIN"/>
> >>     <role name="ROLE_PROVENANCE"/>
> >>   </user>
> >> </users>
> >>
> >> Here is the resulting users.xml:
> >> $ cat users.xml
> >> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> >> <tenants>
> >>   <groups/>
> >>   <users>
> >>     <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8" identity="EMAILADDRESS=ben_michaud@, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com"/>
> >>   </users>
> >> </tenants>
> >>
> >> Here is the resulting authorizations.xml:
> >> $ cat authorizations.xml
> >> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> >> <authorizations>
> >>   <policies>
> >>     <policy identifier="eb862c3a-2fe8-34e9-9c0f-80baa7efff39" resource="/system" action="R">
> >>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
> >>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
> >>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
> >>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>       <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
> >>     </policy>
> >>     <policy identifier="990eecb1-f8d1-328e-9c99-10ff405ab947" resource="/controller" action="W">
> >>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
> >>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
> >>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
> >>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>     </policy>
> >>     <policy identifier="06d26c63-7897-3631-9b36-c4f417db3bf8" resource="/flow" action="R">
> >>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
> >>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
> >>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
> >>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>       <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
> >>     </policy>
> >>     <policy identifier="0e057dc6-6ce6-354b-b713-503a7ccb0c08" resource="/controller" action="R">
> >>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
> >>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
> >>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
> >>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>       <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
> >>     </policy>
> >>     <policy identifier="85677cad-82db-31fd-a2fb-e2205b7ece3b" resource="/policies" action="R">
> >>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
> >>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
> >>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>     </policy>
> >>     <policy identifier="8eb2c570-fb57-39fe-b1c3-afeb03c37f70" resource="/tenants" action="W">
> >>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
> >>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
> >>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>     </policy>
> >>     <policy identifier="b835d4ed-8fcb-36e0-ae54-617a0fb07039" resource="/tenants" action="R">
> >>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
> >>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
> >>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>     </policy>
> >>     <policy identifier="1fd242e6-f1af-3d6d-84ec-bb27c9b848e8" resource="/policies" action="W">
> >>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
> >>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
> >>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>     </policy>
> >>     <policy identifier="49208654-71b3-37e9-a68f-7814015c1108" resource="/provenance" action="R">
> >>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
> >>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
> >>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
> >>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>     </policy>
> >>     <policy identifier="3643173c-47b4-3186-aeeb-9e901ed139b1" resource="/site-to-site" action="W">
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>     </policy>
> >>     <policy identifier="e40617ff-84e1-31db-b5c7-9a219439acb2" resource="/site-to-site" action="R">
> >>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
> >>     </policy>
> >>   </policies>
> >> </authorizations>
> >>
> >> Regards,
> >> Ben Michaud
> >>
>
> --
> View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/Questions-regarding-security-set-up-in-NiFi-1-0-0-tp13288p13294.html
> Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.
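
An added example, not part of the original thread and not NiFi's own code: a small check that reads a file in the authorizations.xml layout quoted above and reports which of the eight DFM policies listed in the thread are missing for one user. The sample XML, the user identifiers `u1`/`u2` and the root group id `root-id` are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the authorizations.xml layout quoted in the thread
# (identifiers shortened; this is not the poster's real file).
SAMPLE = """<authorizations><policies>
  <policy identifier="p1" resource="/flow" action="R"><user identifier="u1"/></policy>
  <policy identifier="p2" resource="/controller" action="R"><user identifier="u1"/></policy>
  <policy identifier="p3" resource="/controller" action="W"><user identifier="u1"/></policy>
  <policy identifier="p4" resource="/system" action="R"><user identifier="u1"/><user identifier="u2"/></policy>
  <policy identifier="p5" resource="/process-groups/root-id" action="R"><user identifier="u2"/></policy>
</policies></authorizations>"""


def dfm_policies(root_group_id):
    """The eight DFM policies listed in the thread, as (resource, action)."""
    pg = "/process-groups/" + root_group_id
    return [("/flow", "R"), ("/controller", "R"), ("/controller", "W"),
            ("/system", "R"), (pg, "R"), (pg, "W"),
            ("/data" + pg, "R"), ("/data" + pg, "W")]


def granted(xml_text, user_id):
    """(resource, action) pairs whose policy names user_id directly.

    Grants made through a group are not resolved here.
    """
    found = set()
    for policy in ET.fromstring(xml_text).iter("policy"):
        if any(u.get("identifier") == user_id for u in policy.findall("user")):
            found.add((policy.get("resource"), policy.get("action")))
    return found


def missing_dfm(xml_text, user_id, root_group_id):
    """DFM policies the user lacks, in the order the thread lists them."""
    have = granted(xml_text, user_id)
    return [p for p in dfm_policies(root_group_id) if p not in have]


if __name__ == "__main__":
    for resource, action in missing_dfm(SAMPLE, "u1", "root-id"):
        print("missing:", action, resource)
```

For a real instance, pass the contents of conf/authorizations.xml, the user's identifier from users.xml, and the root process group id of the running flow.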