Andre, Is your target for NIFI-1500 the default installation permission scheme, or just that NiFi does not fail to start without the permissions in a customized scheme? Would it be acceptable to distinguish between permissions required to initialize NiFi the first time, and the permissions required for ongoing use?
With respect to #3, conf directory permissions -- I like the ./conf/flows/... directory idea (or ./flows/...). But there are other writes to ./conf, including: * Start-time initialization of users.xml, authorizations.xml, conversion from legacy authorized-users.xml, etc. * Existing UI for configuration of policies, users, and groups * Any future UI-driven management options I believe these can be optional to the experienced admin, but the default installation requires write access to create and update these files. Thanks, James On Tue, Sep 27, 2016 at 8:13 AM, Andre <[email protected]> wrote: > devs, > > A while ago (0.4.0 IIRC) we had a brief exchange of messages around the > permissions NiFi requires to run (NIFI-1500). > > The debate revolved mostly around 4 things: > > 1 - write access to $NIFI_HOME/bin > > 2. write access to $NIFI_HOME/lib - NIFI-2818 / #1059 (review is welcome) > > 3. write access to $NIFI_HOME/conf (i.e. by default the flow is saved under > "conf/") > > 4. write access to $NIFI_HOME/. (i.e. creates the missing repo and working > folders upon boot). > > Good news is that inspection of the code suggests #1 has been solved when > we re-wrote the nifi.sh script and that #3 and #4 may be solved just by > small changes to default configuration and documentation. > > > Would anyone have thoughts on what would be the preferred approach to deal > with issues #3 and #4? > > > IMNSHO, the least impacting way of addressing #3 is to modify the default > behaviour, and ship NiFi with the following settings: > > nifi.flow.configuration.file=./conf/flows/flow.xml.gz > nifi.flow.configuration.archive.dir=./conf/flows/archive/ > > instead of the currently used: > > nifi.flow.configuration.file=./conf/flow.xml.gz > nifi.flow.configuration.archive.dir=./conf/archive/ > > This way, ./conf and all files could be owned by root.root and have fs > permissions set to 755 (drwxr-xr-x) > > while conf/flows could be set to runsasuser.runasgroup and fs permissions > set to 700 (drwx------). > > > #4 Can be solved by modifying the pom files to add the adequate directory > structure to the tar and gzip archives (i.e. pre-populating the directory > structure) or by adjusting rpm and deb files > > > We would also update the documentation to ensure people installing NiFi are > informed of the ideal filesystem permissions. > > > Would everyone be in agreement with this approach? > > > On a related note: > > I would truly appreciate if we could get some eyes over PR-1059 as early as > possible . Whilst a minor change to the code, I suspect it needs to be well > thought off and tested before we commit. > > > Cheers >
