Your description is exactly how I would expect things to work. However, the user is not able to access the graph.
The nifi-user.log indicates: o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<UserX>) GET https://<nifi-url>/nifi-api/flow/current-user o.a.n.w.s.NiFiAuthenticationFilter Authentication success for <UserX> o.a.n.w.a.c.AccessDeniedExceptionMapper <UserX> does not have permission to access the requested resource. Returning Forbidden response. On Fri, Feb 24, 2017 at 12:46 PM, Matt Gilman <[email protected]> wrote: > Mark, > > Adding the user and then granting that user permissions to 'view the user > interface' is all that is required for the user to access the UI. If you > check out the nifi-user.log you should be able to see which request failed. > In the coming 1.2.0 release, we've made the authorization error messages > more meaningful which should make it easier to see which policies the user > is lacking. > > Subsequently, the user can be granted to various parts of data flow > (through the policies access from the canvas Operate palette). This will > allow the user to see the types/configuration of various components and/or > modify them. Without these permissions, the user can still see the data > flow but they will not be able to see details of those components. > > Matt > > On Fri, Feb 24, 2017 at 12:32 PM, Mark Bean <[email protected]> wrote: > > > I am attempting to apply Access Policies appropriately. As a very first > > step, I want to grant a user access to the UI. From the global menu, I > > chose Users and added the user. Then, again from the global menu, I chose > > Policies. I added the user to "view the user interface" and "access the > > controller" ("view" only; not "modify"). > > > > When this failed to give the user access, I went to the component level > > policy at the root of the graph (i.e. "NiFi Flow" process group). I > granted > > "view the component". > > > > With the above policies, the user receives a message that states "Unable > to > > perform the desired action due to insufficient permissions. Contact the > > system administrator." > > > > How do I grant a user access to the UI? > > > > The Admin Guide has a section on Access Policy Configuration Examples. > > However, it begins with "The following scenarios assume User1 is an > > administrator and User2 is a newly added user that has only been given > > access to the UI." Suggestion: create a new example scenario which > > demonstrates "has been given access to the UI". > > > > Thanks, > > Mark > > >
