Daniel,

Unfortunately, there is no way to set this currently. This is ultimately a lifecycle issue. The UUID of the root group may be inherited from a cluster or randomly generated if a node is standalone. From the admin guide:

"For a brand new secure flow, providing the "Initial Admin Identity" gives that user access to get into the UI and to manage users, groups and policies. But if that user wants to start modifying the flow, they need to grant themselves policies for the root process group. The system is unable to do this automatically because in a new flow the UUID of the root process group is not permanent until the flow.xml.gz is generated. If the NiFi instance is an upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure to secure, then the "Initial Admin Identity" user is automatically given the privileges to modify the flow."

Because of this, when there is no existing flow, granting permissions to the root group would need to happen after this initial startup.

Matt

On Mon, Feb 26, 2018 at 3:26 PM, Daniel Hernandez <[email protected]> wrote:

> Hi Matt,
>
> Thanks for your answer.
>
> Do you know if there is a way to preconfigure this value when running NiFi's Docker image? I am making the calls from an integration test that runs a docker container with the NiFi server. I already checked and the value under <rootGroup><id> in the flow.xml.gz file changes every time I deploy the container, I guess it is created at startup. Is it possible that I can change my docker image to get a fixed root group value?
>
> Thanks,
>
> Daniel
>
> On Mon, Feb 26, 2018 at 11:35 AM, Daniel Hernandez <[email protected]> wrote:
>
> > Hi,
> >
> > I am currently working on calling the NiFi REST API to get the 'root' process group and setting it as parent for a new process-group.
> >
> > However I am getting the next messages:
> >
> > Attempting GET request to: JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root }
> > 2018-02-26 11:06:55.341 DEBUG ???? --- [ main] c.c.p.n.c.i.b.BootApiClient :
> > 2018-02-26 11:06:55.341 DEBUG ???? --- [ main] c.c.p.n.c.i.b.BootApiClient : Received 403 response from GET to JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root }
> >
> > com.civitaslearning.platform.nifi.client.invoker.boot.exception.NifiForbiddenException: No applicable policies could be found. Contact the system administrator.
> >
> > This is the content of my authorizations.xml file:
> >
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <authorizations>
> >   <policies>
> >     <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >     <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >     <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >     <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >     <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >     <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >     <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >     <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >     <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006" resource="/process-groups/root" action="R">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >     <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68" resource="/process-groups/root" action="W">
> >       <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >     </policy>
> >   </policies>
> > </authorizations>
> >
> > And this is the content of authorizations.xml
> >
> > <authorizers>
> >   <accessPolicyProvider>
> >     <identifier>file-access-policy-provider</identifier>
> >     <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >     <property name="User Group Provider">file-user-group-provider</property>
> >     <property name="Authorizations File">./conf/authorizations.xml</property>
> >     <property name="Initial Admin Identity">CN=civitas, OU=ApacheNifi</property>
> >     <property name="Legacy Authorized Users File"></property>
> >     <property name="Node Identity 1"></property>
> >   </accessPolicyProvider>
> >   <authorizer>
> >     <identifier>managed-authorizer</identifier>
> >     <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
> >     <property name="Access Policy Provider">file-access-policy-provider</property>
> >   </authorizer>
> > </authorizers>
> >
> > And users.xml
> >
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <tenants>
> >   <groups/>
> >   <users>
> >     <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51" identity="CN=civitas, OU=ApacheNifi"/>
> >   </users>
> > </tenants>
> >
> > I already created a policy using the same user cert so I guess the DN is valid.
> > Am I defining the policy or making the call in a wrong way?
> >
> > Thanks in advance,
> >
> > Daniel Hernandez
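
The mismatch discussed in this thread can be checked offline. The following is an added example, not code from the thread or from the NiFi project: it reads `<rootGroup><id>` from a `flow.xml.gz` and reports which root-group policies in `authorizations.xml` actually name that generated id. The function name, the constructed root UUID and the assumptions that child groups appear as nested `<processGroup><id>` elements and that the file-based provider keys root-group policies on the generated UUID are illustrative.

```python
import gzip
import xml.etree.ElementTree as ET

def check_root_policies(flow_gz: bytes, authorizations_xml: bytes, user_id: str) -> dict:
    """Compare process-group policies in authorizations.xml with the group
    ids present in flow.xml.gz (assumed layout: <rootGroup><id>, with child
    groups as nested <processGroup><id>)."""
    flow = ET.fromstring(gzip.decompress(flow_gz))
    root_id = flow.findtext("rootGroup/id", default="").strip()
    if not root_id:
        raise ValueError("no <rootGroup><id> in flow; has NiFi started once?")
    known = {root_id} | {pg.findtext("id", "").strip()
                         for pg in flow.iter("processGroup")}
    granted, unknown = set(), set()
    prefix = "/process-groups/"
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        resource = policy.get("resource", "")
        if not resource.startswith(prefix):
            continue  # global policy such as /flow or /tenants
        group_id = resource[len(prefix):]
        users = {u.get("identifier") for u in policy.findall("user")}
        if group_id == root_id and user_id in users:
            granted.add(policy.get("action"))
        elif group_id not in known:
            unknown.add(resource)  # names a group the flow does not contain
    return {"root_group_id": root_id,
            "granted": sorted(granted),
            "missing": sorted({"R", "W"} - granted),
            "unknown_resources": sorted(unknown)}

# Constructed sample data; the root group UUID is made up for this example.
SAMPLE_ROOT = "11111111-2222-3333-4444-555555555555"
SAMPLE_USER = "2ca01c6c-41bf-31b9-8101-5021367b7c51"  # user id from the thread
SAMPLE_FLOW = gzip.compress(
    f"<flowController><rootGroup><id>{SAMPLE_ROOT}</id><name>NiFi Flow</name>"
    "</rootGroup></flowController>".encode())

def sample_authorizations(group: str) -> bytes:
    """Build R and W policies on /process-groups/<group> for SAMPLE_USER."""
    policies = "".join(
        f'<policy identifier="p-{a}" resource="/process-groups/{group}" action="{a}">'
        f'<user identifier="{SAMPLE_USER}"/></policy>' for a in "RW")
    return f"<authorizations><policies>{policies}</policies></authorizations>".encode()

if __name__ == "__main__":
    for group in ("root", SAMPLE_ROOT):
        print(check_root_policies(SAMPLE_FLOW, sample_authorizations(group), SAMPLE_USER))
```

In an integration test this check only makes sense after the container's first startup, because the root group id does not exist before the flow is generated.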
