You should be able to include a canned flow.xml.gz in your
container, just have nothing under the root group.


On Mon, Feb 26, 2018 at 3:50 PM, Matt Gilman <matt.c.gil...@gmail.com> wrote:
> Daniel,
>
> Unfortunately, there is no way to set this currently. This is ultimately a
> lifecycle issue. The UUID of the root group may be inherited from a cluster
> or randomly generated if a node is standalone. From the admin guide:
>
> "For a brand new secure flow, providing the "Initial Admin Identity" gives
> that user access to get into the UI and to manage users, groups and
> policies. But if that user wants to start modifying the flow, they need to
> grant themselves policies for the root process group. The system is unable
> to do this automatically because in a new flow the UUID of the root process
> group is not permanent until the flow.xml.gz is generated. If the NiFi
> instance is an upgrade from an existing flow.xml.gz or a 1.x instance going
> from unsecure to secure, then the "Initial Admin Identity" user is
> automatically given the privileges to modify the flow."
>
> Because of this, when there is no existing flow, granting permissions to
> the root group would need to happen after this initial startup.
>
> Matt
>
>
> On Mon, Feb 26, 2018 at 3:26 PM, Daniel Hernandez <
> daniel.hernan...@civitaslearning.com> wrote:
>
>> Hi Matt,
>>
>> Thanks for your answer.
>>
>> Do you know if there is a way to preconfigure this value when running
>> Nifi's Docker image? I am making the calls from an integration test that
>> runs a docker container with the Nifi server. I already checked and the value
>> under <rootGroup><id> in the flow.xml.gz file changes every time I deploy
>> the container, I guess it is created at startup.  Is it possible that I can
>> change my docker image to get a fixed root group value?
>>
>> Thanks,
>>
>> Daniel
>>
>> On Mon, Feb 26, 2018 at 11:35 AM, Daniel Hernandez <
>> daniel.hernan...@civitaslearning.com> wrote:
>>
>> > Hi,
>> >
>> > I am currently working on calling the Nifi REST API to get the 'root'
>> > process group and setting it as parent for a new process-group.
>> >
>> > However I am getting the next messages:
>> >
>> > Attempting GET request to: JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root }
>> > 2018-02-26 11:06:55.341 DEBUG ???? --- [           main] c.c.p.n.c.i.b.BootApiClient              :
>> > 2018-02-26 11:06:55.341 DEBUG ???? --- [           main] c.c.p.n.c.i.b.BootApiClient              : Received 403 response from GET to JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root }
>> >
>> > com.civitaslearning.platform.nifi.client.invoker.boot.exception.NifiForbiddenException: No applicable policies could be found. Contact the system administrator.
>> >
>> > This is the content of my authorizations.xml file:
>> >
>> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> >
>> > <authorizations>
>> >
>> >     <policies>
>> >
>> >         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>> > resource="/flow" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>> > resource="/restricted-components" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>> > resource="/tenants" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>> > resource="/tenants" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>> > resource="/policies" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>> > resource="/policies" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>> > resource="/controller" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>> > resource="/controller" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006"
>> > resource="/process-groups/root" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68"
>> > resource="/process-groups/root" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >     </policies>
>> >
>> > </authorizations>
>> >
>> > And this is the content of authorizations.xml
>> >
>> > <authorizers>
>> >
>> >     <accessPolicyProvider>
>> >
>> >         <identifier>file-access-policy-provider</identifier>
>> >
>> >         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>> >
>> >         <property name="User Group Provider">file-user-group-provider</property>
>> >
>> >         <property name="Authorizations File">./conf/authorizations.xml</property>
>> >
>> >         <property name="Initial Admin Identity">CN=civitas, OU=ApacheNifi</property>
>> >
>> >         <property name="Legacy Authorized Users File"></property>
>> >
>> >         <property name="Node Identity 1"></property>
>> >
>> >     </accessPolicyProvider>
>> >
>> >     <authorizer>
>> >
>> >         <identifier>managed-authorizer</identifier>
>> >
>> >         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>> >
>> >         <property name="Access Policy Provider">file-access-policy-provider</property>
>> >
>> >     </authorizer>
>> >
>> > </authorizers>
>> >
>> >
>> > And users.xml
>> >
>> >
>> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> >
>> > <tenants>
>> >
>> >     <groups/>
>> >
>> >     <users>
>> >
>> >         <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"
>> > identity="CN=civitas, OU=ApacheNifi"/>
>> >
>> >     </users>
>> >
>> > </tenants>
>> >
>> > I already created a policy using the same user cert so I guess the DN is
>> > valid.
>> > Am I defining the policy or making the call in the wrong way?
>> >
>> > Thanks in advance,
>> >
>> > Daniel Hernandez
>> >
>> >
>> >
>>
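
A check for the situation discussed in this thread, as an added example that is not part of the original messages or NiFi's own code: it reads `<rootGroup><id>` from a flow.xml.gz and reports whether a user holds R and W policies on that UUID in authorizations.xml. It assumes policies must name `/process-groups/<UUID>` rather than the `root` alias; the sample flow, root UUID and policy identifiers are constructed.

```python
import gzip
import io
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real NiFi instance).
SAMPLE_ROOT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder UUID
SAMPLE_USER_ID = "2ca01c6c-41bf-31b9-8101-5021367b7c51"  # user identifier from the thread
SAMPLE_FLOW_GZ = gzip.compress(
    ("<flowController><rootGroup><id>%s</id><name>NiFi Flow</name>"
     "</rootGroup></flowController>" % SAMPLE_ROOT_ID).encode("utf-8"))
SAMPLE_AUTHZ = """<authorizations><policies>
  <policy identifier="p1" resource="/process-groups/root" action="R">
    <user identifier="%(u)s"/></policy>
  <policy identifier="p2" resource="/process-groups/%(g)s" action="W">
    <user identifier="%(u)s"/></policy>
</policies></authorizations>""" % {"u": SAMPLE_USER_ID, "g": SAMPLE_ROOT_ID}


def root_group_id(flow_gz_bytes):
    """Return the text of <rootGroup><id> from a gzipped flow.xml."""
    with gzip.open(io.BytesIO(flow_gz_bytes)) as fh:
        node = ET.parse(fh).getroot().find("./rootGroup/id")
    if node is None or not (node.text or "").strip():
        raise ValueError("flow has no <rootGroup><id>")
    return node.text.strip()


def check_root_policies(flow_gz_bytes, authz_xml, user_id):
    """Report missing root-group actions and policies that use the 'root' alias."""
    gid = root_group_id(flow_gz_bytes)
    wanted = "/process-groups/" + gid
    granted, alias_policies = set(), []
    for pol in ET.fromstring(authz_xml).iter("policy"):
        users = {u.get("identifier") for u in pol.findall("user")}
        if user_id not in users:
            continue
        if pol.get("resource") == wanted:
            granted.add(pol.get("action"))
        elif pol.get("resource") == "/process-groups/root":
            # Assumption: the alias is not a resource the policy lookup matches.
            alias_policies.append(pol.get("identifier"))
    return {"root_id": gid, "missing": sorted({"R", "W"} - granted),
            "alias_policies": alias_policies}


if __name__ == "__main__":
    print(check_root_policies(SAMPLE_FLOW_GZ, SAMPLE_AUTHZ, SAMPLE_USER_ID))
```

Run against the canned flow.xml.gz and authorizations.xml baked into the image, an empty `missing` list means the test user can read and modify the root group from first startup.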
