You should be able to include a canned flow.xml.gz in your container, just have nothing under the root group.

On Mon, Feb 26, 2018 at 3:50 PM, Matt Gilman <matt.c.gil...@gmail.com> wrote:

> Daniel,
>
> Unfortunately, there is no way to set this currently. This is ultimately a
> lifecycle issue. The UUID of the root group may be inherited from a cluster
> or randomly generated if a node is standalone. From the admin guide:
>
> "For a brand new secure flow, providing the "Initial Admin Identity" gives
> that user access to get into the UI and to manage users, groups and
> policies. But if that user wants to start modifying the flow, they need to
> grant themselves policies for the root process group. The system is unable
> to do this automatically because in a new flow the UUID of the root process
> group is not permanent until the flow.xml.gz is generated. If the NiFi
> instance is an upgrade from an existing flow.xml.gz or a 1.x instance going
> from unsecure to secure, then the "Initial Admin Identity" user is
> automatically given the privileges to modify the flow."
>
> Because of this, when there is no existing flow, granting permissions to
> the root group would need to happen after this initial startup.
>
> Matt
>
> On Mon, Feb 26, 2018 at 3:26 PM, Daniel Hernandez <daniel.hernan...@civitaslearning.com> wrote:
>
>> Hi Matt,
>>
>> Thanks for your answer.
>>
>> Do you know if there is a way to preconfigure this value when running
>> Nifi's Docker image? I am making the calls from an integration test that
>> runs a docker container with the Nifi server. I already checked and the value
>> under <rootGroup><id> in the flow.xml.gz file changes every time I deploy
>> the container, I guess it is created at startup. Is it possible that I can
>> change my docker image to get a fixed root group value?
>>
>> Thanks,
>>
>> Daniel
>>
>> On Mon, Feb 26, 2018 at 11:35 AM, Daniel Hernandez <daniel.hernan...@civitaslearning.com> wrote:
>>
>> > Hi,
>> >
>> > I am currently working on calling the Nifi REST API to get the 'root'
>> > process group and setting it as parent for a new process-group.
>> >
>> > However I am getting the next messages:
>> >
>> > Attempting GET request to: JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root }
>> > 2018-02-26 11:06:55.341 DEBUG ???? --- [ main] c.c.p.n.c.i.b.BootApiClient :
>> > 2018-02-26 11:06:55.341 DEBUG ???? --- [ main] c.c.p.n.c.i.b.BootApiClient : Received 403 response from GET to JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root }
>> >
>> > com.civitaslearning.platform.nifi.client.invoker.boot.exception.NifiForbiddenException: No applicable policies could be found. Contact the system administrator.
>> >
>> > This is the content of my authorizations.xml file:
>> >
>> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> > <authorizations>
>> >     <policies>
>> >         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >         <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006" resource="/process-groups/root" action="R">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >         <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68" resource="/process-groups/root" action="W">
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >         </policy>
>> >     </policies>
>> > </authorizations>
>> >
>> > And this is the content of authorizations.xml
>> >
>> > <authorizers>
>> >     <accessPolicyProvider>
>> >         <identifier>file-access-policy-provider</identifier>
>> >         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>> >         <property name="User Group Provider">file-user-group-provider</property>
>> >         <property name="Authorizations File">./conf/authorizations.xml</property>
>> >         <property name="Initial Admin Identity">CN=civitas, OU=ApacheNifi</property>
>> >         <property name="Legacy Authorized Users File"></property>
>> >         <property name="Node Identity 1"></property>
>> >     </accessPolicyProvider>
>> >     <authorizer>
>> >         <identifier>managed-authorizer</identifier>
>> >         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>> >         <property name="Access Policy Provider">file-access-policy-provider</property>
>> >     </authorizer>
>> > </authorizers>
>> >
>> > And users.xml
>> >
>> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> > <tenants>
>> >     <groups/>
>> >     <users>
>> >         <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51" identity="CN=civitas, OU=ApacheNifi"/>
>> >     </users>
>> > </tenants>
>> >
>> > I already created a policy using the same user cert so I guess the DN is
>> > valid.
>> > Am I defining the policy or making the call in a wrong way?
>> >
>> > Thanks in advance,
>> >
>> > Daniel Hernandez
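
Added example, not part of any message in this thread: a Python check that a canned flow.xml.gz and the authorizations.xml shipped in the same image agree, i.e. that the user holds R and W policies on /process-groups/ followed by the UUID stored under <rootGroup><id>. The sample documents, the placeholder UUIDs, the <flowController> wrapper element and the function names are constructed for illustration.

```python
import gzip
import xml.etree.ElementTree as ET

# Constructed sample data (not from the thread): a canned flow with an empty
# root group, and an authorizations.xml whose policies name the alias "root".
ROOT_ID = "00000000-0000-0000-0000-000000000001"   # placeholder root group UUID
USER_ID = "11111111-1111-1111-1111-111111111111"   # placeholder user identifier
FLOW_GZ = gzip.compress(
    f"<flowController><rootGroup><id>{ROOT_ID}</id><name>NiFi Flow</name>"
    "</rootGroup></flowController>".encode())
AUTHZ_ALIAS = f"""<authorizations><policies>
  <policy identifier="p1" resource="/process-groups/root" action="R">
    <user identifier="{USER_ID}"/></policy>
  <policy identifier="p2" resource="/process-groups/root" action="W">
    <user identifier="{USER_ID}"/></policy>
</policies></authorizations>"""
# Same policies, rewritten against the UUID recorded in the canned flow.
AUTHZ_UUID = AUTHZ_ALIAS.replace("/process-groups/root",
                                 f"/process-groups/{ROOT_ID}")


def root_group_id(flow_gz: bytes) -> str:
    """Return the text of <rootGroup><id> from a gzipped flow.xml."""
    node = ET.fromstring(gzip.decompress(flow_gz)).find(".//rootGroup/id")
    if node is None or not (node.text or "").strip():
        raise ValueError("flow has no <rootGroup><id>")
    return node.text.strip()


def missing_root_policies(flow_gz: bytes, authz_xml: str, user_id: str) -> list:
    """List the actions (R, W) the user lacks on /process-groups/<root UUID>."""
    resource = "/process-groups/" + root_group_id(flow_gz)
    granted = set()
    for policy in ET.fromstring(authz_xml).iter("policy"):
        if policy.get("resource") != resource:
            continue  # a policy on the literal "root" does not name this resource
        if any(u.get("identifier") == user_id for u in policy.iter("user")):
            granted.add(policy.get("action"))
    return [action for action in ("R", "W") if action not in granted]


if __name__ == "__main__":
    print("alias policies, missing:",
          missing_root_policies(FLOW_GZ, AUTHZ_ALIAS, USER_ID))
    print("UUID policies, missing: ",
          missing_root_policies(FLOW_GZ, AUTHZ_UUID, USER_ID))
```

Run it against the real files before the image is built; a non-empty result means the policy file does not cover the root group recorded in that flow.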