The initial admin policies are created here: https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java#L595 <https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java#L595>
You can see where it will create the root group policies if rootGroupId is not null. The rootGroupId comes from the parseFlow() method above which tries to read the flow.xml.gz from disk, using the location from nifi.properties. > On Apr 2, 2019, at 9:57 PM, Mark Bean <mark.o.b...@gmail.com> wrote: > > When NiFi is started for the first time, the Component Access Policies are > not populated even for the Initial Admin or for legacy DFM_ROLE users in > authorized-users.xml file.That is, not unless a flow.xml.gz file exists. > The fact that the admin user does not have access to these policies has led > to confusion for a great number of users. > > I believe this came up before and an explanation was given that since the > flow.xml.gz does not yet exist (nor the root process group's UUID), the > Component Access Policies cannot be created. However, I have to believe > there is a mechanism that can be employed to return to policy generation > after the flow.xml.gz is created. > > Can someone provide some pointers to where in the code I can look to see > where the Global Policies are initially created and/or where Component > Policies are created when migrating with an existing flow.xml.gz? > > Thanks, > Mark
