When starting NiFi for the first time using the managed-authorizer, NiFi will put the Initial Admin Identity in certain Access Policies. However, it only does this for Global Access Policies, and does not add this user to any Component Access Policies, e.g. 'view/modify the component'.
This has been frustrating, but as I understand it is unavoidable because the UUID of the root process group has not yet been created (there is no flow.xml.gz) at the time the policies are generated. However, I found that if a flow.xml.gz existed without a corresponding authorizations.xml or users.xml, then the startup process would in fact create the Component Access Policies and add the admin user to them. Now, with the introduction of flow.json.gz, the root process group has both "identifier" and "instanceIdentifier" properties. The Component Access Policies created on startup as described above reference the "identifier" UUID, but the UI indicates the "instanceIdentifier" is the proper UUID for the root process group. Therefore, the Component Access Policies are ineffective as they reference an incorrect UUID value. Is generating the Component Access Policies in this way supported? If so, then I will submit a ticket for using the proper UUID value when creating the policies. Thanks, Mark
