[ https://issues.apache.org/jira/browse/NIFI-5470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann resolved NIFI-5470.
------------------------------------
    Resolution: Won't Do

> Allow Initial Admin Identity to have full read/write access to new instance flow
> --------------------------------------------------------------------------------
>
>                 Key: NIFI-5470
>                 URL: https://issues.apache.org/jira/browse/NIFI-5470
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Security
>    Affects Versions: 1.7.1
>            Reporter: Andy LoPresto
>            Priority: Major
>              Labels: access_control, authorization, security, user
>
> As noted in the [Apache NiFi Admin Guide -- Initial Admin Identity|https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity], when a user configures a new secure NiFi instance, they must populate an *Initial Admin Identity* in {{authorizers.xml}}. However, if this is a new instance, the IAI user does not have any access to the flow itself.
> {quote}
> For a brand new secure flow, providing the "Initial Admin Identity" gives that user access to get into the UI and to manage users, groups and policies. But if that user wants to start modifying the flow, they need to grant themselves policies for the root process group. The system is unable to do this automatically because in a new flow the UUID of the root process group is not permanent until the flow.xml.gz is generated. If the NiFi instance is an upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure to secure, then the "Initial Admin Identity" user is automatically given the privileges to modify the flow.
> {quote}
> I believe there can be a workaround to determine the root process group UUID and grant the IAI user access automatically on startup. When starting a new instance, I can see the {{flow.xml.gz}} file persisted to disk with a generated root process group ID before granting the IAI user any additional permissions.
>
> Once the empty {{flow.xml.gz}} is persisted to disk and the root process group ID determined, the IAI user should be automatically granted write permissions to that group.
> {code}
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <flowController encoding-version="1.3">
>   <maxTimerDrivenThreadCount>10</maxTimerDrivenThreadCount>
>   <maxEventDrivenThreadCount>5</maxEventDrivenThreadCount>
>   <registries/>
>   <rootGroup>
>     <id>de37762f-0164-1000-ca28-13cc9d45f41b</id>
>     <name>NiFi Flow</name>
>     <position x="0.0" y="0.0"/>
>     <comment/>
>   </rootGroup>
>   <controllerServices/>
>   <reportingTasks/>
> </flowController>
> {code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
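The workaround the issue sketches (read the persisted flow.xml.gz, take the root process group ID from it, grant the Initial Admin Identity read and write on that group) as an added example. This is not the issue's code or NiFi project code: it is a stand-alone script that parses the gzipped flow, pulls out the root group UUID, and generates policy entries for one user. The `/process-groups/{id}` resource name, the `<policy>`/`<user>` layout written to authorizations.xml, and the user identifier are assumptions that should be checked against the admin guide and an existing authorizations.xml for the NiFi version in use. The sample flow is constructed from the snippet in the issue.

```python
"""Added example (not NiFi project code): read the root process group ID
from a persisted flow.xml.gz and emit the policies an Initial Admin
Identity needs to read and modify that group."""
import gzip
import io
import uuid
import xml.etree.ElementTree as ET

# Constructed sample input: the empty flow shown in the issue, gzipped the
# way NiFi persists it to disk.
SAMPLE_FLOW_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<flowController encoding-version="1.3">
  <maxTimerDrivenThreadCount>10</maxTimerDrivenThreadCount>
  <maxEventDrivenThreadCount>5</maxEventDrivenThreadCount>
  <registries/>
  <rootGroup>
    <id>de37762f-0164-1000-ca28-13cc9d45f41b</id>
    <name>NiFi Flow</name>
    <position x="0.0" y="0.0"/>
    <comment/>
  </rootGroup>
  <controllerServices/>
  <reportingTasks/>
</flowController>
"""
SAMPLE_FLOW_GZ = gzip.compress(SAMPLE_FLOW_XML)

# Constructed sample of a flow with no root group yet, i.e. the window the
# issue describes where the root group UUID does not exist on disk.
EMPTY_FLOW_GZ = gzip.compress(b'<flowController encoding-version="1.3"/>')

# Assumed resource naming: a process group's component policies live under
# /process-groups/{id}. Verify for the NiFi version in use.
RESOURCE_TEMPLATE = "/process-groups/{id}"


def root_group_id(flow_gz: bytes) -> str:
    """Return the <rootGroup><id> from a gzipped flow.xml.

    Raises ValueError if the flow has no root group yet, so a caller
    cannot grant policies on a UUID that is not permanent.
    """
    with gzip.GzipFile(fileobj=io.BytesIO(flow_gz)) as fh:
        root = ET.parse(fh).getroot()
    node = root.find("./rootGroup/id")
    if node is None or not (node.text or "").strip():
        raise ValueError("flow.xml has no rootGroup/id; flow not persisted yet")
    # Parse as a UUID so a hand-edited or corrupted flow cannot smuggle an
    # arbitrary path segment into the policy resource string.
    return str(uuid.UUID(node.text.strip()))


def admin_policies(root_id: str, user_identifier: str) -> list:
    """Read and write policies on the root group for one user identifier.

    user_identifier is the <user identifier="..."> from users.xml (assumed
    layout), not the DN; the caller must look it up. Policy identifiers are
    derived with uuid5 so re-running the script yields identical entries.
    """
    resource = RESOURCE_TEMPLATE.format(id=root_id)
    policies = []
    for action in ("R", "W"):
        policies.append({
            "identifier": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{resource}#{action}")),
            "resource": resource,
            "action": action,
            "user": user_identifier,
        })
    return policies


def policies_xml(policies: list) -> str:
    """Render policies as <policy> elements in the shape assumed for the
    file-based authorizer's authorizations.xml; diff against a real file
    from the same NiFi version before merging."""
    container = ET.Element("policies")
    for p in policies:
        el = ET.SubElement(container, "policy", identifier=p["identifier"],
                           resource=p["resource"], action=p["action"])
        ET.SubElement(el, "user", identifier=p["user"])
    return ET.tostring(container, encoding="unicode")


if __name__ == "__main__":
    rid = root_group_id(SAMPLE_FLOW_GZ)
    print(policies_xml(admin_policies(rid, "initial-admin-user-id")))
```

Running the script prints two `<policy>` elements (R and W) for resource `/process-groups/de37762f-0164-1000-ca28-13cc9d45f41b`; feeding it a flow without a `<rootGroup>` raises instead of producing policies, which mirrors the ordering constraint in the issue: the grant can only happen after the flow has been persisted.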