[ 
https://issues.apache.org/jira/browse/NIFI-5470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David Handermann resolved NIFI-5470.
------------------------------------
    Resolution: Won't Do

> Allow Initial Admin Identity to have full read/write access to new instance 
> flow
> --------------------------------------------------------------------------------
>
>                 Key: NIFI-5470
>                 URL: https://issues.apache.org/jira/browse/NIFI-5470
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Security
>    Affects Versions: 1.7.1
>            Reporter: Andy LoPresto
>            Priority: Major
>              Labels: access_control, authorization, security, user
>
> As noted in the [Apache NiFi Admin Guide -- Initial Admin 
> Identity|https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity],
>  when a user configures a new secure NiFi instance, they must populate an 
> *Initial Admin Identity* in {{authorizers.xml}}. However, if this is a new 
> instance, the IAI user does not have any access to the flow itself. 
> {quote}
> For a brand new secure flow, providing the "Initial Admin Identity" gives 
> that user access to get into the UI and to manage users, groups and policies. 
> But if that user wants to start modifying the flow, they need to grant 
> themselves policies for the root process group. The system is unable to do 
> this automatically because in a new flow the UUID of the root process group 
> is not permanent until the flow.xml.gz is generated. If the NiFi instance is 
> an upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure 
> to secure, then the "Initial Admin Identity" user is automatically given the 
> privileges to modify the flow.
> {quote}
> I believe there can be a workaround to determine the root process group UUID 
> and grant the IAI user access automatically on startup. When starting a new 
> instance, I can see the {{flow.xml.gz}} file persisted to disk with a 
> generated root process group ID before granting the IAI user any additional 
> permissions. 
> Once the empty {{flow.xml.gz}} is persisted to disk and the root process 
> group ID determined, the IAI user should be automatically granted write 
> permissions to that group. 
> {code}
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <flowController encoding-version="1.3">
>   <maxTimerDrivenThreadCount>10</maxTimerDrivenThreadCount>
>   <maxEventDrivenThreadCount>5</maxEventDrivenThreadCount>
>   <registries/>
>   <rootGroup>
>     <id>de37762f-0164-1000-ca28-13cc9d45f41b</id>
>     <name>NiFi Flow</name>
>     <position x="0.0" y="0.0"/>
>     <comment/>
>   </rootGroup>
>   <controllerServices/>
>   <reportingTasks/>
> </flowController>
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
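
The workaround described in the issue above, as an added example (not code from the issue or from Apache NiFi): read the root process group ID out of a persisted flow.xml.gz and list which read/write policies on it the Initial Admin Identity still lacks. The function names, the `(resource, action, identity)` tuple layout and the sample identity are assumptions; the sample flow is reconstructed from the XML quoted in the issue.

```python
import gzip
import io
import uuid
import xml.etree.ElementTree as ET

# Constructed sample: the empty flow quoted in the issue, gzip-compressed in memory.
SAMPLE_FLOW_GZ = gzip.compress(
    b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    b'<flowController encoding-version="1.3"><registries/>'
    b'<rootGroup><id>de37762f-0164-1000-ca28-13cc9d45f41b</id>'
    b'<name>NiFi Flow</name></rootGroup></flowController>'
)


def root_group_id(flow_gz: bytes) -> str:
    """Return the root process group UUID from gzip-compressed flow XML."""
    with gzip.open(io.BytesIO(flow_gz)) as fh:
        root = ET.parse(fh).getroot()
    node = root.find("./rootGroup/id") if root.tag == "flowController" else None
    if node is None or not (node.text or "").strip():
        raise ValueError("flow has no rootGroup/id; has NiFi persisted it yet?")
    # uuid.UUID raises ValueError if the value is not a well-formed UUID.
    return str(uuid.UUID(node.text.strip()))


def missing_root_policies(group_id, identity, granted):
    """List (resource, action) pairs on the root group that identity lacks.

    granted is a set of (resource, action, identity) tuples; this layout is
    an assumption made for the example, not NiFi's storage format.
    """
    resource = f"/process-groups/{group_id}"
    return [(resource, action) for action in ("R", "W")
            if (resource, action, identity) not in granted]


if __name__ == "__main__":
    gid = root_group_id(SAMPLE_FLOW_GZ)
    admin = "CN=admin, OU=NiFi"  # constructed identity
    already = {(f"/process-groups/{gid}", "R", admin)}
    for resource, action in missing_root_policies(gid, admin, already):
        print(f"{admin} lacks {action} on {resource}")
```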
