Matheswaran,

Here is the JIRA [1] for the discussed improvement.

Thanks

Matt

[1] https://issues.apache.org/jira/browse/NIFI-4134

On Tue, Jun 27, 2017 at 8:31 AM, Matt Gilman <[email protected]> wrote:

> Matheswaran,
>
> The Initial Admin grants the user with that identity the required
> permissions to administer that instance including adding/updating/removing
> users, groups, and policies. The policies are granted at a resource level.
> This means that you can introduce new administrators at a Process Group level
> if you desire. The Initial Admin is not considered a special user. If they
> add another user and assign that user to the same policies, the new user
> will have equivalent permissions.
>
> That said, I think it may make sense to prevent a user from removing
> themselves from the global/top level admin policies. I'll file a JIRA to
> this effect later today.
>
> I saw your other email and SO post. If you don't have
> users/groups/policies that you had previously set up, you can just delete
> your <NIFI_HOME>/conf/authorizations.xml and restart. The Initial Admin
> policies will be restored. If you do have other users/groups/policies that
> you don't want to lose, I can help you restore the lost permissions by hand
> editing the authorizations.xml. Just let me know.
>
> Thanks.
>
> Matt
>
> On Tue, Jun 27, 2017 at 6:53 AM, mathes waran <[email protected]>
> wrote:
>
>> Hi,
>>
>> I am using NiFi 1.2.0 with Kerberos authentication enabled. I set the admin
>> user in the Initial Admin Identity property of the authorizers.xml file. By
>> default, admin has full permission in NiFi. But admin is able to delete
>> his own permission.
>>
>> Once the access policy is removed for the admin user, policies cannot be
>> set for any other users by admin. This behaviour looks odd. The policy for admin
>> should not be removed in any case, as we set the admin user in the authorizers.xml
>> file.
>>
>> Why shouldn't NiFi restrict policy removal for the admin user? Is there any
>> need to delete permission for the admin user itself?
>>
>> Help me to understand the security flow.
>>
>> Please let me know if you have any queries,
>>
>> Thanks,
>> Matheswaran. S
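
An added example, not part of the original thread and not NiFi's own code: a check that reads an authorizations.xml and reports which global admin policies have no holder left, which is the lock-out described in the thread. The `<policy resource action>` / `<user identifier>` layout, the sample file, the identifiers, and the list of policies treated as "admin" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample file (not from the thread). Assumed layout: each <policy>
# has resource/action attributes and <user>/<group> children naming its holders.
SAMPLE = """\
<authorizations>
  <policies>
    <policy identifier="p1" resource="/tenants" action="R"><user identifier="u-admin"/></policy>
    <policy identifier="p2" resource="/tenants" action="W"><user identifier="u-admin"/></policy>
    <policy identifier="p3" resource="/policies" action="R"><user identifier="u-admin"/></policy>
    <policy identifier="p4" resource="/policies" action="W"/>
    <policy identifier="p5" resource="/flow" action="R"><group identifier="g-ops"/></policy>
  </policies>
</authorizations>
"""

# Assumption: the global policies needed to keep managing users and policies.
ADMIN_POLICIES = [("/tenants", "R"), ("/tenants", "W"),
                  ("/policies", "R"), ("/policies", "W")]

def holders(xml_text):
    """Map (resource, action) -> identifiers of users/groups on that policy."""
    held = {}
    for pol in ET.fromstring(xml_text).iter("policy"):
        key = (pol.get("resource"), pol.get("action"))
        ids = {e.get("identifier") for e in pol if e.tag in ("user", "group")}
        held.setdefault(key, set()).update(ids)
    return held

def audit(xml_text, identifier, required=ADMIN_POLICIES):
    """Return (orphaned, missing).

    orphaned: required policies that no user or group holds at all.
    missing:  required policies `identifier` is not directly assigned to
              (group membership is not resolved here).
    """
    held = holders(xml_text)
    orphaned = [p for p in required if not held.get(p)]
    missing = [p for p in required if identifier not in held.get(p, set())]
    return orphaned, missing

if __name__ == "__main__":
    orphaned, missing = audit(SAMPLE, "u-admin")
    for resource, action in orphaned:
        print(f"LOCK-OUT RISK: no user or group holds {action} on {resource}")
    for resource, action in missing:
        print(f"u-admin lacks {action} on {resource}")
```

An empty `orphaned` list means at least one identity can still edit each of the listed policies; a non-empty one matches the state where the file has to be deleted or hand-edited as described in the thread.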
