Hi Matt,

Thanks for filing the ticket for this issue. I hope it would help to find the solution soon.

I feel that when there is only one user with that policy, they should not be able to remove any access policy. I would suggest showing an alert dialog or disabling the remove icon when they delete access policies for some times, or changing its admin behavior.

Thanks,
Matheswaran. S

On Tue, Jun 27, 2017 at 10:45 PM, Matt Gilman <[email protected]> wrote:

> Matheswaran,
>
> Here is the JIRA [1] for the discussed improvement.
>
> Thanks
>
> Matt
>
> [1] https://issues.apache.org/jira/browse/NIFI-4134
>
> On Tue, Jun 27, 2017 at 8:31 AM, Matt Gilman <[email protected]>
> wrote:
>
>> Matheswaran,
>>
>> The Initial Admin grants the user with that identity the required
>> permissions to administer that instance including adding/updating/removing
>> users, groups, and policies. The policies are granted at a resource level.
>> This means that you can introduce new administrators at a Process Group level
>> if you desire. The Initial Admin is not considered a special user. If they
>> add another user and assign that user to the same policies, the new user
>> will have equivalent permissions.
>>
>> That said, I think it may make sense to prevent a user from removing
>> themselves from the global/top level admin policies. I'll file a JIRA to
>> this effect later today.
>>
>> I saw your other email and SO post. If you don't have
>> users/groups/policies that you had previously set up, you can just delete
>> your <NIFI_HOME>/conf/authorizations.xml and restart. The Initial Admin
>> policies will be restored. If you do have other users/groups/policies that
>> you don't want to lose, I can help you restore the lost permissions by hand
>> editing the authorizations.xml. Just let me know.
>>
>> Thanks.
>>
>> Matt
>>
>> On Tue, Jun 27, 2017 at 6:53 AM, mathes waran <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> I am using nifi -1.2.0, with Kerberos authentication enabled. I set the admin
>>> user in the Initial Admin Identity property of the authorizers.xml file. By
>>> default, the admin has full permission in NiFi. But the admin is able to delete
>>> his own permission.
>>>
>>> Once the access policy is removed for the admin user, policies cannot be
>>> set for any other users by the admin. This behaviour looks odd. The policy for
>>> the admin should not be removed in any case, as we set the admin user in the
>>> authorizers.xml file.
>>>
>>> Why shouldn't NiFi restrict policy removal for the admin user? Is there
>>> any need to delete permission for the admin user itself?
>>>
>>> Help me to understand the security flow.
>>>
>>> Please let me know if you have any queries,
>>>
>>> Thanks,
>>> Matheswaran. S
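
The guard discussed in the thread above (not letting the last holder remove themselves from the global admin policies) can be checked offline against a copy of authorizations.xml. This is an added example, not part of the thread and not NiFi's own code; the sample file, its placeholder identifiers, the policy/user/group element layout, and the choice of `/policies` and `/tenants` as the admin resources are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed policy/user layout of authorizations.xml;
# identifiers are placeholders, not values from the thread.
SAMPLE = """<authorizations>
  <policies>
    <policy identifier="p1" resource="/policies" action="W">
      <user identifier="admin-id"/>
    </policy>
    <policy identifier="p2" resource="/tenants" action="W">
      <user identifier="admin-id"/>
      <user identifier="ops-id"/>
    </policy>
    <policy identifier="p3" resource="/flow" action="R">
      <user identifier="admin-id"/>
    </policy>
    <policy identifier="p4" resource="/tenants" action="R"/>
  </policies>
</authorizations>"""

# Assumption: resources treated as the global admin policies for this check.
ADMIN_RESOURCES = frozenset({"/policies", "/tenants"})

def _members(policy):
    users = {u.get("identifier") for u in policy.findall("user")}
    groups = {g.get("identifier") for g in policy.findall("group")}
    return users, groups

def lockout_risks(xml_text, user_id, admin_resources=ADMIN_RESOURCES):
    """(resource, action) pairs where removing user_id empties an admin policy."""
    risks = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        users, groups = _members(policy)
        # A group still counts as a holder here, although it may itself be
        # empty; group membership is not resolved by this check.
        if (policy.get("resource") in admin_resources
                and users == {user_id} and not groups):
            risks.append((policy.get("resource"), policy.get("action")))
    return sorted(risks)

def unheld_admin_policies(xml_text, admin_resources=ADMIN_RESOURCES):
    """Admin policies present in the file that have no user or group at all."""
    empty = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        users, groups = _members(policy)
        if policy.get("resource") in admin_resources and not users and not groups:
            empty.append((policy.get("resource"), policy.get("action")))
    return sorted(empty)
```

Running `lockout_risks` before a policy change shows which removals would leave nobody able to administer policies; `unheld_admin_policies` flags a file that is already in that state.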
