The special permission for "Can manage buckets - Read" equates to "Read all buckets" [1].
I agree we should probably make it clearer in the docs about what a nifi node needs. It is handled for you if you specify the node identities in registry's authorizers.xml during initial start up.

[1] https://nifi.apache.org/docs/nifi-registry-docs/html/user-guide.html#special-privileges

On Thu, Sep 16, 2021 at 9:59 AM Shawn Weeks <swe...@weeksconsulting.us> wrote:
>
> We should probably update the documentation to spell out exactly what
> permissions must be given to the NiFi host itself in Registry. There is no
> READ special permission that I can assign the NiFi host for all buckets and I
> didn't realize why it had to have READ on each bucket until you mentioned the
> PG Status.
>
> Thanks
> Shawn
>
> -----Original Message-----
> From: Bryan Bende <bbe...@gmail.com>
> Sent: Thursday, September 16, 2021 8:20 AM
> To: users@nifi.apache.org
> Subject: Re: NiFi Read Only Registry Access
>
> Hello,
>
> The correct approach should be # 1, removing the write and delete proxy
> permissions so that no write or delete operations can be sent from the given
> nifi instance.
>
> The NiFi node users should only have READ on the special permissions bucket
> to be able to read all buckets. This is because the status of each PG is
> calculated in a background thread in NiFi where the request is being made to
> registry as the NiFi user itself (no proxying of an end user) to retrieve the
> latest version of the flow.
>
> The special permissions take precedence over the specific bucket permissions,
> so even if bucket1 has a policy that only user1 has READ, the NiFi User will
> still have READ access if it has the special permissions READ for buckets.
>
> I'm not sure I totally follow your # 2, but overall I don't think there is a
> way to make a whole nifi instance only be able to write to a specific bucket.
> It would require moving the proxy concept from top-level to bucket-level so
> that you could specify that a given NiFi node user can only proxy WRITE and
> DELETE to this specific bucket.
>
> -Bryan
>
>
> On Wed, Sep 15, 2021 at 5:30 PM Shawn Weeks <swe...@weeksconsulting.us> wrote:
> >
> > Hi, I'm trying to configure NiFi Registry (1.14.0) so that some NiFi
> > (1.14.0) instances are only able to pull versions and not push them. The
> > behavior I ran into was not as intuitive as I'd have liked.
> >
> > Here is what I tried.
> >
> > 1. Remove Write and Delete permission from NiFi Proxy User. This causes an
> >    error to be raised when you try and commit a version from that cluster
> >    about the proxy user not having permission.
> > 2. Removed Write and Delete from NiFi User on the bucket but left write and
> >    delete on the proxy user. This caused the versioned process group to
> >    switch to a question mark and not allow any further interaction except
> >    stop version control.
> >
> > Number 1 works by preventing any writes, however what if I want to limit
> > write at the bucket level, not at the cluster level. Number 2 seems bug-like
> > since I'd expect an exception to pop up or the commit option to be greyed
> > out instead of leaving the process group in a stuck state.
> >
> > Or maybe I'm just being dumb and trying to do this the wrong way, does
> > anyone have a suggestion?
> >
> > Thanks
> >
> > Shawn