Thanks, Bryan and Andy. I initially tried to start up nifi with the old flow, but some of the script code was broken in the new NiFi. I was getting exceptions due to API changes. Since I wanted to isolate the security, I removed the old flows and was eventually able to log in. Should I try again with the old flows even though they contain compile errors?

I did look at the help pages, but I could not activate group, and I did not see a way to add

This nifi-app.log is perhaps not what you are looking for. The last time I started nifi, I was trying to do it with security disabled after having added our custom flows, then my attempt to get in from http. All I did to disable security was to revert all the security properties in nifi.properties to their default state.

nifi-app.log <http://apache-nifi-developer-list.39713.n7.nabble.com/file/n13294/nifi-app.log>

Bryan Bende wrote:
> Hi Ben,
>
> In addition to what Andy said... did you also copy the flow.xml.gz from a
> previous instance, or were you starting with a new instance and just
> copying over the users?
>
> If you were only bringing over the users and no flow, then I think this is
> behaving as expected... The policies in the admin guide for DFM are:
>
> 1) view the UI (READ on /flow)
> 2) view the controller (READ on /controller)
> 3) modify the controller (WRITE on /controller)
> 4) view system diagnostics (READ on /system)
> 5) view the dataflow (READ on /process-groups/<root-group-id>)
> 6) modify the dataflow (WRITE on /process-groups/<root-group-id>)
> 7) view the data (READ on /data/process-groups/<root-group-id>)
> 8) modify the data (WRITE on /data/process-groups/<root-group-id>)
>
> In your example the first four were created, but the last four were not.
> The last four are dependent on knowing a consistent root group id which it
> doesn't know in a brand new instance, but if you copied over the previous
> flow.xml.gz I believe it should have created those.
>
> In the state you are in with a brand new flow, you have to create a policy
> on the root group for your user. You can do that from the lock icon in the
> palette on the left. Once you have created a policy for "view component"
> and "modify the component" for the root group, and added your user to both,
> you should see the toolbar enabled.
>
> Let us know if this helps, or if there are still other challenges.
>
> -Bryan
>
> On Thu, Sep 8, 2016 at 5:50 PM, Andy LoPresto <alopresto@> wrote:
>
>> Hi Ben,
>>
>> Sorry to hear you are having trouble with the new security authorizer. I
>> understand this is a big change and it is frustrating when it does not work
>> as expected.
>>
>> I am surprised to hear that the legacy migration did not create policies
>> for the DFM role that you previously had. Could you please provide the
>> logs/nifi-app.log (with sensitive data sanitized) to help us understand if
>> this is a bug?
>>
>> As for adding users and policies through the NiFi UI, there are
>> instructions here [1] and Bryan Bende has written a helpful blog post about
>> this as well [2]. You can add users and then add global or component-level
>> (i.e. access to a single process group or processor) access policies for
>> those users.
>>
>> Please let us know if this is still not clear or if you encounter other
>> challenges.
>>
>> [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies
>> [2] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
>>
>> Andy LoPresto
>> alopresto@
>> alopresto.apache@
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>>
>> On Sep 8, 2016, at 1:27 PM, Michaud, Ben A <ben_michaud@> wrote:
>>
>>> Greetings.
>>>
>>> I have been trying to use the new release of NiFi today, and am frankly at
>>> a dead end. I can't use it with security enabled.
>>>
>>> We have been using 0.6.1, 0.7, and 0.8 recently, so I followed the
>>> recommendations of using the existing authorized-users.xml file to migrate
>>> to the new model. This process did allow me to log in, but did not give me
>>> any write access from the old DFM role. In fact, it did not even create all
>>> of the authorizations mentioned here
>>> (http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup).
>>> It only created write policies for the following:
>>>
>>> - Controller
>>> - Tenants
>>> - Policies
>>> - Site-to-site
>>>
>>> Thus, even though I had ADMIN, DFM, and PROVENANCE before, it looks like I
>>> was only given admin rights.
>>>
>>> Furthermore, when I accessed the UI, I wanted to add groups and policies,
>>> but I can't for the life of me figure out how I'm supposed to do this. It
>>> seems like I can only add users to existing policies in the "Access
>>> Policies" dialog or add users in general on the "NiFi Users" dialog. Since
>>> I am not supposed to manually edit these files, I am not sure how I am
>>> supposed to fix this.
>>>
>>> Any help in this regard would be greatly appreciated.
>>>
>>> Here is the original authorized-users.xml snippet with my roles:
>>> (NB: I have removed other users from the listings below. I was the second
>>> user out of six.)
>>>
>>> $ cat authorized-users.xml
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <users>
>>>   <user dn="EMAILADDRESS=ben_mich...@optum.com, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com">
>>>     <role name="ROLE_DFM"/>
>>>     <role name="ROLE_ADMIN"/>
>>>     <role name="ROLE_PROVENANCE"/>
>>>   </user>
>>> </users>
>>>
>>> Here is the resulting users.xml:
>>> $ cat users.xml
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <tenants>
>>>   <groups/>
>>>   <users>
>>>     <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8" identity="EMAILADDRESS=ben_michaud@, CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com"/>
>>>   </users>
>>> </tenants>
>>>
>>> Here is the resulting authorizations.xml:
>>> $ cat authorizations.xml
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>> <authorizations>
>>>   <policies>
>>>     <policy identifier="eb862c3a-2fe8-34e9-9c0f-80baa7efff39" resource="/system" action="R">
>>>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>>>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>>>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>>>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>       <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>>>     </policy>
>>>     <policy identifier="990eecb1-f8d1-328e-9c99-10ff405ab947" resource="/controller" action="W">
>>>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>>>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>>>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>>>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>     </policy>
>>>     <policy identifier="06d26c63-7897-3631-9b36-c4f417db3bf8" resource="/flow" action="R">
>>>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>>>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>>>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>>>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>       <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>>>     </policy>
>>>     <policy identifier="0e057dc6-6ce6-354b-b713-503a7ccb0c08" resource="/controller" action="R">
>>>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>>>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>>>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>>>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>       <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>>>     </policy>
>>>     <policy identifier="85677cad-82db-31fd-a2fb-e2205b7ece3b" resource="/policies" action="R">
>>>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>>>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>>>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>     </policy>
>>>     <policy identifier="8eb2c570-fb57-39fe-b1c3-afeb03c37f70" resource="/tenants" action="W">
>>>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>>>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>>>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>     </policy>
>>>     <policy identifier="b835d4ed-8fcb-36e0-ae54-617a0fb07039" resource="/tenants" action="R">
>>>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>>>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>>>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>     </policy>
>>>     <policy identifier="1fd242e6-f1af-3d6d-84ec-bb27c9b848e8" resource="/policies" action="W">
>>>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>>>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>>>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>     </policy>
>>>     <policy identifier="49208654-71b3-37e9-a68f-7814015c1108" resource="/provenance" action="R">
>>>       <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>>>       <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>>>       <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>>>       <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>     </policy>
>>>     <policy identifier="3643173c-47b4-3186-aeeb-9e901ed139b1" resource="/site-to-site" action="W">
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>     </policy>
>>>     <policy identifier="e40617ff-84e1-31db-b5c7-9a219439acb2" resource="/site-to-site" action="R">
>>>       <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>>>     </policy>
>>>   </policies>
>>> </authorizations>
>>>
>>> Regards,
>>> Ben Michaud

Sent from the Apache NiFi Developer List mailing list archive at Nabble.com: http://apache-nifi-developer-list.39713.n7.nabble.com/Questions-regarding-security-set-up-in-NiFi-1-0-0-tp13288p13294.html
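An added example, not code from the thread or from the NiFi project: a small Python check that reads users.xml and authorizations.xml in the layout shown above and reports which of the eight DFM policies Bryan lists are not granted directly to a given identity. The two sample files, the identifiers and the root group id are constructed for the example (on a real instance the root group id comes from flow.xml.gz), and the check only follows direct user membership of a policy, not group membership.

```python
"""Report which admin-guide DFM policies a NiFi 1.0 user is missing.

Reads the users.xml / authorizations.xml format from the thread and compares
the policies that list a user against the eight (resource, action) pairs the
admin guide requires for a data flow manager.
"""
import xml.etree.ElementTree as ET

# Constructed sample users.xml (identifiers and identities are made up).
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
  <groups/>
  <users>
    <user identifier="user-0001" identity="CN=dfm-user, OU=example"/>
    <user identifier="user-0002" identity="CN=other-user, OU=example"/>
  </users>
</tenants>
"""

# Constructed sample authorizations.xml: only the four global policies the
# legacy migration created in the thread, none for the root process group.
AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="p-1" resource="/flow" action="R">
      <user identifier="user-0001"/>
    </policy>
    <policy identifier="p-2" resource="/controller" action="R">
      <user identifier="user-0001"/>
    </policy>
    <policy identifier="p-3" resource="/controller" action="W">
      <user identifier="user-0001"/>
    </policy>
    <policy identifier="p-4" resource="/system" action="R">
      <user identifier="user-0001"/>
    </policy>
    <policy identifier="p-5" resource="/tenants" action="W">
      <user identifier="user-0001"/>
    </policy>
  </policies>
</authorizations>
"""


def dfm_policies(root_group_id):
    """The eight (resource, action) pairs the admin guide lists for DFM."""
    pg = "/process-groups/" + root_group_id
    return [
        ("/flow", "R"),
        ("/controller", "R"),
        ("/controller", "W"),
        ("/system", "R"),
        (pg, "R"),
        (pg, "W"),
        ("/data" + pg, "R"),
        ("/data" + pg, "W"),
    ]


def user_identifier(users_xml, identity):
    """Map an identity string (the DN) to its tenant identifier, or None."""
    root = ET.fromstring(users_xml.encode("utf-8"))
    for user in root.iter("user"):
        if user.get("identity") == identity:
            return user.get("identifier")
    return None


def granted(authorizations_xml, user_id):
    """(resource, action) pairs of every policy that lists the user directly."""
    root = ET.fromstring(authorizations_xml.encode("utf-8"))
    pairs = set()
    for policy in root.iter("policy"):
        # Only direct <user> children are checked; <group> members are not expanded.
        if any(u.get("identifier") == user_id for u in policy.findall("user")):
            pairs.add((policy.get("resource"), policy.get("action")))
    return pairs


def missing_dfm_policies(users_xml, authorizations_xml, identity, root_group_id):
    """DFM policies the identity does not hold, in admin-guide order."""
    uid = user_identifier(users_xml, identity)
    if uid is None:
        raise ValueError("identity not present in users.xml: " + identity)
    have = granted(authorizations_xml, uid)
    return [pair for pair in dfm_policies(root_group_id) if pair not in have]


if __name__ == "__main__":
    # "rg-1" stands in for the root group id read from flow.xml.gz.
    for resource, action in missing_dfm_policies(
            USERS_XML, AUTHORIZATIONS_XML, "CN=dfm-user, OU=example", "rg-1"):
        print("missing:", action, resource)
```

Run against the constructed files, the check reports exactly the four root-group policies (read and write on /process-groups/rg-1 and /data/process-groups/rg-1), which matches Bryan's observation that the migration created the first four policies but not the last four. Pointing `USERS_XML` and `AUTHORIZATIONS_XML` at the real files and supplying the root group id from flow.xml.gz turns it into a quick post-migration audit.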