Andre, I have not fully digested the wiki page yet, but just thinking about the current model, would using groups work?
You would create a group in NiFi like "MiNiFi Agents" or whatever, create users for each DN of the MiNiFi agents and put those users in this group (I suppose this part is annoying but maybe could be scripted?). Then you just need to create a global policy for "retrieve site-to-site details" and add the "MiNiFi Agents" group, then create a policy on the Input Port for "receive data via site-to-site" and also add the "MiNiFi Agents" group.

Are you trying to avoid having to define a user for each MiNiFi?

-Bryan

On Wed, Dec 7, 2016 at 1:22 AM, Andre <[email protected]> wrote:

> Devs,
>
> Following up on this message I posted on Users, I have raised the following
> Feature Proposal so we can cater for controlled access of MiNiFi agents
> using exist, without creating too much overhead around access policy
> management.
>
> https://cwiki.apache.org/confluence/display/NIFI/Feature+proposal+-+Trust+based+MiNiFi+identification+and+authorization
>
> While the primary use is MiNiFi, to a certain extent the feature suggestion
> is VERY similar to the anonymous roles we granted via
> "nifi.security.anonymous.authorities" back in the olden days of 0.x
> (albeit a bit more granular).
>
> Any thoughts?
>
> Cheers
>
> ---------- Forwarded message ----------
> From: Andre <[email protected]>
> Date: Wed, Dec 7, 2016 at 8:40 AM
> Subject: Large scale Secure MiNiFi deployments
> To: [email protected]
>
> All,
>
> Is anyone else using a large number of MiNiFi agents together with secure
> Site to Site?
>
> How are you managing the authorization policy so that MiNiFi agents can
> connect to the remote process groups ports?
>
> Cheers
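The group-based setup described in the reply above (one user per agent DN, one group, two group policies), scripted as an added example that is not part of the thread or of the NiFi project. The REST paths, entity shape and resource strings are assumptions based on the NiFi 1.x REST API and should be checked against the deployed version; `provision`, `make_post`, `dry_run_post` and the certificate paths are hypothetical names, and the script assumes neither the group nor the two policies exist yet.

```python
import json, ssl, urllib.request

def entity(component):
    # Assumed NiFi convention: new components are wrapped with revision version 0.
    return {"revision": {"version": 0}, "component": component}

def provision(agent_dns, input_port_id, post, group_name="MiNiFi Agents"):
    """Create one user per agent DN, one group, and the two group policies.
    `post(path, body)` sends JSON to the NiFi REST API and returns the parsed reply."""
    # De-duplicate DNs (order preserved) and skip blanks so each agent is created once.
    dns = list(dict.fromkeys(dn.strip() for dn in agent_dns if dn.strip()))
    user_ids = [post("/tenants/users", entity({"identity": dn}))["id"] for dn in dns]
    group_id = post("/tenants/user-groups", entity(
        {"identity": group_name, "users": [{"id": u} for u in user_ids]}))["id"]
    # "retrieve site-to-site details" (global) and
    # "receive data via site-to-site" (on the one input port only).
    grants = [("/site-to-site", "read"),
              (f"/data-transfer/input-ports/{input_port_id}", "write")]
    for resource, action in grants:
        post("/policies", entity({"resource": resource, "action": action,
                                  "userGroups": [{"id": group_id}]}))
    return {"group_id": group_id, "user_ids": user_ids, "grants": grants}

def make_post(base_url, cert_file, key_file, ca_file):
    """Real sender: authenticates with an admin client certificate (placeholder paths)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    def post(path, body):
        req = urllib.request.Request(base_url + "/nifi-api" + path,
                                     data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"},
                                     method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return post

def dry_run_post(log):
    """Offline stand-in: records each request and returns a constructed id."""
    def post(path, body):
        log.append((path, body))
        return {"id": f"constructed-id-{len(log)}"}
    return post
```

Running `provision` with `dry_run_post` first shows exactly which identities and grants would be created before anything is sent to a live instance.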
