Hi Fredrik and Bryan,

I agree these changes would be fairly straightforward to make and could 
simplify deployment in some environments.

I'll also add that while we look into this, in the meantime a workaround would 
be to continue to use the Initial Admin user, and have an automated 
step in your deployment/configuration that uses that admin to script 
interaction with the REST API [1] to add the desired LDAP group to the admin 
access policies using the /tenants and /policies endpoints, i.e.:

GET /tenants/users   # call this and determine the identifier for the admin identity
GET /tenants/users/{adminIdentifier}   # access policies is a list at component.accessPolicies in the resulting JSON

for each policy:
    # add the user group identifier to the policy's userGroups list
    PUT /policies/{id}  # write the updated policy back to the server

That would save the step of having to do this in the UI. I agree it would 
simplify things and save this unnecessary scripting to add something like 
Initial Group Admin Identity to the configuration XML.

[1] https://nifi.apache.org/docs/nifi-docs/rest-api/index.html 

Cheers,
Kevin
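
The workaround outlined above, written out as an added example (not part of the original e-mail and not NiFi project code). The `call` transport hook, the in-memory stand-in server, the JSON field layout and the extra `GET /policies/{id}` used to fetch the full policy before the `PUT` are assumptions; the sample identities are constructed.

```python
def grant_group_admin_policies(call, admin_identity, group_id):
    """Add group_id to each policy the initial admin holds; return changed ids.

    call(method, path, body=None) -> parsed JSON is a hypothetical transport hook;
    the JSON shapes used here are assumptions about the REST API responses."""
    users = call("GET", "/tenants/users")["users"]
    matches = [u for u in users if u["component"]["identity"] == admin_identity]
    if len(matches) != 1:  # refuse to guess which identity is the admin
        raise LookupError(f"expected one user {admin_identity!r}, found {len(matches)}")
    admin = call("GET", f"/tenants/users/{matches[0]['id']}")
    changed = []
    for summary in admin["component"]["accessPolicies"]:
        policy = call("GET", f"/policies/{summary['id']}")  # full entity + revision
        groups = policy["component"].setdefault("userGroups", [])
        if any(g["id"] == group_id for g in groups):
            continue  # already granted: keeps re-runs idempotent
        groups.append({"id": group_id})
        call("PUT", f"/policies/{policy['id']}", policy)  # revision sent back as read
        changed.append(policy["id"])
    return changed


def make_fake_nifi():
    """Constructed in-memory stand-in for the REST API, for the demo only."""
    policies = {
        "p1": {"id": "p1", "revision": {"version": 0},
               "component": {"id": "p1", "resource": "/flow", "action": "read",
                             "users": [{"id": "u1"}], "userGroups": []}},
        "p2": {"id": "p2", "revision": {"version": 3},
               "component": {"id": "p2", "resource": "/policies", "action": "write",
                             "users": [{"id": "u1"}], "userGroups": [{"id": "g1"}]}},
    }
    admin = {"id": "u1", "component": {"identity": "CN=admin, OU=NiFi",
             "accessPolicies": [{"id": "p1"}, {"id": "p2"}]}}

    def call(method, path, body=None):
        if path == "/tenants/users":
            return {"users": [admin]}
        if path == "/tenants/users/u1":
            return admin
        pid = path.rsplit("/", 1)[1]
        if method == "PUT":
            policies[pid] = body
        return policies[pid]
    return call, policies


if __name__ == "__main__":
    print(grant_group_admin_policies(make_fake_nifi()[0], "CN=admin, OU=NiFi", "g1"))
```

The admin identity is matched exactly as a whole string, so a DN containing commas is handled as one user, and a second run changes nothing because policies that already list the group are skipped.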

On 10/20/17, 09:28, "Bryan Bende" <bbe...@gmail.com> wrote:

    Hi Fredrik,
    
    These are some good ideas.
    
    If we did support multiple initial admins, I would suggest it be done
    through multiple elements, rather than a comma-separated list since
    commas are part of a DN which could be a single user.
    
    We already support this pattern in the new user group provider:
    
    <property name="Initial User Identity 1"></property>
    <property name="Initial User Identity 2"></property>
    <property name="Initial User Identity 3"></property>
    
    Down in the policy provider we currently only support a single
    property called "Initial Admin", but that could possibly be:
    
    <property name="Initial Admin Identity 1"></property>
    <property name="Initial Admin Identity 2"></property>
    <property name="Initial Admin Identity 3"></property>
    
    I would think groups could be done similarly by providing a group to
    the user group provider and then declaring that group to be an admin,
    possibly:
    
    <property name="Initial User Group Identity 1"></property>
    
    and
    
    <property name="Initial Group Admin Identity 1"></property>
    
    -Bryan
    
    
    On Thu, Oct 19, 2017 at 10:56 AM, Fredrik Skolmli <fred...@skolmli.no> wrote:
    > Hi all.
    >
    > With the ability to populate NiFi with users and groups from LDAP (as of
    > 1.4.0(?)), I'm running into a few tasks that could be avoided or improved.
    >
    > I would like to specify a group as the initial admin identity instead of a
    > single user, enabling the group members to log in and do the initial setup
    > of new NiFi instances.
    >
    > Another option, as a quickfix, would be to allow the initial admin identity
    > property to be a comma-separated value (i.e. "admin1,admin2").
    >
    > The latter would be a rather small patch to implement, but I would
    > appreciate some feedback from the community on what the best and most reliable
    > approach would be. Or if both would be considered.
    >
    > ..or are there any other ideas on the roadmap to solve this that I haven't
    > found in JIRA or thought of myself?
    >
    > Thanks.
    >
    > BR,
    > Fredrik
    

