Re: Policies for root Process Group.

Mon, 26 Feb 2018 11:01:00 -0800 

Daniel,

The policy should use the UUID of the root Process Group.

If your seeding the authorizations.xml as part of your initial start-up,
these policies will be automatically applied to your initial admin if there
is an existing flow.xml.gz. If there is no flow.xml.gz, you'll need to
define these policies manually after starting up. You can see these
endpoints in action if you open your browser's Developer Tools and you
perform these actions in the UI. You should be able to update your client
following these examples.

Matt

On Mon, Feb 26, 2018 at 11:35 AM, Daniel Hernandez <
daniel.hernan...@civitaslearning.com> wrote:

> Hi,
>
> I am currently working on calling the Nifi REST API to get the 'root'
> process group and setting it as parent for a new process-group.
>
> However I am getting the next messages:
>
> Attempting GET request to: JerseyWebTarget {
> https://127.0.0.1:8443/nifi-api/process-groups/root }
> 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
> c.c.p.n.c.i.b.BootApiClient              :
> 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
> c.c.p.n.c.i.b.BootApiClient              : Received 403 response from GET
> to JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root }
>
> com.civitaslearning.platform.nifi.client.invoker.boot.exception.
> NifiForbiddenException:
> No applicable policies could be found. Contact the system administrator.
>
> This is the content of my authorizations.xml file:
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>
> <authorizations>
>
>     <policies>
>
>         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> resource="/flow" action="R">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> resource="/restricted-components" action="W">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> resource="/tenants" action="R">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> resource="/tenants" action="W">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> resource="/policies" action="R">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> resource="/policies" action="W">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> resource="/controller" action="R">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> resource="/controller" action="W">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>         <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006"
> resource="/process-groups/root" action="R">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>         <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68"
> resource="/process-groups/root" action="W">
>
>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>
>         </policy>
>
>     </policies>
>
> </authorizations>
>
> And this is the content of authorizations.xml
>
> <authorizers>
>
> <accessPolicyProvider>
>
>         <identifier>file-access-policy-provider</identifier>
>
>
> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
>
>         <property name="User Group
> Provider">file-user-group-provider</property>
>
>         <property name="Authorizations
> File">./conf/authorizations.xml</property>
>
>         <property name="Initial Admin Identity">CN=civitas,
> OU=ApacheNifi</property>
>
>         <property name="Legacy Authorized Users File"></property>
>
>
>         <property name="Node Identity 1"></property>
>
>     </accessPolicyProvider>
>
> <authorizer>
>
>         <identifier>managed-authorizer</identifier>
>
>
> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
>
>         <property name="Access Policy
> Provider">file-access-policy-provider</property>
>
>     </authorizer>
>
> </authorizers>
>
>
> And users.xml
>
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>
> <tenants>
>
>     <groups/>
>
>     <users>
>
>         <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"
> identity="CN=civitas, OU=ApacheNifi"/>
>
>     </users>
>
> </tenants>
>
> I already create a policy using the same user cert so I guess the DN is
> valid.
> Am I defining the policy or making the call in a wrong way?
>
> Thanks in advance,
>
> Daniel Hernandez
>

Reply via email to