Bryan,

Ok, thanks. Now, the issue is when there is no flow established yet. In
that case, FileAccessPolicyProvider.populateInitialAdmin will not find the
rootGroupId; it doesn't exist yet in cases where there is no flow.xml.gz on
startup. So, component access policies cannot be created.

The flow.xml.gz is initially created in StandardFlowService.load(DataFlow).
Here, the rootGroupId is known (or can be derived from the controller.)
However, at this point, there is no access to the FileAccessPolicyProvider
which is required to update the policies. Hence, the problem of not
completing the authorizations (i.e. component policies) for an Initial
Admin User.

Do you have suggestions on how to access the FileAccessPolicyProvider (or
more generally a ConfigurableAccessPolicyProvider)?

Thanks again,
Mark



On Tue, Apr 2, 2019 at 10:35 PM Bryan Bende <bbe...@gmail.com> wrote:

> The initial admin policies are created here:
>
>
> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/src/main/java/org/apache/nifi/authorization/FileAccessPolicyProvider.java#L595
>
> You can see where it will create the root group policies if rootGroupId is
> not null.
>
> The rootGroupId comes from the parseFlow() method above which tries to
> read the flow.xml.gz from disk, using the location from nifi.properties.
>
>
> > On Apr 2, 2019, at 9:57 PM, Mark Bean <mark.o.b...@gmail.com> wrote:
> >
> > When NiFi is started for the first time, the Component Access Policies are
> > not populated even for the Initial Admin or for legacy DFM_ROLE users in
> > authorized-users.xml file. That is, not unless a flow.xml.gz file exists.
> > The fact that the admin user does not have access to these policies has led
> > to confusion for a great number of users.
> >
> > I believe this came up before and an explanation was given that since the
> > flow.xml.gz does not yet exist (nor the root process group's UUID), the
> > Component Access Policies cannot be created. However, I have to believe
> > there is a mechanism that can be employed to return to policy generation
> > after the flow.xml.gz is created.
> >
> > Can someone provide some pointers to where in the code I can look to see
> > where the Global Policies are initially created and/or where Component
> > Policies are created when migrating with an existing flow.xml.gz?
> >
> > Thanks,
> > Mark
>
>
