I think you are right, it looks like in FlowParser parseJson, the returned FlowInfo comes from this...
final VersionedProcessGroup rootGroup = dataflow.getRootGroup(); return new FlowInfo(rootGroup.getIdentifier(), ports); Which I think should be the instance identifier there. On Wed, Jul 13, 2022 at 11:57 AM Mark Bean <mark.o.b...@gmail.com> wrote: > > When starting NiFi for the first time using the managed-authorizer, NiFi > will put the Initial Admin Identity in certain Access Policies. However, it > only does this for Global Access Policies, and does not add this user to > any Component Access Policies, e.g. 'view/modify the component'. > > This has been frustrating, but as I understand it is unavoidable because > the UUID of the root process group has not yet been created (there is no > flow.xml.gz) at the time the policies are generated. > > However, I found that if a flow.xml.gz existed without a corresponding > authorizations.xml or users.xml, then the startup process would in fact > create the Component Access Policies and add the admin user to them. > > Now, with the introduction of flow.json.gz, the root process group has > both "identifier" and "instanceIdentifier" properties. The Component > Access Policies created on startup as described above reference the > "identifier" UUID, but the UI indicates the "instanceIdentifier" is the > proper UUID for the root process group. Therefore, the Component Access > Policies are ineffective as they reference an incorrect UUID value. > > Is generating the Component Access Policies in this way supported? > > If so, then I will submit a ticket for using the proper UUID value when > creating the policies. > > Thanks, > Mark