Andy LoPresto created NIFI-5470:
-----------------------------------

             Summary: Allow Initial Admin Identity to have full read/write access to new instance flow
                 Key: NIFI-5470
                 URL: https://issues.apache.org/jira/browse/NIFI-5470
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Core Framework, Security
    Affects Versions: 1.7.1
            Reporter: Andy LoPresto


As noted in the [Apache NiFi Admin Guide -- Initial Admin Identity|https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#initial-admin-identity],
when a user configures a new secure NiFi instance, they must populate an 
*Initial Admin Identity* in {{authorizers.xml}}. However, if this is a new 
instance, the IAI user does not have any access to the flow itself. 

{quote}
For a brand new secure flow, providing the "Initial Admin Identity" gives that 
user access to get into the UI and to manage users, groups and policies. But if 
that user wants to start modifying the flow, they need to grant themselves 
policies for the root process group. The system is unable to do this 
automatically because in a new flow the UUID of the root process group is not 
permanent until the flow.xml.gz is generated. If the NiFi instance is an 
upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure to 
secure, then the "Initial Admin Identity" user is automatically given the 
privileges to modify the flow.
{quote}

I believe there can be a workaround to determine the root process group UUID 
and grant the IAI user access automatically on startup. When starting a new 
instance, I can see the {{flow.xml.gz}} file persisted to disk with a generated 
root process group ID before granting the IAI user any additional permissions. 

Once the empty {{flow.xml.gz}} is persisted to disk and the root process group 
ID determined, the IAI user should be automatically granted write permissions 
to that group. 

{code}
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<flowController encoding-version="1.3">
  <maxTimerDrivenThreadCount>10</maxTimerDrivenThreadCount>
  <maxEventDrivenThreadCount>5</maxEventDrivenThreadCount>
  <registries/>
  <rootGroup>
    <id>de37762f-0164-1000-ca28-13cc9d45f41b</id>
    <name>NiFi Flow</name>
    <position x="0.0" y="0.0"/>
    <comment/>
  </rootGroup>
  <controllerServices/>
  <reportingTasks/>
</flowController>
{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
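
The lookup the issue proposes, as an added Python example that is not part of the original message or of NiFi's code: it reads the root process group ID from a persisted {{flow.xml.gz}} and derives the read and write policy entries the Initial Admin Identity would need. The function names, the sample identity, and the {{/process-groups/<id>}} resource with {{R}}/{{W}} actions are assumptions based on NiFi's file-based policy naming; the sample flow is constructed from the XML above.

```python
import gzip
import uuid
import xml.etree.ElementTree as ET

# Constructed sample: the empty flow shown in the issue, gzip-compressed
# the way NiFi persists flow.xml.gz.
SAMPLE_FLOW = gzip.compress(b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<flowController encoding-version="1.3">
  <registries/>
  <rootGroup>
    <id>de37762f-0164-1000-ca28-13cc9d45f41b</id>
    <name>NiFi Flow</name>
  </rootGroup>
  <controllerServices/>
  <reportingTasks/>
</flowController>
""")


def root_group_id(flow_gz: bytes) -> str:
    """Return the root process group UUID from gzip-compressed flow XML."""
    root = ET.fromstring(gzip.decompress(flow_gz))
    if root.tag != "flowController":
        raise ValueError("not a NiFi flow document")
    node = root.find("./rootGroup/id")
    if node is None or not (node.text or "").strip():
        raise ValueError("flow has no rootGroup/id; it may not be persisted yet")
    text = node.text.strip()
    # Accept only a canonical UUID so nothing else ends up in a policy resource.
    if str(uuid.UUID(text)) != text.lower():
        raise ValueError("rootGroup/id is not a canonical UUID")
    return text


def iai_flow_policies(flow_gz: bytes, identity: str) -> list:
    """Policies granting `identity` view (R) and modify (W) on the root group."""
    resource = "/process-groups/" + root_group_id(flow_gz)  # assumed resource form
    return [{"resource": resource, "action": action, "identity": identity}
            for action in ("R", "W")]


if __name__ == "__main__":
    # Hypothetical identity, for illustration only.
    for policy in iai_flow_policies(SAMPLE_FLOW, "CN=admin, OU=NiFi"):
        print(policy)
```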
