This sounds like a good idea to me.
Just to clarify how this would work, in the file-based policy provider
we'd have something like:
admin
cluster-nodes
During start up the "cluster-nodes" group gets granted permission to /proxy.
Then a separate piece of work would be to implement a
UserGroupProvider that knew about all the nodes in the cluster
(presumably from ZooKeeper?) and would internally create users for
those nodes and put them into the "cluster-nodes" group.
This way when nodes are added to the cluster they are automatically
picked up by the UserGroupProvider and automatically have the correct
permissions because of being in the Node Group.
If so, I think that sounds like a nice way to help with adding/removing nodes.
On Tue, Aug 21, 2018 at 10:18 AM, Andy Christianson wrote:
>
> Hi All,
>
> Currently FileAccessPolicyProvider supports specification of a static set of
> node identities. This is limiting in environments where the set of node
> identities is changing over time, for example during scale-up/down operations
> when NiFi is deployed to a clustering environment (e.g. Kubernetes).
>
> I have authored ticket NIFI-5542 [1] proposing a new "Node Group" property. All
> users added to this group will be treated as nodes. The group will be populated
> by a UserGroupProvider which dynamically provides the set of node identities
> that exist in the cluster. The UserGroupProvider will depend on the cluster
> environment NiFi is currently deployed to. In the future we may want to
> consider offering UserGroupProviders for a set of standard cluster
> environments, but that is out of scope for this initial change.
>
> How does the community feel about this proposed change? Is this a good way to
> add initial support for authorizing a dynamic set of NiFi nodes in a dynamic
> cluster environment?
>
> Regards,
>
> Andy I.C.
>
> 1: https://issues.apache.org/jira/browse/NIFI-5542?filter=-2
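As an added illustration (not from this thread or the NiFi project), here is how the static node list and the proposed "Node Group" approach would sit side by side in authorizers.xml. The cluster-aware UserGroupProvider class and its property are hypothetical placeholders, since the thread leaves that implementation as separate work, and the identity strings are constructed.

```xml
<!-- Added illustration: static node identities (before) vs. Node Group (after). -->
<authorizers>
    <!-- File-backed users and groups; the admin identity is constructed. -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
    </userGroupProvider>

    <!-- HYPOTHETICAL: the cluster-aware provider the thread leaves as separate work.
         It would discover node identities (e.g. from ZooKeeper), create a user for
         each and place them all in the "cluster-nodes" group. -->
    <userGroupProvider>
        <identifier>cluster-node-user-group-provider</identifier>
        <class>org.example.nifi.ClusterNodeUserGroupProvider</class> <!-- placeholder -->
        <property name="Node Group Name">cluster-nodes</property>     <!-- placeholder -->
    </userGroupProvider>

    <!-- Merge both sources so the policy provider sees the admin and the node group. -->
    <userGroupProvider>
        <identifier>composite-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">cluster-node-user-group-provider</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
        <!-- BEFORE: every node pinned by hand. Scaling means editing this file and
             restarting, and a stale entry keeps /proxy for a node that no longer exists.
        <property name="Node Identity 1">CN=nifi-node1, OU=NIFI</property>
        <property name="Node Identity 2">CN=nifi-node2, OU=NIFI</property>
        -->
        <!-- AFTER: /proxy is granted to the group at startup; membership is whatever
             the cluster-aware provider reports, so nodes join and leave without edits. -->
        <property name="Node Group">cluster-nodes</property>
    </accessPolicyProvider>

    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
```

The group named in "Node Group" must exist in the configured User Group Provider, which is why the file-backed and cluster-aware providers are combined through a composite provider here.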