Re: NiFi Read Only Registry Access
The special permission for "Can manage buckets - Read" equates to "Read all buckets" [1]. I agree we should probably make it clearer in the docs about what a nifi node needs. It is handled for you if you specify the node identities in registry's authorizers.xml during initial start up. [1] https://nifi.apache.org/docs/nifi-registry-docs/html/user-guide.html#special-privileges On Thu, Sep 16, 2021 at 9:59 AM Shawn Weeks wrote: > > We should probably update the documentation to spell out exactly what > permissions must be given to the NiFi host itself in Registry. There is no > READ special permission that I can assign the NiFi host for all buckets and I > didn't realize why it had to have READ on each bucket until you mentioned the > PG Status. > > Thanks > Shawn > > -Original Message- > From: Bryan Bende > Sent: Thursday, September 16, 2021 8:20 AM > To: users@nifi.apache.org > Subject: Re: NiFi Read Only Registry Access > > Hello, > > The correct approach should be # 1, removing the write and delete proxy > permissions so that no write or delete operations can be sent from the given > nifi instance. > > The NiFi node users should only have READ on the special permissions bucket > to be able to read all buckets. This is because the status of each PG is > calculated in a background thread in NiFi where the request is being made to > registry as the NiFi user itself (no proxying of an end user) to retrieve the > latest version of the flow. > > The special permissions take precedence over the specific bucket permissions, > so even if bucket1 has a policy that only user1 has READ, the NiFi User will > still have READ access if it has the special permissions READ for buckets. > > I'm not sure I totally follow your # 2, but overall I don't think there is a > way to make a whole nifi instance only be able to write to a specific bucket. > It would require moving the proxy concept from top-level to bucket-level so > that you could specify that a given NiFi node user can only proxy WRITE and > DELETE to this specific bucket. > > -Bryan > > > On Wed, Sep 15, 2021 at 5:30 PM Shawn Weeks wrote: > > > > Hi, I’m trying to configure NiFi Registry(1.14.0) so that some NiFi > > (1.14.0) instances are only able to pull versions and not push them. The > > behavior I ran into was not as intuitive as I’d have liked. > > > > > > > > Here is what I tried. > > > > Remove Write and Delete permission from NiFi Proxy User. This causes an > > error to raise when you try and commit a version from that cluster about > > the proxy user not having permission. > > Removed Write and Delete from NiFi User on the bucket but left write and > > delete on the proxy user. This caused the versioned process group to switch > > to a question mark and not allow any further interaction except stop > > version control. > > > > > > > > Number 1 works by preventing any writes however what if I want to limit > > write at the bucket level not at the cluster level. Number 2 seems bug-like > > since I’d expect an exception to popup or the commit option to be greyed > > out instead of leaving the process group in stuck state. > > > > > > > > Or maybe I’m just being dumb and trying to do this the wrong way, does > > anyone have a suggestion? > > > > > > > > > > > > Thanks > > > > Shawn
RE: NiFi Read Only Registry Access
We should probably update the documentation to spell out exactly what permissions must be given to the NiFi host itself in Registry. There is no READ special permission that I can assign the NiFi host for all buckets and I didn't realize why it had to have READ on each bucket until you mentioned the PG Status. Thanks Shawn -Original Message- From: Bryan Bende Sent: Thursday, September 16, 2021 8:20 AM To: users@nifi.apache.org Subject: Re: NiFi Read Only Registry Access Hello, The correct approach should be # 1, removing the write and delete proxy permissions so that no write or delete operations can be sent from the given nifi instance. The NiFi node users should only have READ on the special permissions bucket to be able to read all buckets. This is because the status of each PG is calculated in a background thread in NiFi where the request is being made to registry as the NiFi user itself (no proxying of an end user) to retrieve the latest version of the flow. The special permissions take precedence over the specific bucket permissions, so even if bucket1 has a policy that only user1 has READ, the NiFi User will still have READ access if it has the special permissions READ for buckets. I'm not sure I totally follow your # 2, but overall I don't think there is a way to make a whole nifi instance only be able to write to a specific bucket. It would require moving the proxy concept from top-level to bucket-level so that you could specify that a given NiFi node user can only proxy WRITE and DELETE to this specific bucket. -Bryan On Wed, Sep 15, 2021 at 5:30 PM Shawn Weeks wrote: > > Hi, I’m trying to configure NiFi Registry(1.14.0) so that some NiFi (1.14.0) > instances are only able to pull versions and not push them. The behavior I > ran into was not as intuitive as I’d have liked. > > > > Here is what I tried. > > Remove Write and Delete permission from NiFi Proxy User. This causes an error > to raise when you try and commit a version from that cluster about the proxy > user not having permission. > Removed Write and Delete from NiFi User on the bucket but left write and > delete on the proxy user. This caused the versioned process group to switch > to a question mark and not allow any further interaction except stop version > control. > > > > Number 1 works by preventing any writes however what if I want to limit write > at the bucket level not at the cluster level. Number 2 seems bug-like since > I’d expect an exception to popup or the commit option to be greyed out > instead of leaving the process group in stuck state. > > > > Or maybe I’m just being dumb and trying to do this the wrong way, does anyone > have a suggestion? > > > > > > Thanks > > Shawn
Re: NiFi Read Only Registry Access
Hello, The correct approach should be # 1, removing the write and delete proxy permissions so that no write or delete operations can be sent from the given nifi instance. The NiFi node users should only have READ on the special permissions bucket to be able to read all buckets. This is because the status of each PG is calculated in a background thread in NiFi where the request is being made to registry as the NiFi user itself (no proxying of an end user) to retrieve the latest version of the flow. The special permissions take precedence over the specific bucket permissions, so even if bucket1 has a policy that only user1 has READ, the NiFi User will still have READ access if it has the special permissions READ for buckets. I'm not sure I totally follow your # 2, but overall I don't think there is a way to make a whole nifi instance only be able to write to a specific bucket. It would require moving the proxy concept from top-level to bucket-level so that you could specify that a given NiFi node user can only proxy WRITE and DELETE to this specific bucket. -Bryan On Wed, Sep 15, 2021 at 5:30 PM Shawn Weeks wrote: > > Hi, I’m trying to configure NiFi Registry(1.14.0) so that some NiFi (1.14.0) > instances are only able to pull versions and not push them. The behavior I > ran into was not as intuitive as I’d have liked. > > > > Here is what I tried. > > Remove Write and Delete permission from NiFi Proxy User. This causes an error > to raise when you try and commit a version from that cluster about the proxy > user not having permission. > Removed Write and Delete from NiFi User on the bucket but left write and > delete on the proxy user. This caused the versioned process group to switch > to a question mark and not allow any further interaction except stop version > control. > > > > Number 1 works by preventing any writes however what if I want to limit write > at the bucket level not at the cluster level. Number 2 seems bug-like since > I’d expect an exception to popup or the commit option to be greyed out > instead of leaving the process group in stuck state. > > > > Or maybe I’m just being dumb and trying to do this the wrong way, does anyone > have a suggestion? > > > > > > Thanks > > Shawn