Multiple users or group as initial admin identity

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Multiple users or group as initial admin identity

Fredrik Skolmli
Hi all.

With the ability to populate NiFi with users and groups from LDAP (as of
1.4.0(?)), I'm running into a few tasks that could be avoided or improved.

I would like to specify a group as the initial admin identity instead of a
single user, enabling the group members to log in and do the initial setup
of new NiFi instances.

Another option, as a quickfix, would be to allow the initial admin identity
property to be a comma separated value (i.e. "admin1,admin2").

The latter would be a rather small patch to implement, but I would some
appreciate feedback from the community on what the best and most reliable
approach would be. Or if both would be considered.

..or are there any other ideas on the roadmap to solve this that I haven't
found in JIRA or thought of myself?

Thanks.

BR,
Fredrik
Reply | Threaded
Open this post in threaded view
|

Re: Multiple users or group as initial admin identity

Bryan Bende
Hi Fredrik,

These are some good ideas.

If we did support multiple initial admins, I would suggest it be done
through multiple elements, rather than a comma separate list since
commas are part of a DN which could be a single user.

We already support this patter in the new user group provider:

<property name="Initial User Identity 1"></property>
<property name="Initial User Identity 2"></property>
<property name="Initial User Identity 3"></property>

Down in the policy provider we currently only support a single
property called "Initial Admin", but that could possibly be:

<property name="Initial Admin Identity 1"></property>
<property name="Initial Admin Identity 2"></property>
<property name="Initial Admin Identity 3"></property>

I would think groups could be done similarly by providing a group to
the user group provider and then declaring that group to be an admin,
possibly:

<property name="Initial User Group Identity 1"></property>

and

<property name="Initial Group Admin Identity 1"></property>

-Bryan


On Thu, Oct 19, 2017 at 10:56 AM, Fredrik Skolmli <[hidden email]> wrote:

> Hi all.
>
> With the ability to populate NiFi with users and groups from LDAP (as of
> 1.4.0(?)), I'm running into a few tasks that could be avoided or improved.
>
> I would like to specify a group as the initial admin identity instead of a
> single user, enabling the group members to log in and do the initial setup
> of new NiFi instances.
>
> Another option, as a quickfix, would be to allow the initial admin identity
> property to be a comma separated value (i.e. "admin1,admin2").
>
> The latter would be a rather small patch to implement, but I would some
> appreciate feedback from the community on what the best and most reliable
> approach would be. Or if both would be considered.
>
> ..or are there any other ideas on the roadmap to solve this that I haven't
> found in JIRA or thought of myself?
>
> Thanks.
>
> BR,
> Fredrik
Reply | Threaded
Open this post in threaded view
|

Re: Multiple users or group as initial admin identity

Kevin Doran
Hi Fredrik and Bryan,

I agree these changes would be fairly straightforward to make and could simplify deployment in some environments.

I'll also add that while we look into this, in the meantime a workaround would be to continue to use the use the Initial Admin user, and have an automated step in your deployment/configuration that uses that admin to script interaction with the REST API [1] to add the desired LDAP  group to the admin access policies using the /tenants and /policies endpoints. I.E.:

GET /tenants/users   # call this and determine the identifier for the admin identity
GET /tenants/users/{adminIdentifier}   # access policies is a list at component.accessPolicies in the resulting json

for each policy:
    # add the user group identifier to the policy's userGroups list
    PUT /policies/{id}  # write the updated policy back to the server

That would save the step of having to do this in the UI. I agree it would simplify things and save this unnecessary scripting to add something like Initial Group Admin Identity to the configuration XML.

[1] https://nifi.apache.org/docs/nifi-docs/rest-api/index.html 

Cheers,
Kevin

On 10/20/17, 09:28, "Bryan Bende" <[hidden email]> wrote:

    Hi Fredrik,
   
    These are some good ideas.
   
    If we did support multiple initial admins, I would suggest it be done
    through multiple elements, rather than a comma separate list since
    commas are part of a DN which could be a single user.
   
    We already support this patter in the new user group provider:
   
    <property name="Initial User Identity 1"></property>
    <property name="Initial User Identity 2"></property>
    <property name="Initial User Identity 3"></property>
   
    Down in the policy provider we currently only support a single
    property called "Initial Admin", but that could possibly be:
   
    <property name="Initial Admin Identity 1"></property>
    <property name="Initial Admin Identity 2"></property>
    <property name="Initial Admin Identity 3"></property>
   
    I would think groups could be done similarly by providing a group to
    the user group provider and then declaring that group to be an admin,
    possibly:
   
    <property name="Initial User Group Identity 1"></property>
   
    and
   
    <property name="Initial Group Admin Identity 1"></property>
   
    -Bryan
   
   
    On Thu, Oct 19, 2017 at 10:56 AM, Fredrik Skolmli <[hidden email]> wrote:
    > Hi all.
    >
    > With the ability to populate NiFi with users and groups from LDAP (as of
    > 1.4.0(?)), I'm running into a few tasks that could be avoided or improved.
    >
    > I would like to specify a group as the initial admin identity instead of a
    > single user, enabling the group members to log in and do the initial setup
    > of new NiFi instances.
    >
    > Another option, as a quickfix, would be to allow the initial admin identity
    > property to be a comma separated value (i.e. "admin1,admin2").
    >
    > The latter would be a rather small patch to implement, but I would some
    > appreciate feedback from the community on what the best and most reliable
    > approach would be. Or if both would be considered.
    >
    > ..or are there any other ideas on the roadmap to solve this that I haven't
    > found in JIRA or thought of myself?
    >
    > Thanks.
    >
    > BR,
    > Fredrik