Questions regarding security set-up in NiFi 1.0.0


Questions regarding security set-up in NiFi 1.0.0

bmichaud
Greetings.

I have been trying to use the new release of NiFi today, and am frankly at a dead end. I can't use it with security enabled.

We have been using 0.6.1, 0.7, and 0.8 recently, so I followed the recommendations of using the existing authorized-users.xml file to migrate to the new model. This process did allow me to log in, but did not give me any write access from the old DFM role. In fact, it did not even create all of the authorizations mentioned here (http://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup). It only created write policies for the following:

- Controller
- Tenants
- Policies
- Site-to-site

Thus, even though I had ADMIN, DFM, and PROVENANCE before, it looks like I was only given admin rights.

Furthermore, when I accessed the UI, I wanted to add groups and policies, but I can't for the life of me figure out how I'm supposed to do this. It seems like I can only add users to existing policies in the "Access Policies" dialog or add users in general on the "NiFi Users" dialog. Since I am not supposed to manually edit these files, I am not sure how I am supposed to fix this.

Any help in this regard would be greatly appreciated.

Here is the original authorized-users.xml snippet with my roles:
(NB: I have removed other users from the listings below. I was the second user out of six.)
$ cat authorized-users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
    <user dn="EMAILADDRESS=[hidden email], CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com">
        <role name="ROLE_DFM"/>
        <role name="ROLE_ADMIN"/>
        <role name="ROLE_PROVENANCE"/>
    </user>
</users>

Here is the resulting users.xml:
$ cat users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8" identity="EMAILADDRESS=[hidden email], CN=bmichau1, CN=Users, DC=ms, DC=ds, DC=uhc, DC=com"/>
    </users>
</tenants>

Here is the resulting authorizations.xml:
$ cat authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="eb862c3a-2fe8-34e9-9c0f-80baa7efff39" resource="/system" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
        </policy>
        <policy identifier="990eecb1-f8d1-328e-9c99-10ff405ab947" resource="/controller" action="W">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="06d26c63-7897-3631-9b36-c4f417db3bf8" resource="/flow" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
        </policy>
        <policy identifier="0e057dc6-6ce6-354b-b713-503a7ccb0c08" resource="/controller" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
        </policy>
        <policy identifier="85677cad-82db-31fd-a2fb-e2205b7ece3b" resource="/policies" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="8eb2c570-fb57-39fe-b1c3-afeb03c37f70" resource="/tenants" action="W">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="b835d4ed-8fcb-36e0-ae54-617a0fb07039" resource="/tenants" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="1fd242e6-f1af-3d6d-84ec-bb27c9b848e8" resource="/policies" action="W">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="49208654-71b3-37e9-a68f-7814015c1108" resource="/provenance" action="R">
            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="3643173c-47b4-3186-aeeb-9e901ed139b1" resource="/site-to-site" action="W">
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
        <policy identifier="e40617ff-84e1-31db-b5c7-9a219439acb2" resource="/site-to-site" action="R">
            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
        </policy>
    </policies>
</authorizations>

Regards,
Ben Michaud



This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.

Re: Questions regarding security set-up in NiFi 1.0.0

Andy LoPresto-2
Hi Ben,

Sorry to hear you are having trouble with the new security authorizer. I understand this is a big change and it is frustrating when it does not work as expected. 

I am surprised to hear that the legacy migration did not create policies for the DFM role that you previously had. Could you please provide the logs/nifi-app.log (with sensitive data sanitized) to help us understand if this is a bug?

As for adding users and policies through the NiFi UI, there are instructions here [1] and Bryan Bende has written a helpful blog post about this as well [2]. You can add users and then add global or component-level (i.e. access to a single process group or processor) access policies for those users. 

Please let us know if this is still not clear or if you encounter other challenges.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies
[2] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Sep 8, 2016, at 1:27 PM, Michaud, Ben A <[hidden email]> wrote:

Re: Questions regarding security set-up in NiFi 1.0.0

Bryan Bende
Hi Ben,

In addition to what Andy said... did you also copy the flow.xml.gz from a
previous instance, or were you starting with a new instance and just
copying over the users?

If you were only bringing over the users and no flow, then I think this is
behaving as expected... The policies in the admin guide for DFM are:

1) view the UI (READ on /flow)
2) view the controller (READ on /controller)
3) modify the controller (WRITE on /controller)
4) view system diagnostics (READ on /system)
5) view the dataflow (READ on /process-groups/<root-group-id>)
6) modify the dataflow (WRITE on /process-groups/<root-group-id>)
7) view the data (READ on /data/process-groups/<root-group-id>)
8) modify the data (WRITE on /data/process-groups/<root-group-id>)

In your example the first four were created, but the last four were not.
The last four are dependent on knowing a consistent root group id which it
doesn't know in a brand new instance, but if you copied over the previous
flow.xml.gz I believe it should have created those.

In the state you are in with a brand new flow, you have to create a policy
on the root group for your user. You can do that from the lock icon in the
palette on the left.
Once you have created a policy for "view component" and "modify the
component" for the root group, and added your user to both, you should see
the toolbar enabled.

Let us know if this helps, or if there are still other challenges.

-Bryan

On Thu, Sep 8, 2016 at 5:50 PM, Andy LoPresto <[hidden email]> wrote:

> Hi Ben,
>
> Sorry to hear you are having trouble with the new security authorizer. I
> understand this is a big change and it is frustrating when it does not work
> as expected.
>
> I am surprised to hear that the legacy migration did not create policies
> for the DFM role that you previously had. Could you please provide the
> logs/nifi-app.log (with sensitive data sanitized) to help us understand if
> this is a bug?
>
> As for adding users and policies through the NiFi UI, there are
> instructions here [1] and Bryan Bende has written a helpful blog post about
> this as well [2]. You can add users and then add global or component-level
> (i.e. access to a single process group or processor) access policies for
> those users.
>
> Please let us know if this is still not clear or if you encounter other
> challenges.
>
> [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#
> config-users-access-policies
> [2] http://bryanbende.com/development/2016/08/17/apache-
> nifi-1-0-0-authorization-and-multi-tenancy
>
>
> Andy LoPresto
> [hidden email]
> *[hidden email] <[hidden email]>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On Sep 8, 2016, at 1:27 PM, Michaud, Ben A <[hidden email]> wrote:

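As an added example (not code from the thread, from NiFi, or from any of the posters), the following Python script reads a users.xml and an authorizations.xml in the format Ben posted and checks one identity against the eight DFM policies Bryan lists. The sample XML, the user identifiers and the root group id are constructed placeholders; on a real instance the root group id comes from the flow. Run against a state like Ben's (global policies present, no root-group policies) it reports exactly the four root-group entries as missing, which is the gap Bryan describes.

```python
"""Check an identity's NiFi 1.0.0 policies against the admin guide's DFM set.

Added example for this thread (not NiFi project code). It parses users.xml and
authorizations.xml in the format shown above and reports which of the eight
DFM policies the identity holds and which are missing. All identifiers and the
root group id below are constructed placeholders.
"""
import xml.etree.ElementTree as ET


# The eight DFM policies from the admin guide, as (resource, action) pairs.
# The last four are keyed on the root process group id, which a brand new
# instance does not know at migration time.
def dfm_policies(root_group_id):
    return [
        ("/flow", "R"),
        ("/controller", "R"),
        ("/controller", "W"),
        ("/system", "R"),
        ("/process-groups/" + root_group_id, "R"),
        ("/process-groups/" + root_group_id, "W"),
        ("/data/process-groups/" + root_group_id, "R"),
        ("/data/process-groups/" + root_group_id, "W"),
    ]


def load_users(users_xml):
    """Map identity -> identifier from a <tenants> document (users.xml)."""
    root = ET.fromstring(users_xml)
    return {u.get("identity"): u.get("identifier") for u in root.findall("users/user")}


def load_policies(authorizations_xml):
    """Map (resource, action) -> set of user identifiers from authorizations.xml."""
    root = ET.fromstring(authorizations_xml)
    policies = {}
    for policy in root.findall("policies/policy"):
        key = (policy.get("resource"), policy.get("action"))
        members = policies.setdefault(key, set())
        for user in policy.findall("user"):
            members.add(user.get("identifier"))
    return policies


def audit_dfm(identity, users_xml, authorizations_xml, root_group_id):
    """Return (granted, missing): the DFM policies the identity does and does not hold."""
    user_id = load_users(users_xml).get(identity)
    if user_id is None:
        raise KeyError("identity not present in users.xml: " + identity)
    policies = load_policies(authorizations_xml)
    granted, missing = [], []
    for key in dfm_policies(root_group_id):
        if user_id in policies.get(key, set()):
            granted.append(key)
        else:
            missing.append(key)
    return granted, missing


# Constructed sample input mirroring the state described in the thread: the
# four global DFM policies were created by the legacy migration, the four
# root-group policies were not. Identifiers are shortened placeholders.
SAMPLE_IDENTITY = "CN=bmichau1, CN=Users, DC=example, DC=com"
ROOT_GROUP_ID = "ROOT-GROUP-ID-PLACEHOLDER"  # placeholder; take this from the real flow

SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="user-0001" identity="CN=bmichau1, CN=Users, DC=example, DC=com"/>
    </users>
</tenants>"""

SAMPLE_AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="p-01" resource="/system" action="R"><user identifier="user-0001"/></policy>
        <policy identifier="p-02" resource="/controller" action="W"><user identifier="user-0001"/></policy>
        <policy identifier="p-03" resource="/flow" action="R"><user identifier="user-0001"/></policy>
        <policy identifier="p-04" resource="/controller" action="R"><user identifier="user-0001"/></policy>
        <policy identifier="p-05" resource="/tenants" action="W"><user identifier="user-0001"/></policy>
        <policy identifier="p-06" resource="/policies" action="W"><user identifier="user-0002"/></policy>
    </policies>
</authorizations>"""


if __name__ == "__main__":
    granted, missing = audit_dfm(SAMPLE_IDENTITY, SAMPLE_USERS_XML,
                                 SAMPLE_AUTHORIZATIONS_XML, ROOT_GROUP_ID)
    for resource, action in granted:
        print("granted  %s %s" % (action, resource))
    for resource, action in missing:
        print("MISSING  %s %s" % (action, resource))
```

To use it on a real instance, read the two files from the conf directory and pass the identity exactly as it appears in the `identity` attribute of users.xml; the root group id has to be supplied from the flow, since the files alone do not carry it. Policies granted through a group in `<groups>` are not resolved here, which matches the empty `<groups/>` in Ben's files but would need extending for instances that use groups.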
Re: Questions regarding security set-up in NiFi 1.0.0

bmichaud
Thanks, Bryan and Andy.

I initially tried to start up nifi with the old flow, but some of the script code was broken in the new NiFi. I was getting exceptions due to API changes. Since I wanted to isolate the security, I removed the old flows and was eventually able to log in. Should I try again with the old flows even though they contain compile errors?

I did look at the help pages, but I could not activate group, and I did not see a way to add


This nifi-app.log is perhaps not what you are looking for. The last time I started nifi, I was trying to do it with security disabled after having added our custom flows, then my attempt to get in from http. All I did to disable security was to revert all the security properties in nifi.properties to their default state.

nifi-app.log

>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>            <user identifier="dcc9682f-9e95-3ada-a7a9-6c3d56be61e5"/>
>        </policy>
>        <policy identifier="85677cad-82db-31fd-a2fb-e2205b7ece3b"
> resource="/policies" action="R">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="8eb2c570-fb57-39fe-b1c3-afeb03c37f70"
> resource="/tenants" action="W">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="b835d4ed-8fcb-36e0-ae54-617a0fb07039"
> resource="/tenants" action="R">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="1fd242e6-f1af-3d6d-84ec-bb27c9b848e8"
> resource="/policies" action="W">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="49208654-71b3-37e9-a68f-7814015c1108"
> resource="/provenance" action="R">
>            <user identifier="6e10e917-8c2d-35e1-933c-0a00b067ed8f"/>
>            <user identifier="2df4c9c6-1552-36f5-8aee-59b5ca9b98c8"/>
>            <user identifier="f227dd57-421f-38fe-9995-b3bdcd714c02"/>
>            <user identifier="4dc020db-7d00-39f1-ae83-e2cdb780c263"/>
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="3643173c-47b4-3186-aeeb-9e901ed139b1"
> resource="/site-to-site" action="W">
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>        <policy identifier="e40617ff-84e1-31db-b5c7-9a219439acb2"
> resource="/site-to-site" action="R">
>            <user identifier="dfe62501-8e0a-3d86-a03c-7642f7e2fc4d"/>
>        </policy>
>    </policies>
> </authorizations>
>
> Regards,
> Ben Michaud
>
>
>
> This e-mail, including attachments, may include confidential and/or
> proprietary information, and may be used only by the person or entity
> to which it is addressed. If the reader of this e-mail is not the intended
> recipient or his or her authorized agent, the reader is hereby notified
> that any dissemination, distribution or copying of this e-mail is
> prohibited. If you have received this e-mail in error, please notify the
> sender by replying to this message and delete this e-mail immediately.
>
>
>
Re: Questions regarding security set-up in NiFi 1.0.0

Bryan Bende
Ben,

Can you explain a little more about what you mean by "scripts containing
compile errors"? Are you talking about ExecuteScript processors?

I would expect the following to work...

- Take a brand new Apache NiFi 1.0.0 tar/zip and extract it
- Copy flow.xml.gz from old NiFi to NiFi 1.0.0/conf/
- Configure nifi.properties for NiFi 1.0.0 to set up the https host/port and
all the SSL properties, and specify the file-authorizer
(nifi.security.user.authorizer=file-provider)
- Configure the file-authorizer in NiFi 1.0.0/conf/authorizers.xml and set
the path to old authorized-users.xml
- Then start NiFi 1.0.0

If you are trying to reconfigure the NiFi 1.0.0 that you already setup, you
will want to delete the users.xml and authorizations.xml from the conf
directory if you want it to regenerate the conversion from the legacy
authorized-users.xml.
It only attempts the legacy conversion the first time when no users,
groups, and policies exist.

The app log you linked to shows that your nifi.properties did not have an
authorizer set, basically nifi.security.user.authorizer was empty in
nifi.properties, and therefore NiFi could not start in secure mode.

Thanks,

Bryan

On Thu, Sep 8, 2016 at 10:57 PM, bmichaud <[hidden email]> wrote:

> Thanks, Bryan and Andy.
>
> I initially tried to start up nifi with the old flow, but some of the script
> code was broken in the new NiFi. I was getting exceptions due to API
> changes. Since I wanted to isolate the security, I removed the old flows and
> was eventually able to log in. Should I try again with the old flows even
> though they contain compile errors?
>
> I did look at the help pages, but I could not activate group, and I did not
> see a way to add
>
>
> This nifi-app.log is perhaps not what you are looking for. The last time I
> started nifi, I was trying to do it with security disabled after having
> added our custom flows, then my attempt to get in from http. All I did to
> disable security was to revert all the security properties in
> nifi.properties to their default state.
>
> nifi-app.log
> <http://apache-nifi-developer-list.39713.n7.nabble.com/file/n13294/nifi-app.log>
>
>
> Bryan Bende wrote
> > Hi Ben,
> >
> > In addition to what Andy said... did you also copy the flow.xml.gz from a
> > previous instance, or were you starting with a new instance and just
> > copying over the users?
> >
> > If you were only bringing over the users and no flow, then I think this is
> > behaving as expected... The policies in the admin guide for DFM are:
> >
> > 1) view the UI (READ on /flow)
> > 2) view the controller (READ on /controller)
> > 3) modify the controller (WRITE on /controller)
> > 4) view system diagnostics (READ on /system)
> > 5) view the dataflow (READ on /process-groups/<root-group-id>)
> > 6) modify the dataflow (WRITE on /process-groups/<root-group-id>)
> > 7) view the data (READ on /data/process-groups/<root-group-id>)
> > 8) modify the data (WRITE on /data/process-groups/<root-group-id>)
> >
> > In your example the first four were created, but the last four were not.
> > The last four are dependent on knowing a consistent root group id which it
> > doesn't know in a brand new instance, but if you copied over the previous
> > flow.xml.gz I believe it should have created those.
> >
> > In the state you are in with a brand new flow, you have to create a policy
> > on the root group for your user. You can do that from the lock icon in the
> > palette on the left.
> > Once you have created a policy for "view component" and "modify the
> > component" for the root group, and added your user to both, you should see
> > the toolbar enabled.
> >
> > Let us know if this helps, or if there are still other challenges.
> >
> > -Bryan
> >
> > On Thu, Sep 8, 2016 at 5:50 PM, Andy LoPresto <alopresto@> wrote:
> >
> >> Hi Ben,
> >>
> >> Sorry to hear you are having trouble with the new security authorizer. I
> >> understand this is a big change and it is frustrating when it does not work
> >> as expected.
> >>
> >> I am surprised to hear that the legacy migration did not create policies
> >> for the DFM role that you previously had. Could you please provide the
> >> logs/nifi-app.log (with sensitive data sanitized) to help us understand if
> >> this is a bug?
> >>
> >> As for adding users and policies through the NiFi UI, there are
> >> instructions here [1] and Bryan Bende has written a helpful blog post about
> >> this as well [2]. You can add users and then add global or component-level
> >> (i.e. access to a single process group or processor) access policies for
> >> those users.
> >>
> >> Please let us know if this is still not clear or if you encounter other
> >> challenges.
> >>
> >> [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#config-users-access-policies
> >> [2] http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy
> >>
> >>
> >> Andy LoPresto
> >> alopresto@
> >> alopresto.apache@
> >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >>
> >> On Sep 8, 2016, at 1:27 PM, Michaud, Ben A <ben_michaud@> wrote:
>
>
>
>
>
> --
> View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/Questions-regarding-security-set-up-in-NiFi-1-0-0-tp13288p13294.html
> Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.
>
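The quickest way to confirm what the legacy conversion actually produced is to read the generated files rather than click through the UI. The following is an added example (not code from the NiFi project) that parses users.xml and authorizations.xml in the format shown in this thread and lists which of the eight admin-guide DFM policies a given identity lacks; the sample files, identifiers and root group id are constructed, and on a real instance the root group id must be taken from that instance's own flow.

```python
# Added example (not NiFi project code): audit the file-authorizer output that
# NiFi 1.0.0 writes after a legacy authorized-users.xml conversion, and report
# which of the eight admin-guide DFM policies a given identity still lacks.
import xml.etree.ElementTree as ET


def dfm_policies(root_group_id):
    """The DFM policy set from the admin guide, with <root-group-id> filled in."""
    pg = "/process-groups/" + root_group_id
    return [("/flow", "R"), ("/controller", "R"), ("/controller", "W"),
            ("/system", "R"), (pg, "R"), (pg, "W"),
            ("/data" + pg, "R"), ("/data" + pg, "W")]


def load_users(users_xml):
    """users.xml -> {identity (DN): identifier}."""
    root = ET.fromstring(users_xml.encode("utf-8"))
    return {u.get("identity"): u.get("identifier") for u in root.iter("user")}


def load_policies(authorizations_xml):
    """authorizations.xml -> {(resource, action): set of user identifiers}."""
    root = ET.fromstring(authorizations_xml.encode("utf-8"))
    grants = {}
    for policy in root.iter("policy"):
        key = (policy.get("resource"), policy.get("action"))
        grants.setdefault(key, set()).update(
            u.get("identifier") for u in policy.iter("user"))
    return grants


def missing_dfm_policies(users_xml, authorizations_xml, identity, root_group_id):
    """Return the (resource, action) pairs a DFM needs that `identity` is not
    granted. Raises KeyError if the identity never reached users.xml at all."""
    user_id = load_users(users_xml).get(identity)
    if user_id is None:
        raise KeyError("identity not in users.xml: " + identity)
    grants = load_policies(authorizations_xml)
    return [p for p in dfm_policies(root_group_id)
            if user_id not in grants.get(p, set())]


# Constructed sample files mirroring the thread's post-migration state: the four
# global DFM policies exist, the root-group ones do not. All identifiers and the
# root group id below are made-up placeholders.
DFM_IDENTITY = "CN=dfm-user, CN=Users, DC=example, DC=com"
ROOT_GROUP_ID = "aaaaaaaa-0000-0000-0000-000000000001"

USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="user-0001" identity="%s"/>
    </users>
</tenants>""" % DFM_IDENTITY

AUTHORIZATIONS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="p-1" resource="/system" action="R"><user identifier="user-0001"/></policy>
        <policy identifier="p-2" resource="/controller" action="W"><user identifier="user-0001"/></policy>
        <policy identifier="p-3" resource="/flow" action="R"><user identifier="user-0001"/></policy>
        <policy identifier="p-4" resource="/controller" action="R"><user identifier="user-0001"/></policy>
        <policy identifier="p-5" resource="/tenants" action="W"><user identifier="user-0001"/></policy>
    </policies>
</authorizations>"""

if __name__ == "__main__":
    # On the sample above this reports the four root-group policies as missing,
    # which is exactly the state described in the thread.
    for resource, action in missing_dfm_policies(USERS_XML, AUTHORIZATIONS_XML,
                                                 DFM_IDENTITY, ROOT_GROUP_ID):
        print("missing: %s on %s" % (action, resource))
```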
Re: Questions regarding security set-up in NiFi 1.0.0

bmichaud
Thanks for the quick turn-around on this, Bryan. Responses are in-line, below.

Bryan Bende wrote
Can you explain a little more about what you mean by "scripts containing
compile errors"? Are you talking about ExecuteScript processors?
Yes, they are errors in the Groovy code inserted into ExecuteScript Processor. Mostly, the error lies in the change from "ProcessLog" to "ComponentLog". My question is can the security migration work and can I use the NiFi GUI when such errors exist in the flow.xml.gz file?

Bryan Bende wrote
I would expect the following to work...

- Take a brand new Apache NiFi 1.0.0 tar/zip and extract it
- Copy flow.xml.gz from old NiFi to NiFi 1.0.0/conf/
- Configure nifi.properties for NiFi 1.0.0 to set up the https host/port and
all the SSL properties, and specify the file-authorizer
(nifi.security.user.authorizer=file-provider)
- Configure the file-authorizer in NiFi 1.0.0/conf/authorizers.xml and set
the path to old authorized-users.xml
- Then start NiFi 1.0.0
This is how I finally got it working, but I did it without using the old flow file, due to the errors I was getting. This apparently resulted in my not being able to edit my flows once I stopped, added my old flows, started, and logged in.

Bryan Bende wrote
If you are trying to reconfigure the NiFi 1.0.0 that you already setup, you
will want to delete the users.xml and authorizations.xml from the conf
directory if you want it to regenerate the conversion from the legacy
authorized-users.xml.
It only attempts the legacy conversion the first time when no users,
groups, and policies exist.
Yes, I have done this once before based on your documentation on the Wiki. However, with a blank flow file.

Bryan Bende wrote
The app log you linked to shows that your nifi.properties did not have an
authorizer set, basically nifi.security.user.authorizer was empty in
nifi.properties, and therefore NiFi could not start in secure mode.
I apologize, I was in the process of reverting to version 0.8.0, so may have sent you the wrong properties file. I have also tried to disable security in 1.0.0, but I still cannot get it working.

I will try one more time to start from the initial start-up and build the users.xml and authorizations.xml from the old authorized-users.xml as you described, but this time with my 0.8.0 flows in place (errors and all). If that does not work, I will create another flow in another instance that does not have any ScriptExecutor processors in it, then use that as a starting point.

Does that sound like a good plan?
Re: Questions regarding security set-up in NiFi 1.0.0

bmichaud
bmichaud wrote
Bryan Bende wrote
Can you explain a little more about what you mean by "scripts containing
compile errors"? Are you talking about ExecuteScript processors?
bmichaud wrote
Yes, they are errors in the Groovy code inserted into ExecuteScript Processor. Mostly, the error lies in the change from "ProcessLog" to "ComponentLog". My question is can the security migration work and can I use the NiFi GUI when such errors exist in the flow.xml.gz file?
I beg your pardon. It was not ExecuteScript, it was a different processor whose name I cannot remember at the moment, and I cannot see it right now, that a colleague of mine created. This processor allows you to put an entire processor extension (a full Processor class) into it.


Re: Questions regarding security set-up in NiFi 1.0.0

Bryan Bende
That sounds like a good plan, sorry it has been so challenging to get set up.

I'm hoping that the old flow will still start up despite the API changes
that are affecting the scripting processor, but I'm actually not sure when
the errors would end up being detected (start up vs. runtime of processor).

Let us know.

-Bryan

On Fri, Sep 9, 2016 at 8:15 AM, bmichaud <[hidden email]> wrote:

> bmichaud wrote
> >
> > Bryan Bende wrote
> >> Can you explain a little more about what you mean by "scripts containing
> >> compile errors"? Are you talking about ExecuteScript processors?
> >
> > bmichaud wrote
> >> Yes, they are errors in the Groovy code inserted into ExecuteScript
> >> Processor. Mostly, the error lies in the change from "ProcessLog" to
> >> "ComponentLog". My question is can the security migration work and can I
> >> use the NiFi GUI when such errors exist in the flow.xml.gz file?
>
> I beg your pardon. It was not ExecuteScript, it was a different processor
> whose name I cannot remember at the moment, and I cannot see it right now,
> that a colleague of mine created. This processor allows you to put an entire
> processor extension (a full Processor class) into it.
>
>
>
>
>
>
> --
> View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/Questions-regarding-security-set-up-in-NiFi-1-0-0-tp13288p13301.html
> Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.
>
Re: Questions regarding security set-up in NiFi 1.0.0

bmichaud
Bryan Bende wrote
That sounds like a good plan, sorry it has been so challenging to get set up.

I'm hoping that the old flow will still start up despite the API changes
that are affecting the scripting processor, but I'm actually not sure when
the errors would end up being detected (start up vs. runtime of processor).

Let us know.
-Bryan
It worked! I can see the processor names and move them and the tool bar is not active. Thanks!