"Node Group" property of FileAccessPolicyProvider

Andy Christianson-4

Hi All,

Currently FileAccessPolicyProvider supports specification of a static set of
node identities. This is limiting in environments where the set of node
identities is changing over time, for example during scale-up/down operations
when NiFi is deployed to a clustering environment (e.g. Kubernetes).

I have authored ticket NIFI-5542 [1] proposing a new "Node Group" property. All
users added to this group will be treated as nodes. The group will be populated
by a UserGroupProvider which dynamically provides the set of node identities
that exist in the cluster. The UserGroupProvider will depend on the cluster
environment NiFi is currently deployed to. In the future we may want to
consider offering UserGroupProviders for a set of standard cluster
environments, but that is out of scope for this initial change.

How does the community feel about this proposed change? Is this a good way to
add initial support for authorizing a dynamic set of NiFi nodes in a dynamic
cluster environment?

Regards,

Andy I.C.

1: https://issues.apache.org/jira/browse/NIFI-5542?filter=-2
Re: "Node Group" property of FileAccessPolicyProvider

Bryan Bende
This sounds like a good idea to me.

Just to clarify how this would work, in the file-based policy provider
we'd have something like:

<property name="Initial Admin Identity">admin</property>
<property name="Node Group">cluster-nodes</property>

During start up the "cluster-nodes" group gets granted permission to /proxy.

Then a separate piece of work would be to implement a
UserGroupProvider that knew about all the nodes in the cluster
(presumably from ZooKeeper?) and would internally create users for
those nodes and put them into the "cluster-nodes" group.

This way when nodes are added to the cluster they are automatically
picked up by the UserGroupProvider and automatically have the correct
permissions because of being in the Node Group.

If so, I think that sounds like a nice way to help with adding/removing nodes.


On Tue, Aug 21, 2018 at 10:18 AM, Andy Christianson
<[hidden email]> wrote:
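
To make the division of labour Bryan describes concrete, here is an added illustration (not code from the thread, NIFI-5542, or the NiFi project) of what the "separate piece of work", the node-aware UserGroupProvider, has to provide against NiFi's existing UserGroupProvider interface. The cluster membership source is a stand-in: a Supplier that an implementation would back with ZooKeeper or the Kubernetes API, here just a function that returns the current set of node identities. The property name "Node Group Name" and the class name are assumptions for this example. Everything else (User, Group, UserAndGroups, the builder methods, the context and exception types) is NiFi's framework API.

```java
package example; // added illustration, not part of NiFi

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Supplier;

import org.apache.nifi.authorization.AuthorizerConfigurationContext;
import org.apache.nifi.authorization.Group;
import org.apache.nifi.authorization.User;
import org.apache.nifi.authorization.UserAndGroups;
import org.apache.nifi.authorization.UserGroupProvider;
import org.apache.nifi.authorization.UserGroupProviderInitializationContext;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.apache.nifi.authorization.exception.AuthorizerDestructionException;

/**
 * Exposes the current cluster members as users in one group, so that a
 * "Node Group" property on the access policy provider can grant /proxy to
 * the group rather than to a static list of node identities.
 */
public class ClusterNodeUserGroupProvider implements UserGroupProvider {

    /** Hypothetical property name; pick whatever the real provider documents. */
    static final String PROP_NODE_GROUP_NAME = "Node Group Name";

    /** Stand-in for the membership source (ZooKeeper, Kubernetes API, ...). */
    private final Supplier<Set<String>> membership;
    private volatile String groupName = "cluster-nodes";

    public ClusterNodeUserGroupProvider(Supplier<Set<String>> membership) {
        this.membership = membership;
    }

    @Override
    public void initialize(UserGroupProviderInitializationContext ctx) throws AuthorizerCreationException { }

    @Override
    public void onConfigured(AuthorizerConfigurationContext ctx) throws AuthorizerCreationException {
        final String configured = ctx.getProperty(PROP_NODE_GROUP_NAME).getValue();
        if (configured != null && !configured.trim().isEmpty()) {
            groupName = configured.trim();
        }
    }

    @Override
    public void preDestruction() throws AuthorizerDestructionException { }

    // Identifiers are derived deterministically from the identity and the group name.
    // The policy that the access policy provider writes for the node group references
    // the group by identifier, so it must stay the same across restarts and membership
    // changes; a fresh random UUID on every call would silently orphan that policy.
    private static User nodeUser(String identity) {
        return new User.Builder().identifierGenerateFromSeed(identity).identity(identity).build();
    }

    private Group nodeGroup() {
        final Group.Builder b = new Group.Builder().identifierGenerateFromSeed(groupName).name(groupName);
        for (String identity : membership.get()) {
            b.addUser(nodeUser(identity).getIdentifier());
        }
        return b.build();
    }

    @Override
    public Set<User> getUsers() throws AuthorizationAccessException {
        final Set<User> users = new HashSet<>();
        for (String identity : membership.get()) {
            users.add(nodeUser(identity));
        }
        return Collections.unmodifiableSet(users);
    }

    @Override
    public User getUser(String identifier) throws AuthorizationAccessException {
        for (User u : getUsers()) {
            if (u.getIdentifier().equals(identifier)) {
                return u;
            }
        }
        return null;
    }

    @Override
    public User getUserByIdentity(String identity) throws AuthorizationAccessException {
        // Only an identity present in the membership set right now is a node;
        // a node that has been scaled down is unknown here and so loses /proxy.
        return membership.get().contains(identity) ? nodeUser(identity) : null;
    }

    @Override
    public Set<Group> getGroups() throws AuthorizationAccessException {
        return Collections.singleton(nodeGroup());
    }

    @Override
    public Group getGroup(String identifier) throws AuthorizationAccessException {
        final Group g = nodeGroup();
        return g.getIdentifier().equals(identifier) ? g : null;
    }

    @Override
    public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
        final User user = getUserByIdentity(identity);
        final Set<Group> groups = (user == null) ? Collections.<Group>emptySet() : Collections.singleton(nodeGroup());
        return new UserAndGroups() {
            @Override public User getUser() { return user; }
            @Override public Set<Group> getGroups() { return groups; }
        };
    }
}
```

Two things worth keeping in mind when wiring this up. Since the file-based access policy provider takes a single "User Group Provider", a deployment still needs a user group provider for human identities (the initial admin, for instance), so in practice this provider would sit beside a file-user-group-provider under a composite user group provider. And the trust boundary moves: whoever can write to the membership source can put an arbitrary identity into the node group and thereby obtain /proxy, so that source needs at least the same protection as authorizers.xml and users.xml had when the node list was static.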