-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
write access on a process-group always creates write access on NifiFlow process group (top level) #419
Comments
This does seem like an issue. Thank you for reporting. Will dig into this. |
I think this is an unusual use case, since nifikop is designed to deploy & access control versioned process groups from NiFi registry, but it should be able to assume control of existing or manually created process groups as well. So i think we should address this. |
@koehljaSICKAG : Can you please share the entire |
@mh013370 here are the files. i just changed the identity tag of users.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96" name="nifi-nifi.managed-admins">
<user identifier="04df347d-018f-1000-0000-00000f1c8447"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</group>
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0" name="nifi-nifi.managed-readers">
<user identifier="f5626843-018e-1000-0000-00004548e31c"/>
</group>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1" name="nifi-nifi.managed-nodes">
<user identifier="198fdabb-bbf2-347b-ac56-8516587efed6"/>
</group>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb" name="nifi-custom.reader">
<user identifier="f585211d-018e-1000-0000-0000088cac1d"/>
</group>
<group identifier="f58beaaa-018e-1000-0000-00006da00fee" name="nifi-custom.smax">
<user identifier="f585211d-018e-1000-0000-0000088cac1d"/>
</group>
</groups>
<users>
<user identifier="198fdabb-bbf2-347b-ac56-8516587efed6" identity="nifi-1-node.nifi-headless.nifi.svc.cluster.local"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610" identity="nifi-controller"/>
<user identifier="f5626843-018e-1000-0000-00004548e31c" identity="[email protected]"/>
<user identifier="f585211d-018e-1000-0000-0000088cac1d" identity="[email protected]"/>
<user identifier="04df347d-018f-1000-0000-00000f1c8447" identity="[email protected]"/>
</users>
</tenants> authorizations.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="198fdabb-bbf2-347b-ac56-8516587efed6"/>
</policy>
<policy identifier="f5624a1e-018e-1000-ffff-fffff6018cd3" resource="/proxy" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
<user identifier="198fdabb-bbf2-347b-ac56-8516587efed6"/>
</policy>
<policy identifier="f5624b61-018e-1000-ffff-fffff07e74f2" resource="/flow" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="f5624c14-018e-1000-ffff-ffffd500bf27" resource="/restricted-components" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="f5626645-018e-1000-0000-00005d64a752" resource="/parameter-context" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f56266fb-018e-1000-0000-00004aae4274" resource="/parameter-context" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f56267d2-018e-1000-0000-000050b77c8c" resource="/provenance" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5626892-018e-1000-ffff-ffffbe714732" resource="/provenance" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f5626c04-018e-1000-ffff-ffffc46d82dd" resource="/site-to-site" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5626c8d-018e-1000-ffff-ffffe0383cbf" resource="/system" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5626d20-018e-1000-0000-00000a199f00" resource="/site-to-site" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f5626e78-018e-1000-ffff-ffff989d7225" resource="/counters" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5626f08-018e-1000-0000-00001222df50" resource="/counters" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f5626f93-018e-1000-ffff-ffffb2b5e0d4" resource="/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5627020-018e-1000-ffff-ffff91b6b892" resource="/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="W">
<group identifier="f58beaaa-018e-1000-0000-00006da00fee"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f56270b1-018e-1000-ffff-ffffb61cb75b" resource="/operation/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f5627138-018e-1000-0000-00002732bca9" resource="/provenance-data/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
</policy>
<policy identifier="f56271be-018e-1000-ffff-ffffb4ce5e4f" resource="/data/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
</policy>
<policy identifier="f562724b-018e-1000-0000-00005a6caf21" resource="/data/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
</policy>
<policy identifier="f56277c3-018e-1000-0000-000018f0f0a1" resource="/operation/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5627a60-018e-1000-ffff-ffffdaf26b28" resource="/provenance-data/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="W">
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
</policy>
</policies>
</authorizations> grp.smax.yml apiVersion: nifi.konpyutaika.com/v1
kind: NifiUserGroup
metadata:
name: custom.smax
spec:
accessPolicies:
- action: write
resource: /
type: component
componentType: process-groups
componentId: f5892907-018e-1000-ffff-ffffb2346c55
clusterRef:
name: nifi
namespace: nifi
usersRef:
- name: user0 |
@mh013370 but even when i am generating the flow DataFlow using a crd i would have to create a separate policy to give a group write access to this DataFlow. So I think the problem would stay the same |
This is true. I had thought you could provide a |
Any news on this?
|
There is a way to bypass it. If you override the policy of the specific process-group or parameter-context that is not behaving as intended, then on the new overridden policy the user/usergroup CR applies the desired policy as normal. |
What steps will reproduce the bug?
What is the expected behavior?
The user should now have read access to everything and write access only on everything below the ProcessGroup
f02c2450-018e-1000-0000-0000771ba5bc
This should result in a user file like this
and a
authorizations.xml
like thisthe important part is this
resource="/process-groups/f0241a9c-018e-1000-ffff-ffffc6e93eb8"
. here should be the componentId of the process group specified above.What do you see instead?
Instead the user gets write access from the top canvas (NifiFlow,
e65a4f68-018e-1000-1027-316d1d593bd6
) down. He bascially gests global write by this setting.In the
authorizations.xml
one can see the error.nifikop added the the group the the the main canvas
resource="/process-groups/e65a4f68-018e-1000-1027-316d1d593bd6"
with a write priviledgePossible solution
No response
NiFiKop version
v1.8.0
Golang version
1.22.1
Kubernetes version
Client Version: v1.28.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.4+k0s
NiFi version
1.24.0
Additional context
this also happend using nifikop 1.6 with nifi 1.23.2
The text was updated successfully, but these errors were encountered: