Accessing the UI with Multi-Tenant Authorization
Multi-tenant authorization enables multiple groups of users (tenants) to command, control, and observe different parts of the dataflow, with varying levels of authorization. When an authenticated user attempts to view or modify a NiFi resource, the system checks whether the user has privileges to perform that action. These privileges are defined by policies that you can apply system wide or to individual components. What this means from a Dataflow Manager perspective is that once you have access to the NiFi canvas, a range of functionality is visible and available to you, depending on the privileges assigned to you.
The available global access policies are:
| Policy | Privilege |
|---|---|
|
view the UI |
Allows users to view the UI |
|
access the controller |
Allows users to view and modify the controller including reporting tasks, Controller Services, and nodes in the cluster |
|
query provenance |
Allows users to submit a provenance search and request even lineage |
|
access restricted components |
Allows users to create/modify restricted components assuming other permissions are sufficient. The restricted components may indicate which specific permissions are required. Permissions can be granted for specific restrictions or be granted regardless of restrictions. If permission is granted regardless of restrictions, the user can create/modify all restricted components. |
|
access all policies |
Allows users to view and modify the policies for all components |
|
access users/groups |
Allows users view and modify the users and user groups |
|
retrieve site-to-site details |
Allows other NiFi instances to retrieve Site-To-Site details |
|
view system diagnostics |
Allows users to view System Diagnostics |
|
proxy user requests |
Allows proxy machines to send requests on the behalf of others |
|
access counters |
Allows users to view and modify counters |
The available component-level access policies are:
| Policy | Privilege |
|---|---|
|
view the component |
Allows users to view component configuration details |
|
modify the component |
Allows users to modify component configuration details |
|
view provenance |
Allows users to view provenance events generated by this component |
|
view the data |
Allows users to view metadata and content for this component in flowfile queues in outbound connections and through provenance events |
|
modify the data |
Allows users to empty flowfile queues in outbound connections and submit replays through provenance events |
|
view the policies |
Allows users to view the list of users who can view and modify a component |
|
modify the policies |
Allows users to modify the list of users who can view and modify a component |
|
retrieve data via site-to-site |
Allows a port to receive data from NiFi instances |
|
send data via site-to-site |
Allows a port to send data from NiFi instances |