Apache NiFi Security Reference
Also available as:
PDF

Legacy Authorized Users (NiFi Instance Upgrade)

If you are upgrading from a 0.x NiFi instance, you can convert your previously configured users and roles to the multi-tenant authorization model. In the authorizers.xml file, specify the location of your existing authorized-users.xml file in the Legacy Authorized Users File property.

Here is an example entry:

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File">/Users/johnsmith/config_files/authorized-users.xml</property>

        <property name="Initial User Identity 1"></property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity"></property>
        <property name="Legacy Authorized Users File">/Users/johnsmith/config_files/authorized-users.xml</property>

        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

After you have edited and saved the authorizers.xml file, restart NiFi. Users and roles from the authorized-users.xml file are converted and added as identities and policies in the users.xml and authorizations.xml files. Once the application starts, users who previously had a legacy Administrator role can access the UI and begin managing users, groups, and policies.

The following tables summarize the global and component policies assigned to each legacy role if the NiFi instance has an existing flow.xml.gz:

Global Access Policies

Admin DFM Monitor Provenance NiFi Proxy

view the UI

*

*

*

access the controller - view

*

*

*

*

access the controller - modify

*

access parameter contexts - view

access parameter contexts - modify

query provenance

*

access restricted components

*

access all policies - view

*

access all policies - modify

*

access users/user groups - view

*

access users/user groups - modify

*

retrieve site-to-site details

*

view system diagnostics

*

*

proxy user requests

*

access counters

Component Access Policies on the Root Process Group

Admin DFM Monitor Provenance NiFi Proxy

view the component

*

*

*

modify the component

*

view the data

*

*

*

modify the data

*

*

view provenance

*

For details on the individual policies in the table, see Access Policies.

Note
Note
NiFi fails to restart if values exist for both the Initial Admin Identity and Legacy Authorized Users File properties. You can specify only one of these values to initialize authorizations.
Note
Note
Do not manually edit the authorizations.xml file. Create authorizations only during initial setup and afterwards using the NiFi UI.