If the user cannot access the component through an inherited Ranger access policy,
you must create a custom Ranger access policy for the specific component and add the user to
this policy. If all the users in a group require the same access, you can add the user group
to the Ranger access policy.
A user might need access to specific NiFi or NiFi Registry resources such as a
processor, processor group, remote process group, funnel, label, controller service,
or bucket. Each custom Ranger access policy provides access to a specific component.
First determine which NiFi or NiFi Registry components a user needs access to. Then
create a new policy for each component and add the user or user group to the new
policy.
When you create a new policy, you must specify the ID of the component that the user
requires access to.
From the NiFi canvas, copy the ID of the process group, SSL Context Service, or
controller service for reporting tasks that the user needs access to.
Locate the ID for a process group:
Click the process group.
The ID appears in the Operate
pane.
Copy the ID.
Locate the ID of the SSL Context Service:
Click the settings icon on the process group.
The NiFi Flow Configuration appears.
Click the Controller Services tab.
Click the Settings icon for the Default NiFi SSL
Context Service.
The Controller Service Details window
appears.
From the Settings tab, copy the ID from the
Id field.
Locate the ID of a controller service for reporting tasks:
Click the process group.
Click the menu on the top right of the UI and select
Controller Settings.
The NiFi Settings page appears.
Click the Reporting Tasks Controller Services
tab.
Click the Settings icon for the controller
service.
The Controller Service Details page
appears.
From the Settings tab, copy the ID from the
Id field.
Go back to the Ranger List of Policies page.
Click Add New Policy.
The Create Policy page appears.
Enter a unique name for the policy.
Optionally, enter a keyword in the Policy Label field to
aid in searching for a policy.
Enter the resource descriptor and the resource ID in the NiFi
Resource Identifier or NiFi Registry Resource
Identifier field in the following format: <resource
descriptor>/<resource ID>
To determine a NiFi resource descriptor, see Predefined Ranger
access policies for Apache NiFi.
To determine a NiFi Registry resource descriptor, see Predefined
Ranger access policies for Apache NiFI Registry.
Optional: Enter a description.
Add a user or a group.
Set the permission level for the user or group.
Click Add.
The user or group of users can now access the component specified in the custom
policy.