Configuring NiFi access policy profiles
An AccessPolicyProfile is a reusable collection of NiFi access policies that can be shared across multiple User resources. Instead of repeating the same policy list on every user, define the policies once in an AccessPolicyProfile and reference it from each user.
Defining an AccessPolicyProfile
apiVersion: cfm.cloudera.com/v1alpha1
kind: AccessPolicyProfile
metadata:
  name: read-only-profile
  namespace: nifi
spec:
  accessPolicies:
    - actions:
        - "read"
      resources:
        - /flow
        - /process-groups/root
    - actions:
        - "read"
      resources:
        - /data/process-groups/root
Each entry in accessPolicies pairs one or more actions (read, write) with one or more NiFi resource paths.
Referencing a profile from a User
Use accessPolicyProfileRef on the User to attach one or more profiles:
apiVersion: cfm.cloudera.com/v1alpha1
kind: User
metadata:
  name: alice
  namespace: nifi
spec:
  instanceTarget:
    name: my-nifi
    namespace: nifi
  identity: alice@example.com
  accessPolicyProfileRef:
    - name: read-only-profile
      namespace: nifi
Multiple profiles can be listed and their policies are unioned together:
accessPolicyProfileRef:
  - name: read-only-profile
    namespace: nifi
  - name: component-admin-profile
    namespace: nifi
The namespace field in each entry defaults to the User resource's own namespace when omitted.
Inline policies override profile policies
Policies defined directly in spec.accessPolicies take precedence over policies from referenced profiles. When the same NiFi resource appears in both places, the inline policy wins and the policy from the AccessPolicyProfile for that resource is ignored entirely.
spec:
  accessPolicies:
    # This write policy for /flow overrides any /flow policy from
    # the profile.
    - actions: ["read", "write"]
      resources:
        - /flow
  accessPolicyProfileRef:
    # This profile's read-only /flow policy is ignored for /flow.
    - name: read-only-profile
      namespace: nifi
The override is per-resource: other resources in the profile that are not covered by inline policies are still applied.
Reconciliation behaviour
The user controller watches AccessPolicyProfile resources. When a profile is updated, every User that references it is automatically re-reconciled, so NiFi access policies are kept in sync without manual intervention.
All referenced AccessPolicyProfile resources must exist before the User is reconciled. If any profile is not found, the reconciliation fails without updating the NiFi User and is retried until all profiles are available.
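The merge rules above (profile union, per-resource inline override, namespace defaulting, and failure on a missing profile) are easy to get wrong when auditing who ends up with write access. The following added example is not the operator's own code; it models those rules in Python so the effective policy set of a User manifest can be computed and checked before it is applied. The component-admin-profile contents are constructed for the example.

```python
class ProfileNotFound(Exception):
    """Raised when a referenced AccessPolicyProfile does not exist."""


def effective_policies(user, profiles):
    """Return {resource: set(actions)} for a User manifest given as a dict.

    profiles maps (namespace, name) -> AccessPolicyProfile spec. Referenced
    profiles are unioned; an inline spec.accessPolicies entry replaces every
    profile policy for the same resource; a ref without a namespace defaults
    to the User's own namespace; a missing profile aborts the reconcile.
    """
    user_ns = user["metadata"]["namespace"]
    spec = user["spec"]
    merged = {}
    for ref in spec.get("accessPolicyProfileRef", []):
        key = (ref.get("namespace", user_ns), ref["name"])
        if key not in profiles:
            raise ProfileNotFound(f"AccessPolicyProfile {key[0]}/{key[1]} not found")
        for policy in profiles[key].get("accessPolicies", []):
            for resource in policy["resources"]:
                merged.setdefault(resource, set()).update(policy["actions"])
    # Inline policies win per resource: replace the profile entry, do not union.
    inline = {}
    for policy in spec.get("accessPolicies", []):
        for resource in policy["resources"]:
            inline.setdefault(resource, set()).update(policy["actions"])
    merged.update(inline)
    return merged


# Constructed sample data; the component-admin-profile contents are invented.
PROFILES = {
    ("nifi", "read-only-profile"): {"accessPolicies": [
        {"actions": ["read"], "resources": ["/flow", "/process-groups/root"]},
        {"actions": ["read"], "resources": ["/data/process-groups/root"]},
    ]},
    ("nifi", "component-admin-profile"): {"accessPolicies": [
        {"actions": ["read", "write"], "resources": ["/process-groups/root"]},
    ]},
}
ALICE = {
    "metadata": {"name": "alice", "namespace": "nifi"},
    "spec": {
        "accessPolicies": [{"actions": ["read", "write"], "resources": ["/flow"]}],
        "accessPolicyProfileRef": [{"name": "read-only-profile"},
                                   {"name": "component-admin-profile", "namespace": "nifi"}],
    },
}
```

Calling effective_policies(ALICE, PROFILES) shows /flow carrying only the inline read/write policy, while /process-groups/root receives the union of both profiles.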
