Configuring a user identity with access policies

The User custom resource creates and manages a user in a NiFi instance. Cloudera Flow Management Operator for Kubernetes reconciles the user in the NiFi API and optionally provisions a client certificate and access policies for that user.

Each User resource targets a single Nifi resource, that is, one NiFi instance. When the resource is created, the operator registers the user in the NiFi API and writes the NiFi-assigned UUID back to status.identifier; a populated status.identifier indicates that the user was created successfully. Later reconciliations update the user's identity if it changes and keep its access policies in sync. When the resource is deleted, the operator removes the user from NiFi and from all of its access policies before releasing the finalizer.

Spec fields

Field Type Required Description
instanceTarget InstanceTarget Yes The Nifi instance to manage the user in
identity string Yes The username displayed in NiFi and used as the certificate CN / DNS SAN
certificate CertificateSpec No Controls client certificate generation; omit to disable
accessPolicies []AccessPolicy No Inline access policies granted to this user
accessPolicyProfileRef []ObjectReference No References to AccessPolicyProfile resources

instanceTarget

Field Type Required Description
kind Nifi Yes Kind of the target resource; must be Nifi
name string Yes Name of the target resource
namespace string No Namespace of the target; defaults to the User's namespace

accessPolicies

Each entry specifies one or more NiFi resource paths and the actions to grant on them.

Field Type Description
resources []string NiFi resource paths, e.g. /process-groups/root, /flow, /policies
actions []string read, write, or both

Policies specified inline in accessPolicies take precedence over any conflicting policy for the same resource inherited from an AccessPolicyProfile.

Examples

Minimal user

apiVersion: cfm.cloudera.com/v1alpha1
kind: User
metadata:
  name: alice
spec:
  instanceTarget:
    kind: Nifi
    name: my-nifi
  identity: alice

User with read access to the root process group

apiVersion: cfm.cloudera.com/v1alpha1
kind: User
metadata:
  name: alice
spec:
  instanceTarget:
    kind: Nifi
    name: my-nifi
  identity: alice
  accessPolicies:
    - resources:
        - /process-groups/root
        - /flow
      actions:
        - read

User with a generated client certificate

Requires the target Nifi to have spec.security.nodeCertGen configured. The operator creates a cert-manager Certificate in the same namespace, using spec.identity as both the CommonName and DNS SAN. The resulting Secret will contain a valid client certificate that can be used to authenticate as the user to the NiFi API.

apiVersion: cfm.cloudera.com/v1alpha1
kind: User
metadata:
  name: alice
spec:
  instanceTarget:
    kind: Nifi
    name: my-nifi
  identity: alice
  certificate:
    generate: true

User with policies from an AccessPolicyProfile

apiVersion: cfm.cloudera.com/v1alpha1
kind: User
metadata:
  name: alice
spec:
  instanceTarget:
    kind: Nifi
    name: my-nifi
  identity: alice
  accessPolicyProfileRef:
    - name: read-only-profile
      namespace: default

Lifecycle

Creation

The operator registers the user in the NiFi API. The NiFi-assigned UUID is written to status.identifier and used by the operator for all subsequent changes to that user.

Identity Rename

Updating spec.identity renames the user in the NiFi API on the next reconciliation. The status.identifier is preserved, so NiFi-internal references (policy memberships, group memberships) are not affected.

Access policy changes

On each reconciliation the operator computes the desired policy set by merging inline accessPolicies with any referenced profiles and diffs it against the current NiFi state. Missing policies are added and stale policies are removed. Removing a policy only removes the user from that policy; the policy itself is never deleted.
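The merge and diff described here, together with the precedence rule given under accessPolicies, as an added Go example (not the operator's own code; the AccessPolicy type, the "action resource" membership key and the function names are assumptions made for illustration):

```go
package main

import "sort"

// AccessPolicy mirrors one accessPolicies entry (hypothetical type, not the operator's).
type AccessPolicy struct{ Resources, Actions []string }
// flatten expands entries into "action resource" memberships, skipping resources in skip.
func flatten(ps []AccessPolicy, skip map[string]bool) map[string]bool {
	out := map[string]bool{}
	for _, p := range ps {
		for _, r := range p.Resources {
			if skip[r] {
				continue
			}
			for _, a := range p.Actions {
				out[a+" "+r] = true
			}
		}
	}
	return out
}

// Desired merges inline and profile policies. Inline wins: a resource named inline
// is taken only from the inline spec, so conflicting profile actions on it are dropped.
func Desired(inline, profile []AccessPolicy) map[string]bool {
	inlineRes := map[string]bool{}
	for _, p := range inline {
		for _, r := range p.Resources {
			inlineRes[r] = true
		}
	}
	out := flatten(inline, nil)
	for k := range flatten(profile, inlineRes) {
		out[k] = true
	}
	return out
}

// Missing returns, sorted, the memberships in a that b lacks: Missing(desired, current)
// is what to add, Missing(current, desired) what to remove (the user only, never the policy).
func Missing(a, b map[string]bool) (ks []string) {
	for k := range a {
		if !b[k] {
			ks = append(ks, k)
		}
	}
	sort.Strings(ks)
	return ks
}
```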

Deletion

Deleting the User resource removes the user from the NiFi API and from all access policies, then deletes the generated client certificate (if any) before releasing the finalizer. If the target Nifi resource is not found at deletion time, the NiFi-side cleanup is skipped and the finalizer is still removed.

Relationship to UserGroup

Users can be collected into UserGroup resources by direct reference (spec.userRefs). The operator then adds those users to the corresponding user group in NiFi.