Configuring user groups

The UserGroup custom resource creates and manages a user group in a NiFi instance. Cloudera Flow Management Operator for Kubernetes reconciles the group in the NiFi API, keeps its membership in sync with referenced User resources, and optionally provisions access policies for the group.

Each UserGroup resource targets a single Nifi instance. When created, the operator registers the group in the NiFi API and writes the NiFi-assigned UUID to status.identifier. Subsequent reconciliations detect identity renames, sync group membership from spec.userRefs, and diff access policies against the current NiFi state. When the resource is deleted, the operator removes the group from NiFi before releasing the finalizer.

Spec Fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| instanceTarget | InstanceTarget | Yes | The Nifi instance to manage the group in |
| identity | string | Yes | The group name displayed in NiFi |
| userRefs | []ObjectReference | No | References to User resources whose members are added to this group |
| accessPolicies | []AccessPolicy | No | Inline access policies granted to this group |

instanceTarget

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| kind | Nifi | Yes | Kind of the target resource |
| name | string | Yes | Name of the target resource |
| namespace | string | No | Namespace of the target; defaults to the UserGroup's namespace |

userRefs

Each entry is an object reference to a User resource in the same cluster. The namespace defaults to the UserGroup's own namespace if omitted.

userRefs:
  - name: alice
  - name: bob
    namespace: other-ns

Users that have not yet been reconciled by the User controller (no status.identifier) are silently skipped and will be added on the next reconciliation once their identifier is available.

accessPolicies

Each entry specifies one or more NiFi resource paths and the actions to grant on them.

| Field | Type | Description |
| --- | --- | --- |
| resources | []string | NiFi resource paths, e.g. /process-groups/root, /flow, /policies |
| actions | []string | read, write, or both |

The special token /process-groups/root is resolved at runtime to the root process group UUID of the target Nifi instance.

Status Fields

| Field | Type | Description |
| --- | --- | --- |
| identifier | string | NiFi-assigned UUID for this group; set after the first successful reconciliation |

Examples

Minimal group

A minimal UserGroup with no users or access policies assigned to it.

apiVersion: cfm.cloudera.com/v1alpha1
kind: UserGroup
metadata:
  name: operators
spec:
  instanceTarget:
    kind: Nifi
    name: my-nifi
  identity: operators

Group with members

This group contains the users alice and bob, both User custom resources in the same namespace as the operators UserGroup. No access policies are assigned to it.

apiVersion: cfm.cloudera.com/v1alpha1
kind: UserGroup
metadata:
  name: operators
spec:
  instanceTarget:
    kind: Nifi
    name: my-nifi
  identity: operators
  userRefs:
    - name: alice
    - name: bob

Group with read access to the root process group

This group contains a single User alice and has read access to the root process group and the UI.

apiVersion: cfm.cloudera.com/v1alpha1
kind: UserGroup
metadata:
  name: readers
spec:
  instanceTarget:
    kind: Nifi
    name: my-nifi
  identity: readers
  userRefs:
    - name: alice
  accessPolicies:
    - resources:
        - /process-groups/root
        - /flow
      actions:
        - read

Lifecycle

Creation

The operator registers the group in the NiFi API on the first successful reconciliation. The NiFi-assigned UUID is written to status.identifier and used to identify the group in all subsequent reconciliations.

Identity rename

Updating spec.identity renames the group in the NiFi API on the next reconciliation. The status.identifier is preserved, so NiFi-internal references (policy memberships) are not affected.

Membership changes

On each reconciliation the operator resolves spec.userRefs to NiFi tenant UUIDs via user.status.identifier and calls the NiFi API to set the group's member list. Removing a User from spec.userRefs removes them from the group on the next reconciliation.

Access policy changes

On each reconciliation the operator diffs the desired policy set against the current NiFi state. Missing policies are added and stale policies are removed. Removing a policy only removes the group from that policy; the policy object itself is never deleted from NiFi.
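The diff step described above, written out as an added Go illustration (not the operator's own code): spec.accessPolicies is expanded into individual (action, resource) policies with the /process-groups/root token resolved, then compared with the policies that currently list the group, yielding one add list and one remove list. The type and function names, and the "action resource" key format, are assumptions made for this example.

```go
package main

import "sort"

// AccessPolicy mirrors one spec.accessPolicies entry: resource paths and the actions granted on each.
type AccessPolicy struct {
	Resources []string
	Actions   []string
}

// rootToken is the placeholder the operator resolves to the root process group UUID.
const rootToken = "/process-groups/root"

// policyKey names one NiFi access policy as "<action> <resource>" (key format assumed for this example).
func policyKey(action, resource string) string { return action + " " + resource }

// DesiredPolicies expands spec.accessPolicies into individual (action, resource) policies, resolving rootToken.
func DesiredPolicies(specs []AccessPolicy, rootPGID string) map[string]bool {
	want := map[string]bool{}
	for _, ap := range specs {
		for _, res := range ap.Resources {
			if res == rootToken {
				res = "/process-groups/" + rootPGID
			}
			for _, act := range ap.Actions {
				want[policyKey(act, res)] = true
			}
		}
	}
	return want
}

// DiffPolicies compares the desired set with the policies that currently list the group in NiFi
// and returns (sorted) the policies to add the group to and to remove it from; policy objects are kept.
func DiffPolicies(want, current map[string]bool) (add, remove []string) {
	for p := range want {
		if !current[p] {
			add = append(add, p)
		}
	}
	for p := range current {
		if !want[p] {
			remove = append(remove, p)
		}
	}
	sort.Strings(add)
	sort.Strings(remove)
	return add, remove
}
```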

Deletion

Deleting the UserGroup resource removes the group from the NiFi API before releasing the finalizer. If the target Nifi resource is not found at deletion time, the NiFi-side cleanup is skipped and the finalizer is still removed.

Relationship to User

User resources are added to a group by listing them in spec.userRefs. The operator watches User resources and re-reconciles any UserGroup that references them, so membership updates propagate automatically when a User is created or updated.