Pre-defined Ranger access policies for Apache NiFi

Based on a user’s responsibilities, you can add users to one or more of the following Ranger access policies. When you create a custom policy, use the resource descriptor in the NiFi Resource Identifier field.

The following table lists the pre-defined Ranger access policies for NiFi.
| Ranger Policy | Description | Resource Descriptor |
|---|---|---|
| Controller | Allows users to view and modify the controller including Reporting Tasks, Controller Services, Parameter Contexts and Nodes in the Cluster. | /controller |
| Flow | Allows users to view the NiFi UI. | /flow |
| Policies | Allows users to view the policies for all components. | /policies |
| Provenance | Allows users to submit a Provenance Search and request Event Lineage. | /provenance |
| Proxies | Allows NiFi and Knox hosts to proxy user requests. Does not apply to users or user groups. | /proxy |
| Restricted Components | Allows users to create/modify restricted components assuming other permissions are sufficient. The restricted components may indicate the specific permissions that are required. Permissions can be granted for specific restrictions or be granted regardless of restrictions. If permission is granted regardless of restrictions, the user can create/modify all restricted components. Some examples of restricted components are ExecuteScript, List/FetchHDFS, and TailFile. | /restricted-components |
| Root Group Data | Allows users and the nifi group to view and delete data from the root group and down the hierarchy unless there is a more specific policy on a component. | /data/process-groups |
| Root Group Provenance Data | Allows users to view provenance data. | /provenance-data/process-groups/ |
| Root Process Group | Allows users to view and modify the root process group including adding/removing processors to the canvas. This policy is inherited down the hierarchy unless there is a more specific policy on a component. | /process-groups |
| Tenants | Allows users to view and modify user accounts and user groups. | /tenants |
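
The following Python audit is an added example, not part of this documentation or of Ranger or NiFi. It reviews policy definitions for two grants the table singles out: identities on /proxy that are not NiFi or Knox hosts, and modify access to /restricted-components or /tenants outside an administrator list. It assumes the policies follow Ranger's policy JSON model with the NiFi Resource Identifier stored under the "nifi-resource" key; the function names, the ADMIN_ONLY set, the allowlists and the sample identities are hypothetical.

```python
# Added example. Assumption: policies use Ranger's policy JSON model and the
# NiFi Resource Identifier is stored under the "nifi-resource" resource key.
ADMIN_ONLY = {"/restricted-components", "/tenants"}  # review choice of this example

def allowed_types(item):
    """Access types a policy item actually grants."""
    return {a["type"].upper() for a in item.get("accesses", [])
            if a.get("isAllowed", True)}

def audit(policies, proxy_hosts, admins):
    """Return (descriptor, identity, reason) for grants that need review."""
    findings = []
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies grant nothing
        values = policy.get("resources", {}).get("nifi-resource", {}).get("values", [])
        for item in policy.get("policyItems", []):
            users = item.get("users", [])
            groups = ["group:" + g for g in item.get("groups", [])]
            for descriptor in values:
                descriptor = descriptor.rstrip("/")
                if descriptor == "/proxy":
                    # Proxies is for NiFi and Knox hosts, not users or groups.
                    findings += [(descriptor, g, "proxy granted to a group") for g in groups]
                    findings += [(descriptor, u, "proxy granted to unknown identity")
                                 for u in users if u not in proxy_hosts]
                elif descriptor in ADMIN_ONLY and "WRITE" in allowed_types(item):
                    findings += [(descriptor, i, "modify access outside admin list")
                                 for i in users + groups if i not in admins]
    return findings

def make_policy(name, descriptor, users, groups, access):
    """Build one constructed policy record for the sample below."""
    return {"name": name, "isEnabled": True,
            "resources": {"nifi-resource": {"values": [descriptor]}},
            "policyItems": [{"users": users, "groups": groups,
                             "accesses": [{"type": access, "isAllowed": True}]}]}

# Constructed sample policies (not taken from a real deployment).
SAMPLE = [
    make_policy("Proxies", "/proxy", ["CN=nifi-node1.example.com", "alice"], ["etl-devs"], "WRITE"),
    make_policy("Restricted Components", "/restricted-components", ["bob"], ["nifi-admins"], "WRITE"),
    make_policy("Flow", "/flow", ["alice"], [], "READ"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"CN=nifi-node1.example.com"}, {"group:nifi-admins"}):
        print(finding)
```
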