File-based authorization

When Ranger is not selected as a dependency during installation, NiFi or NiFi Registry’s internal file-based authorizer will be used for authorization.

When Ranger is not selected, the NiFi and NiFi Registry CSD scripts will perform the following steps:
  • By default, during start-up, NiFi and NiFi Registry will create the following files in /var/lib/nifi and /var/lib/nifiregistry:
    • users.xml
    • authorizations.xml

    These files will include the users and policies for the Initial Admin Identity, Initial Admin Groups, and proxy group.

  • Create policies for the following Initial Admin Identity and Initial Admin Groups:
    • For NiFi: nifi.initial.admin.identity and nifi.initial.admin.groups
    • For NiFi Registry: nifi.registry.initial.admin.identity and nifi.registry.initial.admin.groups
  • Create policies for proxies specified by nifi.proxy.group or nifi.registry.proxy.group.

Each authorizers.xml file produced in NiFi and NiFi Registry when using file-based authorization contains the following logical configuration:

  • CompositeConfigurableUserGroupProvider
    • FileUserGroupProvider
    • CMUserGroupProvider
  • FileAccessPolicyProvider
    • Configured with the CompositeConfigurableUserGroupProvider
  • StandardManagedAuthorizer
    • Configured with FileAccessPolicyProvider