Predefined component-level policies for Apache NiFi
The component-level granular policies are keyed on the UUID of each component. For connections, the policy is enforced based on the processor component that the connection originates from.
Note the following:
- There is a unique policy for every component, based on that component's assigned UUID.
- Component-level authorizations are inherited from the parent process group when no specific policy is set for the processor or sub-process group.
- Ranger supports the `*` wildcard when assigning policies.
- In a NiFi cluster, all nodes must be granted the ability to view and modify component data in order for a user to list or empty queues on a processor's outbound connections. With Ranger this can be accomplished by using a wildcard to grant all the NiFi nodes read and write access to the `/data/*` NiFi resource.
| Ranger component-level policy | NiFi component | Equivalent NiFi file-based authorizer policy | Ranger permissions |
|---|---|---|---|
| `/data-transfer/input-ports/<UUID>` | Each NiFi remote input port is assigned a unique `<UUID>`. | Send data through site-to-site. | Both read and write are required and should be granted to the source NiFi servers sending data to this NiFi through this input port. |
| `/data-transfer/output-ports/<UUID>` | Each NiFi remote output port is assigned a unique `<UUID>`. | Retrieve data through site-to-site. | Both read and write are required and should be granted to the source NiFi servers pulling data from this NiFi via this output port. |
| `/process-groups/<UUID>` | Each NiFi process group is assigned a unique `<UUID>`. | View or modify the component. | Read: allows the user to view process group details only. Write: allows the user to start, stop or delete the process group, add components inside the process group and add controller services to the process group. |
| `/data/process-groups/<UUID>` | Each NiFi process group is assigned a unique `<UUID>`. | View or modify the data. | Read: allows the user to view data that was processed by components in this process group and to list queues. Write: allows the user to empty queues/purge data from queues within the process group. |
| `/policies/process-groups/<UUID>` | Each NiFi process group is assigned a unique `<UUID>`. | View or modify the policies. | Read: N/A in Ranger. Write: N/A in Ranger. |
| `/processors/<UUID>` | Each NiFi processor is assigned a unique `<UUID>`. | View or modify the component. | Read: allows the user to view the processor configuration only. Write: allows the user to start, stop, configure and delete the processor. |
| `/data/processors/<UUID>` | Each NiFi processor is assigned a unique `<UUID>`. | View or modify the data. | Read: allows the user to view data processed by this processor and to list queues on this processor's outbound connections. Write: allows the user to empty queues/purge data from this processor's outbound connections. |
| `/policies/processors/<UUID>` | Each NiFi processor is assigned a unique `<UUID>`. | View or modify the policies. | Read: N/A in Ranger. Write: N/A in Ranger. |
| `/controller-services/<UUID>` | Each NiFi controller service is assigned a unique `<UUID>`. | View or modify the component. | Read: allows the user to view the controller service configuration only. Write: allows the user to enable, disable, configure and delete the controller service. |
| `/provenance-data/<component-type>/<component-UUID>` | Each NiFi component is assigned a unique `<UUID>`. | View provenance. | Read: allows the user to view provenance events generated by this component. Write: N/A in Ranger. |
| `/operation/<component-type>/<component-UUID>` | Each NiFi component is assigned a unique `<UUID>`. | Operate the component. | Read: N/A in Ranger. Write: allows the user to operate components by changing the component run status (start/stop/enable/disable), remote port transmission status, or terminating processor threads. |
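The notes above (UUID-keyed resources, inheritance from the parent process group, the `*` wildcard, and the `/data/*` grant for cluster nodes) can be checked against a small model of the resolution rules. The following is an added example, not NiFi or Ranger code: it assumes a constructed flow of two process groups and one processor, made-up UUIDs and node identities, and uses `fnmatch`-style matching as a simplification of Ranger's resource matcher.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample flow: root process group > child process group > processor.
ROOT_PG = "a0000000-0000-4000-8000-000000000001"   # made-up UUIDs
CHILD_PG = "a0000000-0000-4000-8000-000000000002"
PROC = "a0000000-0000-4000-8000-000000000003"
COMPONENTS = {  # uuid -> (Ranger resource kind, parent process group or None)
    ROOT_PG: ("process-groups", None),
    CHILD_PG: ("process-groups", ROOT_PG),
    PROC: ("processors", CHILD_PG),
}

@dataclass(frozen=True)
class Policy:
    resource: str          # Ranger nifi-resource pattern; '*' wildcard allowed
    users: frozenset       # user identities granted by this policy
    accesses: frozenset    # subset of {"READ", "WRITE"}

NODE1 = "CN=nifi-node1.example.com, OU=NIFI"   # constructed node identities
NODE2 = "CN=nifi-node2.example.com, OU=NIFI"
POLICIES = [
    # All cluster nodes get read+write on /data/* so queue listing/emptying works.
    Policy("/data/*", frozenset({NODE1, NODE2}), frozenset({"READ", "WRITE"})),
    # An analyst may modify the root group but only view the child group.
    Policy(f"/process-groups/{ROOT_PG}", frozenset({"analyst"}),
           frozenset({"READ", "WRITE"})),
    Policy(f"/process-groups/{CHILD_PG}", frozenset({"analyst"}),
           frozenset({"READ"})),
]

def resource(prefix: str, uuid: str) -> str:
    """Ranger resource path for a component, e.g. /data/processors/<UUID>."""
    kind, _parent = COMPONENTS[uuid]
    return f"{prefix}/{kind}/{uuid}"

def authorized(policies, user: str, prefix: str, uuid: str, access: str) -> bool:
    """Simplified model of the page's rules: the nearest component (itself, then
    each enclosing process group) that has ANY matching policy decides the
    request; a component with no policy of its own inherits from its parent."""
    while uuid is not None:
        path = resource(prefix, uuid)
        hits = [p for p in policies if fnmatchcase(path, p.resource)]
        if hits:
            return any(user in p.users and access in p.accesses for p in hits)
        uuid = COMPONENTS[uuid][1]   # no policy here: inherit from parent group
    return False                      # no policy anywhere up the tree
```

With these policies a node can empty the processor's queues through the `/data/*` wildcard, while the analyst can only read the processor because the child group's own read-only policy, not the root group's write grant, is the nearest one that applies.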