konpyutaika / nifikop

The NiFiKop NiFi Kubernetes operator makes it easy to run Apache NiFi on Kubernetes. Apache NiFi is a free, open-source solution that supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
https://konpyutaika.github.io/nifikop/
Apache License 2.0

no effect for componentId in NifiUser / NifiUserGroup (accessPolicies) #39

Closed juldrixx closed 7 months ago

juldrixx commented 2 years ago

From nifikop created by teplydat: Orange-OpenSource/nifikop#66

Bug Report

What did you do? I want to grant permission on specific "components" (let's call it "itam"; it is a process group under "NiFi Flow") via the CR "NifiUserGroup". The doc is here: https://orange-opensource.github.io/nifikop/docs/v0.4.3/3_tasks/4_nifi_user_group

...
    - type: component
      action: read
      resource: /
      componentType: process-groups
      componentId: 1ac3ab15-0177-1000-0000-000017feb4b2
#      componentId: "1ac3ab15-0177-1000-0000-000017feb4b2"
#      componentId: "itam"

I tried different things for componentId.

What did you expect to see? User policy should be for example: "Component policy for process Group itam"

What did you see instead? Under which circumstances? No such policy. If I don't specify "componentId" then it is: "Component policy for process Group NiFi Flow"

Environment

Possible Solution It seems the componentId is not set here: https://github.com/Orange-OpenSource/nifikop/blob/08e3fc742d96d630287b244f95b4e2dbeb2890a1/pkg/clientwrappers/accesspolicies/policies.go#L132

Would be very nice if someone can help!

juldrixx commented 7 months ago

Tested with NiFiKop 1.5.0.

apiVersion: nifi.konpyutaika.com/v1
kind: NifiUser
metadata:
  name: myuser
spec:
  identity: myuser@konpyutaika.com
  clusterRef:
    name: nifikop
  createCert: false
  accessPolicies:
  - type: global
    action: read
    resource: /flow
  - type: component
    action: read
    resource: /
    componentType: process-groups
    componentId: f14df4f6-018b-1000-0000-0000746142ad


apiVersion: nifi.konpyutaika.com/v1
kind: NifiUser
metadata:
  name: myuser
spec:
  identity: myuser@konpyutaika.com
  clusterRef:
    name: nifikop
  createCert: false
  accessPolicies:
  - type: global
    action: read
    resource: /flow
  - type: component
    action: read
    resource: /
    componentType: process-groups
    componentId: foo


Same result with a group.

apiVersion: nifi.konpyutaika.com/v1
kind: NifiUser
metadata:
  name: myuser
spec:
  identity: myuser@konpyutaika.com
  clusterRef:
    name: nifikop
  createCert: false
---
apiVersion: nifi.konpyutaika.com/v1
kind: NifiUserGroup
metadata:
  name: mygroup
spec:
  clusterRef:
    name: nifikop
  usersRef:
    - name: myuser
  accessPolicies:
  - type: global
    action: read
    resource: /flow
  - type: component
    action: read
    resource: /
    componentType: process-groups
    componentId: f1485c40-018b-1000-7290-9ed76423fd90


apiVersion: nifi.konpyutaika.com/v1
kind: NifiUser
metadata:
  name: myuser
spec:
  identity: myuser@konpyutaika.com
  clusterRef:
    name: nifikop
  createCert: false
---
apiVersion: nifi.konpyutaika.com/v1
kind: NifiUserGroup
metadata:
  name: mygroup
spec:
  clusterRef:
    name: nifikop
  usersRef:
    - name: myuser
  accessPolicies:
  - type: global
    action: read
    resource: /flow
  - type: component
    action: read
    resource: /
    componentType: process-groups
    componentId: foo


The componentId field is effective.
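A pre-apply check for the scoping problem discussed in this issue, as an added example that is not NiFiKop code and not part of the original thread: it flags `component` policies in NifiUser / NifiUserGroup manifests that have no `componentId` (which, per the report above, end up as a policy on "NiFi Flow") or whose `componentId` is not UUID-shaped. Assumptions: the manifests are passed in as already-parsed dicts, the `rootgroup` resource is constructed, and treating a non-UUID id as suspicious is this example's heuristic, not documented operator behaviour.

```python
import uuid

# Kinds whose spec.accessPolicies are checked (both appear in this issue).
POLICY_KINDS = {"NifiUser", "NifiUserGroup"}


def is_uuid(value):
    """True if value is a canonical UUID string, the shape of the ids used in this issue."""
    try:
        return str(uuid.UUID(str(value))) == str(value).lower()
    except ValueError:
        return False


def audit(manifests):
    """Return (kind/name, policy index, problem) for each suspicious component policy."""
    findings = []
    for doc in manifests:
        if doc.get("kind") not in POLICY_KINDS:
            continue
        who = f'{doc["kind"]}/{doc["metadata"]["name"]}'
        policies = doc.get("spec", {}).get("accessPolicies") or []
        for i, pol in enumerate(policies):
            if pol.get("type") != "component":
                continue  # global policies carry no componentId
            cid = pol.get("componentId")
            if not cid:
                # Reported above: without componentId the policy is for "NiFi Flow".
                findings.append((who, i, "no componentId: policy lands on the root process group"))
            elif not is_uuid(cid):
                findings.append((who, i, f"componentId {cid!r} is not a UUID"))
    return findings


def _component(cid=None):
    """Build a read policy on a process group, optionally scoped by componentId."""
    pol = {"type": "component", "action": "read", "resource": "/", "componentType": "process-groups"}
    return {**pol, "componentId": cid} if cid is not None else pol


# Constructed sample input modelled on the manifests tested in this thread.
FLOW_READ = {"type": "global", "action": "read", "resource": "/flow"}
SAMPLE = [
    {"kind": "NifiUser", "metadata": {"name": "myuser"},
     "spec": {"accessPolicies": [FLOW_READ, _component("f14df4f6-018b-1000-0000-0000746142ad")]}},
    {"kind": "NifiUserGroup", "metadata": {"name": "mygroup"},
     "spec": {"accessPolicies": [FLOW_READ, _component("foo")]}},
    {"kind": "NifiUserGroup", "metadata": {"name": "rootgroup"},
     "spec": {"accessPolicies": [_component()]}},
]
```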