Open koehljaSICKAG opened 2 months ago
This does seem like an issue. Thank you for reporting. Will dig into this.
I think this is an unusual use case, since nifikop is designed to deploy & access control versioned process groups from NiFi registry, but it should be able to assume control of existing or manually created process groups as well. So i think we should address this.
@koehljaSICKAG : Can you please share the entire authorizations.xml and users.xml that get generated in your case?
@mh013370 here are the files. I just changed the identity tag of user0 and user1. Besides that it is as it is in the container. I also included the NifiUserGroup yml for you to see the correct component id. The id of the root canvas is f560ea4e-018e-1000-52c7-4bb47cffdf7d.
users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
<groups>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96" name="nifi-nifi.managed-admins">
<user identifier="04df347d-018f-1000-0000-00000f1c8447"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</group>
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0" name="nifi-nifi.managed-readers">
<user identifier="f5626843-018e-1000-0000-00004548e31c"/>
</group>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1" name="nifi-nifi.managed-nodes">
<user identifier="198fdabb-bbf2-347b-ac56-8516587efed6"/>
</group>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb" name="nifi-custom.reader">
<user identifier="f585211d-018e-1000-0000-0000088cac1d"/>
</group>
<group identifier="f58beaaa-018e-1000-0000-00006da00fee" name="nifi-custom.smax">
<user identifier="f585211d-018e-1000-0000-0000088cac1d"/>
</group>
</groups>
<users>
<user identifier="198fdabb-bbf2-347b-ac56-8516587efed6" identity="nifi-1-node.nifi-headless.nifi.svc.cluster.local"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610" identity="nifi-controller"/>
<user identifier="f5626843-018e-1000-0000-00004548e31c" identity="dummy.user@example.com"/>
<user identifier="f585211d-018e-1000-0000-0000088cac1d" identity="user0@example.com"/>
<user identifier="04df347d-018f-1000-0000-00000f1c8447" identity="user1@example.com"/>
</users>
</tenants>
authorizations.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
<policies>
<policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="287edf48-da72-359b-8f61-da5d4c45a270" resource="/proxy" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="198fdabb-bbf2-347b-ac56-8516587efed6"/>
</policy>
<policy identifier="f5624a1e-018e-1000-ffff-fffff6018cd3" resource="/proxy" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
<user identifier="198fdabb-bbf2-347b-ac56-8516587efed6"/>
</policy>
<policy identifier="f5624b61-018e-1000-ffff-fffff07e74f2" resource="/flow" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="f5624c14-018e-1000-ffff-ffffd500bf27" resource="/restricted-components" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<user identifier="00b12756-f761-329c-a808-51d31ba1c610"/>
</policy>
<policy identifier="f5626645-018e-1000-0000-00005d64a752" resource="/parameter-context" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f56266fb-018e-1000-0000-00004aae4274" resource="/parameter-context" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f56267d2-018e-1000-0000-000050b77c8c" resource="/provenance" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5626892-018e-1000-ffff-ffffbe714732" resource="/provenance" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f5626c04-018e-1000-ffff-ffffc46d82dd" resource="/site-to-site" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5626c8d-018e-1000-ffff-ffffe0383cbf" resource="/system" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5626d20-018e-1000-0000-00000a199f00" resource="/site-to-site" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f5626e78-018e-1000-ffff-ffff989d7225" resource="/counters" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5626f08-018e-1000-0000-00001222df50" resource="/counters" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f5626f93-018e-1000-ffff-ffffb2b5e0d4" resource="/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5627020-018e-1000-ffff-ffff91b6b892" resource="/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="W">
<group identifier="f58beaaa-018e-1000-0000-00006da00fee"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f56270b1-018e-1000-ffff-ffffb61cb75b" resource="/operation/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
</policy>
<policy identifier="f5627138-018e-1000-0000-00002732bca9" resource="/provenance-data/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
</policy>
<policy identifier="f56271be-018e-1000-ffff-ffffb4ce5e4f" resource="/data/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
</policy>
<policy identifier="f562724b-018e-1000-0000-00005a6caf21" resource="/data/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="W">
<group identifier="f562632d-018e-1000-ffff-ffffd8193d96"/>
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
</policy>
<policy identifier="f56277c3-018e-1000-0000-000018f0f0a1" resource="/operation/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="R">
<group identifier="f56272ca-018e-1000-ffff-ffff8a3d5db0"/>
<group identifier="f58be5ad-018e-1000-ffff-ffffb3f322fb"/>
</policy>
<policy identifier="f5627a60-018e-1000-ffff-ffffdaf26b28" resource="/provenance-data/process-groups/f560ea4e-018e-1000-52c7-4bb47cffdf7d" action="W">
<group identifier="f56278fa-018e-1000-ffff-ffff88d978f1"/>
</policy>
</policies>
</authorizations>
grp.smax.yml
apiVersion: nifi.konpyutaika.com/v1
kind: NifiUserGroup
metadata:
  name: custom.smax
spec:
  accessPolicies:
    - action: write
      resource: /
      type: component
      componentType: process-groups
      componentId: f5892907-018e-1000-ffff-ffffb2346c55
  clusterRef:
    name: nifi
    namespace: nifi
  usersRef:
    - name: user0
I think this is an unusual use case, since nifikop is designed to deploy & access control versioned process groups from NiFi registry, but it should be able to assume control of existing or manually created process groups as well. So i think we should address this.
@mh013370 but even when I am generating the DataFlow using a CRD, I would have to create a separate policy to give a group write access to this DataFlow. So I think the problem would stay the same.
This is true. I had thought you could provide a NifiDataflow reference for a group, but that is not the case. Your complete example should help enable tracking down what's actually causing this. Thank you
What steps will reproduce the bug?
What is the expected behavior?
The user should now have read access to everything and write access only on everything below the ProcessGroup f02c2450-018e-1000-0000-0000771ba5bc.
This should result in a user file like this
and an authorizations.xml like this. The important part is this:
resource="/process-groups/f0241a9c-018e-1000-ffff-ffffc6e93eb8"
Here should be the componentId of the process group specified above.
What do you see instead?
Instead the user gets write access from the top canvas (NifiFlow, e65a4f68-018e-1000-1027-316d1d593bd6) down. He basically gets global write by this setting. In the authorizations.xml one can see the error: nifikop added the group to the main canvas resource="/process-groups/e65a4f68-018e-1000-1027-316d1d593bd6" with a write privilege.
Possible solution
No response
NiFiKop version
v1.8.0
Golang version
1.22.1
Kubernetes version
Client Version: v1.28.1 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: v1.28.4+k0s
NiFi version
1.24.0
Additional context
This also happened using nifikop 1.6 with nifi 1.23.2.