Posted to commits@nifi.apache.org by al...@apache.org on 2018/06/27 00:37:52 UTC

svn commit: r1834461 [39/42] - in /nifi/site/trunk/docs: ./ nifi-docs/ nifi-docs/components/org.apache.nifi/nifi-ambari-nar/1.7.0/ nifi-docs/components/org.apache.nifi/nifi-ambari-nar/1.7.0/org.apache.nifi.reporting.ambari.AmbariReportingTask/ nifi-doc...

Modified: nifi/site/trunk/docs/nifi-docs/html/user-guide.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/docs/nifi-docs/html/user-guide.html?rev=1834461&r1=1834460&r2=1834461&view=diff
==============================================================================
--- nifi/site/trunk/docs/nifi-docs/html/user-guide.html (original)
+++ nifi/site/trunk/docs/nifi-docs/html/user-guide.html Wed Jun 27 00:37:46 2018
@@ -1,4 +1,20 @@
-<!DOCTYPE html>
+<!--
+                        Licensed to the Apache Software Foundation (ASF) under one or more
+                        contributor license agreements.  See the NOTICE file distributed with
+                        this work for additional information regarding copyright ownership.
+                        The ASF licenses this file to You under the Apache License, Version 2.0
+                        (the "License"); you may not use this file except in compliance with
+                        the License.  You may obtain a copy of the License at
+
+                        http://www.apache.org/licenses/LICENSE-2.0
+
+                        Unless required by applicable law or agreed to in writing, software
+                        distributed under the License is distributed on an "AS IS" BASIS,
+                        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+                        See the License for the specific language governing permissions and
+                        limitations under the License.
+                        -->
+                        <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
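Review bot: The license comment now sits ahead of the doctype at the top of the file, and the <!DOCTYPE html> line itself has picked up leading indentation. HTML5 allows a comment in that position, but older Internet Explorer versions switch to quirks mode when a comment precedes the doctype. Putting the comment immediately after the doctype line keeps the license text in the generated page and avoids the rendering difference.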
@@ -499,6 +515,8 @@ body.book #toc,body.book #preamble,body.
 <li><a href="user-guide.html#change-version">Change Version</a></li>
 <li><a href="user-guide.html#stop-version-control">Stop Version Control</a></li>
 <li><a href="user-guide.html#nested-versioned-flows">Nested Versioned Flows</a></li>
+<li><a href="user-guide.html#Variables_in_Versioned_Flows">Variables in Versioned Flows</a></li>
+<li><a href="user-guide.html#Restricted_Components_in_Versioned_Flows">Restricted Components in Versioned Flows</a></li>
 </ul>
 </li>
 <li><a href="user-guide.html#templates">Templates</a>
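Review bot: The two new anchors, Variables_in_Versioned_Flows and Restricted_Components_in_Versioned_Flows, use capitalized, underscore-separated ids, while the neighbouring entries in this list (change-version, stop-version-control, nested-versioned-flows) are lowercase and hyphenated. Fragment ids are case-sensitive and become part of published links, so it is worth matching the existing convention before these URLs are referenced elsewhere.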
@@ -857,12 +875,16 @@ of restrictions. If permission is grante
 <td class="tableblock halign-left valign-top"><p class="tableblock">Allows users to modify component configuration details</p></td>
 </tr>
 <tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">view provenance</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Allows users to view provenance events generated by this component</p></td>
+</tr>
+<tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">view the data</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">Allows users to view metadata and content for this component through provenance data and flowfile queues in outbound connection</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Allows users to view metadata and content for this component in flowfile queues in outbound connections and through provenance events</p></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">modify the data</p></td>
-<td class="tableblock halign-left valign-top"><p class="tableblock">Allows users to empty flowfile queues in outbound connections and to submit replays</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Allows users to empty flowfile queues in outbound connections and submit replays through provenance events</p></td>
 </tr>
 <tr>
 <td class="tableblock halign-left valign-top"><p class="tableblock">view the policies</p></td>
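Review bot: In the 'view the data' row, the new text says content is visible "through provenance events", but with 'view provenance' split out into its own row a reader cannot tell whether 'view the data' alone is enough for that path. The Data Provenance paragraph added later in this patch says event details need both policies; state the same dependency here, and clarify whether submitting replays under 'modify the data' also depends on 'view provenance', so an administrator can read the table as a complete description of what each grant exposes.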
@@ -955,20 +977,17 @@ Processors that allow us to ingest files
 <div class="paragraph">
 <p>Restricted components will be marked with a
 <span class="image"><img src="images/restricted.png" alt="Restricted"></span>
-icon next to their name. Hovering over the tooltip will display the specific restrictions this component requires. If the component
-does not list any specific restrictions it will require access to restricted components regardless of restrictions. These are components
+icon next to their name. These are components
 that can be used to execute arbitrary unsanitized code provided by the operator through the NiFi REST API/UI or can be used to obtain
 or alter data on the NiFi host system using the NiFi OS credentials. These components could be used by an otherwise authorized NiFi
 user to go beyond the intended use of the application, escalate privilege, or could expose data about the internals of the NiFi process
 or the host system. All of these capabilities should be considered privileged, and admins should be aware of these capabilities and
-explicitly enable them for a subset of trusted users.</p>
-</div>
-<div class="paragraph">
-<p>Before a user is allowed to create and modify restricted components they must be granted access to restricted components. This can be
+explicitly enable them for a subset of trusted users. Before a user is allowed to create and modify restricted components they must be granted access. Hovering over the <span class="image"><img src="images/restricted.png" alt="Restricted"></span>
+icon will display the specific permissions a restricted component requires. Permissions can be
 assigned regardless of restrictions. In this case, the user will have access to all restricted components. Alternatively, users can
 be assigned access to specific restrictions. If the user has been granted access to all restrictions a component requires, they will
 have access to that component assuming otherwise sufficient permissions. For more information refer to
-<a href="user-guide.html#UI-with-multi-tenant-authorization">Accessing the UI with Multi-Tenant Authorization</a>.</p>
+<a href="user-guide.html#UI-with-multi-tenant-authorization">Accessing the UI with Multi-Tenant Authorization</a> and <a href="user-guide.html#Restricted_Components_in_Versioned_Flows">Restricted Components in Versioned Flows</a>.</p>
 </div>
 <div class="paragraph">
 <p>Clicking the <code>Add</code> button or double-clicking on a Processor Type will add the selected Processor to the canvas at the
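Review bot: The rewrite of this paragraph drops the sentence "If the component does not list any specific restrictions it will require access to restricted components regardless of restrictions" without a replacement. If that behaviour still holds, it should stay, since it tells an administrator which grant is needed for components that list no specific restriction. Separately, merging the two paragraphs makes "Permissions can be assigned regardless of restrictions" follow directly from the tooltip sentence, which is hard to parse; keeping the access-granting text as its own paragraph would read more clearly.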
@@ -1434,20 +1453,20 @@ such as when a DFM starts an entire Proc
 <p>Below the Name configuration, the Processor&#8217;s unique identifier is displayed along with the Processor&#8217;s type and NAR bundle. These values cannot be modified.</p>
 </div>
 <div class="paragraph">
-<p>Next are two dialogues for configuring `Penalty duration' and `Yield duration'. During the normal course of processing a
+<p>Next are two dialogues for configuring 'Penalty Duration' and 'Yield Duration'. During the normal course of processing a
 piece of data (a FlowFile), an event may occur that indicates that the data cannot be processed at this time but the
 data may be processable at a later time. When this occurs, the Processor may choose to Penalize the FlowFile. This will
 prevent the FlowFile from being Processed for some period of time. For example, if the Processor is to push the data
 to a remote service, but the remote service already has a file with the same name as the filename that the Processor
-is specifying, the Processor may penalize the FlowFile. The `Penalty duration' allows the DFM to specify how long the
+is specifying, the Processor may penalize the FlowFile. The 'Penalty Duration' allows the DFM to specify how long the
 FlowFile should be penalized. The default value is 30 seconds.</p>
 </div>
 <div class="paragraph">
 <p>Similarly, the Processor may determine that some situation exists such that the Processor can no longer make any progress,
 regardless of the data that it is processing. For example, if a Processor is to push data to a remote service and that
-service is not responding, the Processor cannot make any progress. As a result, the Processor should `yield,' which will
+service is not responding, the Processor cannot make any progress. As a result, the Processor should 'yield', which will
 prevent the Processor from being scheduled to run for some period of time. That period of time is specified by setting
-the `Yield duration.' The default value is 1 second.</p>
+the 'Yield Duration'. The default value is 1 second.</p>
 </div>
 <div class="paragraph">
 <p>The last configurable option on the left-hand side of the Settings tab is the Bulletin level. Whenever the Processor writes
@@ -1456,7 +1475,7 @@ shown in the User Interface. By default,
 bulletins.</p>
 </div>
 <div class="paragraph">
-<p>The right-hand side of the Settings tab contains an `Auto-terminate relationships' section. Each of the Relationships that is
+<p>The right-hand side of the Settings tab contains an 'Automatically Terminate Relationships' section. Each of the Relationships that is
 defined by the Processor is listed here, along with its description. In order for a Processor to be considered valid and
 able to run, each Relationship defined by the Processor must be either connected to a downstream component or auto-terminated.
 If a Relationship is auto-terminated, any FlowFile that is routed to that Relationship will be removed from the flow and
@@ -1480,13 +1499,13 @@ auto-terminated, the auto-termination st
 </div>
 <div class="paragraph">
 <p><strong>Timer driven</strong>: This is the default mode. The Processor will be scheduled to run on a regular interval. The interval
-	at which the Processor is run is defined by the `Run schedule' option (see below).</p>
+	at which the Processor is run is defined by the 'Run Schedule' option (see below).</p>
 </div>
 <div class="paragraph">
 <p><strong>Event driven</strong>: When this mode is selected, the Processor will be triggered to run by an event, and that event occurs when FlowFiles enter Connections
 	feeding this Processor. This mode is currently considered experimental and is not supported by all Processors. When this mode is
-	selected, the `Run schedule' option is not configurable, as the Processor is not triggered to run periodically but
-        as the result of an event. Additionally, this is the only mode for which the `Concurrent tasks'
+	selected, the 'Run Schedule' option is not configurable, as the Processor is not triggered to run periodically but
+        as the result of an event. Additionally, this is the only mode for which the 'Concurrent Tasks'
 	option can be set to 0. In this case, the number of threads is limited only by the size of the Event-Driven Thread Pool that
 	the administrator has configured.</p>
 </div>
@@ -1591,7 +1610,7 @@ example, 1L indicates the last Sunday of
 <p>For additional information and examples, see the <a href="http://www.quartz-scheduler.org/documentation/quartz-2.x/tutorials/crontrigger.html" target="_blank">Chron Trigger Tutorial</a> in the Quartz documentation.</p>
 </div>
 <div class="paragraph">
-<p>Next, the Scheduling Tab provides a configuration option named <code>Concurrent tasks</code>. This controls how many threads the Processor
+<p>Next, the Scheduling Tab provides a configuration option named 'Concurrent Tasks'. This controls how many threads the Processor
 will use. Said a different way, this controls how many FlowFiles should be processed by this Processor at the same time. Increasing
 this value will typically allow the Processor to handle more data in the same amount of time. However, it does this by using system
 resources that then are not usable by other Processors. This essentially provides a relative weighting of Processors&#8201;&#8212;&#8201;it controls
@@ -1599,7 +1618,7 @@ how much of the system&#8217;s resources
 most Processors. There are, however, some types of Processors that can only be scheduled with a single Concurrent task.</p>
 </div>
 <div class="paragraph">
-<p>The "Run schedule" dictates how often the Processor should be scheduled to run. The valid values for this field depend on the selected
+<p>The 'Run Schedule' dictates how often the Processor should be scheduled to run. The valid values for this field depend on the selected
 Scheduling Strategy (see above). If using the Event driven Scheduling Strategy, this field is not available. When using the Timer driven
 Scheduling Strategy, this value is a time duration specified by a number followed by a time unit. For example, <code>1 second</code> or <code>5 mins</code>.
 The default value of <code>0 sec</code> means that the Processor should run as often as possible as long as it has data to process. This is true
@@ -1609,12 +1628,25 @@ applicable for the CRON driven Schedulin
 <div class="paragraph">
 <p>When configured for clustering, an Execution setting will be available. This setting is used to determine which node(s) the Processor will be
 scheduled to execute. Selecting 'All Nodes' will result in this Processor being scheduled on every node in the cluster. Selecting
-'Primary Node' will result in this Processor being scheduled on the Primary Node only.</p>
+'Primary Node' will result in this Processor being scheduled on the Primary Node only.  Processors that have been configured for 'Primary Node' execution are identified by a "P" next to the processor icon:</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/primary-node-processor.png" alt="Primary Node Processor">
+</div>
 </div>
 <div class="paragraph">
-<p>The right-hand side of the tab contains a slider for choosing the `Run duration.' This controls how long the Processor should be scheduled
-to run each time that it is triggered. On the left-hand side of the slider, it is marked `Lower latency' while the right-hand side
-is marked `Higher throughput.' When a Processor finishes running, it must update the repository in order to transfer the FlowFiles to
+<p>To quickly identify 'Primary Node' processors, the "P" icon is also shown in the Processors tab on the Summary page:</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/primary-node-processors-summary.png" alt="Primary Node Processors in Summary Page">
+</div>
+</div>
+<div class="paragraph">
+<p>The right-hand side of the Scheduling tab contains a slider for choosing the 'Run Duration'. This controls how long the Processor should be scheduled
+to run each time that it is triggered. On the left-hand side of the slider, it is marked 'Lower latency' while the right-hand side
+is marked 'Higher throughput'. When a Processor finishes running, it must update the repository in order to transfer the FlowFiles to
 the next Connection. Updating the repository is expensive, so the more work that can be done at once before updating the repository,
 the more work the Processor can handle (Higher throughput). However, this means that the next Processor cannot start processing
 those FlowFiles until the previous Process updates this repository. As a result, the latency will be longer (the time required to process
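Review bot: The new Primary Node sentences put 'Primary Node' in single quotes and "P" in double quotes within the same sentence, in a patch that otherwise normalizes quoted UI text to single quotes. Use one style for both. There is also a doubled space in "Primary Node only.  Processors that have been configured".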
@@ -1634,7 +1666,7 @@ must define which Properties make sense
 </div>
 </div>
 <div class="paragraph">
-<p>This Processor, by default, has only a single property: `Routing Strategy.' The default value is `Route to Property name.' Next to
+<p>This Processor, by default, has only a single property: 'Routing Strategy'. The default value is 'Route to Property name'. Next to
 the name of this property is a small question-mark symbol (
 <span class="image"><img src="images/iconInfo.png" alt="Question Mark"></span>
 ). This help symbol is seen in other places throughout the User Interface, and it indicates that more information is available.
@@ -1690,7 +1722,7 @@ whatever comments are appropriate for th
 <div class="sect2">
 <h3 id="additional-help"><a class="anchor" href="user-guide.html#additional-help"></a>Additional Help</h3>
 <div class="paragraph">
-<p>You can access additional documentation about each Processor&#8217;s usage by right-clicking on the Processor and selecting `Usage' from the context menu. Alternatively, select Help from the Global Menu in the top-right corner of the UI to display a Help page with all of the documentation, including usage documentation for all the Processors that are available. Click on the desired Processor to view usage documentation.</p>
+<p>You can access additional documentation about each Processor&#8217;s usage by right-clicking on the Processor and selecting 'Usage' from the context menu. Alternatively, select Help from the Global Menu in the top-right corner of the UI to display a Help page with all of the documentation, including usage documentation for all the Processors that are available. Click on the desired Processor to view usage documentation.</p>
 </div>
 </div>
 <div class="sect2">
@@ -2136,7 +2168,7 @@ Connection between each component. When
 </div>
 <div class="paragraph">
 <p>The user drags the Connection bubble from one component to another until the second component is highlighted. When the user
-releases the mouse, a 'Create Connection' dialog appears. This dialog consists of two tabs: `Details' and `Settings'. They are
+releases the mouse, a 'Create Connection' dialog appears. This dialog consists of two tabs: 'Details' and 'Settings'. They are
 discussed in detail below. Note that it is possible to draw a connection so that it loops back on the same processor. This can be
 useful if the DFM wants the processor to try to re-process FlowFiles if they go down a failure Relationship. To create this type of looping
 connection, simply drag the connection bubble away and then back to the same processor until it is highlighted. Then release the mouse
@@ -2165,7 +2197,7 @@ Relationship must be selected. If only o
 </td>
 <td class="content">
 If multiple Connections are added with the same Relationship, any FlowFile that is routed to that Relationship will
-automatically be `cloned', and a copy will be sent to each of those Connections.
+automatically be 'cloned', and a copy will be sent to each of those Connections.
 </td>
 </tr>
 </table>
@@ -2216,6 +2248,7 @@ kilobytes, <code>MB</code> for megabytes
 </td>
 <td class="content">
 By default each new connection added will have a default Back Pressure Object Threshold of 10,000 objects and Back Pressure Data Size Threshold of 1 GB.
+These defaults can be changed by modifying the appropriate properties in the <code>nifi.properties</code> file.
 </td>
 </tr>
 </table>
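Review bot: The added line refers to "the appropriate properties in the nifi.properties file" without naming them. Name the properties that set the default object and data size thresholds, or link to the section of the Administration Guide that documents them, so the reader does not have to search the file.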
@@ -2243,11 +2276,11 @@ By default each new connection added wil
 <h5 id="prioritization"><a class="anchor" href="user-guide.html#prioritization"></a>Prioritization</h5>
 <div class="paragraph">
 <p>The right-hand side of the tab provides the ability to prioritize the data in the queue so that higher priority data is
-processed first. Prioritizers can be dragged from the top (`Available prioritizers') to the bottom (`Selected prioritizers').
-Multiple prioritizers can be selected. The prioritizer that is at the top of the `Selected prioritizers' list is the highest
+processed first. Prioritizers can be dragged from the top ('Available prioritizers') to the bottom ('Selected prioritizers').
+Multiple prioritizers can be selected. The prioritizer that is at the top of the 'Selected prioritizers' list is the highest
 priority. If two FlowFiles have the same value according to this prioritizer, the second prioritizer will determine which
-FlowFile to process first, and so on. If a prioritizer is no longer desired, it can then be dragged from the `Selected
-prioritizers' list to the `Available prioritizers' list.</p>
+FlowFile to process first, and so on. If a prioritizer is no longer desired, it can then be dragged from the 'Selected
+prioritizers' list to the 'Available prioritizers' list.</p>
 </div>
 <div class="paragraph">
 <p>The following prioritizers are available:</p>
@@ -2261,7 +2294,7 @@ prioritizers' list to the `Available pri
 <p><strong>NewestFlowFileFirstPrioritizer</strong>: Given two FlowFiles, the one that is newest in the dataflow will be processed first.</p>
 </li>
 <li>
-<p><strong>OldestFlowFileFirstPrioritizer</strong>: Given two FlowFiles, the one that is oldest in the dataflow will be processed first. 'This is the default scheme that is used if no prioritizers are selected.'</p>
+<p><strong>OldestFlowFileFirstPrioritizer</strong>: Given two FlowFiles, the one that is oldest in the dataflow will be processed first. 'This is the default scheme that is used if no prioritizers are selected'.</p>
 </li>
 <li>
 <p><strong>PriorityAttributePrioritizer</strong>: Given two FlowFiles that both have a "priority" attribute, the one that has the highest priority value will be processed first. Note that an UpdateAttribute processor should be used to add the "priority" attribute to the FlowFiles before they reach a connection that has this prioritizer set. Values for the "priority" attribute may be alphanumeric, where "a" is a higher priority than "z", and "1" is a higher priority than "9", for example.</p>
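Review bot: In the OldestFlowFileFirstPrioritizer item, the single quotes wrap a whole sentence ("This is the default scheme that is used if no prioritizers are selected") rather than a UI label, so moving the period outside the closing quote leaves the item ending in a quoted sentence followed by a stray full stop. The quotes look like leftover emphasis markup; drop them or render the sentence with emphasis.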
@@ -3468,7 +3501,7 @@ Versioned flows are stored and organized
 <i class="fa icon-note" title="Note"></i>
 </td>
 <td class="content">
-To see the most recent version states, it may be necessary to right-click on the NiFi canvas and select `Refresh' from the context menu.
+To see the most recent version states, it may be necessary to right-click on the NiFi canvas and select 'Refresh' from the context menu.
 </td>
 </tr>
 </table>
@@ -3596,7 +3629,7 @@ The root process group can not be placed
 <i class="fa icon-warning" title="Warning"></i>
 </td>
 <td class="content">
-Variables do not support sensitive values and will be included when versioning a Process Group.
+Variables do not support sensitive values and will be included when versioning a Process Group. See <a href="user-guide.html#Variables_in_Versioned_Flows">Variables in Versioned Flows</a> for more information.
 </td>
 </tr>
 </table>
@@ -3744,6 +3777,239 @@ For "Change version" to be an available
 <p>A versioned process group can contain other versioned process groups.  However, local changes to a parent process group cannot be reverted or saved if it contains a child process group that also has local changes.  The child process group must first be reverted or have its changes committed for those actions to be performed on the parent process group.</p>
 </div>
 </div>
+<div class="sect2">
+<h3 id="Variables_in_Versioned_Flows"><a class="anchor" href="user-guide.html#Variables_in_Versioned_Flows"></a>Variables in Versioned Flows</h3>
+<div class="paragraph">
+<p>Variables are included when a process group is placed under version control.  If a versioned flow is imported that references a variable not defined in the versioned process group, the reference is maintained if the variable exists.  If the referenced variable does not exist, a copy of the variable will be defined in the process group.  To illustrate, assume the variable “RPG_Var" is defined in the root process group:</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/rpg-variable.png" alt="Root Process Group Defined Variable">
+</div>
+</div>
+<div class="paragraph">
+<p>A process group PG1 is created:</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/PG1_process_group.png" alt="PG1 Process Group">
+</div>
+</div>
+<div class="paragraph">
+<p>The GetFile processor in PG1 references the variable "RPG_Var":</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="http://localhost:8080/nifi-docs/html/images/PG1_variable_reference.png" alt="PG1 References RPG Variable">
+</div>
+</div>
+<div class="paragraph">
+<p>PG1 is saved as a versioned flow:</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/PG1_versioned_flow.png" alt="PG1 Versioned Flow">
+</div>
+</div>
+<div class="paragraph">
+<p>If PG1 versioned flow is imported into this same NiFi instance:</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/PG1_imported_same.png" alt="PG1 Imported to Same NiFi">
+</div>
+</div>
+<div class="paragraph">
+<p>the added GetFile processor will also reference the "RPG_Var" variable that exists in the root process group:</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/PG1_variable_ref_2.png" alt="Both PG1 Reference RPG Variable">
+</div>
+</div>
+<div class="paragraph">
+<p>If PG1 versioned flow is imported into a different NiFi instance where "RPG_Var" does not exist:</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/PG1_imported_diff.png" alt="PG1 Imported to Different NiFi">
+</div>
+</div>
+<div class="paragraph">
+<p>A "RPG_Var" variable is created in the PG1 process group:</p>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/PG1_variable_ref_PG.png" alt="PG1 References PG Variable Copy">
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="Restricted_Components_in_Versioned_Flows"><a class="anchor" href="user-guide.html#Restricted_Components_in_Versioned_Flows"></a>Restricted Components in Versioned Flows</h3>
+<div class="paragraph">
+<p>To import a versioned flow or revert local changes in a versioned flow, a user must have access to all the components in the versioned flow. As such, it is recommended that restricted components are created at the root process group level if they are to be utilized in versioned flows. Let&#8217;s walk through some examples to illustrate the benefits of this configuration. Assume the following:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>There are two users, "sys_admin" and "test_user" who have access to both view and modify the root process group.</p>
+</li>
+<li>
+<p>"sys_admin" has access to all restricted components.</p>
+<div class="imageblock">
+<div class="content">
+<img src="images/sys_admin-restricted-component-access-policy.png" alt="Sys_admin Restricted Component Access Policy">
+</div>
+</div>
+</li>
+<li>
+<p>"test_user" has access to restricted components requiring 'read filesystem' and 'write filesystem'.</p>
+<div class="imageblock">
+<div class="content">
+<img src="images/test_user-restricted-component-read-filesystem.png" alt="Test_user Restricted Component Read Filesystem">
+</div>
+</div>
+<div class="imageblock">
+<div class="content">
+<img src="images/test_user-restricted-component-write-filesystem.png" alt="Test_user Restricted Component Write Filesystem">
+</div>
+</div>
+</li>
+</ul>
+</div>
+<div class="sect3">
+<h4 id="restricted-controller-service-created-in-root-process-group"><a class="anchor" href="user-guide.html#restricted-controller-service-created-in-root-process-group"></a>Restricted Controller Service Created in Root Process Group</h4>
+<div class="paragraph">
+<p>In this first example, sys_admin creates a KeytabCredentialsService controller service at the root process group level.</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/keytabCredentialsService-rpg.png" alt="KeytabCredentialsService Controller Service RPG Level"></span></p>
+</div>
+<div class="paragraph">
+<p>KeytabCredentialService controller service is a restricted component that requires 'access keytab' permissions:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/keytabcredentialsservice-permissions.png" alt="KeytabCredentialService Required Permissions"></span></p>
+</div>
+<div class="paragraph">
+<p>Sys_admin creates a process group ABC containing a flow with GetFile and PutHDFS processors:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/abc-restricted-component-flow.png" alt="Restricted Component Flow"></span></p>
+</div>
+<div class="paragraph">
+<p>GetFile processor is a restricted component that requires 'write filesystem' and 'read filesystem' permissions:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/getfile-permissions.png" alt="GetFile Required Permissions"></span></p>
+</div>
+<div class="paragraph">
+<p>PutHDFS is a restricted component that requires 'write filesystem' permissions:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/puthdfs-permissions.png" alt="PutHDFS Required Permissions"></span></p>
+</div>
+<div class="paragraph">
+<p>The PutHDFS processor is configured to use the root process group level KeytabCredentialsService controller service:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/puthdfs-properties.png" alt="PutHDFS Properties"></span></p>
+</div>
+<div class="paragraph">
+<p>Sys_admin saves the process group as a versioned flow:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/abc-versioned-flow.png" alt="ABC Versioned Flow"></span></p>
+</div>
+<div class="paragraph">
+<p>Test_user changes the flow by removing the KeytabCredentialsService controller service:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/puthdfs-no-kerberosCS.png" alt="PutHDFS No Kerberos CS"></span></p>
+</div>
+<div class="paragraph">
+<p>If test_user chooses to revert this change:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/test_user-revert-local-changes.png" alt=""Test_user Revert Local Changes"></span></p>
+</div>
+<div class="paragraph">
+<p>the revert is successful:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/revert-success.png" alt="Revert Local Changes Successful"></span></p>
+</div>
+<div class="paragraph">
+<p>Additionally, if test_user chooses to import the ABC versioned flow:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/test_user-import-abc-flow.png" alt="Test_user Import Flow"></span></p>
+</div>
+<div class="paragraph">
+<p>The import is successful:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/test_user-import-success.png" alt="Test_user Import Successful"></span></p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="restricted-controller-service-created-in-process-group"><a class="anchor" href="user-guide.html#restricted-controller-service-created-in-process-group"></a>Restricted Controller Service Created in Process Group</h4>
+<div class="paragraph">
+<p>Now, consider a second scenario where the controller service is created on the process group level.</p>
+</div>
+<div class="paragraph">
+<p>Sys_admin creates a process group XYZ:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/xyz-process-group.png" alt="XYZ Process Group"></span></p>
+</div>
+<div class="paragraph">
+<p>Sys_admin creates a KeytabCredentialsService controller service at the process group level:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/keytabCredentialsService-pg.png" alt="KeytabCredentialsService Controller Service PG Level"></span></p>
+</div>
+<div class="paragraph">
+<p>The same GetFile and PutHDFS flow is created in the process group:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/xyz-flow.png" alt="XYZ Versioned Flow"></span></p>
+</div>
+<div class="paragraph">
+<p>However, PutHDFS now references the process group level controller service:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/puthdfs-properties_2.png" alt="PutHDFS Properties"></span></p>
+</div>
+<div class="paragraph">
+<p>Sys_admin saves the process group as a versioned flow.</p>
+</div>
+<div class="paragraph">
+<p>Test_user changes the flow by removing the KeytabCredentialsService controller service. However, with this configuration, if test_user attempts to revert this change:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/test_user-revert-local-changes-2.png" alt="Test_user Revert Local Changes"></span></p>
+</div>
+<div class="paragraph">
+<p>the revert is unsuccessful because test_user does not have the 'access keytab' permissions required by the KeytabCredentialService controller service:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/revert-failure.png" alt="Revert Local Changes Fails"></span></p>
+</div>
+<div class="paragraph">
+<p>Similarly, if test_user tries to import the XYZ versioned flow:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/test_user-import-xyz-flow.png" alt="Test_user Import Flow"></span></p>
+</div>
+<div class="paragraph">
+<p>The import fails:</p>
+</div>
+<div class="paragraph">
+<p><span class="image"><img src="images/import-xyz-flow-fails.png" alt="XYZ Import Fails"></span></p>
+</div>
+</div>
+</div>
 </div>
 </div>
 <div class="sect1">
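Review bot: In the Variables in Versioned Flows section, the image for "PG1 References RPG Variable" points at http://localhost:8080/nifi-docs/html/images/PG1_variable_reference.png, which will not resolve on the published site; it should be the relative images/PG1_variable_reference.png like the other images. Three smaller points in the same hunk: the alt attribute on test_user-revert-local-changes.png starts with a doubled quote (alt=""Test_user Revert Local Changes"), which is malformed; the opening quote on RPG_Var in the first paragraph is a curly quote paired with a straight closing quote; and the controller service is spelled both KeytabCredentialsService and KeytabCredentialService. Since the Variables warning earlier in this patch links here, it would also help for this section to repeat that variable values travel with the versioned flow.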
@@ -3883,6 +4149,11 @@ replay data at any point within the data
 (These features are described in depth below.)</p>
 </div>
 <div class="paragraph">
+<p>When authorization is enabled, accessessing Data Provenance information requires the 'query provenance' Global Policy as well as the 'view provenance'
+Component Policy for the component which generated the event. In addition, access to event details which include FlowFile attributes and content require
+the 'view the data' Component Policy for the component which generated the event.</p>
+</div>
+<div class="paragraph">
 <p><span class="image"><img src="images/provenance-annotated.png" alt="Provenance Table"></span></p>
 </div>
 <div class="sect2">
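Review bot: The first line of the added paragraph has a typo, "accessessing" for "accessing", and the second sentence has a subject and verb mismatch ("access to event details ... require" should be "requires"). The paragraph is the only place that states the combination of 'query provenance', 'view provenance' and 'view the data' needed for provenance access, so a link to the component policy table would help readers find the definitions.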
@@ -4319,7 +4590,7 @@ the <a href="administration-guide.html">
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2018-04-03 08:25:54 -07:00
+Last updated 2018-06-19 22:13:11 -07:00
 </div>
 </div>
 </body>