Posted to dev@nifi.apache.org by Phil H <gi...@gmail.com> on 2020/06/03 23:08:53 UTC

Policy to clear queues

Hi there,

I am trying to stratify my userbase. I need to allow certain users/groups
the ability to clear queues, but cannot find the right policy to allow that
without also allowing them to delete queues, which I absolutely don’t want
to do.

Am currently using 1.9.2 (putting off the upgrade process!)

Regards,
Phil

Re: Policy to clear queues

Posted by Mark Bean <ma...@gmail.com>.
If you are able, try removing the node from the cluster and then empty the
queue. This will confirm the issue is with the one node and you can begin
further diagnostics and comparisons of this node relative to other nodes.

I would think you would have other symptoms if this was the problem, but
double-check the "user" specification for the node matches that node's
certificate DN exactly (including whitespace.)


On Thu, Jun 4, 2020 at 8:26 PM Phil H <gi...@gmail.com> wrote:

> Possibly related, but this same node is quite prone to losing the NiFi
> interface with a socket timeout exception. I don’t have any other network
> related issues with the server - are there any NiFi settings I need to
> tweak related to this?!

Re: Policy to clear queues

Posted by Phil H <gi...@gmail.com>.
Possibly related, but this same node is quite prone to losing the NiFi
interface with a socket timeout exception. I don’t have any other network
related issues with the server - are there any NiFi settings I need to
tweak related to this?!

On Fri, 5 Jun 2020 at 09:50, Andy LoPresto <al...@apache.org> wrote:

> Do the node identities themselves have the proper permissions as well? The
> following is from the Admin Guide:
>
> > In order to access List Queue or Delete Queue for a connection, a user
> > requires permission to the "view the data" and "modify the data" policies
> > on the component. In a clustered environment, all nodes must be added to
> > these policies as well, as a user request could be replicated through any
> > node in the cluster.
>
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

Re: Policy to clear queues

Posted by Phil H <gi...@gmail.com>.
Yep, both the View Data and Modify Data policies contain the group of users
in question and all nodes in the cluster.

So I added the user group to the Modify the Component policy, and it still
fails.

I note that the error below refers to the same node in the cluster
regardless of which node I try and execute the operation from. All nodes
are in the policies though, and I have verified that is the same when I
look at the policies on each node (thought one may be out of sync somehow).

This is doing my head in

On Fri, 5 Jun 2020 at 09:50, Andy LoPresto <al...@apache.org> wrote:

> Do the node identities themselves have the proper permissions as well? The
> following is from the Admin Guide:
>
> > In order to access List Queue or Delete Queue for a connection, a user
> > requires permission to the "view the data" and "modify the data" policies
> > on the component. In a clustered environment, all nodes must be added to
> > these policies as well, as a user request could be replicated through any
> > node in the cluster.
>
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

Re: Policy to clear queues

Posted by Andy LoPresto <al...@apache.org>.
Do the node identities themselves have the proper permissions as well? The following is from the Admin Guide: 

> In order to access List Queue or Delete Queue for a connection, a user requires permission to the "view the data" and "modify the data" policies on the component. In a clustered environment, all nodes must be added to these policies as well, as a user request could be replicated through any node in the cluster.


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jun 4, 2020, at 4:45 PM, Phil H <gi...@gmail.com> wrote:
> 
> The action is available in the menu. I get the following pop up:
> 
> *Insufficient Permissions*
> 
> *Node nifiX.domain.com:443 <http://nifiX.domain.com:443> is unable to
> fulfil this request due to: Unable to modify the data for Processor with ID
> {guid}. Contact the system administrator. Contact the system administrator.*
> 
> The nifi-user.log just shows successful authentication events for the user
> in question (the system is locked down to authorized users)
> 
> Phil
>> 
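
One way to check the three conditions raised in this thread (every cluster node in both the "view the data" and "modify the data" policies, each node identity identical to its certificate DN including whitespace, and the operator group kept out of "modify the component"), as an added example that is not part of the original messages or of NiFi's code. It assumes the file-based authorizer's `users.xml` / `authorizations.xml` layout; the identifiers, DNs, group name and process group id are constructed.

```python
"""Audit NiFi authorizer files for the queue-access rules discussed in this thread."""
import re
import xml.etree.ElementTree as ET

# Constructed sample data (assumed users.xml / authorizations.xml layout).
USERS_XML = """
<tenants>
  <groups>
    <group identifier="g1" name="queue-operators"><user identifier="u4"/></group>
  </groups>
  <users>
    <user identifier="u1" identity="CN=nifi1.example.com, OU=NIFI"/>
    <user identifier="u2" identity="CN=nifi2.example.com, OU=NIFI"/>
    <user identifier="u3" identity="CN=nifi3.example.com,OU=NIFI"/>
    <user identifier="u4" identity="alice"/>
    <user identifier="u5" identity="flow-admin"/>
  </users>
</tenants>"""

AUTHZ_XML = """
<authorizations>
  <policies>
    <policy identifier="p1" resource="/data/process-groups/pg-root" action="R">
      <group identifier="g1"/><user identifier="u1"/><user identifier="u3"/>
    </policy>
    <policy identifier="p2" resource="/data/process-groups/pg-root" action="W">
      <group identifier="g1"/><user identifier="u1"/><user identifier="u2"/>
      <user identifier="u3"/>
    </policy>
    <policy identifier="p3" resource="/process-groups/pg-root" action="W">
      <user identifier="u5"/>
    </policy>
  </policies>
</authorizations>"""

# Subject DNs exactly as they appear in each node's certificate (constructed).
NODE_DNS = ["CN=nifi1.example.com, OU=NIFI",
            "CN=nifi2.example.com, OU=NIFI",
            "CN=nifi3.example.com, OU=NIFI"]


def normalize(dn):
    """Collapse whitespace and case so near-identical DNs compare equal."""
    return re.sub(r"\s+", "", dn).lower()


def load_tenants(users_xml):
    root = ET.fromstring(users_xml)
    users = {u.get("identifier"): u.get("identity")
             for u in root.findall("./users/user")}
    groups = {g.get("identifier"): (g.get("name"),
                                    [m.get("identifier") for m in g.findall("user")])
              for g in root.findall("./groups/group")}
    return users, groups


def policy_members(authz_xml, users, groups, resource, action):
    """Return (identities, group names) granted `action` on `resource`."""
    identities, group_names = set(), set()
    for policy in ET.fromstring(authz_xml).findall("./policies/policy"):
        if policy.get("resource") != resource or policy.get("action") != action:
            continue
        for u in policy.findall("user"):
            identities.add(users.get(u.get("identifier")))
        for g in policy.findall("group"):
            name, members = groups.get(g.get("identifier"), (None, []))
            group_names.add(name)
            identities.update(users.get(m) for m in members)
    identities.discard(None)
    return identities, group_names


def audit(users_xml, authz_xml, component, node_dns, operator_group):
    """Return findings as (policy, subject, problem, registered_identity)."""
    users, groups = load_tenants(users_xml)
    findings = []
    for action, label in (("R", "view the data"), ("W", "modify the data")):
        identities, group_names = policy_members(
            authz_xml, users, groups, "/data" + component, action)
        if operator_group not in group_names:
            findings.append((label, operator_group, "group-missing", ""))
        for dn in node_dns:
            if dn in identities:          # NiFi compares the identity string exactly
                continue
            near = [i for i in identities if normalize(i) == normalize(dn)]
            if near:
                findings.append((label, dn, "dn-mismatch", near[0]))
            else:
                findings.append((label, dn, "missing", ""))
    # Write access to the component itself is what permits deleting connections.
    _, group_names = policy_members(authz_xml, users, groups, component, "W")
    if operator_group in group_names:
        findings.append(("modify the component", operator_group,
                         "can-delete-connections", ""))
    return findings


if __name__ == "__main__":
    for finding in audit(USERS_XML, AUTHZ_XML, "/process-groups/pg-root",
                         NODE_DNS, "queue-operators"):
        print(finding)
```

Because component policies inherit from the enclosing process group when none is set on the component, run the check against the resource where the policy is actually defined.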


Re: Policy to clear queues

Posted by Phil H <gi...@gmail.com>.
The action is available in the menu. I get the following pop up:

*Insufficient Permissions*

*Node nifiX.domain.com:443 <http://nifiX.domain.com:443> is unable to
fulfil this request due to: Unable to modify the data for Processor with ID
{guid}. Contact the system administrator. Contact the system administrator.*

The nifi-user.log just shows successful authentication events for the user
in question (the system is locked down to authorized users)

Phil

On Fri, 5 Jun 2020 at 09:25, Andy LoPresto <al...@apache.org> wrote:

> Are you seeing this behavior exhibited as the action is not even available
> to those users, or when they try to execute it, it returns an error? Can
> you examine the logs/nifi-user.log file to see if the authorization is
> occurring successfully?
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> > On Jun 4, 2020, at 4:22 PM, Phil H <gi...@gmail.com> wrote:
> >
> > Hi guys,
> >
> > So I checked this morning, and the users are members of a group that has
> > “modify the data” permission at the root level (and is inherited within
> > the process group). They can start/stop processors, but cannot empty (or
> > even list) the queues in said process group.
> >
> > I also set up a queue at the root level and confirmed the same behaviour
> > there.
> >
> > Thanks
> >
> > On Thu, 4 Jun 2020 at 23:22, Bryan Bende <bb...@gmail.com> wrote:
> >
> >> Would also add that if you don't have specific component policies on
> >> processors, it should inherit from the process group. So at the process
> >> group level you can give some users write to the actual process group
> >> which should control creating/deleting connections, and give some users
> >> only modify the data on the process group which would control clearing
> >> queues.
> >>
> >> On Thu, Jun 4, 2020 at 8:55 AM Mark Bean <ma...@gmail.com> wrote:
> >>
> >>> Phil,
> >>>
> >>> There is a 'modify the data' Component Access Policy. Use the key icon
> >>> in the Operate palette (or right-click on the component) to access the
> >>> Component Access Policies as opposed to using the Global Menu in the
> >>> upper right to access Global Access Policies.
> >>>
> >>> The user will be able to empty a queue if they are in the 'modify the
> >>> data' policy for the upstream component (processor) which generated the
> >>> data. This policy does not allow the user to delete the connection
> >>> between processors. To do so requires the 'modify the component' policy.
> >>>
> >>> One additional nuance to consider: if you are operating a NiFi Cluster,
> >>> you will need to add each of the cluster nodes to the 'modify the data'
> >>> policy as well. This is required because the request to empty a queue is
> >>> proxied from the node being used to access the UI out to the remaining
> >>> nodes.
> >>>
> >>> -Mark
> >>>
> >>>
> >>> On Thu, Jun 4, 2020 at 6:52 AM Phil H <gi...@gmail.com> wrote:
> >>>
> >>>> Hi Andy,
> >>>>
> >>>> Thanks for your reply. I don’t recall seeing the modify data policy in
> >>>> the user interface. Is it possible this is something I would have to
> >>>> change at the back end?
> >>>>
> >>>> I don’t have the system in front of me now, will have to confirm
> >>>> tomorrow.
> >>>>
> >>>> Regards,
> >>>> Phil
> >>>>
> >>>> On Thu, 4 Jun 2020 at 11:18, Andy LoPresto <al...@apache.org> wrote:
> >>>>
> >>>>> Hi Phil,
> >>>>>
> >>>>> You might have uncovered a gap in the permission policy. Have you
> >>>>> tried using the “modify the data” permission [1]? If a user does not
> >>>>> have write permission to the queue, I think they can empty it but not
> >>>>> modify/delete the queue itself.
> >>>>>
> >>>>> I am speculating here because I haven’t had a chance to verify, but I
> >>>>> suspect that the same write permission which allows a user to clear
> >>>>> the queue would allow them to delete it as well. This may be something
> >>>>> we could mitigate by using the “operate” permission, but I would have
> >>>>> to validate this behavior first.
> >>>>>
> >>>>> Hope this helps for now.
> >>>>>
> >>>>> [1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies
> >>>>>
> >>>>> Andy LoPresto
> >>>>> alopresto@apache.org
> >>>>> alopresto.apache@gmail.com
> >>>>> He/Him
> >>>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >>>>>
> >>>>>> On Jun 3, 2020, at 4:08 PM, Phil H <gi...@gmail.com> wrote:
> >>>>>>
> >>>>>> Hi there,
> >>>>>>
> >>>>>> I am trying to stratify my userbase. I need to allow certain
> >>>>>> users/groups the ability to clear queues, but cannot find the right
> >>>>>> policy to allow that without also allowing them to delete queues,
> >>>>>> which I absolutely don’t want to do.
> >>>>>>
> >>>>>> Am currently using 1.9.2 (putting off the upgrade process!)
> >>>>>>
> >>>>>> Regards,
> >>>>>> Phil
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
>
>

Re: Policy to clear queues

Posted by Andy LoPresto <al...@apache.org>.
Are you seeing this behavior exhibited as the action is not even available to those users, or when they try to execute it, it returns an error? Can you examine the logs/nifi-user.log file to see if the authorization is occurring successfully? 

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jun 4, 2020, at 4:22 PM, Phil H <gi...@gmail.com> wrote:
> 
> Hi guys,
> 
> So I checked this morning, and the users are members of a group that has
> “modify the data” permission at the root level (and is inherited within the
> process group). They can start/stop processors, but cannot empty (or even
> list) the queues in said process group.
> 
> I also set up a queue at the root level and confirmed the same behaviour
> there.
> 
> Thanks


Re: Policy to clear queues

Posted by Phil H <gi...@gmail.com>.
Hi guys,

So I checked this morning, and the users are members of a group that has
“modify the data” permission at the root level (and is inherited within the
process group). They can start/stop processors, but cannot empty (or even
list) the queues in said process group.

I also set up a queue at the root level and confirmed the same behaviour
there.

Thanks

On Thu, 4 Jun 2020 at 23:22, Bryan Bende <bb...@gmail.com> wrote:

> Would also add that if you don't have specific component policies on
> processors, it should inherit from the process group. So at the process
> group level you can give some users write to the actual process group which
> should control creating/deleting connections, and give some users only
> modify the data on the process group which would control clearing queues.

Re: Policy to clear queues

Posted by Bryan Bende <bb...@gmail.com>.
Would also add that if you don't have specific component policies on
processors, it should inherit from the process group. So at the process
group level you can give some users write to the actual process group which
should control creating/deleting connections, and give some users only
modify the data on the process group which would control clearing queues.

On Thu, Jun 4, 2020 at 8:55 AM Mark Bean <ma...@gmail.com> wrote:

> Phil,
>
> There is a 'modify the data' Component Access Policy. Use the key icon in
> the Operate palette (or right-click on the component) to access the
> Component Access Policies as opposed to using the Global Menu in the upper
> right to access Global Access Policies.
>
> The user will be able to empty a queue if they are in the 'modify the data'
> policy for the upstream component (processor) which generated the data.
> This policy does not allow the user to delete the connection between
> processors. To do so requires the 'modify the component' policy.
>
> One additional nuance to consider: if you are operating a NiFi Cluster, you
> will need to add each of the cluster nodes to the 'modify the data' policy
> as well. This is required because the request to empty a queue is proxied
> from the node being used to access the UI out to the remaining nodes.
>
> -Mark

Re: Policy to clear queues

Posted by Mark Bean <ma...@gmail.com>.
Phil,

There is a 'modify the data' Component Access Policy. Use the key icon in
the Operate palette (or right-click on the component) to access the
Component Access Policies as opposed to using the Global Menu in the upper
right to access Global Access Policies.

The user will be able to empty a queue if they are in the 'modify the data'
policy for the upstream component (processor) which generated the data.
This policy does not allow the user to delete the connection between
processors. To do so requires the 'modify the component' policy.

One additional nuance to consider: if you are operating a NiFi Cluster, you
will need to add each of the cluster nodes to the 'modify the data' policy
as well. This is required because the request to empty a queue is proxied
from the node being used to access the UI out to the remaining nodes.

-Mark


On Thu, Jun 4, 2020 at 6:52 AM Phil H <gi...@gmail.com> wrote:

> Hi Andy,
>
> Thanks for your reply. I don’t recall seeing the modify data policy in the
> user interface. Is it possible this is something I would have to change at
> the back end?
>
> I don’t have the system in front of me now, will have to confirm tomorrow.
>
> Regards,
> Phil
>
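
An added example, not part of the original thread and not NiFi project code: a small audit of the two conditions Mark describes above (every cluster node present on the data policies, and the queue-clearing group absent from component write). It assumes the file-based authorizer's users.xml and authorizations.xml layout; the embedded XML, the identities and the `queue-operators` group name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample data; real files live in the NiFi conf directory.
USERS_XML = """<tenants>
  <groups>
    <group identifier="g-ops" name="queue-operators"><user identifier="u-alice"/></group>
  </groups>
  <users>
    <user identifier="u-alice" identity="CN=alice, OU=NiFi"/>
    <user identifier="u-node1" identity="CN=node1.example.com, OU=NiFi"/>
    <user identifier="u-node2" identity="CN=node2.example.com, OU=NiFi"/>
  </users>
</tenants>"""
AUTHORIZATIONS_XML = """<authorizations>
  <policies>
    <policy identifier="p1" resource="/data/process-groups/root-pg" action="R">
      <group identifier="g-ops"/><user identifier="u-node1"/><user identifier="u-node2"/>
    </policy>
    <policy identifier="p2" resource="/data/process-groups/root-pg" action="W">
      <group identifier="g-ops"/><user identifier="u-node1"/>
    </policy>
    <policy identifier="p3" resource="/process-groups/root-pg" action="W">
      <user identifier="u-alice"/>
    </policy>
  </policies>
</authorizations>"""

# 'modify the component' is action W on the component's own resource.
COMPONENT_PREFIXES = ("/process-groups/", "/processors/", "/connections/")

def audit(users_xml, auth_xml, node_identities, operator_group):
    """Return sorted (finding, resource, action, identity) tuples."""
    tenants = ET.fromstring(users_xml)
    id_of = {u.get("identity"): u.get("identifier") for u in tenants.findall("./users/user")}
    name_of = {v: k for k, v in id_of.items()}
    groups = tenants.findall("./groups/group")
    members = {g.get("identifier"): {u.get("identifier") for u in g.findall("user")} for g in groups}
    ops_id = next(g.get("identifier") for g in groups if g.get("name") == operator_group)
    findings = []
    for p in ET.fromstring(auth_xml).findall("./policies/policy"):
        res, act = p.get("resource"), p.get("action")
        granted = {u.get("identifier") for u in p.findall("user")}
        for g in p.findall("group"):
            granted |= members.get(g.get("identifier"), set())
        if res.startswith("/data/"):
            # 'view the data' (R) and 'modify the data' (W): every node must be listed.
            for dn in node_identities:
                if id_of.get(dn) not in granted:  # exact DN match; unknown DN is reported
                    findings.append(("node-missing", res, act, dn))
        elif act == "W" and res.startswith(COMPONENT_PREFIXES):
            # Component write is what permits deleting a connection.
            for uid in sorted(granted & members[ops_id]):
                findings.append(("operator-can-modify-component", res, act, name_of[uid]))
    return sorted(findings)

if __name__ == "__main__":
    nodes = ["CN=node1.example.com, OU=NiFi", "CN=node2.example.com, OU=NiFi"]
    for finding in audit(USERS_XML, AUTHORIZATIONS_XML, nodes, "queue-operators"):
        print(finding)
```

Only policies stored explicitly in the file are examined; a component with no policy of its own inherits from its parent process group, so run the check against the ancestor's entries as well.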

Re: Policy to clear queues

Posted by Phil H <gi...@gmail.com>.
Hi Andy,

Thanks for your reply. I don’t recall seeing the modify data policy in the
user interface. Is it possible this is something I would have to change at
the back end?

I don’t have the system in front of me now, will have to confirm tomorrow.

Regards,
Phil

On Thu, 4 Jun 2020 at 11:18, Andy LoPresto <al...@apache.org> wrote:

> Hi Phil,
>
> You might have uncovered a gap in the permission policy. Have you tried
> using the “modify the data” permission [1]? If a user does not have write
> permission to the queue, I think they can empty it but not modify/delete
> the queue itself.
>
> I am speculating here because I haven’t had a chance to verify, but I
> suspect that the same write permission which allows a user to clear the
> queue would allow them to delete it as well. This may be something we could
> mitigate by using the “operate” permission, but I would have to validate
> this behavior first.
>
> Hope this helps for now.
>
> [1]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

Re: Policy to clear queues

Posted by Andy LoPresto <al...@apache.org>.
Hi Phil,

You might have uncovered a gap in the permission policy. Have you tried using the “modify the data” permission [1]? If a user does not have write permission to the queue, I think they can empty it but not modify/delete the queue itself. 

I am speculating here because I haven’t had a chance to verify, but I suspect that the same write permission which allows a user to clear the queue would allow them to delete it as well. This may be something we could mitigate by using the “operate” permission, but I would have to validate this behavior first. 

Hope this helps for now. 

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#component-level-access-policies

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jun 3, 2020, at 4:08 PM, Phil H <gi...@gmail.com> wrote:
> 
> Hi there,
> 
> I am trying to stratify my userbase. I need to allow certain users/groups
> the ability to clear queues, but cannot find the right policy to allow that
> without also allowing them to delete queues, which I absolutely don’t want
> to do.
> 
> Am currently using 1.9.2 (putting off the upgrade process!)
> 
> Regards,
> Phil