Posted to commits@nifi.apache.org by bb...@apache.org on 2018/04/09 13:53:44 UTC

nifi git commit: NIFI-5042 Added section Restricted Components in Versioned Flows and edited related section in Adding Components to the Canvas

Repository: nifi
Updated Branches:
  refs/heads/master ae1d3e394 -> 5f16f48a2


NIFI-5042 Added section Restricted Components in Versioned Flows and edited related section in Adding Components to the Canvas

This closes #2610.

Signed-off-by: Bryan Bende <bb...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/5f16f48a
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/5f16f48a
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/5f16f48a

Branch: refs/heads/master
Commit: 5f16f48a2728d6c279768e68e9833f0fa133a758
Parents: ae1d3e3
Author: Andrew Lim <an...@gmail.com>
Authored: Fri Apr 6 11:05:46 2018 -0400
Committer: Bryan Bende <bb...@apache.org>
Committed: Mon Apr 9 09:53:22 2018 -0400

----------------------------------------------------------------------
 .../images/abc-restricted-component-flow.png    | Bin 0 -> 179692 bytes
 .../main/asciidoc/images/abc-versioned-flow.png | Bin 0 -> 179788 bytes
 .../asciidoc/images/getfile-permissions.png     | Bin 0 -> 266410 bytes
 .../asciidoc/images/import-xyz-flow-fails.png   | Bin 0 -> 111431 bytes
 .../images/keytabCredentialsService-pg.png      | Bin 0 -> 91943 bytes
 .../images/keytabCredentialsService-rpg.png     | Bin 0 -> 92517 bytes
 .../keytabcredentialsservice-permissions.png    | Bin 0 -> 257318 bytes
 .../asciidoc/images/puthdfs-no-kerberosCS.png   | Bin 0 -> 159180 bytes
 .../asciidoc/images/puthdfs-permissions.png     | Bin 0 -> 238283 bytes
 .../main/asciidoc/images/puthdfs-properties.png | Bin 0 -> 164244 bytes
 .../asciidoc/images/puthdfs-properties_2.png    | Bin 0 -> 162869 bytes
 .../src/main/asciidoc/images/revert-failure.png | Bin 0 -> 144751 bytes
 .../src/main/asciidoc/images/revert-success.png | Bin 0 -> 135376 bytes
 ...admin-restricted-component-access-policy.png | Bin 0 -> 64926 bytes
 .../images/test_user-import-abc-flow.png        | Bin 0 -> 105856 bytes
 .../images/test_user-import-success.png         | Bin 0 -> 147491 bytes
 .../images/test_user-import-xyz-flow.png        | Bin 0 -> 105959 bytes
 ...ser-restricted-component-read-filesystem.png | Bin 0 -> 79875 bytes
 ...er-restricted-component-write-filesystem.png | Bin 0 -> 77687 bytes
 .../images/test_user-revert-local-changes-2.png | Bin 0 -> 109502 bytes
 .../images/test_user-revert-local-changes.png   | Bin 0 -> 109825 bytes
 nifi-docs/src/main/asciidoc/images/xyz-flow.png | Bin 0 -> 180851 bytes
 .../main/asciidoc/images/xyz-process-group.png  | Bin 0 -> 147684 bytes
 nifi-docs/src/main/asciidoc/user-guide.adoc     | 112 ++++++++++++++++++-
 24 files changed, 106 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/abc-restricted-component-flow.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/abc-restricted-component-flow.png b/nifi-docs/src/main/asciidoc/images/abc-restricted-component-flow.png
new file mode 100644
index 0000000..bc0cea9
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/abc-restricted-component-flow.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/abc-versioned-flow.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/abc-versioned-flow.png b/nifi-docs/src/main/asciidoc/images/abc-versioned-flow.png
new file mode 100644
index 0000000..c70911f
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/abc-versioned-flow.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/getfile-permissions.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/getfile-permissions.png b/nifi-docs/src/main/asciidoc/images/getfile-permissions.png
new file mode 100644
index 0000000..6924d50
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/getfile-permissions.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/import-xyz-flow-fails.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/import-xyz-flow-fails.png b/nifi-docs/src/main/asciidoc/images/import-xyz-flow-fails.png
new file mode 100644
index 0000000..9f10bb4
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/import-xyz-flow-fails.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/keytabCredentialsService-pg.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/keytabCredentialsService-pg.png b/nifi-docs/src/main/asciidoc/images/keytabCredentialsService-pg.png
new file mode 100644
index 0000000..01b49ea
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/keytabCredentialsService-pg.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/keytabCredentialsService-rpg.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/keytabCredentialsService-rpg.png b/nifi-docs/src/main/asciidoc/images/keytabCredentialsService-rpg.png
new file mode 100644
index 0000000..186a1d3
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/keytabCredentialsService-rpg.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/keytabcredentialsservice-permissions.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/keytabcredentialsservice-permissions.png b/nifi-docs/src/main/asciidoc/images/keytabcredentialsservice-permissions.png
new file mode 100644
index 0000000..545b601
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/keytabcredentialsservice-permissions.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/puthdfs-no-kerberosCS.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/puthdfs-no-kerberosCS.png b/nifi-docs/src/main/asciidoc/images/puthdfs-no-kerberosCS.png
new file mode 100644
index 0000000..9f49c1a
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/puthdfs-no-kerberosCS.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/puthdfs-permissions.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/puthdfs-permissions.png b/nifi-docs/src/main/asciidoc/images/puthdfs-permissions.png
new file mode 100644
index 0000000..7bc1a29
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/puthdfs-permissions.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/puthdfs-properties.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/puthdfs-properties.png b/nifi-docs/src/main/asciidoc/images/puthdfs-properties.png
new file mode 100644
index 0000000..4679df9
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/puthdfs-properties.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/puthdfs-properties_2.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/puthdfs-properties_2.png b/nifi-docs/src/main/asciidoc/images/puthdfs-properties_2.png
new file mode 100644
index 0000000..7013789
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/puthdfs-properties_2.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/revert-failure.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/revert-failure.png b/nifi-docs/src/main/asciidoc/images/revert-failure.png
new file mode 100644
index 0000000..6c4480d
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/revert-failure.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/revert-success.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/revert-success.png b/nifi-docs/src/main/asciidoc/images/revert-success.png
new file mode 100644
index 0000000..fda13cd
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/revert-success.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/sys_admin-restricted-component-access-policy.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/sys_admin-restricted-component-access-policy.png b/nifi-docs/src/main/asciidoc/images/sys_admin-restricted-component-access-policy.png
new file mode 100644
index 0000000..5f7221c
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/sys_admin-restricted-component-access-policy.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/test_user-import-abc-flow.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/test_user-import-abc-flow.png b/nifi-docs/src/main/asciidoc/images/test_user-import-abc-flow.png
new file mode 100644
index 0000000..1e34171
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/test_user-import-abc-flow.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/test_user-import-success.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/test_user-import-success.png b/nifi-docs/src/main/asciidoc/images/test_user-import-success.png
new file mode 100644
index 0000000..a5b790b
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/test_user-import-success.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/test_user-import-xyz-flow.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/test_user-import-xyz-flow.png b/nifi-docs/src/main/asciidoc/images/test_user-import-xyz-flow.png
new file mode 100644
index 0000000..6d40513
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/test_user-import-xyz-flow.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/test_user-restricted-component-read-filesystem.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/test_user-restricted-component-read-filesystem.png b/nifi-docs/src/main/asciidoc/images/test_user-restricted-component-read-filesystem.png
new file mode 100644
index 0000000..27f5fba
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/test_user-restricted-component-read-filesystem.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/test_user-restricted-component-write-filesystem.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/test_user-restricted-component-write-filesystem.png b/nifi-docs/src/main/asciidoc/images/test_user-restricted-component-write-filesystem.png
new file mode 100644
index 0000000..d980c37
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/test_user-restricted-component-write-filesystem.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/test_user-revert-local-changes-2.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/test_user-revert-local-changes-2.png b/nifi-docs/src/main/asciidoc/images/test_user-revert-local-changes-2.png
new file mode 100644
index 0000000..d6cd02c
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/test_user-revert-local-changes-2.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/test_user-revert-local-changes.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/test_user-revert-local-changes.png b/nifi-docs/src/main/asciidoc/images/test_user-revert-local-changes.png
new file mode 100644
index 0000000..ee0f695
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/test_user-revert-local-changes.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/xyz-flow.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/xyz-flow.png b/nifi-docs/src/main/asciidoc/images/xyz-flow.png
new file mode 100644
index 0000000..ac25c5a
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/xyz-flow.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/images/xyz-process-group.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/xyz-process-group.png b/nifi-docs/src/main/asciidoc/images/xyz-process-group.png
new file mode 100644
index 0000000..eccab44
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/xyz-process-group.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/5f16f48a/nifi-docs/src/main/asciidoc/user-guide.adoc
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/user-guide.adoc b/nifi-docs/src/main/asciidoc/user-guide.adoc
index a991163..afaf5fe 100644
--- a/nifi-docs/src/main/asciidoc/user-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/user-guide.adoc
@@ -269,19 +269,17 @@ image::add-processor-with-tag-cloud.png["Add Processor with Tag Cloud"]
 
 Restricted components will be marked with a
 image:restricted.png["Restricted"]
-icon next to their name. Hovering over the tooltip will display the specific restrictions this component requires. If the component
-does not list any specific restrictions it will require access to restricted components regardless of restrictions. These are components
+icon next to their name. These are components
 that can be used to execute arbitrary unsanitized code provided by the operator through the NiFi REST API/UI or can be used to obtain
 or alter data on the NiFi host system using the NiFi OS credentials. These components could be used by an otherwise authorized NiFi
 user to go beyond the intended use of the application, escalate privilege, or could expose data about the internals of the NiFi process
 or the host system. All of these capabilities should be considered privileged, and admins should be aware of these capabilities and
-explicitly enable them for a subset of trusted users.
-
-Before a user is allowed to create and modify restricted components they must be granted access to restricted components. This can be
+explicitly enable them for a subset of trusted users. Before a user is allowed to create and modify restricted components they must be granted access. Hovering over the image:restricted.png["Restricted"]
+icon will display the specific permissions a restricted component requires. Permissions can be
 assigned regardless of restrictions. In this case, the user will have access to all restricted components. Alternatively, users can
 be assigned access to specific restrictions. If the user has been granted access to all restrictions a component requires, they will
 have access to that component assuming otherwise sufficient permissions. For more information refer to
-<<UI-with-multi-tenant-authorization>>.
+<<UI-with-multi-tenant-authorization>> and <<Restricted_Components_in_Versioned_Flows>>.
 
 Clicking the `Add` button or double-clicking on a Processor Type will add the selected Processor to the canvas at the
 location that it was dropped.
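
Review bot: The sentence removed on the '-' lines, "If the component does not list any specific restrictions it will require access to restricted components regardless of restrictions", has no replacement in the added text, so the paragraph no longer says what access is needed for a restricted component that lists no specific restrictions. Suggest keeping that sentence directly after the new "Hovering over the ... icon will display the specific permissions a restricted component requires." The added wording also mixes "permissions" and "restrictions" for the same concept in one paragraph ("Permissions can be assigned regardless of restrictions"); using one term throughout would avoid the reader inferring two separate mechanisms. Merging the former second paragraph into the first also produces one long block; keeping the blank line before "Before a user is allowed to create and modify restricted components" would keep the description of the risk separate from the description of how access is granted.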
@@ -1936,6 +1934,108 @@ image::process-group-version-control-stopped.png["Version Control Stopped on Pro
 === Nested Versioned Flows
 A versioned process group can contain other versioned process groups.  However, local changes to a parent process group cannot be reverted or saved if it contains a child process group that also has local changes.  The child process group must first be reverted or have its changes committed for those actions to be performed on the parent process group.
 
+[[Restricted_Components_in_Versioned_Flows]]
+=== Restricted Components in Versioned Flows
+To import a versioned flow or revert local changes in a versioned flow, a user must have access to all the components in the versioned flow. As such, it is recommended that restricted components are created at the root process group level if they are to be utilized in versioned flows. Let's walk through some examples to illustrate the benefits of this configuration. Assume the following:
+
+* There are two users, "sys_admin" and "test_user" who have access to both view and modify the root process group.
+
+* "sys_admin" has access to all restricted components.
++
+image::sys_admin-restricted-component-access-policy.png["Sys_admin Restricted Component Access Policy"]
+
+* "test_user" has access to restricted components requiring 'read filesystem' and 'write filesystem'.
++
+image::test_user-restricted-component-read-filesystem.png["Test_user Restricted Component Read Filesystem"]
++
+image::test_user-restricted-component-write-filesystem.png["Test_user Restricted Component Write Filesystem"]
+
+==== Restricted Controller Service Created in Root Process Group
+In this first example, sys_admin creates a KeytabCredentialsService controller service at the root process group level.
+
+image:keytabCredentialsService-rpg.png["KeytabCredentialsService Controller Service RPG Level"]
+
+KeytabCredentialService controller service is a restricted component that requires 'access keytab' permissions:
+
+image:keytabcredentialsservice-permissions.png["KeytabCredentialService Required Permissions"]
+
+Sys_admin creates a process group ABC containing a flow with GetFile and PutHDFS processors:
+
+image:abc-restricted-component-flow.png["Restricted Component Flow"]
+
+GetFile processor is a restricted component that requires 'write filesystem' and 'read filesystem' permissions:
+
+image:getfile-permissions.png["GetFile Required Permissions"]
+
+PutHDFS is a restricted component that requires 'write filesystem' permissions:
+
+image:puthdfs-permissions.png["PutHDFS Required Permissions"]
+
+The PutHDFS processor is configured to use the root process group level KeytabCredentialsService controller service:
+
+image:puthdfs-properties.png["PutHDFS Properties"]
+
+Sys_admin saves the process group as a versioned flow:
+
+image:abc-versioned-flow.png["ABC Versioned Flow"]
+
+Test_user changes the flow by removing the KeytabCredentialsService controller service:
+
+image:puthdfs-no-kerberosCS.png["PutHDFS No Kerberos CS"]
+
+If test_user chooses to revert this change:
+
+image:test_user-revert-local-changes.png["Test_user Revert Local Changes]
+
+the revert is successful:
+
+image:revert-success.png["Revert Local Changes Successful"]
+
+Additionally, if test_user chooses to import the ABC versioned flow:
+
+image:test_user-import-abc-flow.png["Test_user Import Flow"]
+
+The import is successful:
+
+image:test_user-import-success.png["Test_user Import Successful"]
+
+==== Restricted Controller Service Created in Process Group
+Now, consider a second scenario where the controller service is created on the process group level.
+
+Sys_admin creates a process group XYZ:
+
+image:xyz-process-group.png["XYZ Process Group"]
+
+Sys_admin creates a KeytabCredentialsService controller service at the process group level:
+
+image:keytabCredentialsService-pg.png["KeytabCredentialsService Controller Service PG Level"]
+
+The same GetFile and PutHDFS flow is created in the process group:
+
+image:xyz-flow.png["XYZ Versioned Flow"]
+
+However, PutHDFS now references the process group level controller service:
+
+image:puthdfs-properties_2.png["PutHDFS Properties"]
+
+Sys_admin saves the process group as a versioned flow.
+
+Test_user changes the flow by removing the KeytabCredentialsService controller service. However, with this configuration, if test_user attempts to revert this change:
+
+image:test_user-revert-local-changes-2.png["Test_user Revert Local Changes"]
+
+the revert is unsuccessful because test_user does not have the 'access keytab' permissions required by the KeytabCredentialService controller service:
+
+image:revert-failure.png["Revert Local Changes Fails"]
+
+Similarly, if test_user tries to import the XYZ versioned flow:
+
+image:test_user-import-xyz-flow.png["Test_user Import Flow"]
+
+The import fails:
+
+image:import-xyz-flow-fails.png["XYZ Import Fails"]
+
 
 [[templates]]
 == Templates
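
Review bot: The image macro in the first example, image:test_user-revert-local-changes.png["Test_user Revert Local Changes], is missing the closing double quote before the bracket; every other macro in this hunk closes it, so this one should read ["Test_user Revert Local Changes"]. The controller service is also spelled "KeytabCredentialService" in three places (the sentence introducing its required permissions, the alt text of keytabcredentialsservice-permissions.png, and the sentence explaining the failed revert) and "KeytabCredentialsService" everywhere else; use one spelling. On content: the first scenario shows test_user, who is stated to hold only 'read filesystem' and 'write filesystem', successfully reverting and importing a flow whose PutHDFS references a service requiring 'access keytab', but the text never states why that succeeds while the second scenario fails. One sentence saying what differs about the root-level service would let an administrator judge what placing a restricted service at the root level exposes to users who lack its permission. The opening recommendation speaks of "restricted components" in general, while both examples cover only a controller service; either narrow the recommendation or say how it applies to restricted processors.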