Posted to dev@nifi.apache.org by Daniel Hernandez <da...@civitaslearning.com> on 2018/02/26 16:35:58 UTC

Policies for root Process Group.

Hi,

I am currently working on calling the Nifi REST API to get the 'root'
process group and setting it as parent for a new process-group.

However I am getting the next messages:

Attempting GET request to: JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root }
2018-02-26 11:06:55.341 DEBUG ???? --- [           main] c.c.p.n.c.i.b.BootApiClient              :
2018-02-26 11:06:55.341 DEBUG ???? --- [           main] c.c.p.n.c.i.b.BootApiClient              : Received 403 response from GET to JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root }

com.civitaslearning.platform.nifi.client.invoker.boot.exception.NifiForbiddenException: No applicable policies could be found. Contact the system administrator.

This is the content of my authorizations.xml file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
        <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
        <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
        <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
        <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
        <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
        <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
        <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
        <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006" resource="/process-groups/root" action="R">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
        <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68" resource="/process-groups/root" action="W">
            <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
        </policy>
    </policies>
</authorizations>

And this is the content of authorizations.xml

<authorizers>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=civitas, OU=ApacheNifi</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>


And users.xml


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51" identity="CN=civitas, OU=ApacheNifi"/>
    </users>
</tenants>

I already created a policy using the same user cert, so I guess the DN is
valid.
Am I defining the policy or making the call in the wrong way?

Thanks in advance,

Daniel Hernandez

Re: Policies for root Process Group.

Posted by Daniel Chaffelson <ch...@gmail.com>.
Daniel,
What is your timeframe for needing this working?
I ask because the contributors to NiPyApi are very close to a release which
will provide secured environment support, and wrappers to set this kind
of policy via a Python Client SDK for NiFi.
https://github.com/Chaffelson/nipyapi/tree/pr/43  is the branch this code
is currently sitting on, I would draw your attention to the
nipyapi.demo.secured_connection.py script which creates a secured Docker
instance, and then we are putting access/policy tools into
nipyapi.security.py, but you can also use the API commands directly via
nipyapi.nifi.*, such as nipyapi.nifi.PolicyApi().
You can also get the root flow with:
nipyapi.nifi.FlowApi().get_flow('root') as another example.

If you have specific requirements in this area please feel free to raise an
issue on the repo and we'll see if we can assist you.

Thanks,
Dan.

On Tue, Feb 27, 2018 at 2:46 PM Bryan Bende <bb...@gmail.com> wrote:

> Making a call to "/process-groups/root" should retrieve the root
> process group which should then have an id element.
>
>
> On Mon, Feb 26, 2018 at 5:20 PM, Daniel Hernandez
> <da...@civitaslearning.com> wrote:
> > Thanks Matt,
> >
> > I get now what the problem is. In order to exhaust all my possibilities,
> > may I ask: is there a way using the API to get the root UUID from the
> > flow.xml.gz file? Because I see the file there after running the tests.
> >
> > Thanks,
> >
> >
> > On Mon, Feb 26, 2018 at 3:26 PM, Daniel Hernandez <
> > daniel.hernandez@civitaslearning.com> wrote:
> >
> >> Hi Matt,
> >>
> >> Thanks for your answer.
> >>
> >> Do you know if there is a way to preconfigure this value when running
> >> Nifi's Docker image? I am making the calls from an integration test that
> >> runs a docker container with the Nifi server. I already checked, and the
> >> value under <rootGroup><id> in the flow.xml.gz file changes every time I
> >> deploy the container; I guess it is created at startup. Is it possible
> >> that I can change my docker image to get a fixed root group value?
> >>
> >> Thanks,
> >>
> >> Daniel
> >>
> >> On Mon, Feb 26, 2018 at 11:35 AM, Daniel Hernandez <daniel.hernandez@
> >> civitaslearning.com> wrote:
> >>
> >>> Hi,
> >>>
> >>> I am currently working on calling the Nifi REST API to get the 'root'
> >>> process group and setting it as parent for a new process-group.
> >>>
> >>> However I am getting the next messages:
> >>>
> >>> Attempting GET request to: JerseyWebTarget {
> >>> https://127.0.0.1:8443/nifi-api/process-groups/root }
> >>> 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
> >>> c.c.p.n.c.i.b.BootApiClient              :
> >>> 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
> >>> c.c.p.n.c.i.b.BootApiClient              : Received 403 response from
> GET
> >>> to JerseyWebTarget {
> https://127.0.0.1:8443/nifi-api/process-groups/root
> >>> }
> >>>
> >>>
> com.civitaslearning.platform.nifi.client.invoker.boot.exception.NifiForbiddenException:
> >>> No applicable policies could be found. Contact the system
> administrator.
> >>>
> >>> This is the content of my authorizations.xml file:
> >>>
> >>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> >>>
> >>> <authorizations>
> >>>
> >>>     <policies>
> >>>
> >>>         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
> >>> resource="/flow" action="R">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
> >>> resource="/restricted-components" action="W">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
> >>> resource="/tenants" action="R">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
> >>> resource="/tenants" action="W">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
> >>> resource="/policies" action="R">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
> >>> resource="/policies" action="W">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
> >>> resource="/controller" action="R">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
> >>> resource="/controller" action="W">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>         <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006"
> >>> resource="/process-groups/root" action="R">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>         <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68"
> >>> resource="/process-groups/root" action="W">
> >>>
> >>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
> >>>
> >>>         </policy>
> >>>
> >>>     </policies>
> >>>
> >>> </authorizations>
> >>>
> >>> And this is the content of authorizations.xml
> >>>
> >>> <authorizers>
> >>>
> >>> <accessPolicyProvider>
> >>>
> >>>         <identifier>file-access-policy-provider</identifier>
> >>>
> >>>         <class>org.apache.nifi.authorization.FileAccessPolicyProvide
> >>> r</class>
> >>>
> >>>         <property name="User Group Provider">file-user-group-prov
> >>> ider</property>
> >>>
> >>>         <property name="Authorizations File">./conf/authorizations.xm
> >>> l</property>
> >>>
> >>>         <property name="Initial Admin Identity">CN=civitas,
> >>> OU=ApacheNifi</property>
> >>>
> >>>         <property name="Legacy Authorized Users File"></property>
> >>>
> >>>
> >>>         <property name="Node Identity 1"></property>
> >>>
> >>>     </accessPolicyProvider>
> >>>
> >>> <authorizer>
> >>>
> >>>         <identifier>managed-authorizer</identifier>
> >>>
> >>>         <class>org.apache.nifi.authorization.StandardManagedAuthoriz
> >>> er</class>
> >>>
> >>>         <property name="Access Policy Provider">file-access-policy-p
> >>> rovider</property>
> >>>
> >>>     </authorizer>
> >>>
> >>> </authorizers>
> >>>
> >>>
> >>> And users.xml
> >>>
> >>>
> >>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> >>>
> >>> <tenants>
> >>>
> >>>     <groups/>
> >>>
> >>>     <users>
> >>>
> >>>         <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"
> >>> identity="CN=civitas, OU=ApacheNifi"/>
> >>>
> >>>     </users>
> >>>
> >>> </tenants>
> >>>
> >>> I already created a policy using the same user cert, so I guess the DN is
> >>> valid.
> >>> Am I defining the policy or making the call in the wrong way?
> >>>
> >>> Thanks in advance,
> >>>
> >>> Daniel Hernandez
> >>>
> >>>
> >>>
> >>
>

Re: Policies for root Process Group.

Posted by Bryan Bende <bb...@gmail.com>.
Making a call to "/process-groups/root" should retrieve the root
process group which should then have an id element.


On Mon, Feb 26, 2018 at 5:20 PM, Daniel Hernandez
<da...@civitaslearning.com> wrote:
> Thanks Matt,
>
> I get now what the problem is. In order to exhaust all my possibilities,
> may I ask: is there a way using the API to get the root UUID from the
> flow.xml.gz file? Because I see the file there after running the tests.
>
> Thanks,
>
>
> On Mon, Feb 26, 2018 at 3:26 PM, Daniel Hernandez <
> daniel.hernandez@civitaslearning.com> wrote:
>
>> Hi Matt,
>>
>> Thanks for your answer.
>>
>> Do you know if there is a way to preconfigure this value when running
>> Nifi's Docker image? I am making the calls from an integration test that
>> runs a docker container with the Nifi server. I already checked, and the
>> value under <rootGroup><id> in the flow.xml.gz file changes every time I
>> deploy the container; I guess it is created at startup. Is it possible
>> that I can change my docker image to get a fixed root group value?
>>
>> Thanks,
>>
>> Daniel
>>
>> On Mon, Feb 26, 2018 at 11:35 AM, Daniel Hernandez <daniel.hernandez@
>> civitaslearning.com> wrote:
>>
>>> Hi,
>>>
>>> I am currently working on calling the Nifi REST API to get the 'root'
>>> process group and setting it as parent for a new process-group.
>>>
>>> However I am getting the next messages:
>>>
>>> Attempting GET request to: JerseyWebTarget {
>>> https://127.0.0.1:8443/nifi-api/process-groups/root }
>>> 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
>>> c.c.p.n.c.i.b.BootApiClient              :
>>> 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
>>> c.c.p.n.c.i.b.BootApiClient              : Received 403 response from GET
>>> to JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root
>>> }
>>>
>>> com.civitaslearning.platform.nifi.client.invoker.boot.exception.NifiForbiddenException:
>>> No applicable policies could be found. Contact the system administrator.
>>>
>>> This is the content of my authorizations.xml file:
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>>
>>> <authorizations>
>>>
>>>     <policies>
>>>
>>>         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>>> resource="/flow" action="R">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>>> resource="/restricted-components" action="W">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>>> resource="/tenants" action="R">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>>> resource="/tenants" action="W">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>>> resource="/policies" action="R">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>>> resource="/policies" action="W">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>>> resource="/controller" action="R">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>>> resource="/controller" action="W">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>         <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006"
>>> resource="/process-groups/root" action="R">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>         <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68"
>>> resource="/process-groups/root" action="W">
>>>
>>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>>
>>>         </policy>
>>>
>>>     </policies>
>>>
>>> </authorizations>
>>>
>>> And this is the content of authorizations.xml
>>>
>>> <authorizers>
>>>
>>> <accessPolicyProvider>
>>>
>>>         <identifier>file-access-policy-provider</identifier>
>>>
>>>         <class>org.apache.nifi.authorization.FileAccessPolicyProvide
>>> r</class>
>>>
>>>         <property name="User Group Provider">file-user-group-prov
>>> ider</property>
>>>
>>>         <property name="Authorizations File">./conf/authorizations.xm
>>> l</property>
>>>
>>>         <property name="Initial Admin Identity">CN=civitas,
>>> OU=ApacheNifi</property>
>>>
>>>         <property name="Legacy Authorized Users File"></property>
>>>
>>>
>>>         <property name="Node Identity 1"></property>
>>>
>>>     </accessPolicyProvider>
>>>
>>> <authorizer>
>>>
>>>         <identifier>managed-authorizer</identifier>
>>>
>>>         <class>org.apache.nifi.authorization.StandardManagedAuthoriz
>>> er</class>
>>>
>>>         <property name="Access Policy Provider">file-access-policy-p
>>> rovider</property>
>>>
>>>     </authorizer>
>>>
>>> </authorizers>
>>>
>>>
>>> And users.xml
>>>
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>>
>>> <tenants>
>>>
>>>     <groups/>
>>>
>>>     <users>
>>>
>>>         <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"
>>> identity="CN=civitas, OU=ApacheNifi"/>
>>>
>>>     </users>
>>>
>>> </tenants>
>>>
>>> I already created a policy using the same user cert, so I guess the DN is
>>> valid.
>>> Am I defining the policy or making the call in the wrong way?
>>>
>>> Thanks in advance,
>>>
>>> Daniel Hernandez
>>>
>>>
>>>
>>

Re: Policies for root Process Group.

Posted by Daniel Hernandez <da...@civitaslearning.com>.
Thanks Matt,

I get now what the problem is. In order to exhaust all my possibilities,
may I ask: is there a way using the API to get the root UUID from the
flow.xml.gz file? Because I see the file there after running the tests.

Thanks,


On Mon, Feb 26, 2018 at 3:26 PM, Daniel Hernandez <
daniel.hernandez@civitaslearning.com> wrote:

> Hi Matt,
>
> Thanks for your answer.
>
> Do you know if there is a way to preconfigure this value when running
> Nifi's Docker image? I am making the calls from an integration test that
> runs a docker container with the Nifi server. I already checked, and the
> value under <rootGroup><id> in the flow.xml.gz file changes every time I
> deploy the container; I guess it is created at startup. Is it possible
> that I can change my docker image to get a fixed root group value?
>
> Thanks,
>
> Daniel
>
> On Mon, Feb 26, 2018 at 11:35 AM, Daniel Hernandez <daniel.hernandez@
> civitaslearning.com> wrote:
>
>> Hi,
>>
>> I am currently working on calling the Nifi REST API to get the 'root'
>> process group and setting it as parent for a new process-group.
>>
>> However I am getting the next messages:
>>
>> Attempting GET request to: JerseyWebTarget {
>> https://127.0.0.1:8443/nifi-api/process-groups/root }
>> 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
>> c.c.p.n.c.i.b.BootApiClient              :
>> 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
>> c.c.p.n.c.i.b.BootApiClient              : Received 403 response from GET
>> to JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root
>> }
>>
>> com.civitaslearning.platform.nifi.client.invoker.boot.exception.NifiForbiddenException:
>> No applicable policies could be found. Contact the system administrator.
>>
>> This is the content of my authorizations.xml file:
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>
>> <authorizations>
>>
>>     <policies>
>>
>>         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>> resource="/flow" action="R">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>> resource="/restricted-components" action="W">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>> resource="/tenants" action="R">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>> resource="/tenants" action="W">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>> resource="/policies" action="R">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>> resource="/policies" action="W">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>> resource="/controller" action="R">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>> resource="/controller" action="W">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>         <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006"
>> resource="/process-groups/root" action="R">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>         <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68"
>> resource="/process-groups/root" action="W">
>>
>>             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>>
>>         </policy>
>>
>>     </policies>
>>
>> </authorizations>
>>
>> And this is the content of authorizations.xml
>>
>> <authorizers>
>>
>> <accessPolicyProvider>
>>
>>         <identifier>file-access-policy-provider</identifier>
>>
>>         <class>org.apache.nifi.authorization.FileAccessPolicyProvide
>> r</class>
>>
>>         <property name="User Group Provider">file-user-group-prov
>> ider</property>
>>
>>         <property name="Authorizations File">./conf/authorizations.xm
>> l</property>
>>
>>         <property name="Initial Admin Identity">CN=civitas,
>> OU=ApacheNifi</property>
>>
>>         <property name="Legacy Authorized Users File"></property>
>>
>>
>>         <property name="Node Identity 1"></property>
>>
>>     </accessPolicyProvider>
>>
>> <authorizer>
>>
>>         <identifier>managed-authorizer</identifier>
>>
>>         <class>org.apache.nifi.authorization.StandardManagedAuthoriz
>> er</class>
>>
>>         <property name="Access Policy Provider">file-access-policy-p
>> rovider</property>
>>
>>     </authorizer>
>>
>> </authorizers>
>>
>>
>> And users.xml
>>
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>>
>> <tenants>
>>
>>     <groups/>
>>
>>     <users>
>>
>>         <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"
>> identity="CN=civitas, OU=ApacheNifi"/>
>>
>>     </users>
>>
>> </tenants>
>>
>> I already created a policy using the same user cert, so I guess the DN is
>> valid.
>> Am I defining the policy or making the call in the wrong way?
>>
>> Thanks in advance,
>>
>> Daniel Hernandez
>>
>>
>>
>

Re: Policies for root Process Group.

Posted by Bryan Bende <bb...@gmail.com>.
You should be able to include a canned flow.xml.gz in your
container; just have nothing under the root group.


On Mon, Feb 26, 2018 at 3:50 PM, Matt Gilman <ma...@gmail.com> wrote:
> Daniel,
>
> Unfortunately, there is no way to set this currently. This is ultimately a
> lifecycle issue. The UUID of the root group may be inherited from a cluster
> or randomly generated if a node is standalone. From the admin guide:
>
> "For a brand new secure flow, providing the "Initial Admin Identity" gives
> that user access to get into the UI and to manage users, groups and
> policies. But if that user wants to start modifying the flow, they need to
> grant themselves policies for the root process group. The system is unable
> to do this automatically because in a new flow the UUID of the root process
> group is not permanent until the flow.xml.gz is generated. If the NiFi
> instance is an upgrade from an existing flow.xml.gz or a 1.x instance going
> from unsecure to secure, then the "Initial Admin Identity" user is
> automatically given the privileges to modify the flow."
>
> Because of this, when there is no existing flow, granting permissions to
> the root group would need to happen after this initial startup.
>
> Matt
>
>
> On Mon, Feb 26, 2018 at 3:26 PM, Daniel Hernandez <
> daniel.hernandez@civitaslearning.com> wrote:
>
>> Hi Matt,
>>
>> Thanks for your answer.
>>
>> Do you know if there is a way to preconfigure this value when running
>> Nifi's Docker image? I am making the calls from an integration test that
>> runs a docker container with the Nifi server. I already checked, and the
>> value under <rootGroup><id> in the flow.xml.gz file changes every time I
>> deploy the container; I guess it is created at startup. Is it possible
>> that I can change my docker image to get a fixed root group value?
>>
>> Thanks,
>>
>> Daniel
>>
>> On Mon, Feb 26, 2018 at 11:35 AM, Daniel Hernandez <
>> daniel.hernandez@civitaslearning.com> wrote:
>>
>> > Hi,
>> >
>> > I am currently working on calling the Nifi REST API to get the 'root'
>> > process group and setting it as parent for a new process-group.
>> >
>> > However I am getting the next messages:
>> >
>> > Attempting GET request to: JerseyWebTarget {
>> https://127.0.0.1:8443/nifi-
>> > api/process-groups/root }
>> > 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
>> > c.c.p.n.c.i.b.BootApiClient              :
>> > 2018-02-26 11:06:55.341 DEBUG ???? --- [           main]
>> > c.c.p.n.c.i.b.BootApiClient              : Received 403 response from GET
>> > to JerseyWebTarget { https://127.0.0.1:8443/nifi-api/process-groups/root
>> }
>> >
>> > com.civitaslearning.platform.nifi.client.invoker.boot.exception.
>> NifiForbiddenException:
>> > No applicable policies could be found. Contact the system administrator.
>> >
>> > This is the content of my authorizations.xml file:
>> >
>> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> >
>> > <authorizations>
>> >
>> >     <policies>
>> >
>> >         <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f"
>> > resource="/flow" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515"
>> > resource="/restricted-components" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7"
>> > resource="/tenants" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5"
>> > resource="/tenants" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212"
>> > resource="/policies" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d"
>> > resource="/policies" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03"
>> > resource="/controller" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf"
>> > resource="/controller" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006"
>> > resource="/process-groups/root" action="R">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >         <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68"
>> > resource="/process-groups/root" action="W">
>> >
>> >             <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
>> >
>> >         </policy>
>> >
>> >     </policies>
>> >
>> > </authorizations>
>> >
>> > And this is the content of authorizations.xml
>> >
>> > <authorizers>
>> >
>> > <accessPolicyProvider>
>> >
>> >         <identifier>file-access-policy-provider</identifier>
>> >
>> >         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</
>> > class>
>> >
>> >         <property name="User Group Provider">file-user-group-
>> > provider</property>
>> >
>> >         <property name="Authorizations File">./conf/authorizations.
>> > xml</property>
>> >
>> >         <property name="Initial Admin Identity">CN=civitas,
>> > OU=ApacheNifi</property>
>> >
>> >         <property name="Legacy Authorized Users File"></property>
>> >
>> >
>> >         <property name="Node Identity 1"></property>
>> >
>> >     </accessPolicyProvider>
>> >
>> > <authorizer>
>> >
>> >         <identifier>managed-authorizer</identifier>
>> >
>> >         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</
>> > class>
>> >
>> >         <property name="Access Policy Provider">file-access-policy-
>> > provider</property>
>> >
>> >     </authorizer>
>> >
>> > </authorizers>
>> >
>> >
>> > And users.xml
>> >
>> >
>> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>> >
>> > <tenants>
>> >
>> >     <groups/>
>> >
>> >     <users>
>> >
>> >         <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"
>> > identity="CN=civitas, OU=ApacheNifi"/>
>> >
>> >     </users>
>> >
>> > </tenants>
>> >
>> > I already created a policy using the same user cert, so I guess the DN is
>> > valid.
>> > Am I defining the policy or making the call in the wrong way?
>> >
>> > Thanks in advance,
>> >
>> > Daniel Hernandez
>> >
>> >
>> >
>>
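
Added example (not part of the thread, and not NiFi or NiPyApi code): with a canned flow.xml.gz as suggested in the message above, the root group UUID is known before startup, so authorizations.xml can be checked and written against it. The sketch reads `<rootGroup><id>`, lists policies keyed on the `root` alias, and rewrites them; it assumes component policies are keyed as `/process-groups/<uuid>`, and the UUID and trimmed file contents are constructed samples.

```python
import gzip
import uuid
import xml.etree.ElementTree as ET

# Resource form used in the authorizations.xml from the original post.
ALIAS_SUFFIX = "/process-groups/root"

# Constructed sample: minimal flow.xml with an empty root group, gzip-compressed
# in memory. The root group id is a made-up placeholder, not a value from the thread.
SAMPLE_FLOW_GZ = gzip.compress(b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<flowController>
  <rootGroup>
    <id>00000000-0000-4000-8000-000000000001</id>
    <name>NiFi Flow</name>
  </rootGroup>
</flowController>
""")

# Trimmed copy of the authorizations.xml from the original post (three policies).
SAMPLE_AUTHZ = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
  <policies>
    <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R">
      <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
    </policy>
    <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006" resource="/process-groups/root" action="R">
      <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
    </policy>
    <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68" resource="/process-groups/root" action="W">
      <user identifier="2ca01c6c-41bf-31b9-8101-5021367b7c51"/>
    </policy>
  </policies>
</authorizations>
"""


def root_group_id(flow_gz):
    """Return the UUID stored under <rootGroup><id> in a gzip-compressed flow.xml."""
    flow = ET.fromstring(gzip.decompress(flow_gz))
    node = flow.find("./rootGroup/id")
    if node is None or not (node.text or "").strip():
        raise ValueError("flow.xml has no <rootGroup><id>; the flow has not been generated")
    # uuid.UUID raises ValueError on anything that is not a well-formed UUID.
    return str(uuid.UUID(node.text.strip()))


def alias_policies(authz_xml):
    """List (policy identifier, resource, action) for policies keyed on the 'root' alias."""
    tree = ET.fromstring(authz_xml)
    return [
        (p.get("identifier"), p.get("resource"), p.get("action"))
        for p in tree.iter("policy")
        if (p.get("resource") or "").endswith(ALIAS_SUFFIX)
    ]


def pin_root_policies(authz_xml, root_id):
    """Return authorizations XML with every '.../process-groups/root' policy
    rewritten to '.../process-groups/<root_id>'. Other policies are untouched."""
    root_id = str(uuid.UUID(root_id))  # refuse to write a non-UUID into the policy file
    tree = ET.fromstring(authz_xml)
    for policy in tree.iter("policy"):
        resource = policy.get("resource") or ""
        if resource.endswith(ALIAS_SUFFIX):
            policy.set("resource", resource[: -len("root")] + root_id)
    return ET.tostring(tree, encoding="unicode")


if __name__ == "__main__":
    rid = root_group_id(SAMPLE_FLOW_GZ)
    print("root group id:", rid)
    for ident, resource, action in alias_policies(SAMPLE_AUTHZ):
        print("alias policy:", ident, resource, action)
    print(pin_root_policies(SAMPLE_AUTHZ, rid))
```

Running the check in the image build, before the container starts, makes a mismatch between the canned flow and the policy file fail the build instead of surfacing later as a 403.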

Re: Policies for root Process Group.

Posted by Matt Gilman <ma...@gmail.com>.
Daniel,

Unfortunately, there is no way to set this currently. This is ultimately a
lifecycle issue. The UUID of the root group may be inherited from a cluster
or randomly generated if a node is standalone. From the admin guide:

"For a brand new secure flow, providing the "Initial Admin Identity" gives
that user access to get into the UI and to manage users, groups and
policies. But if that user wants to start modifying the flow, they need to
grant themselves policies for the root process group. The system is unable
to do this automatically because in a new flow the UUID of the root process
group is not permanent until the flow.xml.gz is generated. If the NiFi
instance is an upgrade from an existing flow.xml.gz or a 1.x instance going
from unsecure to secure, then the "Initial Admin Identity" user is
automatically given the privileges to modify the flow."

Because of this, when there is no existing flow, granting permissions to
the root group would need to happen after this initial startup.

Matt


On Mon, Feb 26, 2018 at 3:26 PM, Daniel Hernandez <
daniel.hernandez@civitaslearning.com> wrote:

> Hi Matt,
>
> Thanks for your answer.
>
> Do you know if there is a way to preconfigure this value when running
> Nifi's Docker image? I am making the calls from an integration test that
> runs a docker container with the Nifi server. I already checked, and the
> value under <rootGroup><id> in the flow.xml.gz file changes every time I
> deploy the container; I guess it is created at startup. Is it possible
> that I can change my docker image to get a fixed root group value?
>
> Thanks,
>
> Daniel

Re: Policies for root Process Group.

Posted by Daniel Hernandez <da...@civitaslearning.com>.
Hi Matt,

Thanks for your answer.

Do you know if there is a way to preconfigure this value when running
Nifi's Docker image? I am making the calls from an integration test that
runs a docker container with the Nifi server. I already checked and the value
under <rootGroup><id> in the flow.xml.gz file changes every time I deploy
the container, I guess it is created at startup.  Is it possible that I can
change my docker image to get a fixed root group value?

Thanks,

Daniel


Re: Policies for root Process Group.

Posted by Matt Gilman <ma...@gmail.com>.
Daniel,

The policy should use the UUID of the root Process Group.

If you're seeding the authorizations.xml as part of your initial start-up,
these policies will be automatically applied to your initial admin if there
is an existing flow.xml.gz. If there is no flow.xml.gz, you'll need to
define these policies manually after starting up. You can see these
endpoints in action if you open your browser's Developer Tools and you
perform these actions in the UI. You should be able to update your client
following these examples.

Matt

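The point made in the reply above, that a policy must name the root Process Group's UUID rather than the `root` alias, can be checked offline. This is an added example, not code from the thread or from the NiFi project. It reads `<rootGroup><id>` from a flow.xml.gz and classifies the process-group policies in an authorizations.xml. The sample UUID, the `flowController` wrapper element and the last sample policy are constructed for illustration.

```python
import gzip
import xml.etree.ElementTree as ET

ROOT_ALIAS = "/process-groups/root"  # alias used in the REST URL, not a UUID

def root_group_id(flow_xml_gz: bytes) -> str:
    """Return <rootGroup><id> from the bytes of a flow.xml.gz file."""
    node = ET.fromstring(gzip.decompress(flow_xml_gz)).find("rootGroup/id")
    if node is None or not (node.text or "").strip():
        raise ValueError("no <rootGroup><id> in flow.xml.gz")
    return node.text.strip()

def audit_root_policies(authorizations_xml: bytes, root_id: str):
    """List (identifier, action, resource, status) for each process-group policy."""
    wanted = f"/process-groups/{root_id}"
    findings = []
    for policy in ET.fromstring(authorizations_xml).iter("policy"):
        resource = policy.get("resource", "")
        if not resource.startswith("/process-groups/"):
            continue
        if resource == wanted:
            status = "ok"
        elif resource == ROOT_ALIAS:
            status = "alias-not-uuid"
        else:
            status = "other-group"  # a child group, or a UUID from an earlier start
        findings.append((policy.get("identifier"), policy.get("action"), resource, status))
    return findings

def missing_root_actions(findings):
    """Actions (R/W) that no policy grants on the real root group UUID."""
    granted = {action for _, action, _, status in findings if status == "ok"}
    return sorted({"R", "W"} - granted)

# Constructed sample input: the root UUID, the wrapper element name and the last
# policy are made up; the two /process-groups/root policies are from the thread.
SAMPLE_ROOT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_FLOW_GZ = gzip.compress(
    f"<flowController><rootGroup><id>{SAMPLE_ROOT_ID}</id>"
    "<name>NiFi Flow</name></rootGroup></flowController>".encode())
SAMPLE_AUTHORIZATIONS = f"""<authorizations><policies>
  <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R"/>
  <policy identifier="d2f2019f-0161-1000-201a-94a51ee94006" resource="/process-groups/root" action="R"/>
  <policy identifier="d2f20292-0161-1000-e8d2-a8f874682f68" resource="/process-groups/root" action="W"/>
  <policy identifier="constructed-policy-id" resource="/process-groups/{SAMPLE_ROOT_ID}" action="R"/>
</policies></authorizations>""".encode()

if __name__ == "__main__":
    found = audit_root_policies(SAMPLE_AUTHORIZATIONS, root_group_id(SAMPLE_FLOW_GZ))
    for identifier, action, resource, status in found:
        print(f"{status:15} {action} {resource} ({identifier})")
    print("missing on root UUID:", missing_root_actions(found))
```
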