You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by mc...@apache.org on 2016/11/15 21:11:26 UTC
nifi git commit: NIFI-2953 Update Multi-tenant authorization doc for changes to policy management UI. This closes #1225

Repository: nifi
Updated Branches:
  refs/heads/master 45bf8430f -> 76b859c4e


NIFI-2953 Update Multi-tenant authorization doc for changes to policy management UI. This closes #1225


Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/76b859c4
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/76b859c4
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/76b859c4

Branch: refs/heads/master
Commit: 76b859c4efbf621066be4e4e8bb14efd8be6b818
Parents: 45bf843
Author: Andrew Lim <an...@gmail.com>
Authored: Tue Nov 15 15:02:39 2016 -0500
Committer: Matt Gilman <ma...@gmail.com>
Committed: Tue Nov 15 16:10:46 2016 -0500

----------------------------------------------------------------------
 .../src/main/asciidoc/administration-guide.adoc |  29 ++++++++++++-------
 .../images/access-policy-config-start.png       | Bin 146821 -> 147911 bytes
 .../asciidoc/images/group-creation-dialog.png   | Bin 22155 -> 23956 bytes
 .../images/override_policy_copy_empty.png       | Bin 0 -> 85319 bytes
 .../process-group-modify-policy-add-user2.png   | Bin 59160 -> 60728 bytes
 .../images/process-group-modify-policy.png      | Bin 84716 -> 85122 bytes
 .../process-group-view-policy-add-user2.png     | Bin 59064 -> 60488 bytes
 .../images/process-group-view-policy.png        | Bin 84686 -> 85737 bytes
 .../processor-inherited-modify-policy.png       | Bin 74404 -> 71252 bytes
 .../asciidoc/images/processor-modify-policy.png | Bin 103896 -> 99723 bytes
 .../processor-replacement-modify-policy.png     | Bin 61262 -> 62718 bytes
 .../processor-replacement-view-policy.png       | Bin 60817 -> 62564 bytes
 .../asciidoc/images/processor-view-policy.png   | Bin 104448 -> 100181 bytes
 .../images/replacetext-processor-added.png      | Bin 179579 -> 182331 bytes
 .../asciidoc/images/user1-create-connection.png | Bin 160503 -> 162464 bytes
 .../asciidoc/images/user1-edit-connection.png   | Bin 185060 -> 187482 bytes
 .../main/asciidoc/images/user1-full-access.png  | Bin 183790 -> 195397 bytes
 .../main/asciidoc/images/user2-can-connect.png  | Bin 179306 -> 176660 bytes
 .../images/user2-connected-processors.png       | Bin 185050 -> 181803 bytes
 .../asciidoc/images/user2-edit-connection.png   | Bin 183074 -> 190377 bytes
 .../asciidoc/images/user2-edit-processor.png    | Bin 188768 -> 193925 bytes
 .../asciidoc/images/user2-moved-processor.png   | Bin 189742 -> 192262 bytes
 .../asciidoc/images/user2-no-connection.png     | Bin 174751 -> 171092 bytes
 .../images/user2-no-edit-connection.png         | Bin 271325 -> 206133 bytes
 .../asciidoc/images/user2-restricted-access.png | Bin 187504 -> 196958 bytes
 25 files changed, 18 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/administration-guide.adoc
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index be2e684..cd063ba 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -415,7 +415,7 @@ Here is an example LDAP entry using the name John Smith:
 </authorizers>
 ----
 
-Here is a example Kerberos entry using the name John Smith and realm `NIFI.APACHE.ORG`:
+Here is an example Kerberos entry using the name John Smith and realm `NIFI.APACHE.ORG`:
 
 ----
 <authorizer>
@@ -433,7 +433,7 @@ Here is a example Kerberos entry using the name John Smith and realm `NIFI.APACH
 </authorizers>
 ----
 
-After you have edited and saved the 'authorizers.xml' file, restart NiFi.  The \u201cInitial Admin Identity\u201d user and administrative policies are added to the 'authorizations.xml' file during restart. Once NiFi starts, the \u201cInitial Admin Identity\u201d user is able to access the UI and begin managing users, groups, and policies.
+After you have edited and saved the 'authorizers.xml' file, restart NiFi.  The \u201cInitial Admin Identity\u201d user and administrative policies are added to the 'users.xml' and 'authorizations.xml' files during restart. Once NiFi starts, the \u201cInitial Admin Identity\u201d user is able to access the UI and begin managing users, groups, and policies.
 
 NOTE: For a brand new secure flow, providing the "Initial Admin Identity" gives that user access to get into the UI and to manage users, groups and policies.  But if that user wants to start modifying the flow, they need to grant themselves policies for the root process group. The system is unable to do this automatically because in a new flow the UUID of the root process group is not permanent until the flow.xml.gz is generated.  If the NiFi instance is an upgrade from an existing flow.xml.gz or a 1.x instance going from unsecure to secure, then the "Initial Admin Identity" user is automatically given the privileges to modify the flow.
 
@@ -458,7 +458,7 @@ Here is an example entry:
 </authorizers>
 ----
 
-After you have edited and saved the 'authorizers.xml' file, restart NiFi. Users and roles from the 'authorized-users.xml' file are converted and added as identities and policies in the 'authorizations.xml' file.  Once the application starts, users who previously had a legacy Administrator role can access the UI and begin managing users, groups, and policies.
+After you have edited and saved the 'authorizers.xml' file, restart NiFi. Users and roles from the 'authorized-users.xml' file are converted and added as identities and policies in the 'users.xml' and 'authorizations.xml' files.  Once the application starts, users who previously had a legacy Administrator role can access the UI and begin managing users, groups, and policies.
 
 Here is a summary of policies assigned to each legacy role if the NiFi instance has an existing flow.xml.gz:
 
@@ -648,6 +648,8 @@ You can override an inherited policy (as described in the <<moving-a-processor>>
 
 NOTE: \u201cView the policies\u201d and \u201cmodify the policies\u201d component-level access policies are an exception to this inherited behavior.\u2002When a user is added to either policy, they are added to the current list of administrators.\u2002They do not override higher level administrators.\u2002For this reason, only component specific administrators are displayed for the \u201cview the policies\u201d and \u201cmodify the policies" access policies.
 
+NOTE:  You cannot modify the users/groups on an inherited policy.  Users and groups can only be added or removed from a parent policy or an override policy.
+
 [[access-policy-config-examples]]
 Access Policy Configuration Examples
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -679,8 +681,13 @@ To allow User2 to move the GenerateFlowFile processor in the dataflow and only t
   image:processor-modify-policy.png["Processor Modify Policy"]
   The \u201cmodify the component\u201d policy that currently exists on the processor (child) is the \u201cmodify the component\u201d policy inherited from the root process group (parent) on which User1 has privileges.
 [start=4]
-4. Select the Override link in the policy inheritance message to create a replacement policy.
-5. On the replacement policy that is created, select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User1 in the User Identity field and select OK.  Select the Add User icon again, find or enter User2 and select OK.
+4. Select the Override link in the policy inheritance message.  When creating the replacement policy, you are given a choice to override with a copy of the inherited policy or an empty policy.
+
+image:override_policy_copy_empty.png["Create Override Policy"]
+
+Select the Override button to create a copy.
+[start=5]
+5. On the replacement policy that is created, select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User2 in the User Identity field and select OK.
 
 image:processor-replacement-modify-policy.png["Processor Replacement Modify Policy"]
 
@@ -699,8 +706,8 @@ In the \u201cMoving a Processor\u201d example above, User2 was added to the \u201cmodify
   image:processor-view-policy.png["Processor View Policy"]
   The view the component\u201d policy that currently exists on the processor (child) is the "view the component\u201d policy inherited from the root process group (parent) on which User1 has privileges.
 [start=4]
-4. Select the Override link in the policy inheritance message to create a replacement policy.
-5. On the replacement policy that is created, select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User1 in the User Identity field and select OK.  Select the Add User icon again, find or enter User2 and select OK.
+4. Select the Override link in the policy inheritance message, keep the default of Copy policy and select the Override button.
+5. On the override policy that is created, select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User2 in the User Identity field and select OK.
 
 image:processor-replacement-view-policy.png["Processor Replacement View Policy"]
 
@@ -721,8 +728,8 @@ image:user2-no-connection.png["User2 No Connection"]
 
 This is because:
 
-* User2 does not have modify access on the process group and is therefore not able to create a connection.
-* Even though User2 has view and modify access to the source component (GenerateFlowFile), User2 does not have any access policy on the destination component (LogAttribute).
+* User2 does not have modify access on the process group.
+* Even though User2 has view and modify access to the source component (GenerateFlowFile), User2 does not have an access policy on the destination component (LogAttribute).
 
 To allow User2 to connect GenerateFlowFile to LogAttribute, as User1:
 
@@ -730,7 +737,7 @@ To allow User2 to connect GenerateFlowFile to LogAttribute, as User1:
 2. Select the Access Policies icon (image:iconAccessPolicies.png["Access Policies Icon"]) from the Operate palette and the Access Policies dialog opens.
 3. Select "modify the component\u201d from the policy drop-down.
   image:process-group-modify-policy.png["Process Group Modify Policy"]
-  [start=4]
+[start=4]
 4. Select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User2 and select OK.
 
 image:process-group-modify-policy-add-user2.png["Process Group Modify Policy Add User2"]
@@ -766,7 +773,7 @@ To allow User2 to connect GenerateFlowFile to ReplaceText, as User1:
 2. Select the Access Policies icon (image:iconAccessPolicies.png["Access Policies Icon"]).
 3. Select "view the component\u201d from the policy drop-down.
   image:process-group-view-policy.png["Process Group View Policy"]
-  [start=4]
+[start=4]
 4. Select the Add User icon (image:iconAddUser.png["Add User Icon"]). Find or enter User2 and select OK.
 
 image:process-group-view-policy-add-user2.png["Process Group View Policy Add User2"]

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/access-policy-config-start.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/access-policy-config-start.png b/nifi-docs/src/main/asciidoc/images/access-policy-config-start.png
index da3d54b..8d89171 100644
Binary files a/nifi-docs/src/main/asciidoc/images/access-policy-config-start.png and b/nifi-docs/src/main/asciidoc/images/access-policy-config-start.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/group-creation-dialog.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/group-creation-dialog.png b/nifi-docs/src/main/asciidoc/images/group-creation-dialog.png
index 5a23b88..9b7ed2d 100644
Binary files a/nifi-docs/src/main/asciidoc/images/group-creation-dialog.png and b/nifi-docs/src/main/asciidoc/images/group-creation-dialog.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/override_policy_copy_empty.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/override_policy_copy_empty.png b/nifi-docs/src/main/asciidoc/images/override_policy_copy_empty.png
new file mode 100644
index 0000000..5aaa665
Binary files /dev/null and b/nifi-docs/src/main/asciidoc/images/override_policy_copy_empty.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/process-group-modify-policy-add-user2.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/process-group-modify-policy-add-user2.png b/nifi-docs/src/main/asciidoc/images/process-group-modify-policy-add-user2.png
index aa4225b..1119f8a 100644
Binary files a/nifi-docs/src/main/asciidoc/images/process-group-modify-policy-add-user2.png and b/nifi-docs/src/main/asciidoc/images/process-group-modify-policy-add-user2.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/process-group-modify-policy.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/process-group-modify-policy.png b/nifi-docs/src/main/asciidoc/images/process-group-modify-policy.png
index db1395b..f1af9e0 100644
Binary files a/nifi-docs/src/main/asciidoc/images/process-group-modify-policy.png and b/nifi-docs/src/main/asciidoc/images/process-group-modify-policy.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/process-group-view-policy-add-user2.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/process-group-view-policy-add-user2.png b/nifi-docs/src/main/asciidoc/images/process-group-view-policy-add-user2.png
index 0e1cf6a..4079c1c 100644
Binary files a/nifi-docs/src/main/asciidoc/images/process-group-view-policy-add-user2.png and b/nifi-docs/src/main/asciidoc/images/process-group-view-policy-add-user2.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/process-group-view-policy.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/process-group-view-policy.png b/nifi-docs/src/main/asciidoc/images/process-group-view-policy.png
index 79bda56..40d9ee4 100644
Binary files a/nifi-docs/src/main/asciidoc/images/process-group-view-policy.png and b/nifi-docs/src/main/asciidoc/images/process-group-view-policy.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/processor-inherited-modify-policy.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/processor-inherited-modify-policy.png b/nifi-docs/src/main/asciidoc/images/processor-inherited-modify-policy.png
index b503e25..faa3eb1 100644
Binary files a/nifi-docs/src/main/asciidoc/images/processor-inherited-modify-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-inherited-modify-policy.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/processor-modify-policy.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/processor-modify-policy.png b/nifi-docs/src/main/asciidoc/images/processor-modify-policy.png
index 2efb4fb..ec11a22 100644
Binary files a/nifi-docs/src/main/asciidoc/images/processor-modify-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-modify-policy.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/processor-replacement-modify-policy.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/processor-replacement-modify-policy.png b/nifi-docs/src/main/asciidoc/images/processor-replacement-modify-policy.png
index 398da25..4af2876 100644
Binary files a/nifi-docs/src/main/asciidoc/images/processor-replacement-modify-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-replacement-modify-policy.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/processor-replacement-view-policy.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/processor-replacement-view-policy.png b/nifi-docs/src/main/asciidoc/images/processor-replacement-view-policy.png
index 5fb9968..fa701c6 100644
Binary files a/nifi-docs/src/main/asciidoc/images/processor-replacement-view-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-replacement-view-policy.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/processor-view-policy.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/processor-view-policy.png b/nifi-docs/src/main/asciidoc/images/processor-view-policy.png
index 14f3c7c..8bebd11 100644
Binary files a/nifi-docs/src/main/asciidoc/images/processor-view-policy.png and b/nifi-docs/src/main/asciidoc/images/processor-view-policy.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/replacetext-processor-added.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/replacetext-processor-added.png b/nifi-docs/src/main/asciidoc/images/replacetext-processor-added.png
index a0ea098..7b4fcde 100644
Binary files a/nifi-docs/src/main/asciidoc/images/replacetext-processor-added.png and b/nifi-docs/src/main/asciidoc/images/replacetext-processor-added.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user1-create-connection.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user1-create-connection.png b/nifi-docs/src/main/asciidoc/images/user1-create-connection.png
index d12d8cd..6e062c6 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user1-create-connection.png and b/nifi-docs/src/main/asciidoc/images/user1-create-connection.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user1-edit-connection.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user1-edit-connection.png b/nifi-docs/src/main/asciidoc/images/user1-edit-connection.png
index 842a8b1..dc3db6c 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user1-edit-connection.png and b/nifi-docs/src/main/asciidoc/images/user1-edit-connection.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user1-full-access.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user1-full-access.png b/nifi-docs/src/main/asciidoc/images/user1-full-access.png
index a977d9a..d364a8c 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user1-full-access.png and b/nifi-docs/src/main/asciidoc/images/user1-full-access.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user2-can-connect.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user2-can-connect.png b/nifi-docs/src/main/asciidoc/images/user2-can-connect.png
index c2a58b7..37ec232 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user2-can-connect.png and b/nifi-docs/src/main/asciidoc/images/user2-can-connect.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user2-connected-processors.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user2-connected-processors.png b/nifi-docs/src/main/asciidoc/images/user2-connected-processors.png
index ff207f2..d8c7bb5 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user2-connected-processors.png and b/nifi-docs/src/main/asciidoc/images/user2-connected-processors.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user2-edit-connection.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user2-edit-connection.png b/nifi-docs/src/main/asciidoc/images/user2-edit-connection.png
index 23584bb..a367aea 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user2-edit-connection.png and b/nifi-docs/src/main/asciidoc/images/user2-edit-connection.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user2-edit-processor.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user2-edit-processor.png b/nifi-docs/src/main/asciidoc/images/user2-edit-processor.png
index 430a2fe..11e88cb 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user2-edit-processor.png and b/nifi-docs/src/main/asciidoc/images/user2-edit-processor.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user2-moved-processor.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user2-moved-processor.png b/nifi-docs/src/main/asciidoc/images/user2-moved-processor.png
index 1dac9f4..a5998d2 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user2-moved-processor.png and b/nifi-docs/src/main/asciidoc/images/user2-moved-processor.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user2-no-connection.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user2-no-connection.png b/nifi-docs/src/main/asciidoc/images/user2-no-connection.png
index 3717f04..500f86a 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user2-no-connection.png and b/nifi-docs/src/main/asciidoc/images/user2-no-connection.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user2-no-edit-connection.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user2-no-edit-connection.png b/nifi-docs/src/main/asciidoc/images/user2-no-edit-connection.png
index d28127a..6412fd9 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user2-no-edit-connection.png and b/nifi-docs/src/main/asciidoc/images/user2-no-edit-connection.png differ

http://git-wip-us.apache.org/repos/asf/nifi/blob/76b859c4/nifi-docs/src/main/asciidoc/images/user2-restricted-access.png
----------------------------------------------------------------------
diff --git a/nifi-docs/src/main/asciidoc/images/user2-restricted-access.png b/nifi-docs/src/main/asciidoc/images/user2-restricted-access.png
index c2455ca..9e170c1 100644
Binary files a/nifi-docs/src/main/asciidoc/images/user2-restricted-access.png and b/nifi-docs/src/main/asciidoc/images/user2-restricted-access.png differ