apache-nifi apache-nifi-registry

restrict modify-access to this process group


Created a process group that contains a custom processor and a few default processors & added it to a bucket.

I want to restrict modify-access to this process group.

User sys_admin can add group to canvas and modify it and its processors.

User test_user should only be able to add it to canvas and not modify it (or its processors).

But this is not working.

User test_user has read permission only on bucket.

But user test_user can add the processor group and go in and modify it.

Is there any way of restricting access at bucket level?

So user can only add something from a bucket but never modify it?

Or can I set a global restriction on the processor group?

I basically want this processor group to only be modified by the sys_admin user.

Any help is appreciated!


Solution

  • There are two different security models here, the one on NiFi Registry side, and the one on NiFi side.

    On NiFi Registry side, the bucket permissions control who can read and write to a bucket. This is only related to retrieving a flow from the bucket or saving a new flow version to the bucket.

    On the NiFi side, the process group permissions control who can create and modify components.

    Since test_user has read access to the bucket in registry, they can import this flow into any process group in NiFi where they have write access. Once they import it, they can do whatever they want to it in NiFi since these are all local changes on NiFi side, but they won't be able to save a new version back to registry since they don't have write permissions on the bucket.

    Currently I'm not sure there is a way to achieve what you are asking for. It would likely require separating some of the permissions. Currently the ability to import a flow is based on having write permissions to the process group where you want to import it to, but write permissions also mean you can modify anything in that group.
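
The two permission checks described in the answer, written as a small audit model. This is an added example, not NiFi or NiFi Registry code. The bucket and process group names are constructed, the data layout is a simplified stand-in for the real policy format, and it assumes NiFi's rule that a process group without its own policy inherits its parent's.

```python
# Constructed sample policies (simplified model, not the NiFi REST format).
# NiFi Registry side: bucket -> action -> users
BUCKET_POLICIES = {
    "shared-flows": {"read": {"sys_admin", "test_user"}, "write": {"sys_admin"}},
}
# NiFi side: process group -> parent and any explicitly set policies
PROCESS_GROUPS = {
    "root": {"parent": None, "policies": {"write": {"sys_admin"}}},
    "team-sandbox": {"parent": "root",
                     "policies": {"write": {"sys_admin", "test_user"}}},
    "locked": {"parent": "root", "policies": {}},  # no own policy: inherits root
}

def pg_users(pg_id, action):
    """Users holding `action` on a group, walking up to the nearest explicit policy."""
    while pg_id is not None:
        pg = PROCESS_GROUPS[pg_id]
        if action in pg["policies"]:
            return pg["policies"][action]
        pg_id = pg["parent"]
    return set()

def capabilities(user, bucket, target_pg):
    """What `user` can do with a flow from `bucket` inside `target_pg`."""
    read_bucket = user in BUCKET_POLICIES[bucket].get("read", set())
    write_bucket = user in BUCKET_POLICIES[bucket].get("write", set())
    write_pg = user in pg_users(target_pg, "write")
    can_import = read_bucket and write_pg
    return {
        "import": can_import,
        # The imported group is a new child of target_pg with no policy of its
        # own, so the importer's write access carries over to it.
        "modify_local_copy": can_import,
        # Saving a version back also needs write on the Registry bucket.
        "commit_new_version": can_import and write_bucket,
    }

def audit(bucket):
    """(user, process group) pairs that can edit a local copy but not commit it."""
    readers = BUCKET_POLICIES[bucket].get("read", set())
    return [(u, pg) for u in sorted(readers) for pg in sorted(PROCESS_GROUPS)
            if (c := capabilities(u, bucket, pg))["modify_local_copy"]
            and not c["commit_new_version"]]

if __name__ == "__main__":
    for user, pg in audit("shared-flows"):
        print(f"{user} can import into '{pg}' and edit locally, but cannot commit")
```
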