Security
Also available as:
PDF
loading table of contents...

Legacy Authorized Users (NiFi Instance Upgrade)

If you are upgrading from a 0.x NiFi instance, you can convert your previously configured users and roles to the multi-tenant authorization model. In the authorizers.xml file, specify the location of your existing authorized-users.xml file in the "Legacy Authorized Users File" property.

Here is an example entry:

<authorizers>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity"></property>
        <property name="Legacy Authorized Users File">/Users/johnsmith/config_files/authorized-users.xml</property>
    </authorizer>
</authorizers>

After you have edited and saved the authorizers.xml file, restart NiFi. Users and roles from the authorized-users.xml file are converted and added as identities and policies in the users.xml and authorizations.xml files. Once the application starts, users who previously had a legacy Administrator role can access the UI and begin managing users, groups, and policies.

Here is a summary of policies assigned to each legacy role if the NiFi instance has an existing flow.xml.gz:

Admin

DFM

Monitor

Provenance

NiFi

Proxy

view the UI

*

*

*

view the controller

*

*

*

*

modify the controller

*

view system diagnostics

*

*

view the dataflow

*

*

*

modify the dataflow

*

view the users/groups

*

modify the users/groups

*

view policies

*

modify policies

*

query provenance

*

access restricted components

*

view the data

*

*

*

modify the data

*

*

retrieve site-to-site details

*

send proxy user requests

*

For details on the policies in the table, see Access Policies.

NiFi fails to restart if values exist for both the "Initial Admin Identity" and "Legacy Authorized Users File" properties. You can specify only one of these values to initialize authorizations.

Do not manually edit the authorizations.xml file. Create authorizations only during initial setup and afterwards using the NiFi UI.