Provisioning NiFi Users and Groups
User management
The NifiUser
resource was already introduced for the SSL credentials concerns.
What we are covering here is the NiFi user management part introduced in this resource.
When you create a NifiUser
resource the operator will :
- Try to check if a user already exists with the same name on the NiFi cluster, if it does, the operator will set NifiUser.Status.Id to bind it with the kubernetes resource.
- If no user is found, the operator will create and manage it (i.e it will ensure the synchronisation with the NiFi Cluster).
By default the user name that will be used is the name of the resource.
But as there are some constraints on this name (e.g RFC 1123) that doesn't match with those applied on NiFi, you can override it with the NifiUser.Spec.Identity
field which is more permissive.
In the example above the kubernetes resource name will be aguitton
but the NiFi use created on the cluster will be alexandre.guitton@orange.com
.
In the case the user will not authenticate himself using TLS authentication, the operator doesn't have to create a certificate, so just set NifiUser.Spec.CreateCert
to false.
For each user, you have the ability to define a list of AccessPolicies to give a list of access to your user.
In the example above we are giving to user alexandre.guitton@orange.com
the right to view metadata et content for the root process group in flowfile queues in outbound connections and through provenance events.
UserGroup management
To simplify the access management Apache NiFi allows to define groups containing a list of users, on which we apply a list of access policies.
This part is supported by the operator using the NifiUserGroup
resource :
When you create a NifiUserGroup
resource, the operator will create and manage a group named ${resource namespace}-${resource name}
in Nifi.
To declare the users that are part of this group, you just have to declare them in the NifiUserGroup.UsersRef field.
important
The NifiUserGroup.UsersRef requires to declare the name and namespace of a NifiUser
resource, so it is previously required to declare the resource.
It's required to create the resource even if the user is already declared in NiFi Cluster (In that case the operator will just sync the kubernetes resource).
Like for NifiUser
you can declare a list of AccessPolicies to give a list of access to your user.
In the example above we are giving to users nc-0-node.nc-headless.nifikop.svc.cluster.local
and nc-controller.nifikop.mgt.cluster.local
the right to view the counters informations.
Managed groups for simple setup
In some case these two features could be heavy to define, for example when you have 10 dataflows with one cluster for each of them, it will lead in a lot of .yaml
files ...
To simplify this, we implement in the operator 2 managed groups
:
- Admins : a group giving access to everything on the NiFi Cluster,
- Readers : a group giving access as viewer on the NiFi Cluster.
You can directly define the list of users who belong to each of them in the NifiCluster.Spec
field :
In this example the operator will create and manage 3 NifiUsers
:
- aguitton, with the identity :
alexandre.guitton@orange.com
- nifiuser, with the identity :
nifiuser@orange.com
- toto, with the identity :
toto@orange.com
And create and manage two groups :
- managed-admins : that will contain 3 users (aguitton, nifiuser, nc-controller.nifikop.mgt.cluster.local which is the controller user).
- managed-readers : that will contain 1 user (toto)
And the rest of the stuff will be reconciled and managed as described for NifiUsers
and NifiUserGroups
.
note
There is one more group that is created and managed by the operator, this is the managed-nodes group, for each node a NifiUser
is created, and we automatically add them to this group to give them the right list of accesses.
To get the list of managed groups just check the list of NifiUserGroup
: