NiFi: Grant All Access to Initial Admin User

This document shows how to use the NiFi API to grant super admin (ALL) access to the initial admin user.

Because we need to process a lot of JSON input and output in bash, we will use the jq tool.

Install jq from https://stedolan.github.io/jq/

Steps needed

  • Generate a NiFi token and save it
export NIFI_API_URL=https://$(hostname -f):9443/nifi-api
export NIFI_ADMIN_USER=<YOUR_NIFI_ADMIN_ID>
export NIFI_ADMIN_PASSWORD=<YOUR_NIFI_ADMIN_PASSWORD>
# -k disables TLS certificate verification; where the NiFi CA certificate is available, use --cacert instead
export NIFI_ADMIN_TOKEN=$(curl -k "${NIFI_API_URL}/access/token" -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
 --data "username=${NIFI_ADMIN_USER}&password=${NIFI_ADMIN_PASSWORD}")
  • Get the NiFi root process group ID
url=${NIFI_API_URL}/flow/process-groups/root
export ROOT_PROCESS_ID=$(curl -k -H "Authorization: Bearer ${NIFI_ADMIN_TOKEN}" "$url" | jq -r '.processGroupFlow.id')
  • Create the initial user list JSON
export url=${NIFI_API_URL}/tenants/users
# Every user returned by /tenants/users is added to the superadmin group
curl -k -H "Authorization: Bearer ${NIFI_ADMIN_TOKEN}" "$url" | jq -r '.users[].id' > /tmp/initial-user-list.txt
# Overwrite (not append) so a re-run still produces a single valid JSON document
jq -R '.' /tmp/initial-user-list.txt | jq -s '{"revision": {"version": 0},"component":{"identity": "superadmin",users:map({id:.})}}' > /tmp/initial-user-groups-list.json

  • Create the group
# Saved as superAdmingroupId, the name the policy calls below use
export superAdmingroupId=$(curl -k -H "Authorization: Bearer ${NIFI_ADMIN_TOKEN}" -X POST -H "content-type:application/json" "${NIFI_API_URL}/tenants/user-groups" \
-d "@/tmp/initial-user-groups-list.json" | jq -r '.id')
  • Add a function to create a root policy
create_root_policy(){
  local url=${NIFI_API_URL}/policies
  local groupId=${1}
  local action=${2}      # example: action="read" OR action="write"
  local resource=${3:-}  # example: resource="/provenance-data"; empty for the root process group itself
  # Each expansion is double-quoted so the JSON body stays a single argument
  curl -k -H "Authorization: Bearer ${NIFI_ADMIN_TOKEN}" -X POST -H "content-type:application/json" "$url" -d \
    '{
 "revision": { "version": 0 }, "component": { "action": "'"${action}"'",
 "resource": "'"${resource}"'/process-groups/'"${ROOT_PROCESS_ID}"'",
 "users": [], "userGroups": [ { "id": "'"${groupId}"'",
 "permissions": { "canRead": true, "canWrite": true } } ] } }'
}
  • Create all policies
create_root_policy "${superAdmingroupId}" "read"
create_root_policy "${superAdmingroupId}" "write"
create_root_policy "${superAdmingroupId}" "read" "/provenance-data"
create_root_policy "${superAdmingroupId}" "write" "/provenance-data"
create_root_policy "${superAdmingroupId}" "read" "/data"
create_root_policy "${superAdmingroupId}" "write" "/data"
create_root_policy "${superAdmingroupId}" "read" "/policies"
create_root_policy "${superAdmingroupId}" "write" "/policies"

At this point, if you log in to the NiFi web UI with the initial admin ID, you should have all access.
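
To check the result without the web UI, the following added example (not part of the original post) reads policy JSON and lists which of the eight root policies above do not name the superadmin group. It assumes each policy entity has the same "component" shape as the POST body in create_root_policy; the function names and the sample ids are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): offline audit of NiFi policy JSON.
# Assumption: each entity carries the same "component" shape as the POST body.

# Print every "action resource" pair the steps above create for the root group.
expected_policies() {
  local root_id=$1 prefix action
  for prefix in "" /provenance-data /data /policies; do
    for action in read write; do
      printf '%s %s/process-groups/%s\n' "$action" "$prefix" "$root_id"
    done
  done
}

# Read policy entities from stdin; print the expected pairs that do NOT list
# the given group id under component.userGroups.
missing_policies() {
  local group_id=$1 root_id=$2 granted pair
  granted=$(jq -r --arg gid "$group_id" '
    select(any(.component.userGroups[]?; .id == $gid))
    | "\(.component.action) \(.component.resource)"')
  expected_policies "$root_id" | while IFS= read -r pair; do
    printf '%s\n' "$granted" | grep -qxF -- "$pair" || printf '%s\n' "$pair"
  done
}

# Constructed sample data: ids and entities are made up for this example.
sample_entities() {
  cat <<'EOF'
{"component":{"action":"read","resource":"/process-groups/root-0000","userGroups":[{"id":"grp-superadmin"}]}}
{"component":{"action":"write","resource":"/process-groups/root-0000","userGroups":[{"id":"grp-superadmin"}]}}
{"component":{"action":"read","resource":"/provenance-data/process-groups/root-0000","userGroups":[{"id":"grp-superadmin"}]}}
{"component":{"action":"write","resource":"/policies/process-groups/root-0000","userGroups":[{"id":"grp-other"}]}}
{"component":{"action":"read","resource":"/data/process-groups/root-0000","userGroups":[]}}
EOF
}

# Lists every expected pair except the first three sample entities.
command -v jq >/dev/null && sample_entities | missing_policies grp-superadmin root-0000
```

Empty output means every expected policy names the group; a policy that exists but is bound to a different group is reported as missing.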
