nifi-dev mailing list archives

From Bryan Bende <bbe...@gmail.com>
Subject Re: "Node Group" property of FileAccessPolicyProvider
Date Tue, 21 Aug 2018 18:04:47 GMT
This sounds like a good idea to me.

Just to clarify how this would work, in the file-based policy provider
we'd have something like:

<property name="Initial Admin Identity">admin</property>
<property name="Node Group">cluster-nodes</property>

During start up the "cluster-nodes" group gets granted permission to /proxy.

Then a separate piece of work would be to implement a
UserGroupProvider that knew about all the nodes in the cluster
(presumably from ZooKeeper?) and would internally create users for
those nodes and put them into the "cluster-nodes" group.

This way when nodes are added to the cluster they are automatically
picked up by the UserGroupProvider and automatically have the correct
permissions because of being in the Node Group.

If so, I think that sounds like a nice way to help with adding/removing nodes.


On Tue, Aug 21, 2018 at 10:18 AM, Andy Christianson
<aichrist@protonmail.com.invalid> wrote:
> Hi All,
>
> Currently FileAccessPolicyProvider supports specification of a static set of
> node identities. This is limiting in environments where the set of node
> identities is changing over time, for example during scale-up/down operations
> when NiFi is deployed to a clustering environment (e.g. Kubernetes).
>
> I have authored ticket NIFI-5542 [1] proposing a new "Node Group" property. All
> users added to this group will be treated as nodes. The group will be populated
> by a UserGroupProvider which dynamically provides the set of node identities
> that exist in the cluster. The UserGroupProvider will depend on the cluster
> environment NiFi is currently deployed to. In the future we may want to
> consider offering UserGroupProviders for a set of standard cluster
> environments, but that is out of scope for this initial change.
>
> How does the community feel about this proposed change? Is this a good way to
> add initial support for authorizing a dynamic set of NiFi nodes in a dynamic
> cluster environment?
>
> Regards,
>
> Andy I.C.
>
> 1: https://issues.apache.org/jira/browse/NIFI-5542?filter=-2

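The behaviour discussed in this thread, as an added example that is not part of either message and is not NiFi code: a simplified Python model comparing a static node list with a "Node Group" resolved through a UserGroupProvider. The class names, the CN=node-N identities and the in-memory live_nodes set (standing in for a cluster membership source such as ZooKeeper) are assumptions.

```python
# Added illustration: a simplified model of the proposal, not NiFi code.
from dataclasses import dataclass, field

PROXY = "/proxy"  # resource named in the thread

@dataclass
class ClusterUserGroupProvider:
    """Hypothetical provider: group membership mirrors the live cluster nodes."""
    group_name: str
    live_nodes: set = field(default_factory=set)  # stand-in for e.g. ZooKeeper

    def groups_for(self, identity):
        return {self.group_name} if identity in self.live_nodes else set()

@dataclass
class PolicyProvider:
    """Model of a file-based policy provider whose policies are seeded at start-up."""
    user_policies: dict = field(default_factory=dict)   # resource -> identities
    group_policies: dict = field(default_factory=dict)  # resource -> group names

    def seed_static_nodes(self, node_identities):
        self.user_policies.setdefault(PROXY, set()).update(node_identities)

    def seed_node_group(self, group):
        self.group_policies.setdefault(PROXY, set()).add(group)

    def is_authorized(self, identity, resource, ugp=None):
        if identity in self.user_policies.get(resource, set()):
            return True
        groups = ugp.groups_for(identity) if ugp else set()
        return bool(groups & self.group_policies.get(resource, set()))

def scale_up_then_down():
    """Return /proxy decisions for a node added, then one removed, after start-up."""
    ugp = ClusterUserGroupProvider("cluster-nodes", {"CN=node-1", "CN=node-2"})
    static = PolicyProvider()
    static.seed_static_nodes({"CN=node-1", "CN=node-2"})  # constructed identities
    grouped = PolicyProvider()
    grouped.seed_node_group("cluster-nodes")

    ugp.live_nodes.add("CN=node-3")      # scale-up: new node joins the cluster
    after_add = (static.is_authorized("CN=node-3", PROXY),
                 grouped.is_authorized("CN=node-3", PROXY, ugp))
    ugp.live_nodes.discard("CN=node-2")  # scale-down: node leaves the cluster
    after_remove = (static.is_authorized("CN=node-2", PROXY),
                    grouped.is_authorized("CN=node-2", PROXY, ugp))
    return after_add, after_remove  # each pair is (static list, node group)
```

In this model the static list denies the new node and still authorizes the departed one, while the group-based policy follows cluster membership in both directions.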