apache-nifi

How to use restricted NiFi processors?


I want to use NiFi processors that are listed as restricted. Although I have searched for information, I can't quite understand how they work. I have found some information here: https://community.cloudera.com/t5/Community-Articles/NIFI-RESTRICTED-COMPONENTS-POLICY-DESCRIPTIONS/ta-p/249157

I understand that they are processors that could execute code and therefore be unsafe for the system. And that you need permission to use them. But I can't quite understand if they are insecure for my application and my data or NiFi. I don't really understand what they mean in the article by "Users can only be restricted from adding such components in NiFi if NiFi has been secured. Users of an unsecured NiFi will always have access to all components."

In the end, it does not clarify much for me. I want to know if I can use them without exposing the security of my application or if I need permission to use them. And if you need permits, how do you get them?

Excuse me, I am totally new to NiFi, I have literally put 5 simple processors in.


Solution

  • In a secured NiFi cluster there are many policies (access flow, read flow, write flow, ...) to be set up for groups/users by the initial admin or the admins of the cluster. One of these policies is restricted-components. As you mentioned in your post, the role of restricted components (GetFile, PutFile, ...) is to execute scripts on the host holding the NiFi node, fetch files from the host, put files on the host, etc. To have permission to use these processors you need "write" permission on the restricted-components policy. For that, you need to contact the cluster administrator(s) to give you this authorization. It can be done from the NiFi UI or the NiFi API.

    "Users can only be restricted from adding such components in NiFi if NiFi has been secured. Users of an unsecured NiFi will always have access to all components." => This means that if the cluster is secured, there are necessarily authorizations set up, either automatically by NiFi (the initial admin with all the privileges) or by the administrators of the cluster customizing the authorizations. So, to have access to restricted-components processors you need write permission on the restricted-components policy; conversely, if the cluster is not secured, no authorization is set up, so all processors are accessible.
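
For an administrator who wants to see who currently holds that write permission, here is an added example (not part of the original answer and not NiFi's own code) that audits the restricted-components policies. It assumes the file-based user group and access policy providers, which store tenants in users.xml and policies in authorizations.xml. The XML below is constructed sample data, and the check goes slightly beyond the answer by also covering per-category sub-policies such as /restricted-components/execute-code.

```python
import xml.etree.ElementTree as ET

# Constructed sample data in the layout of NiFi's file-based providers
# (users.xml / authorizations.xml); identifiers and identities are made up.
USERS_XML = """<tenants>
  <groups>
    <group identifier="g-1" name="flow-admins"><user identifier="u-2"/></group>
  </groups>
  <users>
    <user identifier="u-1" identity="CN=admin, OU=NIFI"/>
    <user identifier="u-2" identity="CN=alice, OU=NIFI"/>
    <user identifier="u-3" identity="CN=bob, OU=NIFI"/>
  </users>
</tenants>"""

AUTHZ_XML = """<authorizations>
  <policies>
    <policy identifier="p-1" resource="/flow" action="R">
      <user identifier="u-1"/><user identifier="u-2"/><user identifier="u-3"/>
    </policy>
    <policy identifier="p-2" resource="/restricted-components" action="W">
      <user identifier="u-1"/>
    </policy>
    <policy identifier="p-3" resource="/restricted-components/execute-code" action="W">
      <group identifier="g-1"/>
    </policy>
  </policies>
</authorizations>"""

def restricted_component_grants(users_xml, authz_xml):
    """Map each restricted-components write policy to the identities holding it."""
    tenants = ET.fromstring(users_xml)
    names = {u.get("identifier"): u.get("identity") for u in tenants.iterfind("users/user")}
    members = {g.get("identifier"): [m.get("identifier") for m in g.iterfind("user")]
               for g in tenants.iterfind("groups/group")}
    grants = {}
    for pol in ET.fromstring(authz_xml).iterfind("policies/policy"):
        res = pol.get("resource", "")
        restricted = res == "/restricted-components" or res.startswith("/restricted-components/")
        if not restricted or pol.get("action") != "W":
            continue
        ids = [u.get("identifier") for u in pol.iterfind("user")]
        for g in pol.iterfind("group"):
            ids.extend(members.get(g.get("identifier"), []))  # expand group membership
        # Identifiers missing from users.xml are reported, not silently dropped.
        grants[res] = sorted({names.get(i, f"<unknown:{i}>") for i in ids})
    return grants

if __name__ == "__main__":
    for resource, who in restricted_component_grants(USERS_XML, AUTHZ_XML).items():
        print(resource, "->", ", ".join(who))
```

In the sample, bob can view the flow but appears in no restricted-components policy, so on a secured instance he could not add processors such as GetFile or PutFile.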