
Create Policy for viewing data and modifying it

Open hamzabekkouri opened this issue 5 years ago • 1 comments

  • Nipyapi version: latest
  • NiFi version: 1.92
  • NiFi-Registry version:
  • Python version:3.7
  • Operating System: ubuntu

Description

Please, urgent help: when I add a user group to a specific policy, especially view and update data inside a process group, my problem is that when I create a policy inside a specific PG for the data policy, it is also created inside the root PG data policy, but I want it only inside my chosen PG.

What I Did

Get policy

    policy_view_data = security.get_access_policy_for_resource(resource="/data/process-groups/"+random_pg.id,action="read",r_id=random_pg.id,service="nifi",auto_create=True)
    policy_modify_data = security.get_access_policy_for_resource(resource="/data/process-groups/"+random_pg.id,action="write",r_id=random_pg.id,service="nifi",auto_create=True)

Add user Group to policy


    #security.add_user_group_to_access_policy(project_group,policy_view_data,service='nifi', refresh=True)
    #security.add_user_group_to_access_policy(project_group,policy_modify_data,service='nifi', refresh=True)

Urgency

Please give a brief description of how critical this issue is to you.
For example, if it's blocking your Production environment, or perhaps you are just notifying us of something you found but isn't blocking your workflow.

Please Help ASAP !! @Chaffelson

hamzabekkouri avatar Jan 29 '20 14:01 hamzabekkouri

You're not doing anything wrong per se, so much as you are not targeting the policy you think you are.

First, since it's not shown how the project_group variable is acquired, it's important to understand that the add_user_group_to_access_policy function requires a UserGroupEntity object, which can be obtained by using the get_service_user_group function. There are two main points regarding the get_service_user_group function:

  • Returns three different responses
    • None: if the group can't be found
    • UserGroupEntity: object representation of the group
    • List: contains multiple UserGroupEntity objects
  • The search is greedy and will return anything that matches the input string (identifier)

The following example is based on what was provided above:

    import nipyapi

    root_pg_id = nipyapi.canvas.get_root_pg_id()
    print("ROOT Canvas ID: " + root_pg_id)
    project_group = nipyapi.security.get_service_user_group('nifiadmins')
    print("Group Object Type", type(project_group))
    # root_pg_id is passed twice here: inside resource and again as r_id
    policy_view_data = nipyapi.security.get_access_policy_for_resource(resource="/data/process-groups/"+root_pg_id,action="read",r_id=root_pg_id,service="nifi",auto_create=True)
    print("View Policy: ", policy_view_data.component.resource)
    policy_modify_data = nipyapi.security.get_access_policy_for_resource(resource="/data/process-groups/"+root_pg_id,action="write",r_id=root_pg_id,service="nifi",auto_create=True)
    print("Modify Policy: ", policy_modify_data.component.resource)

Something that you will notice is that we can reference parts of objects afterwards. So when the policy object is returned, created or not, we can see the actual full policy name used/found.
Result:

ROOT Canvas ID: ad0fdd20-0170-1000-8c26-5909c0215f50
<class 'nipyapi.nifi.models.user_group_entity.UserGroupEntity'>
View Policy:  /data/process-groups/ad0fdd20-0170-1000-8c26-5909c0215f50/ad0fdd20-0170-1000-8c26-5909c0215f50
Modify Policy:  /data/process-groups/ad0fdd20-0170-1000-8c26-5909c0215f50/ad0fdd20-0170-1000-8c26-5909c0215f50

In this case the target policy is /data/process-groups/ad0fdd20-0170-1000-8c26-5909c0215f50/ad0fdd20-0170-1000-8c26-5909c0215f50. Notice how the UUID ad0fdd20-0170-1000-8c26-5909c0215f50 shows up twice. This is because the variable root_pg_id is referenced twice in the get_access_policy_for_resource function: once as part of the resource argument and once for the r_id (resource ID) argument.

Since policies are not directly tied to resources, the resource does not actually have to exist for the policy to be created, so we succeed, but because the resource data/process-groups/ad0fdd20-0170-1000-8c26-5909c0215f50/ad0fdd20-0170-1000-8c26-5909c0215f50 does not exist you will notice no change in the UI, at least not until a resource with that ID is created.

To fix the issue, remove one of the UUID references from the get_access_policy_for_resource function. If only the resource argument is used then the full path must be set; if using it in conjunction with the r_id argument, note that it will append the trailing / to the resource.
Modified Example:

    import nipyapi

    root_pg_id = nipyapi.canvas.get_root_pg_id()
    print("ROOT Canvas ID: " + root_pg_id)
    project_group = nipyapi.security.get_service_user_group('nifiadmins')
    print("Group Object Type", type(project_group))
    # The UUID now appears only once, via r_id
    policy_view_data = nipyapi.security.get_access_policy_for_resource(resource="/data/process-groups",action="read",r_id=root_pg_id,service="nifi",auto_create=True)
    print("View Policy: ", policy_view_data.component.resource)
    policy_modify_data = nipyapi.security.get_access_policy_for_resource(resource="/data/process-groups",action="write",r_id=root_pg_id,service="nifi",auto_create=True)
    print("Modify Policy: ", policy_modify_data.component.resource)
    # Assign the group to both data policies
    nipyapi.security.add_user_group_to_access_policy(project_group,policy_view_data,service='nifi', refresh=True)
    nipyapi.security.add_user_group_to_access_policy(project_group,policy_modify_data,service='nifi', refresh=True)

Now we can add in the add_user_group_to_access_policy function to have the group assigned to the policy. Note that this function will error if the resource identified by the policy does not exist or if the group is already applied to said policy.


The above was executed using the following versions:

  • NiFi 1.10.0
  • nipyapi 0.14.0
  • Python 3.6.8

Note: much of the above regarding the group functions will also apply to the user variants.

Amorik avatar Mar 11 '20 18:03 Amorik
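The two pitfalls named in the answer above (the UUID ending up in the policy path twice, and the greedy group search) can be checked before a group is bound to a policy. This is an added example, not code from the thread or from nipyapi: the helper names and the second group name are hypothetical, the sample objects are constructed, and it assumes a group entity exposes its name as `component.identity`.

```python
import re
from types import SimpleNamespace

UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def effective_policy_resource(resource, r_id=None):
    """Model of the joining described above: r_id is appended to resource after a '/'."""
    base = "/" + resource.strip("/")
    return f"{base}/{r_id}" if r_id else base


def check_policy_target(policy_resource, pg_id, prefix="/data/process-groups"):
    """Return None if the policy names exactly prefix/pg_id, else a reason string."""
    ids = UUID_RE.findall(policy_resource)
    if len(ids) > 1:
        return f"resource carries {len(ids)} UUIDs, expected 1: {policy_resource}"
    if policy_resource != f"{prefix}/{pg_id}":
        return f"resource {policy_resource} is not {prefix}/{pg_id}"
    return None


def pick_exact_group(result, identity):
    """Reduce the None / entity / list result of a greedy search to one exact match."""
    if result is None:
        raise LookupError(f"no group matches {identity!r}")
    candidates = result if isinstance(result, list) else [result]
    exact = [g for g in candidates if g.component.identity == identity]
    if len(exact) != 1:
        names = [g.component.identity for g in candidates]
        raise LookupError(f"expected exactly one {identity!r}, search returned {names}")
    return exact[0]


def make_group(name):
    """Constructed stand-in for a group entity (assumed shape: component.identity)."""
    return SimpleNamespace(component=SimpleNamespace(identity=name))


PG_ID = "ad0fdd20-0170-1000-8c26-5909c0215f50"  # UUID from the thread's printed output

if __name__ == "__main__":
    doubled = effective_policy_resource("/data/process-groups/" + PG_ID, PG_ID)
    fixed = effective_policy_resource("/data/process-groups", PG_ID)
    print(check_policy_target(doubled, PG_ID))
    print(check_policy_target(fixed, PG_ID))
    greedy = [make_group("nifiadmins"), make_group("nifiadmins-readonly")]
    print(pick_exact_group(greedy, "nifiadmins").component.identity)
```

With a live NiFi, the same checks would be applied to `policy.component.resource` and to the value returned by `get_service_user_group` before calling `add_user_group_to_access_policy`.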