@adwk67 adwk67 commented Dec 3, 2025

Description

See the note here: stackabletech/nifi-operator#877

...
This example demonstrates how to provide a static set of RBAC permissions for users that are fetched from an EntraID backend.
The user- and group-identifiers are those used by EntraID, but other UUIDs - such as for the policy identifiers - are automatically generated when required by NiFi or are honoured if UUIDs (which are unique, after all) are provided.
It is often helpful if the initial (or "root") process group is readable by the initial admin, and the NiFi code has been patched to make this possible.

Patching the root process group

The last sentence of the above paragraph is enabled with this patch. It requires that a custom property is set:

nifi.process.group.root.placeholder: "root"

Any policies entered in a custom authorizations.xml that have this as a suffix will be updated to contain the actual root process group ID, thus enabling users to pre-define an initial, actual (i.e. existing in the backend source such as EntraID) admin that has write access to this process group.

The initial flow requires that authorizations exist. Since the goal is to update the authorizations once the flow has an ID assigned, a callback mechanism is used that waits for the flow to be initialised so that the XML file can be updated with its UUID.

Testing can be done using the images built here (to save time):

oci.stackable.tech/sandbox/andrew/nifi:2.4.0-stackable0.0.0-dev
oci.stackable.tech/sandbox/andrew/nifi:2.6.0-stackable0.0.0-dev

Definition of Done Checklist

Note

Not all of these items are applicable to all PRs; the author should update this template to only leave the boxes in that are relevant.

Please make sure all these things are done and tick the boxes

  • Changes are OpenShift compatible
  • All added packages (via microdnf or otherwise) have a comment on why they are added
  • Things not downloaded from Red Hat repositories should be mirrored in the Stackable repository and downloaded from there
  • All packages should have (if available) signatures/hashes verified
  • Add an entry to the CHANGELOG.md file
  • Integration tests ran successfully
TIP: Running integration tests with a new product image

The image can be built and uploaded to the kind cluster with the following commands:

boil build <IMAGE> --image-version <RELEASE_VERSION> --strip-architecture --load
kind load docker-image <MANIFEST_URI> --name=<name-of-your-test-cluster>

See the output of boil to retrieve the image manifest URI for <MANIFEST_URI>.
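
The placeholder substitution described in the PR text above, modelled as an added Python example (not the patch's code and not part of the PR) over a constructed authorizations.xml, with a check that no policy is left pointing at the placeholder. It assumes the placeholder is the last path segment of a policy's resource attribute; the sample identifiers and the function names are made up for illustration.

```python
import uuid
import xml.etree.ElementTree as ET

PLACEHOLDER = "root"  # value of nifi.process.group.root.placeholder in the PR text
# Constructed sample; all identifiers are made up for illustration.
SAMPLE = """<authorizations>
  <policies>
    <policy identifier="11111111-1111-1111-1111-111111111111" resource="/process-groups/root" action="R">
      <user identifier="aaaaaaaa-0000-0000-0000-000000000001"/>
    </policy>
    <policy identifier="22222222-2222-2222-2222-222222222222" resource="/process-groups/root" action="W">
      <user identifier="aaaaaaaa-0000-0000-0000-000000000001"/>
    </policy>
    <policy identifier="33333333-3333-3333-3333-333333333333" resource="/flow" action="R">
      <group identifier="bbbbbbbb-0000-0000-0000-000000000002"/>
    </policy>
  </policies>
</authorizations>"""

def _is_placeholder(resource, placeholder):
    """True if the last path segment of the resource is the placeholder (assumption)."""
    _, sep, last = resource.rpartition("/")
    return bool(sep) and last == placeholder

def resolve_placeholder(xml_text, root_group_id, placeholder=PLACEHOLDER):
    """Return (rewritten XML, number of policies changed)."""
    uuid.UUID(root_group_id)  # raises ValueError for anything that is not a UUID
    tree = ET.fromstring(xml_text)
    changed = 0
    for policy in tree.iter("policy"):
        resource = policy.get("resource", "")
        if _is_placeholder(resource, placeholder):
            policy.set("resource", resource.rpartition("/")[0] + "/" + root_group_id)
            changed += 1
    return ET.tostring(tree, encoding="unicode"), changed

def unresolved(xml_text, placeholder=PLACEHOLDER):
    """Identifiers of policies whose resource still ends in the placeholder."""
    return [p.get("identifier") for p in ET.fromstring(xml_text).iter("policy")
            if _is_placeholder(p.get("resource", ""), placeholder)]

def actions_for(xml_text, principal, resource):
    """Sorted actions (R/W) granted to a user or group identifier on a resource."""
    return sorted(p.get("action") for p in ET.fromstring(xml_text).iter("policy")
                  if p.get("resource") == resource
                  and any(m.get("identifier") == principal for m in p))
```

Running `unresolved()` against the file after the flow has initialised shows whether any policy was missed, and `actions_for()` confirms the intended admin holds both R and W on the real root process group ID.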

@adwk67 adwk67 self-assigned this Dec 3, 2025
@adwk67 adwk67 marked this pull request as ready for review December 5, 2025 12:47

Development

Successfully merging this pull request may close these issues.

Patch root process group in static authorization files