Apache NiFi: Bootstrap UserGroups and Policies with a file based provider

Question

Is it possible to bootstrap UserGroups and Policies with a file based provider?
Currently we use org.apache.nifi.authorization.FileUserGroupProvider to bootstrap an Initial User Identity and org.apache.nifi.authorization.FileAccessPolicyProvider to bootstrap the Initial Admin Identity when setting up a NiFi instance.
I inspected the code of the FileUserGroupProvider as well as the Authorizers.xml Setup in the Administration Guide and I couldn't find anything about bootstrapping UserGroups. I guess the same goes with bootstrapping AccessPolicies using the FileAccessPolicyProvider. I know that it is possible using LDAP, but we don't use that right now.
I already found a similar question her on StackOverflow but the solution is not satisfactory, as we don't want to use the nifi-api for that task, if not absolutely necessary. So what I would do is writing a new file based UserGroupProvider and AccessPolicyProvider to fulfill that task.
Is that the only possibility?
Would I use the CompositeUserGroupProvider or the CompositeConfigurableUserGroupProvider for that, so instead of re-implementing the functionality of the FileUserGroupProvider and adding my custom implementation could I use this to combine the functionality?
Meaning something like this:

<userGroupProvider>
  <identifier>composite-user-group-provider</identifier>
  <class>org.apache.nifi.authorization.CompositeUserGroupProvider</class>
  <property name="User Group Provider 1">org.apache.nifi.authorization.FileUserGroupProvider</property>
  <property name="User Group Provider 2">MyFileUserGroupProvider</property>
</userGroupProvider>

How would the configuration look like in the authorizers.xml file?

If my assumption about how to use a CompositeProvider is correct, is there something similar for bootstrapping Policies?

Answer 1

If I understand correctly, you want to automate setting users, groups, and policies to fixed, predefined values.

I would recommend using the FileUserGroupProvider and the FileAccessPolicyProvider, as those both give you the ability to configure users, groups, and policies directly in NiFi itself. You should not have to create custom implementations of a UserGroupProvider or AccessPolicyProvider unless you need to customize the functionality beyond what the included filed-based providers can supply.

You said you did not want to use the nifi-api, by which I assume you mean the HTTP REST API. (I am not trying to be pedantic, there is actually a library called nifi-api that is a collection of Java interfaces for nifi developers to use in writing extensions.) The REST APi is a good option I would normally recommend, as there are guarantees on backwards compatibility on for NiFI 1.x going forward, but it is not the only way to achieve what you want to do.

You can create users.xml and authorizations.xml files manually (or scripted), outside of NiFi, and you just have to configure the FileUserGroupProvider and AccessUserGroupProvider to use those files (or copy them to the default location for those files in the conf directory). On startup, NiFi reads the contents of these files into memory to create users, groups, and access policies. The Initial User and Initial Admin properties are only used to automate populating these files when they are absent or empty, so if you provide your own copies of these files, they will be used.

The structure of these XML files is fairly simple to create. You can use a NiFi instance to create users, groups, and policies through the UI, and see what is written to these files. You can then create them however you like: the NiFi UI, by hand, or scripted from another source file. Once you have the files created, you can do the "bootstrapping" part by placing them in the NiFi conf dir and (re)starting it. NiFi does not regenerate or modify these files unless users, groups, and policies are modified in the UI.

The only downside with these approach is that these files are not guaranteed to have a stable schema going forward. So new fields could be added or changed over time. That said, they have been stable for the last several versions of NiFi.