Implement Policies in NiFi

Find can apply policies to documents using Apache NiFi. This section describes how to set up a NiFi dataflow to process requests from Find.

To obtain a list of policies that can be applied, Find sends an action=ListActions request to NiFi. It also includes the Username and UserRoles parameter, with the current Find user and their Find-specific roles.

Find expects the response to contain a list of actions, where each action represents a policy. The following XML is an example response which indicates that the NiFi dataflow implements two policy actions, action=Policy1 and action=Policy2. The display names are the names that will be displayed in Find.

<actions>
    <action>
        <id>Policy1</id>
        <displayName>My first policy</displayName>
    </action>
    <action>
        <id>Policy2</id>
        <displayName>My second policy</displayName>
    </action>
</actions>

You must configure a dataflow that provides this response and implements the policies. The following image shows a simple example that you can use as a starting point.

The following image shows the configuration of the HandleAciRequest processor.

A dynamic property named listactions (with the value listactions) has been added, so that requests for action=ListActions are routed to an output relationship called listactions. This relationship is connected to a ReplaceText processor. The listactions action has also been configured as a synchronous action (see the Synchronous Actions property).

A second dynamic property named Policy1 (with the value Policy1) routes requests for action=Policy1 to an output relationship called Policy1. You can add additional output relationships for other policy actions that you implement.

The following image shows the configuration of the ReplaceText processor.

This processor provides the ListActions response. The action response is hard-coded using the Replacement Value property. FlowFiles successfully processed by the ReplaceText processor are routed to the HandleAciResponse processor.

When a Find user applies a policy, Find sends a request to the chosen ACI action. Your NiFi dataflow should process the request and provide a response through the HandleAciResponse processor. Each request that Find sends to NiFi includes the following parameters:

StateMatchId An IDOL stored state token that corresponds to the search that the user wants to apply the policy to.
SecurityInfo The security info string needed to view the user's documents.
Username The name of the Find user applying the policy.
UserRoles A comma-separated list of Find-specific roles that the user has from Community (this can include: FindUser, FindBI, and FindAdmin)
SearchName The name of the search, in Find, that the user applies the policy to (either a saved query, saved snapshot, or unsaved query).
Label An additional label that can be supplied by the user when applying a policy in Find.