stackabletech · maltesander · Jan 14, 2026 · Jan 5, 2026 · Jan 5, 2026 · Jan 5, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,13 +4,19 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- BREAKING: Reworked authorization config to closer match the Apache NiFi internal autorizer interfaces ([#884]).
+
 ### Fixed
 
 - Also listen on the loopback interface so that k8s port-forwards work ([#870]).
-- The operator now utilizes the `.spec.clusterConfig.authorization.opa.package` property instead of hard-coding the package name to `nifi`  ([#881]).
+- The operator now utilizes the `.spec.clusterConfig.authorization.opa.package` property instead of hard-coding the package name to `nifi` ([#881]).
+- An `initialAdminUser` can now be provided for file-based authorization (e.g. LDAP) ([#884]).
 
 [#870]: https://github.com/stackabletech/nifi-operator/pull/870
 [#881]: https://github.com/stackabletech/nifi-operator/pull/881
+[#884]: https://github.com/stackabletech/nifi-operator/pull/884
 
 ## [25.11.0] - 2025-11-07
 

diff --git a/deploy/helm/nifi-operator/crds/crds.yaml b/deploy/helm/nifi-operator/crds/crds.yaml
@@ -69,18 +69,25 @@ spec:
                         type: object
                       type: array
                     authorization:
+                      default:
+                        singleUser: {}
                       description: |-
                         Authorization options.
                         Learn more in the [NiFi authorization usage guide](https://docs.stackable.tech/home/nightly/nifi/usage-guide/security#authorization).
-                      nullable: true
+                      oneOf:
+                        - required:
+                            - opa
+                        - required:
+                            - singleUser
+                        - required:
+                            - standard
                       properties:
                         opa:
                           description: |-
                             Configure the OPA stacklet [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery)
                             and the name of the Rego package containing your authorization rules.
                             Consult the [OPA authorization documentation](https://docs.stackable.tech/home/nightly/concepts/opa)
                             to learn how to deploy Rego authorization rules with OPA.
-                          nullable: true
                           properties:
                             cache:
                               default:
@@ -113,6 +120,26 @@ spec:
                           required:
                             - configMapName
                           type: object
+                        singleUser:
+                          type: object
+                        standard:
+                          properties:
+                            accessPolicyProvider:
+                              oneOf:
+                                - required:
+                                    - fileBased
+                              properties:
+                                fileBased:
+                                  properties:
+                                    initialAdminUser:
+                                      type: string
+                                  required:
+                                    - initialAdminUser
+                                  type: object
+                              type: object
+                          required:
+                            - accessPolicyProvider
+                          type: object
                       type: object
                     createReportingTaskJob:
                       default:

diff --git a/docs/modules/nifi/pages/usage_guide/security.adoc b/docs/modules/nifi/pages/usage_guide/security.adoc
@@ -15,7 +15,7 @@
 NiFi sets up TLS encryption for the http endpoints that serve the UI.
 By default, this interface is secured using certificates generated to work with the default SecretClass `tls`.
 
-Nifi can be configured to use a different SecretClass as shown below:
+NiFi can be configured to use a different SecretClass as shown below:
 
 [source, yaml]
 ----
@@ -39,7 +39,7 @@ All authentication related parameters are configured under `spec.clusterConfig.a
 === Single user
 
 The `Single user` allows the creation of one admin user for NiFi.
-This is a rudimentary authentication method to quickly test and log in to the canvas.
+This is a rudimentary authentication method to quickly test and log into the canvas.
 However, due to it being a single user with all rights, this is not recommended in production.
 
 [source, yaml]
@@ -171,27 +171,47 @@ stringData:
 [#authorization]
 == Authorization
 
-The Stackable Operator for Apache NiFi supports {nifi-docs-authorization}[multiple authorization methods], the available authorization methods depend on the chosen authentication method. Using Open Policy Agent for authorization is independent of the authentication method.
+The Stackable Operator for Apache NiFi supports {nifi-docs-authorization}[multiple authorization methods].
 
 [#authorization-single-user]
 === Single user
 
 With this authorization method, a single user has administrator capabilities.
 
-[#authorization-ldap]
-=== LDAP
+[source,yaml]
+----
+apiVersion: nifi.stackable.tech/v1alpha1
+kind: NifiCluster
+metadata:
+  name: test-nifi
+spec:
+  clusterConfig:
+    authorization:
+      singleUser: {}
+----
 
-The operator uses the {nifi-docs-fileusergroupprovider}[`FileUserGroupProvider`] and {nifi-docs-fileaccesspolicyprovider}[FileAccessPolicyProvider] to bind the LDAP user to the NiFi administrator group.
-This user is then able to create and modify groups and policies in the web interface.
-These changes local to the Pod running NiFi and are *not* persistent.
+[#authorization-standard]
+=== Standard
 
-[#authorization-oidc]
-=== OIDC
+This refers to NiFis `StandardManagedAuthorizer`, using the `UserGroupProvider` and `AccessPolicyProvider` for authorization.
+The Stackable operator for Apache NiFi only supports the file-based `FileUserGroupProvider` and `FileAccessPolicyProvider` implementations.
 
-With this authorization method, all authenticated users have administrator capabilities.
+[source,yaml]
+----
+apiVersion: nifi.stackable.tech/v1alpha1
+kind: NifiCluster
+metadata:
+  name: test-nifi
+spec:
+  clusterConfig:
+    authorization:
+      standard:
+        accessPolicyProvider:
+          fileBased:
+            initialAdminUser: "cn=admin,ou=users,dc=example,dc=org"
+----
 
-An admin user with an auto-generated password is created that can access the NiFi API.
-The password for this user is stored in a Kubernetes Secret called `<nifi-name>-oidc-admin-password`.
+This configuration provides an additional PVC to NiFi pods in order to read and persist the `users.xml` and `authorizations.xml`.
 
 [#authorization-opa]
 === Open Policy Agent (OPA)

diff --git a/rust/operator-binary/src/config/jvm.rs b/rust/operator-binary/src/config/jvm.rs
@@ -9,7 +9,7 @@ use crate::{
     crd::{NifiConfig, NifiConfigFragment, NifiNodeRoleConfig},
     security::{
         authentication::{STACKABLE_SERVER_TLS_DIR, STACKABLE_TLS_STORE_PASSWORD},
-        authorization::NifiAuthorizationConfig,
+        authorization::ResolvedNifiAuthorizationConfig,
     },
 };
 
@@ -35,7 +35,7 @@ pub fn build_merged_jvm_config(
     merged_config: &NifiConfig,
     role: &Role<NifiConfigFragment, NifiNodeRoleConfig, JavaCommonConfig>,
     role_group: &str,
-    authorization_config: Option<&NifiAuthorizationConfig>,
+    authorization_config: Option<&ResolvedNifiAuthorizationConfig>,
 ) -> Result<JvmArgumentOverrides, Error> {
     let heap_size = MemoryQuantity::try_from(
         merged_config

diff --git a/rust/operator-binary/src/config/mod.rs b/rust/operator-binary/src/config/mod.rs
@@ -37,6 +37,7 @@ pub mod jvm;
 
 pub const NIFI_CONFIG_DIRECTORY: &str = "/stackable/nifi/conf";
 pub const NIFI_PYTHON_WORKING_DIRECTORY: &str = "/nifi-python-working-directory";
+pub const NIFI_PVC_STORAGE_DIRECTORY: &str = "/stackable/data";
 
 pub const NIFI_BOOTSTRAP_CONF: &str = "bootstrap.conf";
 pub const NIFI_PROPERTIES: &str = "nifi.properties";
@@ -69,7 +70,7 @@ impl NifiRepository {
     }
 
     pub fn mount_path(&self) -> String {
-        format!("/stackable/data/{}", self)
+        format!("{NIFI_PVC_STORAGE_DIRECTORY}/{}", self)
     }
 }
 
@@ -115,7 +116,7 @@ pub fn build_bootstrap_conf(
     overrides: BTreeMap<String, String>,
     role: &Role<NifiConfigFragment, NifiNodeRoleConfig, JavaCommonConfig>,
     role_group: &str,
-    authorization_config: Option<&crate::security::authorization::NifiAuthorizationConfig>,
+    authorization_config: Option<&crate::security::authorization::ResolvedNifiAuthorizationConfig>,
 ) -> Result<String, Error> {
     let mut bootstrap = BTreeMap::new();
     // Java command to use when running NiFi