question Re: No applicable policy found error while login to nifi in Support Questions

No applicable policy found error while login to nifi

shamika — Wed, 12 Jul 2023 11:06:02 GMT

Logs from nifi-app.log file

ERROR [nifi.async.multi_dest.batch_nifi.async.multi_dest.batch.solr_destWriter] o.a.s.client.solrj.impl.CloudSolrClient Request to collection ranger_audits failed due to (401) org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://<hostname>:8886/solr/ranger_audits_shard1_replica_n1: Expected mime type application/octet-stream but got text/html. <html>

<head>

<title>Error 401 Authentication required</title>

</head>

<body><h2>HTTP ERROR 401</h2>

<p>Problem accessing /solr/ranger_audits_shard1_replica_n1/update. Reason:

<pre> Authentication required</pre></p>

</body>

</html>

, retry? 0

Pfa the error attachment

Re: No applicable policy found error while login to nifi

MattWho — Wed, 12 Jul 2023 13:44:32 GMT

@shamika
When you log in to NiFi, you'll want to inspect the nifi-user.log to see the exact exception and NiFi policy that the authenticated user is missing authorization for. The screenshot you shared above that appears right after successful authentication implies that your authenticated user's identity string (you see this in nifi-user.log) is not authorized on the "view the user interface" NiFi Policy (/flow NiFi resource Identifier in Ranger).

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Re: No applicable policy found error while login to nifi

shamika — Wed, 12 Jul 2023 15:33:30 GMT

Can you please suggest what things i need chacke in ranger policy to resolve this no applicable policy issue

Re: No applicable policy found error while login to nifi

MattWho — Wed, 12 Jul 2023 18:44:34 GMT

@shamika
You need to check the nifi-user.log to see your exact user identity string which is being denied when trying to view the user interface. That exact user identity string (case sensitive) must then exist as a user in Ranger service and be authorized fro Read on the "/flow" NiFi Resource identifier under the NIFI service in service manager.

You can find a full list of NiFi Resource Identifier descriptions in the following Cloudera Community article and how they relate to the policies within the NiFi service:
https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/246586

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Re: No applicable policy found error while login to nifi

shamika — Thu, 13 Jul 2023 08:23:13 GMT

I checked the ranger policy into that /flow having acess group nd user acess for username and group.

Which its menstion in nifi-user.log

-07-12 10:46:36,228 WARN [NiFi Web Server-262] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.dn was found, but was empty

2023-07-12 10:46:40,796 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://hostname:9091/nifi-api/flow/current-user (source ip:<xy87284hdsshdg)>

2023-07-12 10:46:40,798 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser

2023-07-12 10:46:40,800 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[myuser], groups[bigG, bigdGer] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response

Re: No applicable policy found error while login to nifi

Ganesha — Thu, 13 Jul 2023 09:53:52 GMT

Have a same issue, when you'll know how to solve it, tag me please

Re: No applicable policy found error while login to nifi

shamika — Thu, 13 Jul 2023 13:27:12 GMT

Sure, if you got the fix. Let me know 🙂

Re: No applicable policy found error while login to nifi

gtorres — Fri, 14 Jul 2023 19:05:29 GMT

The nifi-user.log is showing the user "myuser", which belongs to the groups "bigG, bigdGer", does not have access to the /flow resource. You can check on the Ranger audit section, for the resource that is denied, then give access to the groups or the username to this resource.

Re: No applicable policy found error while login to nifi

MattWho — Fri, 14 Jul 2023 21:27:15 GMT

@shamika

NiFi based authorization is case sensitive.

the nifi-user.log is telling you that your successfully authenticated user "myuser" is known by NiFi to belong to groups "bigG" and "bigdGer". In Ranger you'll need to make sure that yoru user "myuser" or one of these groups "bigG" and/or "bigdGer" has been authorized for "READ" on the "/flow" NiFi resource Identifier. If Ranger has the group as "bigg" or "BIGG", "bigDGER", etc it will not work because NiFi is case sensitive.

You could also share your authorizers.xml if you'd like use to verify your configuration there.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt