API call to /nifi-api/resources results in "No applicable policies could be found. Contact the system administrator."

Explorer

Other API calls work such as to /nifi-api/tenants/user-groups.

I do not see an entry for /resources in authorizations.xml, nor does there seem to be an entry via the GUI policy editing.

NIFI 19.1...

2 ACCEPTED SOLUTIONS

Explorer

Well, it looks like NiFi does not create a policy for this by default.
I added a policy to authorizations.xml as follows and it works:

<policy identifier="0c6d205e-9153-4bcd-9534-aeb029c65e10" resource="/resources" action="R">
    <group identifier="2c7ce5db-0186-1000-ffff-ffffdbb1315d"/>
</policy>

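An added example, not part of the original post or of NiFi itself: a small audit of authorizations.xml that reports whether a resource/action pair has a policy and whether it is granted only to the intended principals. The function names, the wrapping `<authorizations>`/`<policies>` elements and the `/flow` entry are assumptions made for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the /resources policy is the one quoted in the post; the
# /flow policy and its user identifier are made up for the demonstration.
SAMPLE = """<authorizations>
  <policies>
    <policy identifier="0c6d205e-9153-4bcd-9534-aeb029c65e10" resource="/resources" action="R">
      <group identifier="2c7ce5db-0186-1000-ffff-ffffdbb1315d"/>
    </policy>
    <policy identifier="00000000-0000-0000-0000-000000000001" resource="/flow" action="R">
      <user identifier="00000000-0000-0000-0000-0000000000aa"/>
    </policy>
  </policies>
</authorizations>"""


def load_policies(xml_text):
    """Map (resource, action) -> list of policies with their users and groups."""
    policies = {}
    for pol in ET.fromstring(xml_text).iter("policy"):
        key = (pol.get("resource"), pol.get("action"))
        policies.setdefault(key, []).append({
            "identifier": pol.get("identifier"),
            "users": sorted(u.get("identifier") for u in pol.findall("user")),
            "groups": sorted(g.get("identifier") for g in pol.findall("group")),
        })
    return policies


def audit(xml_text, resource, action, allowed_groups=(), allowed_users=()):
    """Return findings for one resource/action pair; an empty list means no surprises."""
    entries = load_policies(xml_text).get((resource, action), [])
    if not entries:
        return [f"no policy for {action} on {resource}"]
    findings = []
    if len(entries) > 1:
        findings.append(f"{len(entries)} policies for {action} on {resource}")
    for e in entries:
        extra = [f"group {g}" for g in e["groups"] if g not in allowed_groups]
        extra += [f"user {u}" for u in e["users"] if u not in allowed_users]
        findings += [f"unexpected {x} in policy {e['identifier']}" for x in extra]
    return findings


if __name__ == "__main__":
    group = "2c7ce5db-0186-1000-ffff-ffffdbb1315d"
    print(audit(SAMPLE, "/resources", "R", allowed_groups={group}))
    print(audit(SAMPLE, "/resources", "W", allowed_groups={group}))
```

Running the same check against the live file after a manual edit confirms that read access to `/resources` went only to the group that was meant to receive it.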

Master Mentor

@JohnF 

The NiFi Resource Identifier "/resources" exists to authorize third-party authorizers like Apache Ranger to retrieve a list of all current NiFi Resource Identifiers (that returned list will change anytime some new component is added in NiFi). In a NiFi set up to use a local authorization provider (file-access-policy-provider), this NiFi Resource Identifier would not need to be used, as NiFi is already aware of all policies in its UI for setting up policies, so there is no need for it to be exposed.

When using some external Authorizer, it would then be that Authorizer that is providing the authorizations needed to NiFi, and within that external Authorizer it could authorize the "/resources" NiFi Resource Identifier, if it wanted to get that listing to facilitate easier authorization policy implementation by being able to present that list of Identifiers to the end user.


Thank you,

Matt


4 REPLIES

Explorer

https://nifi-c2-d01.xxx.xxx:9443/nifi-api/policies/read/resources

Unable to find access policy for read on /resources


Explorer

It just seems odd that this policy isn't created by default, as this is part of the REST API.

Or better documented in the REST API docs...