Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

API call to /nifi-api/resources results in "No applicable policies could be found. Contact the system administrator."

Labels:
avatar
author-rank JohnF
Explorer

Created ‎02-09-2023 10:38 AM

Other API calls work such as to /nifi-api/tenants/user-groups.

 

I do not see an entry for /resources in authorizations.xml nor does there seem to be an entry VIA the gui policy editing.

 

NIFI 19.1...

1,901 Views
0 Kudos
2 ACCEPTED SOLUTIONS

avatar
author-rank JohnF
Explorer

Created on ‎02-10-2023 12:17 PM - last edited on ‎02-13-2023 09:42 AM by Community Manager Community Manager

Well, it looks like nifi does not create a policy for this by default. 
I added a policy to authorizations.xml as follows and it works:


<policy identifier="0c6d205e-9153-4bcd-9534-aeb029c65e10" resource="/resources" action="R">
       <group identifier="2c7ce5db-0186-1000-ffff-ffffdbb1315d"/>
</policy>



 

View solution in original post

1,849 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎02-13-2023 06:39 AM

@JohnF 

The NiFi Resource Identifier "/resources" exists to authorize third party authorizers like Apache Ranger to retrieve a list of all current NiFi Resource Identifiers (That returned list will change anytime some new component is added in NIFi).   In a NiFi setup to use a local authorization provider (fie-access-policy-provider) this NiFi Resource Identify would not need to be used. As NiFi is already aware of all policies in its UI for setting up policies.  So no need for it to be exposed.

When using some external Authorizer, it would then be that Authorizer that is providing the authorizations needed to NiFi and within that external Authorizer it could authorize the "/resources" NiFi resource Identifier, if it wanted to get that listing to facilitate easier authorization policy implementation by being able to present that list of Identifiers to the end user.

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

1,787 Views
0 Kudos
4 REPLIES 4

avatar
author-rank JohnF
Explorer

Created ‎02-09-2023 10:50 AM

https://nifi-c2-d01.xxx.xxx:9443/nifi-api/policies/read/resources

Unable to find access policy for read on /resources

1,898 Views
0 Kudos

avatar
author-rank JohnF
Explorer

Created on ‎02-10-2023 12:17 PM - last edited on ‎02-13-2023 09:42 AM by Community Manager Community Manager

Well, it looks like nifi does not create a policy for this by default. 
I added a policy to authorizations.xml as follows and it works:


<policy identifier="0c6d205e-9153-4bcd-9534-aeb029c65e10" resource="/resources" action="R">
       <group identifier="2c7ce5db-0186-1000-ffff-ffffdbb1315d"/>
</policy>



 
1,850 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎02-13-2023 06:39 AM

@JohnF 

The NiFi Resource Identifier "/resources" exists to authorize third party authorizers like Apache Ranger to retrieve a list of all current NiFi Resource Identifiers (That returned list will change anytime some new component is added in NIFi).   In a NiFi setup to use a local authorization provider (fie-access-policy-provider) this NiFi Resource Identify would not need to be used. As NiFi is already aware of all policies in its UI for setting up policies.  So no need for it to be exposed.

When using some external Authorizer, it would then be that Authorizer that is providing the authorizations needed to NiFi and within that external Authorizer it could authorize the "/resources" NiFi resource Identifier, if it wanted to get that listing to facilitate easier authorization policy implementation by being able to present that list of Identifiers to the end user.

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

1,788 Views
0 Kudos

avatar
author-rank JohnF
Explorer

Created on ‎02-13-2023 09:51 AM - edited ‎02-13-2023 09:53 AM

It just seems odd that this policy isn't created by default as this is part of the REST api.  

 

Or better documented in the REST API docs...

1,764 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements