Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

API call to /nifi-api/resources results in "No applicable policies could be found. Contact the system administrator."

Labels:
avatar
author-rank JohnF
Explorer

Created ‎02-09-2023 10:38 AM

Other API calls work such as to /nifi-api/tenants/user-groups.

 

I do not see an entry for /resources in authorizations.xml nor does there seem to be an entry VIA the gui policy editing.

 

NIFI 19.1...

2,291 Views
0 Kudos
0
2 ACCEPTED SOLUTIONS

avatar
author-rank JohnF
Explorer

Created on ‎02-10-2023 12:17 PM - last edited on ‎02-13-2023 09:42 AM by Community Manager Community Manager

Well, it looks like nifi does not create a policy for this by default. 
I added a policy to authorizations.xml as follows and it works:


<policy identifier="0c6d205e-9153-4bcd-9534-aeb029c65e10" resource="/resources" action="R">
       <group identifier="2c7ce5db-0186-1000-ffff-ffffdbb1315d"/>
</policy>



 

View solution in original post

2,239 Views
0 Kudos
0

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎02-13-2023 06:39 AM

@JohnF 

The NiFi Resource Identifier "/resources" exists to authorize third party authorizers like Apache Ranger to retrieve a list of all current NiFi Resource Identifiers (That returned list will change anytime some new component is added in NIFi).   In a NiFi setup to use a local authorization provider (fie-access-policy-provider) this NiFi Resource Identify would not need to be used. As NiFi is already aware of all policies in its UI for setting up policies.  So no need for it to be exposed.

When using some external Authorizer, it would then be that Authorizer that is providing the authorizations needed to NiFi and within that external Authorizer it could authorize the "/resources" NiFi resource Identifier, if it wanted to get that listing to facilitate easier authorization policy implementation by being able to present that list of Identifiers to the end user.

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

View solution in original post

2,177 Views
0 Kudos
0
4 REPLIES 4

avatar
author-rank JohnF
Explorer

Created ‎02-09-2023 10:50 AM

https://nifi-c2-d01.xxx.xxx:9443/nifi-api/policies/read/resources

Unable to find access policy for read on /resources

2,288 Views
0 Kudos

avatar
author-rank JohnF
Explorer

Created on ‎02-10-2023 12:17 PM - last edited on ‎02-13-2023 09:42 AM by Community Manager Community Manager

Well, it looks like nifi does not create a policy for this by default. 
I added a policy to authorizations.xml as follows and it works:


<policy identifier="0c6d205e-9153-4bcd-9534-aeb029c65e10" resource="/resources" action="R">
       <group identifier="2c7ce5db-0186-1000-ffff-ffffdbb1315d"/>
</policy>



 
2,240 Views
0 Kudos
0

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎02-13-2023 06:39 AM

@JohnF 

The NiFi Resource Identifier "/resources" exists to authorize third party authorizers like Apache Ranger to retrieve a list of all current NiFi Resource Identifiers (That returned list will change anytime some new component is added in NIFi).   In a NiFi setup to use a local authorization provider (fie-access-policy-provider) this NiFi Resource Identify would not need to be used. As NiFi is already aware of all policies in its UI for setting up policies.  So no need for it to be exposed.

When using some external Authorizer, it would then be that Authorizer that is providing the authorizations needed to NiFi and within that external Authorizer it could authorize the "/resources" NiFi resource Identifier, if it wanted to get that listing to facilitate easier authorization policy implementation by being able to present that list of Identifiers to the end user.

 

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

2,178 Views
0 Kudos
0

avatar
author-rank JohnF
Explorer

Created on ‎02-13-2023 09:51 AM - edited ‎02-13-2023 09:53 AM

It just seems odd that this policy isn't created by default as this is part of the REST api.  

 

Or better documented in the REST API docs...

2,154 Views
0 Kudos
Announcements
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements