Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Getting "No applicable policies could be found. Contact the system administrator." when running a curl command on a NiFi API Endpoint

Labels:
avatar
author-rank josh_nicholson
Expert Contributor

Created ‎01-19-2018 04:31 PM

First I ran the following command to get an authentication token and verified it this command worked by echoing $token.

token=$(curl -k -X POST --negotiate -u : https://<nifi-hostname>:9091/nifi-api/access/kerberos)

Then I tried to get one of the processor groups by running this command but got "No applicable policies could be found. Contact the system administrator."

curl -k -X GET "https://<nifi-hostname>:9091/nifi-api/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" -H "Authorization: Bearer $token"

I am able to access the NiFi UI and have my given myself access to * for the NiFi Resource Identifier in Ranger.

Additionally if I use Google Chrome I am am able to browse to this link and view the JSON, I'm just not able to execute the curl.

I executed all of the above commands on the NiFi node I am trying to curl to.

10,191 Views
0 Kudos
5 REPLIES 5

avatar
author-rank bbende author-rank
Master Guru

Created ‎01-19-2018 04:51 PM

Can you see what is in nifi-user.log when you make the curl request?

8,215 Views
0 Kudos

avatar
author-rank josh_nicholson
Expert Contributor

Created on ‎01-19-2018 06:29 PM - edited ‎08-17-2019 10:21 PM

Here's what I see there.

2018-01-19 11:30:24,421 INFO [NiFi Web Server-284700] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<myuser@realm><hostname><CN=hostname, OU=myorg, O=mycompany, L=mylocation, ST=mystate, C=US>) GET https:/<hostname>:9091/nifi-api/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a
2018-01-19 11:30:24,421 INFO [NiFi Web Server-284700] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for <myuser>@<realm>
2018-01-19 11:30:24,421 INFO [NiFi Web Server-284700] o.a.n.w.a.c.AccessDeniedExceptionMapper <myuser>@<realm> does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

Edit: I actually was sort of able to resolve this. For some reason the curl command is sending myuser@realm instead of just myuser, which is what I gave access to in Ranger. When I granted myuser@realm access in Ranger, the curl command worked. So the question is why am I able to login to the UI by just granting myuser access but in order to curl I have to give myuser@realm access?

Edit 2: I'm thinking it's due to the way I have the pattern mapping configured.

57382-screen-shot-2018-01-19-at-20634-pm.png

I'm guessing when I log into the UI it's using kerberos, and then when I'm running a curl it's using the CN, which is myuser@realm instead of just myuser. Is it possible to configure so I can just use myuser?

8,215 Views
0 Kudos

avatar
author-rank bbende author-rank
Master Guru

Created ‎01-19-2018 07:09 PM

Ok, it is interesting is that you mentioned you can put the URL in Google Chrome and get the JSON back...

Do you have a client certificate in your browser for NiFi?

In your curl examples you are using Kerberos...

Normally the first time you hit the UI, it exchanges the Kerberos ticket for a JWT (just like you were doing to get the token) and then it puts the JWT in local storage of your browser. On every request after that the UI code will send the Authorization header with the JWT from local storage.

When you put the API URL directly into your browser, none of NiFi's UI code is running, so there isn't anything that would perform the ticket exchange, and nothing that would send the Authorization header. So I wouldn't expect that to work unless you had a client certificate in your browser.

You may want to compare the nifi-user.log above, to one when you access the URL from Chrome to see if the requests are being made as the same identities.

8,215 Views
0 Kudos

avatar
author-rank josh_nicholson
Expert Contributor

Created ‎01-19-2018 07:38 PM

You were correct, once I deleted the client certificate I started getting the same error in my title when browsing to it in Chrome. Also I noticed on the UI it now has myuser@realm instead of just myuser. Is there a way change this?

8,215 Views
0 Kudos

avatar
author-rank bbende author-rank
Master Guru

Created ‎01-19-2018 08:18 PM

Based on all this info, it sounds like you have an identity mapping setup that maps your certificate identity like "CN=myuser, OU=xyz" to just "myuser". You can setup another identity mapping to handle kerberos identities...

Something like this would map "myuser@myrealm" to "myuser"

# nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.security.identity.mapping.value.kerb=$1

8,215 Views
0 Kudos
webinar banner
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
meetups banner