First I ran the following command to get an authentication token and verified that this command worked by echoing $token.
token=$(curl -k -X POST --negotiate -u : https://<nifi-hostname>:9091/nifi-api/access/kerberos)
Then I tried to get one of the processor groups by running this command but got "No applicable policies could be found. Contact the system administrator."
curl -k -X GET "https://<nifi-hostname>:9091/nifi-api/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a" -H "Authorization: Bearer $token"
I am able to access the NiFi UI and have given myself access to * for the NiFi Resource Identifier in Ranger.
Additionally, if I use Google Chrome I am able to browse to this link and view the JSON; I'm just not able to execute the curl.
I executed all of the above commands on the NiFi node I am trying to curl to.
Can you see what is in nifi-user.log when you make the curl request?
Here's what I see there.
2018-01-19 11:30:24,421 INFO [NiFi Web Server-284700] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<myuser@realm><hostname><CN=hostname, OU=myorg, O=mycompany, L=mylocation, ST=mystate, C=US>) GET https:/<hostname>:9091/nifi-api/process-groups/7c84501d-d10c-407c-b9f3-1d80e38fe36a
2018-01-19 11:30:24,421 INFO [NiFi Web Server-284700] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for <myuser>@<realm>
2018-01-19 11:30:24,421 INFO [NiFi Web Server-284700] o.a.n.w.a.c.AccessDeniedExceptionMapper <myuser>@<realm> does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.
Edit: I actually was sort of able to resolve this. For some reason the curl command is sending myuser@realm instead of just myuser, which is what I gave access to in Ranger. When I granted myuser@realm access in Ranger, the curl command worked. So the question is why am I able to login to the UI by just granting myuser access but in order to curl I have to give myuser@realm access?
Edit 2: I'm thinking it's due to the way I have the pattern mapping configured.
I'm guessing when I log into the UI it's using kerberos, and then when I'm running a curl it's using the CN, which is myuser@realm instead of just myuser. Is it possible to configure so I can just use myuser?
Ok, it is interesting that you mentioned you can put the URL in Google Chrome and get the JSON back...
Do you have a client certificate in your browser for NiFi?
In your curl examples you are using Kerberos...
Normally the first time you hit the UI, it exchanges the Kerberos ticket for a JWT (just like you were doing to get the token) and then it puts the JWT in local storage of your browser. On every request after that the UI code will send the Authorization header with the JWT from local storage.
When you put the API URL directly into your browser, none of NiFi's UI code is running, so there isn't anything that would perform the ticket exchange, and nothing that would send the Authorization header. So I wouldn't expect that to work unless you had a client certificate in your browser.
You may want to compare the nifi-user.log above, to one when you access the URL from Chrome to see if the requests are being made as the same identities.
You were correct, once I deleted the client certificate I started getting the same error as in my title when browsing to it in Chrome. Also I noticed that the UI now shows myuser@realm instead of just myuser. Is there a way to change this?
Based on all this info, it sounds like you have an identity mapping setup that maps your certificate identity like "CN=myuser, OU=xyz" to just "myuser". You can setup another identity mapping to handle kerberos identities...
Something like this would map "myuser@myrealm" to "myuser"
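As an added example (my own code, not the answer's snippet and not NiFi's implementation), here is a small Python model of how NiFi's identity mapping properties turn the raw authenticated identity into the identity that the authorizer (Ranger here) is asked about: the `dn` mapping reduces a certificate DN to its CN, and the `kerb` mapping strips the realm from a Kerberos principal. The property key names are NiFi's real `nifi.security.identity.mapping.pattern.<name>` / `nifi.security.identity.mapping.value.<name>` pairs; the specific regexes, the DN `CN=myuser, OU=myorg, ...` and the principal `myuser@MYREALM.COM` are constructed for the example.

```python
import re

# The nifi.properties keys below are NiFi's real identity-mapping properties.
# The patterns, the DN and the principal are constructed for this example and
# are not taken from the thread or from any real configuration.
NIFI_PROPERTIES_DN_ONLY = """\
nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
nifi.security.identity.mapping.value.dn=$1
"""

# The same file with a second mapping for Kerberos principals added.
NIFI_PROPERTIES = NIFI_PROPERTIES_DN_ONLY + """\
nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$
nifi.security.identity.mapping.value.kerb=$1
"""

PATTERN_PREFIX = "nifi.security.identity.mapping.pattern."
VALUE_PREFIX = "nifi.security.identity.mapping.value."


def load_mappings(properties_text):
    """Pair each pattern.<name> with its value.<name>; returns a list sorted by name."""
    patterns, values = {}, {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first '=' only: the regex itself contains '=' (CN=...).
        key, _, val = line.partition("=")
        key = key.strip()
        if key.startswith(PATTERN_PREFIX):
            patterns[key[len(PATTERN_PREFIX):]] = val
        elif key.startswith(VALUE_PREFIX):
            values[key[len(VALUE_PREFIX):]] = val
    return [
        (name, re.compile(patterns[name]), values[name])
        for name in sorted(patterns)
        if name in values  # a pattern without a matching value is ignored
    ]


def map_identity(identity, mappings):
    """Return (mapped_identity, mapping_name); the identity is unchanged (and name None)
    when no mapping matches. The first mapping whose pattern matches wins."""
    for name, pattern, template in mappings:
        # The whole identity has to match, as with Java's Matcher.matches().
        m = pattern.fullmatch(identity)
        if m:
            # Java-style "$1" backreferences in the value become Python's "\1".
            py_template = re.sub(r"\$(\d+)", r"\\\1", template)
            return m.expand(py_template), name
    return identity, None


# Constructed identities: a client-certificate DN and a Kerberos principal
# for the same person (assumed values, not from the thread).
CERT_DN = "CN=myuser, OU=myorg, O=mycompany, L=mylocation, ST=mystate, C=US"
KERB_PRINCIPAL = "myuser@MYREALM.COM"


def effective_identities(properties_text):
    """Identity the authorizer would be asked about for each login path."""
    mappings = load_mappings(properties_text)
    return {
        "client certificate": map_identity(CERT_DN, mappings)[0],
        "kerberos": map_identity(KERB_PRINCIPAL, mappings)[0],
    }


if __name__ == "__main__":
    for label, props in (("dn mapping only", NIFI_PROPERTIES_DN_ONLY),
                         ("dn + kerb mapping", NIFI_PROPERTIES)):
        print(label, effective_identities(props))
```

With only the `dn` mapping loaded, the certificate login resolves to `myuser` while the Kerberos login stays `myuser@MYREALM.COM`, which is exactly the mismatch the thread observed between the UI (client certificate) and curl (Kerberos); with both mappings, both paths resolve to `myuser`, so one Ranger policy covers them. Two practical points: the mapped identity is the one the policy must name, so after changing these properties restart NiFi and confirm in nifi-user.log which identity "Authentication success" reports; and a pattern as broad as `^(.*?)@(.*?)$` maps `myuser@OTHER.REALM` to `myuser` as well, so if more than one realm can authenticate to the cluster, pin the realm in the pattern (for example `^(.*?)@MYREALM\.COM$`) rather than accepting any.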