
"No applicable policy found" error while logging in to NiFi

Explorer
Logs from nifi-app.log file 
ERROR [nifi.async.multi_dest.batch_nifi.async.multi_dest.batch.solr_destWriter] o.a.s.client.solrj.impl.CloudSolrClient Request to collection ranger_audits failed due to (401) org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://<hostname>:8886/solr/ranger_audits_shard1_replica_n1: Expected mime type application/octet-stream but got text/html. <html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 Authentication required</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/ranger_audits_shard1_replica_n1/update. Reason:
<pre>    Authentication required</pre></p>
</body>
</html>
, retry? 0
 
PFA the error attachment.
IMG20230712163228.jpg

Master Mentor

@shamika 
When you log in to NiFi, you'll want to inspect the nifi-user.log to see the exact exception and NiFi policy that the authenticated user is missing authorization for.  The screenshot you shared above that appears right after successful authentication implies that your authenticated user's identity string (you see this in nifi-user.log) is not authorized on the "view the user interface" NiFi Policy (/flow NiFi resource Identifier in Ranger).

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Explorer

Can you please suggest what things I need to check in the Ranger policy to resolve this "no applicable policy" issue?

Master Mentor

@shamika 
You need to check the nifi-user.log to see your exact user identity string which is being denied when trying to view the user interface. That exact user identity string (case sensitive) must then exist as a user in Ranger service and be authorized for Read on the "/flow" NiFi Resource identifier under the NIFI service in service manager.

You can find a full list of NiFi Resource Identifier descriptions in the following Cloudera Community article and how they relate to the policies within the NiFi service:
https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/2465...

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Explorer

I checked the Ranger policy, and in it /flow has group access and user access for the username and group.

Which is mentioned in nifi-user.log:

-07-12 10:46:36,228 WARN [NiFi Web Server-262] o.a.n.a.util.IdentityMappingUtil Identity Mapping property nifi.security.identity.mapping.pattern.dn was found, but was empty
2023-07-12 10:46:40,796 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://hostname:9091/nifi-api/flow/current-user (source ip:<xy87284hdsshdg)>
2023-07-12 10:46:40,798 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser
2023-07-12 10:46:40,800 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[myuser], groups[bigG, bigdGer] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response

 

Master Mentor

@shamika 

NiFi based authorization is case sensitive.

2023-07-12 10:46:40,800 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[myuser], groups[bigG, bigdGer] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response

The nifi-user.log is telling you that your successfully authenticated user "myuser" is known by NiFi to belong to groups "bigG" and "bigdGer". In Ranger you'll need to make sure that your user "myuser" or one of these groups "bigG" and/or "bigdGer" has been authorized for "READ" on the "/flow" NiFi resource Identifier. If Ranger has the group as "bigg" or "BIGG", "bigDGER", etc. it will not work because NiFi is case sensitive.

You could also share your authorizers.xml if you'd like us to verify your configuration there.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt
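
The case-sensitivity check described in the reply above, as an added example that is not part of the original thread or of NiFi/Ranger: it parses the AccessDeniedExceptionMapper line from nifi-user.log and compares the logged identity and groups byte-for-byte against the principals on the /flow policy. The policy principals are constructed sample values typed in by hand (an assumption); the script does not query Ranger.

```python
import re

# Matches the AccessDeniedExceptionMapper line format shown in this thread.
DENIED = re.compile(
    r"identity\[(?P<identity>[^\]]*)\], groups\[(?P<groups>[^\]]*)\] does not have permission"
)

def parse_denial(line):
    """Return (identity, [groups]) from a nifi-user.log denial line, or None."""
    m = DENIED.search(line)
    if not m:
        return None
    groups = [g.strip() for g in m.group("groups").split(",") if g.strip()]
    return m.group("identity"), groups

def check_policy(line, policy_users, policy_groups):
    """Compare logged identity/groups with the principals on a policy.

    'exact' lists names that match byte-for-byte (these would authorize);
    'case_only' lists (logged, in_policy) pairs that differ only by case.
    """
    parsed = parse_denial(line)
    if parsed is None:
        raise ValueError("not an access-denied line")
    identity, groups = parsed
    result = {"exact": [], "case_only": []}
    pairs = [(identity, policy_users)] + [(g, policy_groups) for g in groups]
    for logged, principals in pairs:
        if logged in principals:
            result["exact"].append(logged)
            continue
        for p in principals:
            if p.lower() == logged.lower():
                result["case_only"].append((logged, p))
    return result

# Log line quoted in the thread.
SAMPLE = ("2023-07-12 10:46:40,800 INFO [NiFi Web Server-19] "
          "o.a.n.w.a.c.AccessDeniedExceptionMapper identity[myuser], groups[bigG, bigdGer] "
          "does not have permission to access the requested resource. "
          "No applicable policies could be found. Returning Forbidden response")

# Constructed (hypothetical) principals as they might appear on the /flow policy.
POLICY_USERS = {"MyUser"}
POLICY_GROUPS = {"bigg", "BIGDGER"}

if __name__ == "__main__":
    print(check_policy(SAMPLE, POLICY_USERS, POLICY_GROUPS))
```

An empty `exact` list with entries in `case_only` points to the mismatch described above: the principal exists on the policy, but not with the exact string NiFi logged.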



Explorer

I have the same issue. When you know how to solve it, tag me please.

Explorer

Sure. If you get the fix, let me know 🙂

Rising Star

The nifi-user.log is showing that the user "myuser", which belongs to the groups "bigG, bigdGer", does not have access to the /flow resource. You can check the Ranger audit section for the resource that is denied, then give access to the groups or the username for this resource.