We are using NiFi (deployed by Ambari), with users authenticated by LDAP (FreeIPA), and authorisations by Ranger policies. Some of our policies include resource wildcards (e.g. /process-groups/*). As a result NiFi logs include
Resources [...] include a wildcard value. Skipping policy for viewing purposes. Will still be used for access decisions.
What does "Skipping policy for viewing purposes" mean?
This string from the NiFi source code may be a clue
"Converting Ranger ServicePolicies model into NiFi policy model for viewing purposes in NiFi UI."
NiFi does not support using wildcards in all scenarios.
Access decisions would include authorization against specific endpoints.
Not access decisions that may not work with wildcards may include some buttons remaining greyed out.
So if you encounter a NiFi Resource Identifier is not giving you the expected result with a wildcard, try setting the policy explicitly and see if desired outcome is observed. The following article provides insight in to the expected access provided by each NiFi Resource Identifier:
NiFi actually downloads the policy definitions from Ranger and all authorizations are done based on the last downloaded set of policies (NiFi runs a background thread to check for updated policy definitions from Ranger). NiFi does not send a request to verify authorization to Ranger itself.
Hope this helps,