Support Questions
Find answers, ask questions, and share your expertise

What does the Nifi log entry "Skipping policy for viewing purposes" mean?

Highlighted

What does the Nifi log entry "Skipping policy for viewing purposes" mean?

New Contributor

We are using NiFi (deployed by Ambari), with users authenticated by LDAP (FreeIPA), and authorisations by Ranger policies. Some of our policies include resource wildcards (e.g. /process-groups/*). As a result NiFi logs include

Resources [...] include a wildcard value. Skipping policy for viewing purposes. Will still be used for access decisions.

What does "Skipping policy for viewing purposes" mean?

  1. Is it viewing of the policy itself, or viewing of resource(s)? We are able to view the policies in Ranger Admin.
  2. Where would the thing be viewed? We are able to view the resources in the NiFi canvas.
2 REPLIES 2
Highlighted

Re: What does the Nifi log entry "Skipping policy for viewing purposes" mean?

New Contributor

This string from the NiFi source code may be a clue

"Converting Ranger ServicePolicies model into NiFi policy model for viewing purposes in NiFi UI."

Re: What does the Nifi log entry "Skipping policy for viewing purposes" mean?

Master Guru

@alexwillmer 

NiFi does not support using wildcards in all scenarios.

Access decisions would include authorization against specific endpoints. 
Not access decisions that may not work with wildcards may include some buttons remaining greyed out.

So if you encounter a NiFi Resource Identifier is not giving you the expected result with a wildcard, try setting the policy explicitly and see if desired outcome is observed.  The following article provides insight in to the expected access provided by each NiFi Resource Identifier:
https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/2465...

NiFi actually downloads the policy definitions from Ranger and all authorizations are done based on the last downloaded set of policies (NiFi runs a background thread to check for updated policy definitions from Ranger).  NiFi does not send a request to verify authorization to Ranger itself.

Hope this helps,

Matt