Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

What does the Nifi log entry "Skipping policy for viewing purposes" mean?

Labels:
avatar
author-rank alexwillmer
New Contributor

Created ‎03-15-2021 04:43 AM

We are using NiFi (deployed by Ambari), with users authenticated by LDAP (FreeIPA), and authorisations by Ranger policies. Some of our policies include resource wildcards (e.g. /process-groups/*). As a result NiFi logs include

Resources [...] include a wildcard value. Skipping policy for viewing purposes. Will still be used for access decisions.

What does "Skipping policy for viewing purposes" mean?

  1. Is it viewing of the policy itself, or viewing of resource(s)? We are able to view the policies in Ranger Admin.
  2. Where would the thing be viewed? We are able to view the resources in the NiFi canvas.
665 Views
0 Kudos
2 REPLIES 2

avatar
author-rank alexwillmer
New Contributor

Created ‎03-15-2021 05:27 AM

This string from the NiFi source code may be a clue

"Converting Ranger ServicePolicies model into NiFi policy model for viewing purposes in NiFi UI."

653 Views

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎03-15-2021 03:35 PM

@alexwillmer 

NiFi does not support using wildcards in all scenarios.

Access decisions would include authorization against specific endpoints. 
Not access decisions that may not work with wildcards may include some buttons remaining greyed out.

So if you encounter a NiFi Resource Identifier is not giving you the expected result with a wildcard, try setting the policy explicitly and see if desired outcome is observed.  The following article provides insight in to the expected access provided by each NiFi Resource Identifier:
https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/2465...

NiFi actually downloads the policy definitions from Ranger and all authorizations are done based on the last downloaded set of policies (NiFi runs a background thread to check for updated policy definitions from Ranger).  NiFi does not send a request to verify authorization to Ranger itself.

Hope this helps,

Matt

630 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements