Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

What does the Nifi log entry "Skipping policy for viewing purposes" mean?

Labels:
avatar
author-rank alexwillmer
New Contributor

Created ‎03-15-2021 04:43 AM

We are using NiFi (deployed by Ambari), with users authenticated by LDAP (FreeIPA), and authorisations by Ranger policies. Some of our policies include resource wildcards (e.g. /process-groups/*). As a result NiFi logs include

Resources [...] include a wildcard value. Skipping policy for viewing purposes. Will still be used for access decisions.

What does "Skipping policy for viewing purposes" mean?

  1. Is it viewing of the policy itself, or viewing of resource(s)? We are able to view the policies in Ranger Admin.
  2. Where would the thing be viewed? We are able to view the resources in the NiFi canvas.
958 Views
0 Kudos
2 REPLIES 2

avatar
author-rank alexwillmer
New Contributor

Created ‎03-15-2021 05:27 AM

This string from the NiFi source code may be a clue

"Converting Ranger ServicePolicies model into NiFi policy model for viewing purposes in NiFi UI."

946 Views

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎03-15-2021 03:35 PM

@alexwillmer 

NiFi does not support using wildcards in all scenarios.

Access decisions would include authorization against specific endpoints. 
Not access decisions that may not work with wildcards may include some buttons remaining greyed out.

So if you encounter a NiFi Resource Identifier is not giving you the expected result with a wildcard, try setting the policy explicitly and see if desired outcome is observed.  The following article provides insight in to the expected access provided by each NiFi Resource Identifier:
https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/2465...

NiFi actually downloads the policy definitions from Ranger and all authorizations are done based on the last downloaded set of policies (NiFi runs a background thread to check for updated policy definitions from Ranger).  NiFi does not send a request to verify authorization to Ranger itself.

Hope this helps,

Matt

923 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Operational Database supports assigning ODAdmin rol...
What's New @ Cloudera
Security-Enhanced Linux (SELinux) support in Cloudera Operat...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
View More Announcements