Re: NiFi Registry Not Auditing Denied Errors
It looks like it will do this if you don’t grant the host access to /buckets which is a valid resource.

Sent from my iPhone

> On Apr 4, 2019, at 1:45 AM, Koji Kawamura wrote:
>
> Hi Shawn,
>
> The 'No applicable policies could be found.' message can be logged
> when a request is made against a resource which doesn't exist.
> https://github.com/apache/nifi-registry/blob/master/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/Authorizable.java#L236,L247
>
> If a request for a valid resource, but the user doesn't have right
> permissions, then the log should look like this:
> 2019-04-04 14:34:58,492 INFO [NiFi Registry Web Server-71]
> o.a.n.r.w.m.AccessDeniedExceptionMapper identity[CN=alice, OU=NIFI],
> groups[] does not have permission to access the requested resource.
> Unable to view Bucket with ID b5c0b8d3-44df-4afd-9e4b-114c0e299268.
> Returning Forbidden response.
>
> Enabling Jetty debug log may be helpful to get more information, but
> lots of noisy logs should be expected.
> E.g. add this entry to conf/logback.xml
>
>
> Thanks,
> Koji
>
>> On Sat, Mar 30, 2019 at 11:58 PM Shawn Weeks
>> wrote:
>>
>> I remember seeing something where we reduced the amount of auditing for
>> access denied errors the NiFi Ranger plugin was doing. On a new installation
>> with Registry 0.3.0 I’m not seeing any access denied errors at all despite
>> the app log showing them. It’s making it really hard to figure out what
>> exactly is failing. I know it’s related to the host access but the error log
>> doesn’t say what was being accessed.
>>
>> Basically I get log messages like these.
>>
>> 2019-03-30 09:56:54,817 INFO [NiFi Registry Web Server-20]
>> o.a.n.r.w.m.AccessDeniedExceptionMapper identity[hdp31-df3.dev.example.com],
>> groups[] does not have permission to access the requested resource. No
>> applicable policies could be found. Returning Forbidden response.
>>
>> I could just give blanket access to everything but I prefer to be more
>> precise.
>>
>> Thanks
>>
>> Shawn Weeks
Re: NiFi Registry Not Auditing Denied Errors
Hi Shawn,

The 'No applicable policies could be found.' message can be logged when a request is made against a resource which doesn't exist.
https://github.com/apache/nifi-registry/blob/master/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/Authorizable.java#L236,L247

If a request for a valid resource, but the user doesn't have right permissions, then the log should look like this:

2019-04-04 14:34:58,492 INFO [NiFi Registry Web Server-71] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[CN=alice, OU=NIFI], groups[] does not have permission to access the requested resource. Unable to view Bucket with ID b5c0b8d3-44df-4afd-9e4b-114c0e299268. Returning Forbidden response.

Enabling Jetty debug log may be helpful to get more information, but lots of noisy logs should be expected.
E.g. add this entry to conf/logback.xml

Thanks,
Koji

On Sat, Mar 30, 2019 at 11:58 PM Shawn Weeks wrote:
>
> I remember seeing something where we reduced the amount of auditing for
> access denied errors the NiFi Ranger plugin was doing. On a new installation
> with Registry 0.3.0 I’m not seeing any access denied errors at all despite
> the app log showing them. It’s making it really hard to figure out what
> exactly is failing. I know it’s related to the host access but the error log
> doesn’t say what was being accessed.
>
> Basically I get log messages like these.
>
> 2019-03-30 09:56:54,817 INFO [NiFi Registry Web Server-20]
> o.a.n.r.w.m.AccessDeniedExceptionMapper identity[hdp31-df3.dev.example.com],
> groups[] does not have permission to access the requested resource. No
> applicable policies could be found. Returning Forbidden response.
>
> I could just give blanket access to everything but I prefer to be more
> precise.
>
> Thanks
>
> Shawn Weeks
NiFi Registry Not Auditing Denied Errors
I remember seeing something where we reduced the amount of auditing for access denied errors the NiFi Ranger plugin was doing. On a new installation with Registry 0.3.0 I'm not seeing any access denied errors at all despite the app log showing them. It's making it really hard to figure out what exactly is failing. I know it's related to the host access but the error log doesn't say what was being accessed.

Basically I get log messages like these.

2019-03-30 09:56:54,817 INFO [NiFi Registry Web Server-20] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[hdp31-df3.dev.example.com], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.

I could just give blanket access to everything but I prefer to be more precise.

Thanks

Shawn Weeks
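The thread contrasts two forms of the AccessDeniedExceptionMapper entry: one that names the refused resource and one that only says no applicable policy was found. As an added example (not code from NiFi Registry or from anyone on the thread), the sketch below parses nifi-registry-app.log style lines and groups denials by identity and detail so the entries that do not name a resource stand out. The regular expression and the function names are assumptions built only from the two log lines quoted above.

```python
import re
from collections import Counter

# Line layout assumed from the two AccessDeniedExceptionMapper entries quoted
# in this thread; other Registry versions may log a different layout.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +\w+ +\[(?P<thread>[^\]]+)\] "
    r"o\.a\.n\.r\.w\.m\.AccessDeniedExceptionMapper "
    r"identity\[(?P<identity>.*?)\], groups\[(?P<groups>.*?)\] "
    r"does not have permission to access the requested resource\. "
    r"(?P<detail>.*?) Returning Forbidden response\."
)
NO_POLICY = "No applicable policies could be found."

def parse_denial(line):
    """Return the fields of one denial entry, or None for any other line."""
    m = DENIED.match(" ".join(line.split()))  # tolerate wrapped or padded text
    if m is None:
        return None
    rec = m.groupdict()
    rec["groups"] = [g.strip() for g in rec["groups"].split(",") if g.strip()]
    # Only the variant without the "no policy" text says what was refused.
    rec["names_resource"] = rec["detail"] != NO_POLICY
    return rec

def summarize(lines):
    """Count denials per (identity, detail) so repeated failures stand out."""
    hits = filter(None, map(parse_denial, lines))
    return Counter((r["identity"], r["detail"]) for r in hits)

PREFIX = "o.a.n.r.w.m.AccessDeniedExceptionMapper identity[%s], groups[] does not " \
         "have permission to access the requested resource. %s Returning Forbidden response."
# First two entries are the ones quoted in the thread; the third is constructed.
SAMPLE = [
    "2019-03-30 09:56:54,817 INFO [NiFi Registry Web Server-20] "
    + PREFIX % ("hdp31-df3.dev.example.com", NO_POLICY),
    "2019-04-04 14:34:58,492 INFO [NiFi Registry Web Server-71] "
    + PREFIX % ("CN=alice, OU=NIFI",
                "Unable to view Bucket with ID b5c0b8d3-44df-4afd-9e4b-114c0e299268."),
    "2019-04-04 14:35:00,001 INFO [main] o.e.jetty.server.Server Started",
]

if __name__ == "__main__":
    for (identity, detail), n in summarize(SAMPLE).items():
        hint = "" if detail != NO_POLICY else "  <- resource not named in log"
        print(f"{n}x {identity}: {detail}{hint}")
```

Entries flagged as not naming a resource are the ones where request-level logging, such as the Jetty debug logging suggested in the thread, is needed to see which path was requested.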