Hi Shawn,

The 'No applicable policies could be found.' message can be logged when a request is made against a resource which doesn't exist.
https://github.com/apache/nifi-registry/blob/master/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/Authorizable.java#L236,L247

If a request is for a valid resource, but the user doesn't have the right permissions, then the log should look like this:

2019-04-04 14:34:58,492 INFO [NiFi Registry Web Server-71] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[CN=alice, OU=NIFI], groups[] does not have permission to access the requested resource. Unable to view Bucket with ID b5c0b8d3-44df-4afd-9e4b-114c0e299268. Returning Forbidden response.

Enabling Jetty debug log may be helpful to get more information, but lots of noisy logs should be expected.
E.g. add this entry to conf/logback.xml

<logger name="org.eclipse.jetty.server.HttpConnection" level="DEBUG"/>

Thanks,
Koji

On Sat, Mar 30, 2019 at 11:58 PM Shawn Weeks <[email protected]> wrote:
>
> I remember seeing something where we reduced the amount of auditing for
> access denied errors the NiFi Ranger plugin was doing. On a new installation
> with Registry 0.3.0 I’m not seeing any access denied errors at all despite
> the app log showing them. It’s making it really hard to figure out what
> exactly is failing. I know it’s related to the host access but the error log
> doesn’t say what was being accessed.
>
> Basically I get log messages like these.
>
> 2019-03-30 09:56:54,817 INFO [NiFi Registry Web Server-20]
> o.a.n.r.w.m.AccessDeniedExceptionMapper identity[hdp31-df3.dev.example.com],
> groups[] does not have permission to access the requested resource. No
> applicable policies could be found. Returning Forbidden response.
>
> I could just give blanket access to everything but I prefer to be more
> precise.
>
> Thanks
>
> Shawn Weeks
