It looks like it will do this if you don’t grant the host access to /buckets which is a valid resource.
Sent from my iPhone

> On Apr 4, 2019, at 1:45 AM, Koji Kawamura <[email protected]> wrote:
>
> Hi Shawn,
>
> The 'No applicable policies could be found.' message can be logged
> when a request is made against a resource which doesn't exist.
> https://github.com/apache/nifi-registry/blob/master/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/Authorizable.java#L236,L247
>
> If a request for a valid resource, but the user doesn't have right
> permissions, then the log should look like this:
> 2019-04-04 14:34:58,492 INFO [NiFi Registry Web Server-71] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[CN=alice, OU=NIFI], groups[] does not have permission to access the requested resource. Unable to view Bucket with ID b5c0b8d3-44df-4afd-9e4b-114c0e299268. Returning Forbidden response.
>
> Enabling Jetty debug log may be helpful to get more information, but
> lots of noisy logs should be expected.
> E.g. add this entry to conf/logback.xml
> <logger name="org.eclipse.jetty.server.HttpConnection" level="DEBUG"/>
>
> Thanks,
> Koji
>
>> On Sat, Mar 30, 2019 at 11:58 PM Shawn Weeks <[email protected]> wrote:
>>
>> I remember seeing something where we reduced the amount of auditing for
>> access denied errors the NiFi Ranger plugin was doing. On a new installation
>> with Registry 0.3.0 I’m not seeing any access denied errors at all despite
>> the app log showing them. It’s making it really hard to figure out what
>> exactly is failing. I know it’s related to the host access but the error log
>> doesn’t say what was being accessed.
>>
>> Basically I get log messages like these.
>>
>> 2019-03-30 09:56:54,817 INFO [NiFi Registry Web Server-20] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[hdp31-df3.dev.example.com], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.
>>
>> I could just give blanket access to everything but I prefer to be more
>> precise.
>>
>> Thanks
>>
>> Shawn Weeks
