Posted to users@nifi.apache.org by Koji Kawamura <ij...@gmail.com> on 2019/04/04 06:44:52 UTC

Re: NiFi Registry Not Auditing Denied Errors

Hi Shawn,

The 'No applicable policies could be found.' message can be logged
when a request is made against a resource which doesn't exist.
https://github.com/apache/nifi-registry/blob/master/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/resource/Authorizable.java#L236,L247

If a request is for a valid resource but the user doesn't have the right
permissions, then the log should look like this:
2019-04-04 14:34:58,492 INFO [NiFi Registry Web Server-71] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[CN=alice, OU=NIFI], groups[] does not have permission to access the requested resource. Unable to view Bucket with ID b5c0b8d3-44df-4afd-9e4b-114c0e299268. Returning Forbidden response.

Enabling the Jetty debug log may be helpful to get more information, but
lots of noisy logs should be expected.
E.g. add this entry to conf/logback.xml:
<logger name="org.eclipse.jetty.server.HttpConnection" level="DEBUG"/>

Thanks,
Koji

On Sat, Mar 30, 2019 at 11:58 PM Shawn Weeks <sw...@weeksconsulting.us> wrote:
>
> I remember seeing something where we reduced the amount of auditing for access denied errors the NiFi Ranger plugin was doing. On a new installation with Registry 0.3.0 I’m not seeing any access denied errors at all despite the app log showing them. It’s making it really hard to figure out what exactly is failing. I know it’s related to the host access but the error log doesn’t say what was being accessed.
>
> Basically I get log messages like these.
>
> 2019-03-30 09:56:54,817 INFO [NiFi Registry Web Server-20] o.a.n.r.w.m.AccessDeniedExceptionMapper identity[hdp31-df3.dev.example.com], groups[] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response.
>
> I could just give blanket access to everything but I prefer to be more precise.
>
> Thanks
>
> Shawn Weeks
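
The two denial shapes quoted in this thread can be separated mechanically when triaging the application log. The following Python is an added example, not code from the thread or from NiFi Registry; the regular expression is derived only from the two log lines quoted above, and the function names and the `resource_named` field are assumptions of this example.

```python
import re
from collections import Counter

# Line shape derived from the two log samples quoted in this thread.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO \[[^\]]*\] "
    r"o\.a\.n\.r\.w\.m\.AccessDeniedExceptionMapper "
    r"identity\[(?P<identity>.*?)\], groups\[(?P<groups>.*?)\] "
    r"does not have permission to access the requested resource\. "
    r"(?P<reason>.*?) Returning Forbidden response\.$"
)
NO_POLICY = "No applicable policies could be found."

def parse_denials(lines):
    """Yield one dict per access-denied line; all other lines are skipped."""
    for line in lines:
        m = DENIED.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        # resource_named is a field invented for this example: False means
        # the line does not say which resource was requested.
        rec["resource_named"] = rec["reason"] != NO_POLICY
        yield rec

def unnamed_denials_by_identity(lines):
    """Count, per identity, the denials whose log line names no resource."""
    return Counter(r["identity"] for r in parse_denials(lines)
                   if not r["resource_named"])

# First two lines are the samples from this thread; the third is constructed.
SAMPLE = [
    "2019-03-30 09:56:54,817 INFO [NiFi Registry Web Server-20] "
    "o.a.n.r.w.m.AccessDeniedExceptionMapper "
    "identity[hdp31-df3.dev.example.com], groups[] does not have permission "
    "to access the requested resource. No applicable policies could be "
    "found. Returning Forbidden response.",
    "2019-04-04 14:34:58,492 INFO [NiFi Registry Web Server-71] "
    "o.a.n.r.w.m.AccessDeniedExceptionMapper identity[CN=alice, OU=NIFI], "
    "groups[] does not have permission to access the requested resource. "
    "Unable to view Bucket with ID b5c0b8d3-44df-4afd-9e4b-114c0e299268. "
    "Returning Forbidden response.",
    "2019-04-04 14:35:01,120 INFO [main] o.a.n.r.Example unrelated line",
]

if __name__ == "__main__":
    for rec in parse_denials(SAMPLE):
        print(rec["ts"], rec["identity"], rec["resource_named"], rec["reason"])
    print(unnamed_denials_by_identity(SAMPLE))
```

Identities that show up in the counter are the ones whose denials need another source, such as the Jetty debug log mentioned above, to learn which resource was requested.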

Re: NiFi Registry Not Auditing Denied Errors

Posted by Shawn Weeks <sw...@weeksconsulting.us>.
It looks like it will do this if you don’t grant the host access to /buckets, which is a valid resource.

Sent from my iPhone
