Github user bbende commented on the issue: https://github.com/apache/nifi/pull/574 @YolandaMDavis thanks for reviewing! Working on some changes based on your feedback. Regarding the need for RangerBasePluginWithPolicies... unfortunately the PolicyEngine is a private member variable of RangerBasePlugin and there is no getter for it, so no way to access it. I think most other plugins would never need to, but for NiFi we need to know if the reason for denying access was because no policy exists for the resource, or because a specific policy exists that doesn't match the incoming request. So the best I could come up with was to intercept when the policies are refreshed and store the resource ids so that when RangerAccessResult getIsAllowed() returns false we can then do a second check to see if there was even a policy for the given resource, and if not then return resource not found, rather than denied.
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---