question Re: Calling nifi Api using Postman in Support Questions

Calling nifi Api using Postman

SAMSAL — Wed, 18 May 2022 16:04:04 GMT

Hi,

I have a secured Nifi cluster. Im trying to call a nifi api to start\stop processor using postman. I followed the instruction for the api "PUT /processors/{id}/run-status". Provided the Bearer token and the Json Body. However I keep getting 403 Forbidden message. Does anybody know why? I'm able to run other APIs successfully such as getting processor info "GET /processors/{id}"! Im guessing its because Im using SSL secured nifi with jks keystore and truststore, but not sure how to provide this information to postman. Can anyone help please?

Re: Calling nifi Api using Postman

araujo — Wed, 18 May 2022 23:13:56 GMT

@SAMSAL ,

If your NiFi cluster was secured only with TLS (no Kerberos and/or LDAP external providers for authentication), you must have generate a client TLS certificate that you can use to authenticate with NiFi and register that certificate in your browser before you can make any calls to it.

If you have an external authentication provider configured, you can make a call to POST /nifi-api/access/token, passing username and password as form parameters to perform the authentication. If you're using Postman, this call will save the returned token in a cookie and you'll be able to perform the next calls as usual.

Otherwise, is you're using an external script, you can get the returned token and pass that as a bearer token for the subsequent calls. For example:

token=$(curl \ -X POST \ -H 'Content-Type: application/x-www-form-urlencoded') \ -d 'username=admin&password=supersecret1' \ "https://nifi.example.com:8443/nifi-api/access/token" curl \ -X GET \ -H "Authorization: Bearer $token" \ "https://nifi.example.com:8443/nifi-api/processors/d95f5430-0180-1000-ffff-ffff96c5d76f"

Cheers,

André

Re: Calling nifi Api using Postman

SAMSAL — Wed, 18 May 2022 23:31:39 GMT

Thanks Andre,

I did manage to get the token using access/token api. however when I provided the token in postman as Bearer authentication I still get the 403 Forbidden response. Here is my request and response info as captured by Fiddler, let me know if you see anything wrong:

PUT https://[server name]:9443/nifi-api/processors/385fcdc0-0180-1000-0000-000030a768e3/run-status HTTP/1.1
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Keep-Alive: timeout=100, max=50000
Authorization: Bearer [access token]
User-Agent: PostmanRuntime/7.29.0
Postman-Token: 5900c41a-f704-43f3-a2e4-a425eeb22569
Host: [host name]:9443
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 215

{
"revision": {
"clientId": "8F3BD748-DBCC-4703-8743-1D98A24B95C2",
"version": 1.16,
"lastModifier": "user.name"
},
"state": "RUNNING",
"disconnectedNodeAcknowledged": true
}

Response:

HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31540000
Content-Length: 0
Server: Jetty(9.4.45.v20220203)

Re: Calling nifi Api using Postman

araujo — Thu, 19 May 2022 01:06:04 GMT

@SAMSAL ,

Have you enabled Ranger for authorization or are you managing policies in the NiFi UI?

You are probably authenticated correctly, but your user may be lacking the necessary permissions to perform the API call.

André

Re: Calling nifi Api using Postman

SAMSAL — Thu, 19 May 2022 20:11:11 GMT

Hi Andre,

Not sure what do you mean by "enabled Ranger for authorization"? Can you please elaborate? Also the user Im getting the access token for is the same user that can log in to nifi and have all kind of permissions added to view\modify any workflow. Not sure what else I could be missing.

Thanks

Re: Calling nifi Api using Postman

araujo — Thu, 19 May 2022 21:48:10 GMT

Could you please share your authorizers.xml file?

Re: Calling nifi Api using Postman

SAMSAL — Thu, 19 May 2022 21:58:58 GMT

Hi Andre,

I sent you the authorizers content in private message. thanks for your help

Re: Calling nifi Api using Postman

araujo — Thu, 19 May 2022 23:26:32 GMT

Could you please also send me your authorizations.xml and users.xml files?

What's the user you're using for authentication in Postman?

Re: Calling nifi Api using Postman

SAMSAL — Fri, 20 May 2022 01:40:27 GMT

I sent you both the users and authorizations xml content in private message. Thanks!

Re: Calling nifi Api using Postman

araujo — Fri, 20 May 2022 03:15:03 GMT

@SAMSAL ,

Here's what I think is happening:

Your user, who has id "168b019c-0180-1000-ffff-fffffbf36c3a" (from users.xml) only has access to the processor group with id "155cec02-0180-1000-6d4b-ac96d2372f41". For authorizations.xml:

Your PUT command is referencing a processor with id "385fcdc0-0180-1000-0000-000030a768e3". I don't know how your canvas is organized, but my guess is that this processor does not belong inside the processor group "155cec02-0180-1000-6d4b-ac96d2372f41" and because of that the user is being denied access (403 Forbidden).

To solve that you can login to the UI using an admin user, right-click on the Process Group that contains the processor that you're trying to manipulate and click on "Manage access policies".

In the Access Policies page, add your user to the "view the component" and "modify the component" policies.

After that, try again.

Cheers,

André

Re: Calling nifi Api using Postman

SAMSAL — Fri, 20 May 2022 13:46:07 GMT

Hi Andre,

Thanks again for taking the time and look into my access policy files. If you have noticed in the users.xml I have created an admin group with id "1966f436-0180-1000-ffff-ffffd1d17786" that the user "168b019c-0180-1000-ffff-fffffbf36c3a" is part of, this user group should have access to everything on the nifi canvas so Im assuming my user id implicitly will have access to everything as well, is that correct? even with that I went and give access to my user id explicitly to the target processor group with permission to view, modify and operate component, but still getting the 403 error! Keep in mind when I call the same API using nifi InovkeHttp providing the same access token it only works when I provide SSL Context Service that points to the same truststore & keystore files used to secure the nifi instance, could that be the problem in postman since I did not provide the SSL context there even though Im using https in the url? Im not sure how this can be configured in postman. Thanks for your help.

Re: Calling nifi Api using Postman

MaarufB — Tue, 25 Oct 2022 10:28:24 GMT

Hello bro @SAMSAL , were you successfully control the nifi component using postman? If yes, would it be okay to share your countermeasure. Currently encountering the same issue that you had. Thanks in advance.

Re: Calling nifi Api using Postman

stainblue — Thu, 16 Jan 2025 13:31:33 GMT

Hi @SAMSAL @MaarufB,

I had the same problem but solved it. The root cause was the CSRF security filter, which resulted in a 403 error. You can resolve this by setting the Request-Token header with the cookie value obtained during the access token issuance.

For more details, please refer to the following link:
NiFi Administration Guide - CSRF Protection

Hope this helps!