question Monitoring NiFi and 401 error api check in Support Questions

Monitoring NiFi and 401 error api check

Olwe — Tue, 13 Sep 2022 09:58:43 GMT

Hi everyone,

I've trying to monitoring nifi api. In our nifi we have configure oidc login and it works fine.

As monitoring, we using zabbix.

The problem in zabbix is when try to check api page (https://nificluster.info/nifi-api/flow/cluster/summary) and I receive http 401 error.

In the web scenario monitoring, I have configured 2 steps:

connect to https://nificluster.info/nifi/ with login and password. This steps it's ok, the required string - "log out" - and required status code 200 works. In this step I've configured viariables username, password for logging and follow redirects flag enable.
connect to api https://nificluster.info/nifi-api/flow/cluster/summary without any parameters except requird string with number of cluster nodes and required status code 200

Who could help me resolve this 401 error on the api nifi?

Re: Monitoring NiFi and 401 error api check

MattWho — Tue, 13 Sep 2022 20:19:39 GMT

@Olwe
How is zabbix authenticating it self with your NiFi? When NiFi is secured, all clients must be authenticated and authorized. An HTTP 401 means the client was not authorized.

NiFi does not use sessions. So when a user logs in via a username and password, if the authentication was successful, a bearer token is issued for the user for that specific NiFi node. That bearer token will remain valid for the duration configured in your NiFi login provider or until the logout endpoint is invoked. The client is expected to include that bearer token in all subsequent requests. If you hit a NiFi rest-api endpoint like .../nifi-api/flow/cluster/summary without a bearer token or a client certificate, the client will be treated as "anonymous" and not authorized. You should see this unauthorized endpoint request logged in the nifi-user.log. When you access rest-api endpoints via the browser which you used to login, the browser takes care of including the bearer token. I am not familiar with Zabbix, but same requirements exist (get bearer token and include bearer token in future rest-api calls)

For example, obtaining a token using a login provider:

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/access/token' \ --data-raw 'username=<username>&password=<password>' \ --compressed \ --insecure

Above will return the <bearer token>.

Then you would use that bearer token in your future rest-api requests:

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/flow/cluster/summary' \ -H 'Authorization: Bearer <bearer token>' \ --compressed \ --insecure

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt

Re: Monitoring NiFi and 401 error api check

Olwe — Mon, 03 Oct 2022 08:59:06 GMT

Hi and thanks for your reply.

Integration with OIDC and NiFi it's no easy. I've tried you suggestion but don't works, seems the header don't follow the flow.

But now, I've resolved using the certificate when I call the url. I've trusted zabbix certificate with nifi and use this curl:

curl https://nificluster.info/nifi-api/flow/cluster/summary --insecure -H "Host: nificluster.info" --cert /pathcertificate/certificate_zabbix.pem --key /pathcertificate/certificate_zabbix.key

Now I can check the cluster status "without" login.