question Re: How to access NiFi API on a secure NiFi instance in Archives of Support Questions (Read Only)

How to access NiFi API on a secure NiFi instance

Raj_B — Thu, 06 Apr 2017 20:59:03 GMT

Hello,

In a secure NiFi instance (LDAP/SSL), our users are unable to access the NiFi API. When this URL - https://nifiserver:8077/nifi-api/system-diagnostics - is launched in a browser, this error shows up : "Unable to perform the desired action due to insufficient permissions. Contact the system administrator."

In NiFi Admin guide's access policies (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#access-policies), I did not find anything related to granting permissions for NiFi API access.

So, how do you let users access NiFi API in a secure environment.

Thanks.

Re: How to access NiFi API on a secure NiFi instance

MattWho — Thu, 06 Apr 2017 21:40:19 GMT

@Raj B

There is no specific policy specific to complete nifi-api access. Different nifi-api end-points will require that the user making the call to that end-point has the equivalent access policy.

For example, in order for a user to view the "system diagnostics" via the NiFi UI, the user will need to have bee granted the global policy "view system diagnostics".

curl 'https://<hostname>:<port>/nifi-api/system-diagnostics' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuaWZpYWRtaW4iLCJpc3MiOiJMZGFwUHJvdmlkZXIiLCJhdWQiOiJMZGFwUHJvdmlkZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJuaWZpYWRtaW4iLCJraWQiOjEsImV4cCI6MTQ5MTUyNzg0OSwiaWF0IjoxNDkxNDg0NjQ5fQ.1xou9lsBLBMaNuUUGJjebuYE1E8dzGWA7IPzb6_vEv0' --compressed --insecure

The "Bearer" presented in the rest-api call will be checked against the access policies assigned to that user.

Just remember that everything you do via NiFi's UI, are nothing more then calls to nifi-api.

Thanks,

Matt

Re: How to access NiFi API on a secure NiFi instance

Raj_B — Thu, 06 Apr 2017 21:44:24 GMT

Thanks @Matt Clarke, your last sentence ("everything you do via NiFi's UI, are nothing more then calls to nifi-api") cleared it all up for me.

Re: How to access NiFi API on a secure NiFi instance

ilavarasu_p — Mon, 29 Apr 2019 20:14:05 GMT

Hi,

I am able to successfully access the /nifi-api/tenants/user-groups rest API using curl with --insecure option.

But I get 403 error for an equivalent code in Java.

Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: https://localhost:8080/nifi-api/tenants/user-groups

Could you please advice?

Java code:

url = new URL(endPoint);
conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
conn.setDoInput(true);
conn.setDoOutput(true);
conn.setRequestMethod("GET");
conn.setRequestProperty("Accept-Encoding", "gzip, deflate, br");
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
conn.setRequestProperty("Accept", "*/*");
conn.setRequestProperty("Authorization", "Bearer " + "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1uaWZpLWFkbWluLG91PXVzZXJzLGRjPWV4YW1wbGUsZGM9b3JnIiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibmlmaS1hZG1pbiIsImtpZCI6NSwiZXhwIjoxNTU2NTQ5NDkzLCJpYXQiOjE1NTY1MDYyOTN9.arWkNU_4K0VWc_v-FgERgjcNeU8-EjpyOP74-4pHkHs");

bufferedreader = new BufferedReader(new InputStreamReader(new GZIPInputStream(conn.getInputStream())));

String response;
while ((response = bufferedreader.readLine()) != null) {
    System.out.println("Response = " + response);
}