Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant

How to access NiFi API on a secure NiFi instance

Expert Contributor

Hello,

In a secure NiFi instance (LDAP/SSL), our users are unable to access the NiFi API. When this URL - https://nifiserver:8077/nifi-api/system-diagnostics - is launched in a browser, this error shows up: "Unable to perform the desired action due to insufficient permissions. Contact the system administrator."

In NiFi Admin guide's access policies (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#access-policies), I did not find anything related to granting permissions for NiFi API access.

So, how do you let users access the NiFi API in a secure environment?

Thanks.

1 ACCEPTED SOLUTION

Master Mentor
@Raj B

There is no specific policy specific to complete nifi-api access. Different nifi-api end-points will require that the user making the call to that end-point has the equivalent access policy.

For example, in order for a user to view the "system diagnostics" via the NiFi UI, the user will need to have been granted the global policy "view system diagnostics".

curl 'https://<hostname>:<port>/nifi-api/system-diagnostics' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuaWZpYWRtaW4iLCJpc3MiOiJMZGFwUHJvdmlkZXIiLCJhdWQiOiJMZGFwUHJvdmlkZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJuaWZpYWRtaW4iLCJraWQiOjEsImV4cCI6MTQ5MTUyNzg0OSwiaWF0IjoxNDkxNDg0NjQ5fQ.1xou9lsBLBMaNuUUGJjebuYE1E8dzGWA7IPzb6_vEv0' --compressed --insecure

The "Bearer" presented in the rest-api call will be checked against the access policies assigned to that user.

Just remember that everything you do via NiFi's UI is nothing more than calls to nifi-api.

Thanks,

Matt
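
An added example (not part of the original posts and not NiFi's own code): a small Python triage helper for a 403 like the one above. It decodes the bearer token's claims to show which identity the access policies will be checked against, whether the token has expired, and which global policy the endpoint maps to. The policy map is a partial list using the Admin Guide's global policy names, the sample token is constructed and unsigned, and all function names are hypothetical.

```python
import base64
import json
import time
from urllib.parse import urlparse

# Partial map: first path segment after /nifi-api/ -> global access policy
# (names as listed in the NiFi Admin Guide; not exhaustive).
GLOBAL_POLICY = {
    "system-diagnostics": "view system diagnostics",
    "tenants": "access users/user groups",
    "flow": "view the user interface",
    "controller": "access the controller",
    "counters": "access counters",
    "provenance": "query provenance",
    "policies": "access all policies",
}

def token_claims(bearer):
    """Decode the JWT payload WITHOUT verifying the signature (triage only)."""
    parts = bearer.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def triage(url, bearer, now=None):
    """Report who the request authenticates as and which policy it needs."""
    now = time.time() if now is None else now
    claims = token_claims(bearer)
    rest = urlparse(url).path.partition("/nifi-api/")[2]
    segment = rest.split("/", 1)[0]
    return {
        "identity": claims.get("sub"),
        # A token with no exp claim is reported as expired.
        "expired": claims.get("exp", 0) <= now,
        "policy": GLOBAL_POLICY.get(segment, "unknown: see Admin Guide"),
    }

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    sample = make_sample_token({"sub": "nifiadmin", "iss": "LdapProvider", "exp": 1491527849})
    print(triage("https://nifiserver:8077/nifi-api/system-diagnostics", sample, now=1491500000))
    print(triage("https://nifiserver:8077/nifi-api/tenants/user-groups", sample))
```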


3 REPLIES 3

Expert Contributor

Thanks @Matt Clarke, your last sentence ("everything you do via NiFi's UI is nothing more than calls to nifi-api") cleared it all up for me.

New Member

Hi,

I am able to successfully access the /nifi-api/tenants/user-groups rest API using curl with --insecure option.

But I get 403 error for an equivalent code in Java.

Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: https://localhost:8080/nifi-api/tenants/user-groups

Could you please advise?

Java code:

url = new URL(endPoint);
conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
conn.setDoInput(true);
conn.setDoOutput(true);
conn.setRequestMethod("GET");
conn.setRequestProperty("Accept-Encoding", "gzip, deflate, br");
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
conn.setRequestProperty("Accept", "*/*");
conn.setRequestProperty("Authorization", "Bearer " + "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1uaWZpLWFkbWluLG91PXVzZXJzLGRjPWV4YW1wbGUsZGM9b3JnIiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibmlmaS1hZG1pbiIsImtpZCI6NSwiZXhwIjoxNTU2NTQ5NDkzLCJpYXQiOjE1NTY1MDYyOTN9.arWkNU_4K0VWc_v-FgERgjcNeU8-EjpyOP74-4pHkHs");

bufferedreader = new BufferedReader(new InputStreamReader(new GZIPInputStream(conn.getInputStream())));

String response;
while ((response = bufferedreader.readLine()) != null) {
    System.out.println("Response = " + response);
}