Community Articles

Find and share helpful community-sourced technical articles.
avatar
Contributor

Objective:

Accessing REST API of Kerberized NiFI Cluster using Bearer Token

Prerequisites:

  1. CURL or Postman Installed on Your Laptop
  2. kinit - Successful for sales1 user
  3. Firefox browser with proper config (network.negotiate)
    1. Inside Firefox -> Open New Tab & Type -> about:config

      Filter by network

      network.negotiate-auth.trusted-uris -> .us-west-2.compute.internal

      network.negotiate-auth.delegation-uris ->.us-west2.compute.internal

  4. SPNEGO NiFi - Successful when you hit NiFi Home Page URL (sales1).

Next steps/Plan:

  1. On Nifi Home Page, Enable Developer Tools & Monitor Network Logs to get the Bearer Token (under current-user and Authorization part of Request Headers)
  2. Lets use the Bearer Token we got to populate the below commands.

CURL option:

curl ‘https://nifihost:9091/nifi-api/flow/status' -H ‘Authorization: Bearer <Token>’

For example,

curl 'https://ip-172-30-0-72.us-west-2.compute.internal:9091/nifi-api/flow/status' -H 'Authorization: Bearer eyJhb..’ --compressed --insecure

 

Postman option:

GET

https://ip-172-30-0-72.us-west-2.compute.internal:9091/nifi-api/flow/status

Authorization

No Auth

Headers

Key

Authorization

Value

Bearer eyJhb…

 

Note:

1. Another way to get the token, Do curl 'https://nifi-host:port/nifi-api/access/token' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' --data 'username=ldap-username&password=ldap-password' --compressed --insecure

to get the token

2.The "Bearer" presented in the rest-api call will be checked against the access policies assigned to that user.

Just remember that everything you do via NiFi's UI, are nothing more then calls to nifi-api.

3,180 Views
Comments

@sbabu Getting the token this way does not work for me as there is a '%' in the password I am using, which causes curl to throw an error. How can I get around this? The script I am developing is going to be used by different people so I cannot know ahead of time to escape any special characters.