Introduction

This article assumes that KnoxSSO for NiFi UI is enabled and is working as expected.

To configure a Knox topology so that the NiFi REST API can be accessed through a Knox-based NiFi URL, do the following:

  1. Access the NiFi UI through a Knox SSO-based URL such as the following:
    https://<knox.fqdn>:8443/gateway/<nifi-topology>/nifi-app/nifi/
    This exposes only the Knox host and port (not the NiFi hosts) and authenticates users via SSO before they log in to the NiFi UI.
  2. Once SSO is enabled on the NiFi UI, NiFi URLs for both the UI and the REST API automatically redirect to the SSO page.

Usually, NiFi REST API access involves obtaining a Bearer token from NiFi and using it in subsequent API calls. With a Knox proxy-based NiFi endpoint, this Bearer token does not work because Knox does not recognize it. On top of that, the URL always redirects to the SSO URL.

To establish access to Knox-based NiFi URLs, both Knox and NiFi need to be configured: Knox to generate the Knox JWT token, and both Knox and NiFi to honor that token when the NiFi REST API is accessed.

Configuration

The following process enables NiFi API access to NiFi instances that are protected by KnoxSSO:

Knox

  1. Create a KNOXTOKEN service in one of the Knox topologies so that users can obtain a Knox token. Any existing topology can be used for this purpose; in this example, knoxsso.xml is used to add the KNOXTOKEN service.
  2. Add the following content at the end of the Advanced KnoxSSO topology in the Ambari UI and restart the Knox service:
    <service>
        <role>KNOXTOKEN</role>
        <param>
            <name>knox.token.ttl</name>
            <value>18000000</value>
        </param>
        <param>
            <name>knox.token.audiences</name>
            <value>hdftopology</value>
        </param>
        <param>
            <name>knox.token.target.url</name>
            <value>https://knox.fqdn:8443/gateway/hdftopology</value>
        </param>
    </service>
  3. Create a new Knox topology XML file for NiFi API access via the Knox token. This topology uses the JWTProvider for authentication, which honors the Knox token.
  4. Place this file in the /etc/knox/conf/topologies/ folder and ensure it is owned by the knox user. In this example the file is named hdftopology.xml:
    <topology>
        <gateway>
            <provider>
                <role>federation</role>
                <name>JWTProvider</name>
                <enabled>true</enabled>
                <param>
                    <name>knox.token.audiences</name>
                    <value>hdftopology</value>
                </param>
            </provider>
            <provider>
                <role>identity-assertion</role>
                <name>Default</name>
                <enabled>true</enabled>
            </provider>
            <provider>
                <role>authorization</role>
                <name>XASecurePDPKnox</name>
                <enabled>true</enabled>
            </provider>
        </gateway>
        <service>
            <role>NIFI</role>
            <url>https://nifi-1.domain:9091</url>
            <url>https://nifi-2.domain:9091</url>
            <url>https://nifi-3.domain:9091</url>
            <param>
                <name>useTwoWaySsl</name>
                <value>true</value>
            </param>
        </service>
        <service>
            <role>NIFI-API</role>
            <url>https://nifi-1.domain:9091</url>
            <url>https://nifi-2.domain:9091</url>
            <url>https://nifi-3.domain:9091</url>
            <param>
                <name>useTwoWaySsl</name>
                <value>true</value>
            </param>
        </service>
    </topology>
  5. Run the following command on the Knox server:
    $ chown knox:knox /etc/knox/conf/topologies/hdftopology.xml
  6. Once the topology file is added, check the Knox logs to ensure that the topology was activated successfully.

NiFi

  1. In the NiFi configuration, add a new entry to nifi.web.proxy.context.path so that NiFi allows this URL path:
    gateway/hdftopology/nifi-app
  2. This path corresponds to the new JWTProvider topology created above for NiFi API access.
  3. After making the changes, restart NiFi.
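The Knox and NiFi steps above only work when three settings agree: the audience that the KNOXTOKEN service puts into the token, the audience that the JWTProvider in the API topology accepts, and the proxy context path that NiFi allows. As an added example (not part of the original article, and not Knox or NiFi code), the following standard-library Python check parses constructed copies of the two topologies and the NiFi property and reports any mismatch before a 401 shows up at validation time. The XML and property text are constructed samples modelled on the configuration in this article; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the KNOXTOKEN service block added to knoxsso.xml.
KNOXSSO_TOPOLOGY = """<topology>
  <service>
    <role>KNOXTOKEN</role>
    <param><name>knox.token.ttl</name><value>18000000</value></param>
    <param><name>knox.token.audiences</name><value>hdftopology</value></param>
    <param><name>knox.token.target.url</name><value>https://knox.fqdn:8443/gateway/hdftopology</value></param>
  </service>
</topology>"""

# Constructed sample: the JWTProvider topology (hdftopology.xml), trimmed to what the check needs.
API_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>federation</role><name>JWTProvider</name><enabled>true</enabled>
      <param><name>knox.token.audiences</name><value>hdftopology</value></param>
    </provider>
  </gateway>
  <service><role>NIFI</role><url>https://nifi-1.domain:9091</url></service>
  <service><role>NIFI-API</role><url>https://nifi-1.domain:9091</url></service>
</topology>"""

# Constructed sample: the relevant line from nifi.properties (a comma-separated allow list).
NIFI_PROPERTIES = "nifi.web.proxy.context.path=gateway/hdftopology/nifi-app\n"


def service_params(topology_xml, role):
    """Return the <param> name/value pairs of the first <service> with the given role, or None."""
    root = ET.fromstring(topology_xml)
    for svc in root.findall("service"):
        if svc.findtext("role") == role:
            return {p.findtext("name"): p.findtext("value") for p in svc.findall("param")}
    return None


def provider_params(topology_xml, role):
    """Return name, enabled flag and params of the first <provider> with the given role, or None."""
    root = ET.fromstring(topology_xml)
    for prov in root.findall("gateway/provider"):
        if prov.findtext("role") == role:
            return {"name": prov.findtext("name"), "enabled": prov.findtext("enabled"),
                    "params": {p.findtext("name"): p.findtext("value") for p in prov.findall("param")}}
    return None


def service_roles(topology_xml):
    root = ET.fromstring(topology_xml)
    return {svc.findtext("role") for svc in root.findall("service")}


def read_properties(text):
    """Minimal key=value parser for nifi.properties-style text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_alignment(knoxsso_xml, api_xml, nifi_props_text, topology_name):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    token = service_params(knoxsso_xml, "KNOXTOKEN")
    if token is None:
        return ["KNOXTOKEN service missing from knoxsso topology"]
    fed = provider_params(api_xml, "federation")
    if fed is None or fed["name"] != "JWTProvider" or fed["enabled"] != "true":
        problems.append("API topology has no enabled JWTProvider federation provider")
    else:
        issued = token.get("knox.token.audiences")
        accepted = fed["params"].get("knox.token.audiences")
        if issued != accepted:
            problems.append(f"audience mismatch: token issued for {issued!r}, topology accepts {accepted!r}")
    roles = service_roles(api_xml)
    for needed in ("NIFI", "NIFI-API"):
        if needed not in roles:
            problems.append(f"API topology lacks the {needed} service")
    target = token.get("knox.token.target.url", "")
    if not target.rstrip("/").endswith("/gateway/" + topology_name):
        problems.append(f"knox.token.target.url {target!r} does not point at /gateway/{topology_name}")
    expected_path = f"gateway/{topology_name}/nifi-app"
    raw = read_properties(nifi_props_text).get("nifi.web.proxy.context.path", "")
    allowed = [p.strip() for p in raw.split(",") if p.strip()]
    if expected_path not in allowed:
        problems.append(f"nifi.web.proxy.context.path must include {expected_path!r}, found {allowed}")
    return problems


if __name__ == "__main__":
    for problem in check_alignment(KNOXSSO_TOPOLOGY, API_TOPOLOGY, NIFI_PROPERTIES, "hdftopology") or ["OK"]:
        print(problem)
```

To use it against a real deployment, read the two topology files and nifi.properties from disk in place of the constructed strings; the checks themselves do not change.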

Validation

  1. Generate a Knox token with the following curl command:
    $ curl -ivku <username>:<password> https://knox.fqdn:8443/gateway/knoxsso/knoxtoken/api/v1/token
  2. Extract the “access token” from the response so that it can be used in subsequent NiFi API calls. This access token is the Knox JWT token.

This token is used as the Bearer token in NiFi API calls. An example NiFi API call looks like the following:

[root@knox.fqdn topologies]# curl -ivk -H "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" https://knox.fqdn:8443/gateway/hdftopology/nifi-app/nifi-api/flow/cluster/summary
* About to connect() to knox.fqdn port 8443 (#0)
*   Trying 10.xx.xxx.xx...
* Connected to knox.fqdn (10.xx.xxx.xx) port 8443 (#0)
...
...
* Connection #0 to host knox.fqdn left intact
{"clusterSummary":{"connectedNodes":"3 / 3","connectedNodeCount":3,"totalNodeCount":3,"connectedToCluster":true,"clustered":true}
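The two curl commands above, carried out in code as an added example (not part of the original article, and not Knox or NiFi code): standard-library Python that extracts the access token from the KNOXTOKEN response, reads the token's claims to confirm it is unexpired and carries the audience the hdftopology JWTProvider expects, and builds the Bearer request against the Knox-based NiFi API URL. Only the claims are inspected here; verifying the token's signature is the JWTProvider's job on the Knox side. The token response and JWT are constructed samples; the response field names (access_token, token_type, target_url) and the claim names (sub, iss, aud, exp) follow the Knox token service but are assumptions here, and fetch_cluster_summary is the only function that touches the network.

```python
import base64
import json
import time
import urllib.request


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(claims):
    # Constructed, unsigned sample token for offline use; Knox signs real tokens with its own key.
    header = b64url_encode(json.dumps({"alg": "RS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


# Constructed sample: expiry 5 hours ahead, matching knox.token.ttl=18000000 ms in the article.
SAMPLE_EXP = int(time.time()) + 18000
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": make_sample_token(
        {"sub": "admin", "iss": "KNOXSSO", "aud": "hdftopology", "exp": SAMPLE_EXP}),
    "token_type": "Bearer",
    "target_url": "https://knox.fqdn:8443/gateway/hdftopology",
})


def extract_access_token(response_body):
    """Pull the Knox JWT out of the KNOXTOKEN JSON response."""
    body = json.loads(response_body)
    if body.get("token_type", "Bearer") != "Bearer":
        raise ValueError(f"unexpected token_type {body.get('token_type')!r}")
    return body["access_token"]


def token_claims(token):
    """Decode the JWT payload without verifying the signature (Knox verifies it server-side)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(b64url_decode(parts[1]))


def token_usable(token, expected_audience, now=None):
    """Return (ok, detail): ok is False for an expired token or an audience the topology will reject."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, f"audience {aud!r} does not match topology audience {expected_audience!r}"
    return True, claims.get("sub")


def build_api_request(token, knox_base, topology, api_path):
    """Build the same request the article's curl command sends, with the Bearer header set."""
    url = f"{knox_base}/gateway/{topology}/nifi-app/nifi-api/{api_path.lstrip('/')}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", f"Bearer {token}")
    return req


def fetch_cluster_summary(token, knox_base="https://knox.fqdn:8443", topology="hdftopology"):
    """Network call: GET flow/cluster/summary through Knox and return the parsed JSON."""
    req = build_api_request(token, knox_base, topology, "flow/cluster/summary")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    tok = extract_access_token(SAMPLE_TOKEN_RESPONSE)
    print(token_usable(tok, "hdftopology"))
    print(build_api_request(tok, "https://knox.fqdn:8443", "hdftopology", "flow/cluster/summary").full_url)
```

Unlike the -k flag in the curl commands above, urllib verifies the Knox TLS certificate by default, so the client must trust the certificate (or its CA) before fetch_cluster_summary will connect.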
