Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How to access NiFi Rest API through SSO enabled Knox Proxy / Knox Gateway

Labels (2)
avatar
author-rank anatva author-rank
Contributor

Created on ‎06-29-2020 01:45 PM - edited on ‎06-30-2020 12:40 AM by Community Manager Community Manager

Introduction

This article assumes that KnoxSSO for NiFi UI is enabled and is working as expected.

 

To configure Knox topology in order to access NiFi Rest API using Knox based NiFi URL, do the following:  

 

  1. Access NiFi UI through Knox SSO based URL such as the following:
    https://<knox.fqdn>:8443/gateway/<nifi-topology>/nifi-app/nifi/​
    This helps the users to expose only the Knox host and port (not the NiFi hosts) and also authenticate users via SSO before they successfully log in to NiFi UI.
  2. Once the SSO is enabled on NiFi UI, NiFi URL for the UI or the Rest API will automatically redirect to the SSO page.

Usually, the NiFi Rest API access involves obtaining Bearer token and using it in subsequent API calls. With Knox proxy-based NiFi endpoint, this Bearer token would not work as Knox does not recognize this token. On top of that, the URL always redirects to the SSO URL. 

 

To establish access to Knox based NiFi URLs, both Knox and NiFi need to be configured to generate the Knox JWT token and honor the JWT token while accessing NiFi Rest API.

Configuration

The following is the process to enable NiFi API access to NiFi instances that are protected by KnoxSSO:

Knox

  1. Create a KNOXTOKEN service in one of the Knox topologies to allow users to extract the Knox token. Any existing topology can be used for this purpose. In this example, knoxsso.xml is used to add KNOXTOKEN service.
  2. Add the following content at the end of the Advanced KnoxSSO topology in Ambari UI and restart Knox service:
    <service>
<role>KNOXTOKEN</role>
<param>
 <name>knox.token.ttl</name>
 <value>18000000</value>
</param>
<param>
 <name>knox.token.audiences</name>
 <value>hdftopology</value>
</param>
<param>
  <name>knox.token.target.url</name>
  <value>https://knox.fqdn:8443/gateway/hdftopology</value>
</param>
</service>
​
  3. Create a new Knox topology XML file for NiFi API access via Knox token. This topology should use the JWTProvider for authentication which honors the Knox token.
  4. Place this file in the /etc/knox/conf/topologies/ folder and ensure it is owned by the "Knox" user.
    <topology>
   <gateway>
        <provider>
            <role>federation</role>
            <name>JWTProvider</name>
            <enabled>true</enabled>
            <param>
                <name>knox.token.audiences</name>
                <value>hdftopology</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
        <provider>
            <role>authorization</role>
            <name>XASecurePDPKnox</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
<service>
    <role>NIFI</role>
    <url>https://nifi-1.domain:9091</url>
    <url>https://nifi-2.domain:9091</url>
    <url>https://nifi-3.domain:9091</url>
<param>
  <name>useTwoWaySsl</name>
  <value>true</value>
</param>
</service>
<service>
    <role>NIFI-API</role>
    <url>https://nifi-1.domain:9091</url>
    <url>https://nifi-2.domain:9091</url>
    <url>https://nifi-3.domain:9091</url>
<param>
  <name>useTwoWaySsl</name>
  <value>true</value>
</param>
</service>
</topology>​
  5. Run the following command on Knox server:
    $ chown knox:knox /etc/knox/conf/topologies/hdftopology.xml​
  6. The moment the topology file is added, browse the Knox logs to ensure that the topology is activated successfully.

NiFi

  1. In Nifi configuration, add a new entry for nifi.web.proxy.context.path for NiFi to allow this URL path:
    “gateway/hdftopology/nifi-app”.  ​
  2. This path uses the new JWTProvider topology that we created for NiFi API access.
  3. After making the changes, restart NiFi.

Validation

  1. Generate Knox token by using the following CURL command:
    $curl -ivku <username>:<password> https://knox.fqdn:8443/gateway/knoxsso/knoxtoken/api/v1/token​​
  2. Extract the “access token” so that it can be used in subsequent NiFi API calls. This access token is nothing but the Knox JWT token.

This token should be used as the Bearer token in NiFi API calls. An example NiFi API call looks like the following:

[root@knox.fqdn topologies]# curl -ivk -H "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" https://knox.fqdn:8443/gateway/hdftopology/nifi-app/nifi-api/flow/cluster/summary
* About to connect() to knox.fqdn port 8443 (#0)
*   Trying 10.xx.xxx.xx...
* Connected to knox.fqdn (10.xx.xxx.xx) port 8443 (#0)
...
...
* Connection #0 to host knox.fqdn left intact
{"clusterSummary":{"connectedNodes":"3 / 3","connectedNodeCount":3,"totalNodeCount":3,"connectedToCluster":true,"clustered":true}

 

2,865 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎06-30-2020 12:40 AM
Updated by:
Community Manager Community Manager
Contributors