Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
avatar
Rising Star

Using NiFi REST API for unsecured cluster is straight-forward like below:

[root@<nifi-host> ~]# curl -v -X GET http://<nifi-host>:<port>/nifi-api/flow/current-user
* About to connect() to <nifi-host> port <port> (#0)
*   Trying <IP address>...
* Connected to <nifi-host> (<IP address>) port <port> (#0)
> GET /nifi-api/flow/current-user HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <nifi-host>:<port>
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 30 Jun 2017 22:15:09 GMT
< X-Frame-Options: SAMEORIGIN
< X-Frame-Options: SAMEORIGIN
< X-Frame-Options: SAMEORIGIN
< Cache-Control: private, no-cache, no-store, no-transform
< Server: Jetty(9.4.3.v20170317)
< Vary: Accept-Encoding, User-Agent
< Date: Fri, 30 Jun 2017 22:15:09 GMT
< Date: Fri, 30 Jun 2017 22:15:09 GMT
< Content-Type: application/json
< Content-Length: 439
<
* Connection #0 to host <nifi-host> left intact
{"identity":"anonymous","anonymous":true,"provenancePermissions":{"canRead":true,"canWrite":true},"countersPermissions":{"canRead":true,"canWrite":true},"tenantsPermissions":{"canRead":true,"canWrite":true},"controllerPermissions":{"canRead":true,"canWrite":true},"policiesPermissions":{"canRead":true,"canWrite":true},"systemPermissions":{"canRead":true,"canWrite":true},"restrictedComponentsPermissions":{"canRead":true,"canWrite":true}} 

However if this cluster is using Kerberos for authentication then the curl call will need a Kerberos authentication token as below:

  • First do a kinit (using appropriate keytab/principal) on the nifi node you are logged into.
  • Now get a token using below API call:
token=`curl -k -X POST --negotiate -u : https://<nifi-node>:<port>/nifi-api/access/kerberos` 
  • Second you need to pass above generated token to the actual API call:
curl -k --header "Authorization: Bearer $token" https://<nifi-host>:<port>/nifi-api/flow/cluster/summary 
6,139 Views
Comments
avatar
Expert Contributor

Hi @Arti Wadhwani,

Could we use username/password of the principle created in Kerberos to login?

Since I don't have kinit in nifi node.

Thanks.

avatar
Contributor

Hi,

I am trying to access nifi-api using kerberos token. I ran the command to obtain the token that is mentioned in the post but I get the following error: Kerberos ticket login not supported by this NiFi.

I have kerberos provider configured in login-identity-providers.xml and I am able to run kinit also.

Can you please help me how to resolve this issue?

avatar
Expert Contributor

In case, you get below error, make sure you use Nifi host FQDN in API call and NOT IP address. Also, make sure DNS is configured correctly.

 

<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /nifi-api/access/kerberos. Reason:
<pre>    Unauthorized</pre>