Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Use a Kerberos token for accessing NiFi REST API

Labels (1)
Labels:
avatar
author-rank ArtiW author-rank
Rising Star

Created on ‎06-30-2017 10:27 PM

Using NiFi REST API for unsecured cluster is straight-forward like below:

[root@<nifi-host> ~]# curl -v -X GET http://<nifi-host>:<port>/nifi-api/flow/current-user
* About to connect() to <nifi-host> port <port> (#0)
*   Trying <IP address>...
* Connected to <nifi-host> (<IP address>) port <port> (#0)
> GET /nifi-api/flow/current-user HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <nifi-host>:<port>
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 30 Jun 2017 22:15:09 GMT
< X-Frame-Options: SAMEORIGIN
< X-Frame-Options: SAMEORIGIN
< X-Frame-Options: SAMEORIGIN
< Cache-Control: private, no-cache, no-store, no-transform
< Server: Jetty(9.4.3.v20170317)
< Vary: Accept-Encoding, User-Agent
< Date: Fri, 30 Jun 2017 22:15:09 GMT
< Date: Fri, 30 Jun 2017 22:15:09 GMT
< Content-Type: application/json
< Content-Length: 439
<
* Connection #0 to host <nifi-host> left intact
{"identity":"anonymous","anonymous":true,"provenancePermissions":{"canRead":true,"canWrite":true},"countersPermissions":{"canRead":true,"canWrite":true},"tenantsPermissions":{"canRead":true,"canWrite":true},"controllerPermissions":{"canRead":true,"canWrite":true},"policiesPermissions":{"canRead":true,"canWrite":true},"systemPermissions":{"canRead":true,"canWrite":true},"restrictedComponentsPermissions":{"canRead":true,"canWrite":true}}

However if this cluster is using Kerberos for authentication then the curl call will need a Kerberos authentication token as below:

  • First do a kinit (using appropriate keytab/principal) on the nifi node you are logged into.
  • Now get a token using below API call: 
token=`curl -k -X POST --negotiate -u : https://<nifi-node>:<port>/nifi-api/access/kerberos`
  • Second you need to pass above generated token to the actual API call: 
curl -k --header "Authorization: Bearer $token" https://<nifi-host>:<port>/nifi-api/flow/cluster/summary
6,146 Views
Comments

Re: Use a Kerberos token for accessing NiFi REST API

avatar
author-rank alvinuw
Expert Contributor

Created on ‎09-19-2017 06:34 PM

Hi @Arti Wadhwani,

Could we use username/password of the principle created in Kerberos to login?

Since I don't have kinit in nifi node.

Thanks.

Re: Use a Kerberos token for accessing NiFi REST API

avatar
author-rank harishvaibhav_k
Contributor

Created on ‎07-25-2018 08:54 PM

Hi,

I am trying to access nifi-api using kerberos token. I ran the command to obtain the token that is mentioned in the post but I get the following error: Kerberos ticket login not supported by this NiFi.

I have kerberos provider configured in login-identity-providers.xml and I am able to run kinit also.

Can you please help me how to resolve this issue?

Re: Use a Kerberos token for accessing NiFi REST API

avatar
author-rank kkhan author-rank
Expert Contributor

Created on ‎10-04-2019 04:19 PM - edited ‎10-04-2019 04:21 PM

In case, you get below error, make sure you use Nifi host FQDN in API call and NOT IP address. Also, make sure DNS is configured correctly.

 

<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /nifi-api/access/kerberos. Reason:
<pre>    Unauthorized</pre>

 

 

 

Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎06-30-2017 10:27 PM
Updated by:
Rising Star Rising Star
Contributors