Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Accessing NIFI Metrics endpoint for Prometheus without Authentication

Labels:
avatar
author-rank ravi_tadepally
Contributor

Created ‎01-06-2025 10:21 AM

Hi 

We are currently in the process of upgrading our NIFI version to 2.0.0. But as per the below NIFI jira task PrometheusReportingTask has been completely removed from version 2.0.0 and added as a NIFI rest api endpoint.

https://issues.apache.org/jira/browse/NIFI-13507

The issue we are currently facing is that with old version 2.0.0-M2 metrics was exposed through PrometheusReportingTask which can be accessed without the need for any authentication and we were able to scrape the metrics to Prometheus.

But with the latest versions from 2.0.0 we have to provide the Bearer Token(Using OIDC) to access the metrics as it is a Rest API endpoint which is causing difficulties to integrate with Prometheus as we need to add an extra layer to get the token.

So my question here is, If there is any way to access the nifi-api/flow/metrics/prometheus without the need to provide any authentication which will solve our issue.

Any Suggestions are appreciated.

 

1,082 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎01-07-2025 05:57 AM

@ravi_tadepally 
A secured NiFi is always going to require successful authentication and authorization.

I assume you are fetching a token because you have configured your secured NiFi to use OIDC based user authentication.  But keep in mind that a secured NiFi will always support Mutual TLS based authentication no matter what additional authentication methods have been configured.   For Rest-api interactions it is often easier to generate a clientAuth certificate that is trusted by your NiFi's truststore and use that instead for authentication.  With mutual TLS based authentication there  is no need to fetch any token.  You simply include the clientAuth certificate in every rest-api call.  

You could even handle this task via a NiFi dataflow that utilizes the invokeHTTP processor (configured with a SSL Context Service.  Could even just use NiFi's keystore and truststore) to make the rest-api call to fetch Prometheus data and then through that dataflow send it to the desired endpoint.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

1,036 Views
0
3 REPLIES 3

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎01-07-2025 05:57 AM

@ravi_tadepally 
A secured NiFi is always going to require successful authentication and authorization.

I assume you are fetching a token because you have configured your secured NiFi to use OIDC based user authentication.  But keep in mind that a secured NiFi will always support Mutual TLS based authentication no matter what additional authentication methods have been configured.   For Rest-api interactions it is often easier to generate a clientAuth certificate that is trusted by your NiFi's truststore and use that instead for authentication.  With mutual TLS based authentication there  is no need to fetch any token.  You simply include the clientAuth certificate in every rest-api call.  

You could even handle this task via a NiFi dataflow that utilizes the invokeHTTP processor (configured with a SSL Context Service.  Could even just use NiFi's keystore and truststore) to make the rest-api call to fetch Prometheus data and then through that dataflow send it to the desired endpoint.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

1,037 Views
0

avatar
author-rank sujith18
New Contributor

Created ‎02-21-2025 06:06 AM

Hi Matt,
Thank you this solution saved my day..
I am looking for Accept as Solution button but couldn't find that in this page.

515 Views
0 Kudos

avatar
author-rank cjervis author-rank
Community Manager

Created ‎02-21-2025 07:13 AM

The original poster of the thread has the ability to mark the solution  @sujith18.

@ravi_tadepally has @MattWho 's response helped you overcome your issue? If so, please mark his reply as the solution.


Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
507 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements