Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Accessing NIFI Metrics endpoint for Prometheus without Authentication

Labels:
avatar
author-rank ravi_tadepally
Contributor

Created ‎01-06-2025 10:21 AM

Hi 

We are currently in the process of upgrading our NIFI version to 2.0.0. But as per the below NIFI jira task PrometheusReportingTask has been completely removed from version 2.0.0 and added as a NIFI rest api endpoint.

https://issues.apache.org/jira/browse/NIFI-13507

The issue we are currently facing is that with old version 2.0.0-M2 metrics was exposed through PrometheusReportingTask which can be accessed without the need for any authentication and we were able to scrape the metrics to Prometheus.

But with the latest versions from 2.0.0 we have to provide the Bearer Token(Using OIDC) to access the metrics as it is a Rest API endpoint which is causing difficulties to integrate with Prometheus as we need to add an extra layer to get the token.

So my question here is, If there is any way to access the nifi-api/flow/metrics/prometheus without the need to provide any authentication which will solve our issue.

Any Suggestions are appreciated.

 

101 Views
0 Kudos
1 REPLY 1

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎01-07-2025 05:57 AM

@ravi_tadepally 
A secured NiFi is always going to require successful authentication and authorization.

I assume you are fetching a token because you have configured your secured NiFi to use OIDC based user authentication.  But keep in mind that a secured NiFi will always support Mutual TLS based authentication no matter what additional authentication methods have been configured.   For Rest-api interactions it is often easier to generate a clientAuth certificate that is trusted by your NiFi's truststore and use that instead for authentication.  With mutual TLS based authentication there  is no need to fetch any token.  You simply include the clientAuth certificate in every rest-api call.  

You could even handle this task via a NiFi dataflow that utilizes the invokeHTTP processor (configured with a SSL Context Service.  Could even just use NiFi's keystore and truststore) to make the rest-api call to fetch Prometheus data and then through that dataflow send it to the desired endpoint.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

55 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
View More Announcements