REST API JWT returns 401 with multiple nodes

Explorer

Hello,

We have set up Apache NiFi 2.1.0 with 2 nodes in cluster mode, with secure mode and single user access enabled. When we access the web application behind a load balancer with sticky sessions active, everything is OK. When we use the REST API programmatically, we request "/access/token" from NiFi and get a valid token. We immediately send a request with the Authorization bearer token (the JWT). When the request is handled by the same node that issued the JWT, all is well, but when the request is handled by the other node in the same cluster, it responds with a 401 error. How can we make NiFi accept the JWT on all nodes?

1 ACCEPTED SOLUTION

Master Mentor

@alan18080 

The Single-User-Provider for authentication was not intended for production use. It is a very basic username and password based authenticator that supports only a single user identity. When you access the UI of a NiFi node, you are authenticating with only that node. The provider generates a client token which your browser holds and a corresponding server side token/key held only by the node you authenticated with. This is why you need to use sticky sessions (Session Affinity) in your load-balancer so that all subsequent requests go to the same NiFi server. There is no option in NiFi that would allow that client JWT token to be accepted by all nodes in a NiFi cluster because of the uniqueness of the JWT generated token to a specific node.

Related: NIFI-7246

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
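
The behaviour described in the answer, as an added example that is not part of the original post and is not NiFi code: two simulated nodes each hold their own signing key, so a token from one node gets 401 from the other, while a client that addresses nodes directly and keeps one token per node succeeds on both. `SimNode` and `PerNodeClient` are hypothetical names, and the HS256 per-node key is an assumption standing in for whatever key material a real node holds.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class SimNode:
    """Constructed stand-in for one NiFi node; the key never leaves it."""
    def __init__(self, name):
        self.name, self._key = name, secrets.token_bytes(32)

    def _sign(self, msg: str) -> bytes:
        return _b64(hmac.new(self._key, msg.encode(), hashlib.sha256).digest()).encode()

    def issue_token(self, user, ttl=3600):   # models POST /access/token
        head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps({"sub": user, "exp": int(time.time()) + ttl}).encode())
        return f"{head}.{body}.{self._sign(f'{head}.{body}').decode()}"

    def handle(self, token) -> int:          # models any authenticated request
        parts = token.split(".")
        if len(parts) != 3:
            return 401
        # Verify the signature with this node's key before trusting any claim.
        if not hmac.compare_digest(parts[2].encode(), self._sign(f"{parts[0]}.{parts[1]}")):
            return 401
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
        return 200 if claims["exp"] > time.time() else 401

class PerNodeClient:
    """Addresses nodes directly and keeps a separate token for each one."""
    def __init__(self, nodes):
        self.nodes, self.tokens = {n.name: n for n in nodes}, {}

    def request(self, name, user="admin") -> int:
        node = self.nodes[name]
        token = self.tokens.get(name) or node.issue_token(user)
        status = node.handle(token)
        if status == 401:                    # stale token: log in again, once
            token = node.issue_token(user)
            status = node.handle(token)
        self.tokens[name] = token
        return status

def demo():
    n1, n2 = SimNode("node1"), SimNode("node2")
    token = n1.issue_token("admin")
    shared = (n1.handle(token), n2.handle(token))   # one token sent to both nodes
    client = PerNodeClient([n1, n2])
    pinned = (client.request("node1"), client.request("node2"))
    return shared, pinned
```
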
