Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Api Rest JWT return 401 with multiple nodes

Labels:
avatar
author-rank alan18080
Explorer

Created ‎05-07-2025 09:00 AM

Hello,

We have set up Apache nifi 2.1.0 with 2 nodes with cluster mode, secure mode and single user access enabled. When we access by the application web behind a load balancer and sticky session active all it's ok. When we use API Rest by programmatic mode we ask NiFi "/access/token" and we get a valid token immediately we send a request with authorization bearer token and JWT when the request is attended by the same node which service the JWT all right but when the request is attended by the other node, in the same cluster, response with 401 error.  ¿How can we make NiFi to accept the JWT in all nodes?

779 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created on ‎05-14-2025 11:54 AM - edited ‎05-14-2025 12:00 PM

@alan18080 

The Single-User-Provider for authentication was not intended for production use. It is a very basic username and password based authenticator that support only a single user identity.  When you access the UI of a NiFi node, you are authenticating with only that node.  The provider generates a client token which your browser holds and a corresponding server side token/key held only by the node you authenticated with.    This is why you need to use sticky sessions (Session Affinity) in your load-balancer so that all subsequent request go to same NiFi server.  There is no option in NiFi that would allow that client JWT token to be accepted by all nodes in a NiFi cluster because of the uniqueness of the JWT generated token to a specific node.

Related: NIFI-7246

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

722 Views
0 Kudos
1 REPLY 1

avatar
author-rank MattWho author-rank
Master Mentor

Created on ‎05-14-2025 11:54 AM - edited ‎05-14-2025 12:00 PM

@alan18080 

The Single-User-Provider for authentication was not intended for production use. It is a very basic username and password based authenticator that support only a single user identity.  When you access the UI of a NiFi node, you are authenticating with only that node.  The provider generates a client token which your browser holds and a corresponding server side token/key held only by the node you authenticated with.    This is why you need to use sticky sessions (Session Affinity) in your load-balancer so that all subsequent request go to same NiFi server.  There is no option in NiFi that would allow that client JWT token to be accepted by all nodes in a NiFi cluster because of the uniqueness of the JWT generated token to a specific node.

Related: NIFI-7246

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

723 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Real time Monitoring for 7.1.9+ and 7.2.18+ with Cl...
What's New @ Cloudera
Announcing Cloudera Streaming Analytics 1.17: Python UDFs, S...
Community Announcements
Content Update: Evolving Our Community Content for Better, A...
Community Announcements
Product Name Updates — Community Label Changes & Notificatio...
What's New @ Cloudera
Announcing Cloudera Data Lineage for Trino
View More Announcements