Support Questions

Find answers, ask questions, and share your expertise

Basic Authenitication in Nifi

avatar
Explorer

Hi guys,

I am new in Nifi and I have some problem with authentication-I am using HandleHttpRequest to coolect some data from other system. I need to do some basic authorization. I know that it something like http.header.authentication but I have a few question about this:

1.How can get it to this authorization header? My first processor is HandleHTTPRequest so it is enough that my second processor will be  EvaluateJsonPath and I do something like this: $.http.headers.Authorization or I need do something else?

2. I heard that this authorization data are in Base64. How can I decode it and compere with my user and password when for example my user is user1 and password is password1

I will be grateful for tips because I don't know how to ho about it

 

3 REPLIES 3

avatar
Master Mentor

@Sofia71 

The HandleHTTPRequest processor listens for incoming connection being sent to it from an external source and then relies on the HandleHTTPResponse processor to sent back the response to that incoming request.  So first question is how are you collecting this data?  Are you trying to fetch it?  If so, you should be using the InvokeHTTP processor instead. If the source is sending the data to your NiFi then you are using the correct processor.

Doing any from of client based authentication would need to be need to be handled within your dataflow following the HandleHTTPRequest processor.  The processor itself will not do authorization and the only form of authentication it can do is mutualTLS based.  So for basic authorization you would need the user basic authentication presented in the request headers.  The HandleHTTPRequest processor will add those headers as attributes on the produced FlowFile.  You mention the authorization header username and password would be base64 encoded, so you could use NiFi Expression Language to via the UpdateAttribute processor and the base64decode function to decode them.  How you validate them is up to you after you have them. If they are LDAP based credentials, perhaps you could write a script you pass them to via one of the scripting processor to validate the username and password are correct?  If you want to keep it very basic, you could use an RouteOnAttribute processor that checks to see if username and password match what you say they should be and if they do, pass the FlowFile on downstream; otherwise, terminate the FlowFile there.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt



 

avatar
Explorer

Hi @MattWho ,

I think this options with RouteOnAttribute will be good. But I have some problem with this encode and decode options-I have my authorizationdata in parameter context and I ave no idea how can I encode it- i try something like that: ${authorizationFromRequest:equals(#{authorizationData}:base64Encode)} - but it didn't work 😕

Next problem-it's good use this $.http.headers.Authorization to get this authorization data?

avatar
Master Mentor

@Sofia71 

The HandleHTTPRequest processor establishes a generic endpoint, it has not idea what headers and in what format the content of those headers will be.  You client creates the request and decides what haaders and format of the header content.  

I would recommend in yoru testing that you start the HandleHTTPRequest processor a keep the downstream processor stopped so that the incoming request becomes queued in the connection between the HandleHTTPRequest and the next downstream processor. You can then right click on the connection and list the flowfiles in the connection.  From the list you can view the details of the queude FlowFile which will aloo you to see the generated "http.headers.<some client derived string>" added as attributes to the FlowFile along with the values for those headers.    Using that information you can construct your validations. in the RouteOnAttribute processor.

You'll need to verify the format of the authorization data pre encoding coming in the request header match exactly with the format of the authorization data you have put in the parameter context.

You could also decode the authorization header contents to make sure it matches with what you constructed in your authorization parameter.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt