Call REST API to access a secured NiFi cluster

New Contributor

Hi guys,

I built a secured NiFi cluster authenticated by an LDAP server.

I am able to use the NiFi REST API to access the secured cluster via a Bearer Token.
I have built a NiFi flow that needs to call */nifi-api/* every 20 seconds, and my problem is that the token expires after 8 hours (based on my config), so I have to update the Bearer Token manually after 8 hours :((

I was wondering whether there is some way I can get a permanent Bearer Token to call the REST API to access a secured NiFi cluster?

Thanks.

1 ACCEPTED SOLUTION

Master Guru

@ThongPham 
There is no such thing as a permanent Bearer token.  How long a Bearer token stays valid is set in the provider that is issuing that bearer token.  In your case, the ldap-provider.  Also keep in mind that a bearer token is issued by a specific node in the NiFi cluster and can not be used to authenticate with every node in the NiFi cluster.

Since a secured NiFi will always attempt mutual TLS authentication first, I suggest you instead generate and use a client certificate to interact with the NiFi API.  Mutual TLS based authentication does not use bearer tokens, and the authentication will be successful until that client certificate expires, which is configurable when generating the certificate.  But generally speaking certificates are often valid for 12 or months.  Since there is no bearer token, a client certificate can be used with any node in the cluster.

Your other option is to build a flow within your NiFi to get a new bearer token automatically and store that token in maybe a distributedMapCache.  Then in your other flow you fetch that bearer token before calling the rest-api endpoint.  A failure should loop back to the FetchDistributedMapCache just in case you have a scenario where the bearer token expires between fetch and call.

Out of curiosity, what rest-api endpoint are you calling every 20 seconds and why? 

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt
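
The second option in the answer above (cache the token, renew it, loop back on failure), sketched in Python as an added example that is not part of the original thread or of NiFi itself. The `login` and `send` hooks are hypothetical stand-ins for the real HTTPS calls, the token is assumed to be a JWT carrying an `exp` claim, and `fake_token`, `demo` and the `/nifi-api/<endpoint>` path are constructed for an offline run.

```python
import base64, json, time

def jwt_expiry(token):
    """Return the exp claim (epoch seconds) of a JWT; read only, no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class NodeTokenCache:
    """One bearer token per NiFi node, renewed shortly before it expires."""
    def __init__(self, login, send, skew=60, clock=time.time):
        self.login = login  # assumed hook: login(node) -> token string
        self.send = send    # assumed hook: send(node, path, token) -> (status, body)
        self.skew = skew    # renew this many seconds before exp
        self.clock = clock
        self.tokens = {}    # node -> (token, exp); a token is only valid on its node

    def _token(self, node, force=False):
        cached = self.tokens.get(node)
        if force or cached is None or cached[1] - self.skew <= self.clock():
            token = self.login(node)
            cached = self.tokens[node] = (token, jwt_expiry(token))
        return cached[0]

    def call(self, node, path):
        status, body = self.send(node, path, self._token(node))
        if status == 401:  # expired between fetch and call: renew once, retry
            status, body = self.send(node, path, self._token(node, force=True))
        return status, body

def fake_token(node, exp):
    """Constructed, unsigned JWT-shaped sample token for the offline demo."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"aud": node, "exp": exp}), "sig"])

def demo():
    """Poll node-a every 5 minutes for 9 hours against an 8 hour token lifetime."""
    now, logins, statuses = [0], [], set()
    def login(node):
        logins.append(now[0])
        return fake_token(node, now[0] + 8 * 3600)
    def send(node, path, token):
        return (200, "ok") if jwt_expiry(token) > now[0] else (401, "expired")
    cache = NodeTokenCache(login, send, clock=lambda: now[0])
    for t in range(0, 9 * 3600, 300):
        now[0] = t
        statuses.add(cache.call("node-a", "/nifi-api/<endpoint>")[0])
    return logins, statuses
if __name__ == "__main__":
    print(demo())
```

The cache is keyed by node because, as the answer notes, a token issued by one node is not accepted by the others; the service credentials used by `login` should belong to a dedicated low-privilege account.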

New Contributor

Hi @MattWho, I have built almost 20 Processor Groups, and I want to know which one has an ERROR processor while they are running. So I built a flow that calls the API */processor-group to get the bulletins for each group, so that if some group has an ERROR processor, it will PutEmail to let me know which group failed.
Detail of my flow: a 3-node cluster (a, b, c) calls the processor-group API on node a every 5 mins (I just changed it from 20 sec to 5 mins) to PutEmail when a processor has an ERROR. Is there any other way to do that?
Thank you for your above solution!

Master Guru

@ThongPham 

Sounds like you may be making a lot of unnecessary rest-api calls that could impact your NiFi's overall performance.   Have you maybe looked at using the SiteToSiteBulletinReportingTask?

This reporting task will send a FlowFile to a remote input port upon execution when bulletin(s) are produced.  That Remote Input Port could then be built into a dataflow that makes notifications via putEmail.  So instead of constantly calling the rest-api to see if something happened in the last 5 minutes, the flow will simply send something out when it happens only.

If you found this response assisted with your query, please take a moment to login and click on "Accept as Solution" below this post.

Thank you,

Matt
