
Calling nifi Api using Postman

Expert Contributor

Hi,

 

I have a secured NiFi cluster. I'm trying to call a NiFi API to start\stop a processor using Postman. I followed the instructions for the API "PUT /processors/{id}/run-status". I provided the Bearer token and the JSON body. However, I keep getting a 403 Forbidden message. Does anybody know why? I'm able to run other APIs successfully, such as getting processor info with "GET /processors/{id}"! I'm guessing it's because I'm using SSL-secured NiFi with a JKS keystore and truststore, but I'm not sure how to provide this information to Postman. Can anyone help please?

 


Master Collaborator

@SAMSAL ,

 

If your NiFi cluster was secured only with TLS (no Kerberos and/or LDAP external providers for authentication), you must have generated a client TLS certificate that you can use to authenticate with NiFi and register that certificate in your browser before you can make any calls to it.

 

If you have an external authentication provider configured, you can make a call to POST /nifi-api/access/token, passing username and password as form parameters to perform the authentication. If you're using Postman, this call will save the returned token in a cookie and you'll be able to perform the next calls as usual.

 

Otherwise, if you're using an external script, you can get the returned token and pass that as a bearer token for the subsequent calls. For example:

# Request an access token; the command substitution must enclose the whole curl call
token=$(curl \
  -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'username=admin&password=supersecret1' \
  "https://nifi.example.com:8443/nifi-api/access/token")

curl \
  -X GET \
  -H "Authorization: Bearer $token" \
  "https://nifi.example.com:8443/nifi-api/processors/d95f5430-0180-1000-ffff-ffff96c5d76f"

 

Cheers,

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Expert Contributor

Thanks Andre,

I did manage to get the token using the access/token API. However, when I provided the token in Postman as Bearer authentication I still get the 403 Forbidden response. Here is my request and response info as captured by Fiddler; let me know if you see anything wrong:

PUT https://[server name]:9443/nifi-api/processors/385fcdc0-0180-1000-0000-000030a768e3/run-status HTTP/1.1
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Keep-Alive: timeout=100, max=50000
Authorization: Bearer [access token]
User-Agent: PostmanRuntime/7.29.0
Postman-Token: 5900c41a-f704-43f3-a2e4-a425eeb22569
Host: [host name]:9443
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 215

{
"revision": {
"clientId": "8F3BD748-DBCC-4703-8743-1D98A24B95C2",
"version": 1.16,
"lastModifier": "user.name"
},
"state": "RUNNING",
"disconnectedNodeAcknowledged": true
}

 

Response:

 

HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31540000
Content-Length: 0
Server: Jetty(9.4.45.v20220203)

 

 

Master Collaborator

@SAMSAL ,

 

Have you enabled Ranger for authorization or are you managing policies in the NiFi UI?

You are probably authenticated correctly, but your user may be lacking the necessary permissions to perform the API call.

 

André

 


Expert Contributor

Hi Andre,

Not sure what you mean by "enabled Ranger for authorization". Can you please elaborate? Also, the user I'm getting the access token for is the same user that can log in to NiFi and has all kinds of permissions added to view\modify any workflow. Not sure what else I could be missing.

Thanks

 

Master Collaborator

Could you please share your authorizers.xml file?


Expert Contributor

Hi Andre,

 

I sent you the authorizers content in a private message. Thanks for your help.

Master Collaborator

Could you please also send me your authorizations.xml and users.xml files?

What's the user you're using for authentication in Postman?


Expert Contributor

I sent you both the users and authorizations xml content in private message. Thanks!

Master Collaborator

@SAMSAL ,

 

Here's what I think is happening:

  • Your user, who has id "168b019c-0180-1000-ffff-fffffbf36c3a" (from users.xml) only has access to the processor group with id "155cec02-0180-1000-6d4b-ac96d2372f41". For authorizations.xml:

 

<policy identifier="168b74d6-0180-1000-ffff-ffffd79ba94d" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="R">
  <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
  <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>
<policy identifier="168bae4a-0180-1000-ffff-ffff98c1495b" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="W">
  <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
  <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>

 

  • Your PUT command is referencing a processor with id "385fcdc0-0180-1000-0000-000030a768e3". I don't know how your canvas is organized, but my guess is that this processor does not belong inside the processor group "155cec02-0180-1000-6d4b-ac96d2372f41" and because of that the user is being denied access (403 Forbidden).

To solve that you can login to the UI using an admin user, right-click on the Process Group that contains the processor that you're trying to manipulate and click on "Manage access policies".

 

In the Access Policies page, add your user to the "view the component" and "modify the component" policies.

 

After that, try again.

 

Cheers,

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
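
The check André walks through in the reply above, as an added example (not part of the original thread and not NiFi's own code): resolve a user's group memberships from users.xml, then walk from the processor up through its parent process groups and let the nearest policy for the requested action decide. Assumptions: the sample XML is constructed from ids quoted in the thread (the write policy is made group-only here to show group resolution), the parent chain is supplied by hand because these two files do not record the canvas hierarchy, `OTHER_PG` is a placeholder, and the "nearest policy wins" rule is a simplified model of policy inheritance.

```python
import xml.etree.ElementTree as ET

USER = "168b019c-0180-1000-ffff-fffffbf36c3a"   # ids quoted in the thread
GROUP = "1966f436-0180-1000-ffff-ffffd1d17786"
PG = "/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41"
PROC = "/processors/385fcdc0-0180-1000-0000-000030a768e3"
OTHER_PG = "/process-groups/PLACEHOLDER-parent-group"  # constructed placeholder

# Constructed sample files; wrapper elements, names and policy ids are assumptions.
USERS_XML = f"""<tenants>
  <groups><group identifier="{GROUP}" name="admins"><user identifier="{USER}"/></group></groups>
  <users><user identifier="{USER}" identity="user.name"/></users>
</tenants>"""
AUTHORIZATIONS_XML = f"""<authorizations><policies>
  <policy identifier="p-read" resource="{PG}" action="R"><user identifier="{USER}"/></policy>
  <policy identifier="p-write" resource="{PG}" action="W"><group identifier="{GROUP}"/></policy>
</policies></authorizations>"""

def principals(users_xml, user_id):
    """Return the user id plus the id of every group that lists the user."""
    ids = {user_id}
    for group in ET.fromstring(users_xml).iter("group"):
        if any(u.get("identifier") == user_id for u in group.iter("user")):
            ids.add(group.get("identifier"))
    return ids

def load_policies(auth_xml):
    """Map (resource, action) to the set of user and group ids in that policy."""
    policies = {}
    for p in ET.fromstring(auth_xml).iter("policy"):
        members = {m.get("identifier") for m in p if m.tag in ("user", "group")}
        policies.setdefault((p.get("resource"), p.get("action")), set()).update(members)
    return policies

def decide(policies, who, chain, action):
    """Walk component -> parent groups; the first resource with a policy decides."""
    for resource in chain:
        members = policies.get((resource, action))
        if members is not None:
            return ("allowed" if members & who else "denied"), resource
    return "denied", None  # no policy anywhere on the chain

if __name__ == "__main__":
    who = principals(USERS_XML, USER)
    pol = load_policies(AUTHORIZATIONS_XML)
    print(decide(pol, who, [PROC, PG], "W"))        # processor inside the granted group
    print(decide(pol, who, [PROC, OTHER_PG], "W"))  # processor under a different group
```
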

Expert Contributor

Hi Andre,

Thanks again for taking the time to look into my access policy files. As you may have noticed in users.xml, I have created an admin group with id "1966f436-0180-1000-ffff-ffffd1d17786" that the user "168b019c-0180-1000-ffff-fffffbf36c3a" is part of. This user group should have access to everything on the NiFi canvas, so I'm assuming my user id will implicitly have access to everything as well. Is that correct? Even with that, I went and gave my user id explicit access to the target processor group with permission to view, modify and operate the component, but I'm still getting the 403 error! Keep in mind that when I call the same API using NiFi InvokeHTTP, providing the same access token, it only works when I provide an SSL Context Service that points to the same truststore & keystore files used to secure the NiFi instance. Could that be the problem in Postman, since I did not provide the SSL context there even though I'm using https in the URL? I'm not sure how this can be configured in Postman. Thanks for your help.
