Calling nifi Api using Postman

Super Guru

Hi,

 

I have a secured NiFi cluster. I'm trying to call a NiFi API to start\stop a processor using Postman. I followed the instructions for the API "PUT /processors/{id}/run-status". I provided the Bearer token and the JSON body. However, I keep getting a 403 Forbidden message. Does anybody know why? I'm able to run other APIs successfully, such as getting processor info with "GET /processors/{id}"! I'm guessing it's because I'm using SSL-secured NiFi with a JKS keystore and truststore, but I'm not sure how to provide this information to Postman. Can anyone help, please?

 

Super Guru

@SAMSAL ,

 

If your NiFi cluster was secured only with TLS (no Kerberos and/or LDAP external providers for authentication), you must have generated a client TLS certificate that you can use to authenticate with NiFi and registered that certificate in your browser before you can make any calls to it.

 

If you have an external authentication provider configured, you can make a call to POST /nifi-api/access/token, passing username and password as form parameters to perform the authentication. If you're using Postman, this call will save the returned token in a cookie and you'll be able to perform the next calls as usual.

 

Otherwise, if you're using an external script, you can get the returned token and pass that as a bearer token for the subsequent calls. For example:

# Request an access token (username and password sent as form parameters)
token=$(curl \
  -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'username=admin&password=supersecret1' \
  "https://nifi.example.com:8443/nifi-api/access/token")

# Pass the returned token as a bearer token on subsequent calls
curl \
  -X GET \
  -H "Authorization: Bearer $token" \
  "https://nifi.example.com:8443/nifi-api/processors/d95f5430-0180-1000-ffff-ffff96c5d76f"

 

Cheers,

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Super Guru

Thanks Andre,

I did manage to get the token using the access/token API. However, when I provided the token in Postman as Bearer authentication I still get the 403 Forbidden response. Here is my request and response info as captured by Fiddler; let me know if you see anything wrong:

PUT https://[server name]:9443/nifi-api/processors/385fcdc0-0180-1000-0000-000030a768e3/run-status HTTP/1.1
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Keep-Alive: timeout=100, max=50000
Authorization: Bearer [access token]
User-Agent: PostmanRuntime/7.29.0
Postman-Token: 5900c41a-f704-43f3-a2e4-a425eeb22569
Host: [host name]:9443
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 215

{
"revision": {
"clientId": "8F3BD748-DBCC-4703-8743-1D98A24B95C2",
"version": 1.16,
"lastModifier": "user.name"
},
"state": "RUNNING",
"disconnectedNodeAcknowledged": true
}

 

Response:

 

HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31540000
Content-Length: 0
Server: Jetty(9.4.45.v20220203)

 

 

Super Guru

@SAMSAL ,

 

Have you enabled Ranger for authorization or are you managing policies in the NiFi UI?

You are probably authenticated correctly, but your user may be lacking the necessary permissions to perform the API call.

 

André

 

Super Guru

Hi Andre,

Not sure what you mean by "enabled Ranger for authorization"? Can you please elaborate? Also, the user I'm getting the access token for is the same user that can log in to NiFi and has all kinds of permissions added to view\modify any workflow. Not sure what else I could be missing.

Thanks

 

Super Guru

Could you please share your authorizers.xml file?

Super Guru

Hi Andre,

 

I sent you the authorizers content in a private message. Thanks for your help.

Super Guru

Could you please also send me your authorizations.xml and users.xml files?

What's the user you're using for authentication in Postman?

Super Guru

I sent you both the users and authorizations XML content in a private message. Thanks!

Super Guru

@SAMSAL ,

 

Here's what I think is happening:

  • Your user, who has id "168b019c-0180-1000-ffff-fffffbf36c3a" (from users.xml), only has access to the processor group with id "155cec02-0180-1000-6d4b-ac96d2372f41". From authorizations.xml:

 

<policy identifier="168b74d6-0180-1000-ffff-ffffd79ba94d" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="R">
  <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
  <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>
<policy identifier="168bae4a-0180-1000-ffff-ffff98c1495b" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="W">
  <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
  <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>

 

  • Your PUT command is referencing a processor with id "385fcdc0-0180-1000-0000-000030a768e3". I don't know how your canvas is organized, but my guess is that this processor does not belong inside the processor group "155cec02-0180-1000-6d4b-ac96d2372f41" and because of that the user is being denied access (403 Forbidden).

To solve that, you can log in to the UI using an admin user, right-click on the Process Group that contains the processor that you're trying to manipulate and click on "Manage access policies".

 

In the Access Policies page, add your user to the "view the component" and "modify the component" policies.

 

After that, try again.

 

Cheers,

André

 

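The policy check described in the reply above, as an added example that is not part of the original thread or of NiFi's own code: it parses the two quoted policies and evaluates view (R) and modify (W) access for the processor from the PUT request. It assumes the nearest ancestor process group with a policy decides access, and it uses a placeholder id for the "other" process group because the thread does not say where the processor lives.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two policies quoted in the reply, wrapped in a root
# element so the fragment parses on its own.
GROUP_RES = "/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41"
AUTHORIZATIONS_XML = f"""<policies>
<policy identifier="168b74d6-0180-1000-ffff-ffffd79ba94d" resource="{GROUP_RES}" action="R">
  <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
  <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>
<policy identifier="168bae4a-0180-1000-ffff-ffff98c1495b" resource="{GROUP_RES}" action="W">
  <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
  <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>
</policies>"""

USER = "168b019c-0180-1000-ffff-fffffbf36c3a"
PROCESSOR_RES = "/processors/385fcdc0-0180-1000-0000-000030a768e3"
OTHER_GROUP_RES = "/process-groups/PLACEHOLDER-OTHER-GROUP-ID"  # hypothetical


def load_policies(xml_text):
    """Map (resource, action) -> set of user and group identifiers."""
    policies = {}
    for policy in ET.fromstring(xml_text).iter("policy"):
        key = (policy.get("resource"), policy.get("action"))
        members = {m.get("identifier") for m in policy if m.tag in ("user", "group")}
        policies.setdefault(key, set()).update(members)
    return policies


def is_allowed(policies, resource_chain, action, principals):
    """Assumed model: the nearest resource in the chain (component first, then
    its ancestor groups) that has a policy for this action decides."""
    for resource in resource_chain:
        members = policies.get((resource, action))
        if members is not None:
            return bool(members & set(principals))
    return False  # no policy anywhere in the chain: deny


def check(resource_chain, principals=(USER,)):
    """Return the view (R) / modify (W) decision for one ancestry chain."""
    policies = load_policies(AUTHORIZATIONS_XML)
    return {a: is_allowed(policies, resource_chain, a, principals) for a in "RW"}


if __name__ == "__main__":
    print("inside 155cec02:", check([PROCESSOR_RES, GROUP_RES]))
    print("other group:    ", check([PROCESSOR_RES, OTHER_GROUP_RES]))
```

The real ancestry chain can be built from the parent group id returned by "GET /processors/{id}", which the original poster could already call successfully.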