Created 05-18-2022 09:04 AM
Hi,
I have a secured NiFi cluster. I'm trying to call a NiFi API to start\stop a processor using Postman. I followed the instructions for the API "PUT /processors/{id}/run-status". Provided the Bearer token and the JSON body. However, I keep getting a 403 Forbidden message. Does anybody know why? I'm able to run other APIs successfully, such as getting processor info "GET /processors/{id}"! I'm guessing it's because I'm using SSL-secured NiFi with a JKS keystore and truststore, but not sure how to provide this information to Postman. Can anyone help please?
Created 05-18-2022 04:13 PM
@SAMSAL ,
If your NiFi cluster was secured only with TLS (no Kerberos and/or LDAP external providers for authentication), you must have generated a client TLS certificate that you can use to authenticate with NiFi and registered that certificate in your browser before you can make any calls to it.
If you have an external authentication provider configured, you can make a call to POST /nifi-api/access/token, passing username and password as form parameters to perform the authentication. If you're using Postman, this call will save the returned token in a cookie and you'll be able to perform the next calls as usual.
Otherwise, if you're using an external script, you can get the returned token and pass that as a bearer token for the subsequent calls. For example:
# the token endpoint returns the raw token as the response body
token=$(curl \
-X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'username=admin&password=supersecret1' \
"https://nifi.example.com:8443/nifi-api/access/token")
curl \
-X GET \
-H "Authorization: Bearer $token" \
"https://nifi.example.com:8443/nifi-api/processors/d95f5430-0180-1000-ffff-ffff96c5d76f"
Cheers,
André
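The same token-then-call sequence, written as an added Python example that is not from this thread or from the NiFi project. The host, processor id and CA bundle path are placeholders; the password is read from a NIFI_PASSWORD environment variable (an assumption). Because Postman, curl and Python cannot read a JKS file directly, the truststore's CA certificate is assumed to have been exported to PEM for the cafile argument. The example also fetches the current revision with GET /processors/{id} before the PUT, since NiFi's optimistic locking rejects a PUT whose revision does not match the server's, and it labels a 401 versus a 403 the way the replies below distinguish authentication from authorization.

```python
import json
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions): replace with your NiFi host, the processor id,
# and the CA certificate(s) from your truststore exported to PEM.
BASE_URL = "https://nifi.example.com:8443/nifi-api"
PROCESSOR_ID = "d95f5430-0180-1000-ffff-ffff96c5d76f"
CA_BUNDLE = "/path/to/nifi-ca.pem"


def build_token_request(base_url, username, password):
    """POST /access/token with the credentials as form parameters."""
    form = urllib.parse.urlencode({"username": username, "password": password})
    return urllib.request.Request(
        f"{base_url}/access/token",
        data=form.encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def build_get_request(base_url, processor_id, token):
    """GET /processors/{id}; its 'revision' object is reused in the PUT."""
    return urllib.request.Request(
        f"{base_url}/processors/{processor_id}",
        headers={"Authorization": f"Bearer {token}"},
    )


def build_run_status_request(base_url, processor_id, token, revision, state):
    """PUT /processors/{id}/run-status with the Bearer token and JSON body."""
    body = {
        "revision": revision,  # as returned by the GET, so version and clientId match
        "state": state,  # "RUNNING" or "STOPPED"
        "disconnectedNodeAcknowledged": False,
    }
    return urllib.request.Request(
        f"{base_url}/processors/{processor_id}/run-status",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )


def explain_status(code):
    """Map the two failure codes discussed in the thread to their cause."""
    if code == 401:
        return "not authenticated: token missing, expired or rejected"
    if code == 403:
        return "authenticated, but no access policy grants this user the action"
    return f"HTTP {code}"


def send(req, cafile):
    """Send a request, verifying the server certificate against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def set_processor_state(base_url, processor_id, username, password, state, cafile):
    token = send(build_token_request(base_url, username, password), cafile)
    current = json.loads(send(build_get_request(base_url, processor_id, token), cafile))
    req = build_run_status_request(base_url, processor_id, token, current["revision"], state)
    try:
        return json.loads(send(req, cafile))
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"run-status failed: {explain_status(err.code)}") from err


if __name__ == "__main__":
    result = set_processor_state(
        BASE_URL, PROCESSOR_ID, "admin", os.environ["NIFI_PASSWORD"], "STOPPED", CA_BUNDLE
    )
    print(result["status"]["runStatus"])
```

Note that a 403 from the PUT while the GET succeeds is not a TLS problem: TLS failures surface as connection or certificate errors before any HTTP status is returned.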
Created on 05-18-2022 04:30 PM - edited 05-18-2022 04:31 PM
Thanks Andre,
I did manage to get the token using the access/token API. However, when I provided the token in Postman as Bearer authentication I still get the 403 Forbidden response. Here is my request and response info as captured by Fiddler, let me know if you see anything wrong:
PUT https://[server name]:9443/nifi-api/processors/385fcdc0-0180-1000-0000-000030a768e3/run-status HTTP/1.1
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Keep-Alive: timeout=100, max=50000
Authorization: Bearer [access token]
User-Agent: PostmanRuntime/7.29.0
Postman-Token: 5900c41a-f704-43f3-a2e4-a425eeb22569
Host: [host name]:9443
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 215
{
"revision": {
"clientId": "8F3BD748-DBCC-4703-8743-1D98A24B95C2",
"version": 1.16,
"lastModifier": "user.name"
},
"state": "RUNNING",
"disconnectedNodeAcknowledged": true
}
Response:
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31540000
Content-Length: 0
Server: Jetty(9.4.45.v20220203)
Created 05-18-2022 06:06 PM
@SAMSAL ,
Have you enabled Ranger for authorization or are you managing policies in the NiFi UI?
You are probably authenticated correctly, but your user may be lacking the necessary permissions to perform the API call.
André
Created on 05-19-2022 01:10 PM - edited 05-19-2022 01:11 PM
Hi Andre,
Not sure what you mean by "enabled Ranger for authorization"? Can you please elaborate? Also, the user I'm getting the access token for is the same user that can log in to NiFi and has all kinds of permissions added to view\modify any workflow. Not sure what else I could be missing.
Thanks
Created 05-19-2022 02:48 PM
Could you please share your authorizers.xml file?
Created 05-19-2022 02:58 PM
Hi Andre,
I sent you the authorizers content in a private message. Thanks for your help
Created 05-19-2022 04:26 PM
Could you please also send me your authorizations.xml and users.xml files?
What's the user you're using for authentication in Postman?
Created 05-19-2022 06:40 PM
I sent you both the users and authorizations xml content in private message. Thanks!
Created on 05-19-2022 08:14 PM - edited 05-19-2022 08:15 PM
@SAMSAL ,
Here's what I think is happening:
<policy identifier="168b74d6-0180-1000-ffff-ffffd79ba94d" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="R">
<group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
<user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>
<policy identifier="168bae4a-0180-1000-ffff-ffff98c1495b" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="W">
<group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
<user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>
To solve that you can log in to the UI using an admin user, right-click on the Process Group that contains the processor that you're trying to manipulate and click on "Manage access policies".
In the Access Policies page, add your user to the "view the component" and "modify the component" policies.
After that, try again.
Cheers,
André
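As an added example (not from this thread or from the NiFi project), the following Python check reads users.xml and authorizations.xml and answers the question André was working through: which actions a given identity is granted on a resource, directly or through group membership. The sample XML is constructed around the policy snippet above; the group name and the users "alice" and "bob" are invented. The check matches the resource string exactly and does not model NiFi's inheritance from the parent process group, so pass the resource the policy was actually created on (here, the process group).

```python
import xml.etree.ElementTree as ET

# Constructed users.xml, modelled on NiFi's file-based tenant store (assumption).
USERS_XML = """<tenants>
  <groups>
    <group identifier="1966f436-0180-1000-ffff-ffffd1d17786" name="operators">
      <user identifier="aaaa0000-0180-1000-ffff-ffff00000001"/>
    </group>
  </groups>
  <users>
    <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a" identity="admin"/>
    <user identifier="aaaa0000-0180-1000-ffff-ffff00000001" identity="alice"/>
    <user identifier="bbbb0000-0180-1000-ffff-ffff00000002" identity="bob"/>
  </users>
</tenants>"""

# Constructed authorizations.xml containing the two policies quoted in the thread.
AUTHZ_XML = """<authorizations>
  <policies>
    <policy identifier="168b74d6-0180-1000-ffff-ffffd79ba94d"
            resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="R">
      <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
      <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
    </policy>
    <policy identifier="168bae4a-0180-1000-ffff-ffff98c1495b"
            resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="W">
      <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
      <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
    </policy>
  </policies>
</authorizations>"""

PROCESS_GROUP = "/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41"


def load_tenants(users_xml):
    """Return (identity -> user identifier, user identifier -> set of group identifiers)."""
    root = ET.fromstring(users_xml)
    # group membership entries are also <user> elements, but carry no identity attribute
    id_by_identity = {u.get("identity"): u.get("identifier")
                      for u in root.iter("user") if u.get("identity")}
    groups_of = {}
    for group in root.find("groups").iter("group"):
        for member in group.iter("user"):
            groups_of.setdefault(member.get("identifier"), set()).add(group.get("identifier"))
    return id_by_identity, groups_of


def granted_actions(users_xml, authz_xml, identity, resource):
    """Set of actions ("R", "W") that policies on `resource` grant to `identity`."""
    id_by_identity, groups_of = load_tenants(users_xml)
    uid = id_by_identity.get(identity)
    if uid is None:
        return set()  # identity unknown to NiFi: every policy check fails
    my_groups = groups_of.get(uid, set())
    actions = set()
    for policy in ET.fromstring(authz_xml).iter("policy"):
        if policy.get("resource") != resource:
            continue
        users = {u.get("identifier") for u in policy.findall("user")}
        groups = {g.get("identifier") for g in policy.findall("group")}
        if uid in users or my_groups & groups:
            actions.add(policy.get("action"))
    return actions


def can_modify(users_xml, authz_xml, identity, resource):
    """True when the identity holds the "modify the component" (W) policy."""
    return "W" in granted_actions(users_xml, authz_xml, identity, resource)


if __name__ == "__main__":
    for who in ("admin", "alice", "bob"):
        print(who, sorted(granted_actions(USERS_XML, AUTHZ_XML, who, PROCESS_GROUP)))
```

The identity string must match the authenticated identity exactly as NiFi sees it after any identity mapping (for example a certificate DN or an LDAP username), so when a user who can log in to the UI still gets a 403 from the API, compare the identity attribute in users.xml with the identity shown in the UI's top-right corner.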