Calling nifi Api using Postman
Labels: Apache NiFi
Created ‎05-18-2022 09:04 AM
Hi,
I have a secured NiFi cluster. I'm trying to call a NiFi API to start\stop a processor using Postman. I followed the instructions for the API "PUT /processors/{id}/run-status" and provided the Bearer token and the JSON body. However, I keep getting a 403 Forbidden message. Does anybody know why? I'm able to run other APIs successfully, such as getting processor info with "GET /processors/{id}"! I'm guessing it's because I'm using SSL-secured NiFi with a JKS keystore and truststore, but I'm not sure how to provide this information to Postman. Can anyone help, please?
Created ‎05-18-2022 04:13 PM
@SAMSAL ,
If your NiFi cluster was secured only with TLS (no Kerberos and/or LDAP external providers for authentication), you must have generated a client TLS certificate that you can use to authenticate with NiFi, and you must register that certificate in your browser before you can make any calls to it.
If you have an external authentication provider configured, you can make a call to POST /nifi-api/access/token, passing username and password as form parameters to perform the authentication. If you're using Postman, this call will save the returned token in a cookie and you'll be able to perform the next calls as usual.
Otherwise, if you're using an external script, you can get the returned token and pass that as a bearer token for the subsequent calls. For example:
# Request an access token; the response body is the token itself
token=$(curl \
  -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'username=admin&password=supersecret1' \
  "https://nifi.example.com:8443/nifi-api/access/token")
# Use the token as a bearer token on subsequent calls
curl \
  -X GET \
  -H "Authorization: Bearer $token" \
  "https://nifi.example.com:8443/nifi-api/processors/d95f5430-0180-1000-ffff-ffff96c5d76f"
Cheers,
André
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Created on ‎05-18-2022 04:30 PM - edited ‎05-18-2022 04:31 PM
Thanks Andre,
I did manage to get the token using the access/token API. However, when I provided the token in Postman as Bearer authentication I still get the 403 Forbidden response. Here is my request and response info as captured by Fiddler; let me know if you see anything wrong:
PUT https://[server name]:9443/nifi-api/processors/385fcdc0-0180-1000-0000-000030a768e3/run-status HTTP/1.1
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Keep-Alive: timeout=100, max=50000
Authorization: Bearer [access token]
User-Agent: PostmanRuntime/7.29.0
Postman-Token: 5900c41a-f704-43f3-a2e4-a425eeb22569
Host: [host name]:9443
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 215
{
"revision": {
"clientId": "8F3BD748-DBCC-4703-8743-1D98A24B95C2",
"version": 1.16,
"lastModifier": "user.name"
},
"state": "RUNNING",
"disconnectedNodeAcknowledged": true
}
Response:
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31540000
Content-Length: 0
Server: Jetty(9.4.45.v20220203)
Created ‎05-18-2022 06:06 PM
@SAMSAL ,
Have you enabled Ranger for authorization or are you managing policies in the NiFi UI?
You are probably authenticated correctly, but your user may be lacking the necessary permissions to perform the API call.
André
Created on ‎05-19-2022 01:10 PM - edited ‎05-19-2022 01:11 PM
Hi Andre,
Not sure what you mean by "enabled Ranger for authorization"? Can you please elaborate? Also, the user I'm getting the access token for is the same user that can log in to NiFi and has all kinds of permissions added to view\modify any workflow. Not sure what else I could be missing.
Thanks
Created ‎05-19-2022 02:48 PM
Could you please share your authorizers.xml file?
Created ‎05-19-2022 02:58 PM
Hi Andre,
I sent you the authorizers content in a private message. Thanks for your help.
Created ‎05-19-2022 04:26 PM
Could you please also send me your authorizations.xml and users.xml files?
What's the user you're using for authentication in Postman?
Created ‎05-19-2022 06:40 PM
I sent you both the users and authorizations xml content in private message. Thanks!
Created on ‎05-19-2022 08:14 PM - edited ‎05-19-2022 08:15 PM
@SAMSAL ,
Here's what I think is happening:
- Your user, who has id "168b019c-0180-1000-ffff-fffffbf36c3a" (from users.xml), only has access to the processor group with id "155cec02-0180-1000-6d4b-ac96d2372f41". From authorizations.xml:
<policy identifier="168b74d6-0180-1000-ffff-ffffd79ba94d" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="R">
    <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
    <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>
<policy identifier="168bae4a-0180-1000-ffff-ffff98c1495b" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="W">
    <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
    <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
</policy>
- Your PUT command is referencing a processor with id "385fcdc0-0180-1000-0000-000030a768e3". I don't know how your canvas is organized, but my guess is that this processor does not belong inside the processor group "155cec02-0180-1000-6d4b-ac96d2372f41" and because of that the user is being denied access (403 Forbidden).
To solve that, you can log in to the UI using an admin user, right-click on the Process Group that contains the processor that you're trying to manipulate and click on "Manage access policies".
In the Access Policies page, add your user to the "view the component" and "modify the component" policies.
After that, try again.
Cheers,
André
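The policy lookup described in the answer above, as an added example that is not part of the original thread and not NiFi's own code: it parses the two quoted policies and checks whether the user holds both "view" (R) and "modify" (W) on a processor, taking the first policy found on the way up from the component to its parent groups as the deciding one. The `<authorizations><policies>` wrapper, the ancestor chains and the second process-group id are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two policies quoted in the answer, wrapped in an
# <authorizations><policies> envelope so the snippet parses on its own.
AUTHORIZATIONS_XML = """
<authorizations><policies>
  <policy identifier="168b74d6-0180-1000-ffff-ffffd79ba94d" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="R">
    <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
    <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
  </policy>
  <policy identifier="168bae4a-0180-1000-ffff-ffff98c1495b" resource="/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41" action="W">
    <group identifier="1966f436-0180-1000-ffff-ffffd1d17786"/>
    <user identifier="168b019c-0180-1000-ffff-fffffbf36c3a"/>
  </policy>
</policies></authorizations>
"""

USER = "168b019c-0180-1000-ffff-fffffbf36c3a"
GRANTED_PG = "/process-groups/155cec02-0180-1000-6d4b-ac96d2372f41"
PROCESSOR = "/processors/385fcdc0-0180-1000-0000-000030a768e3"
OTHER_PG = "/process-groups/00000000-0000-0000-0000-00000000aaaa"  # hypothetical parent


def load_policies(xml_text):
    """Map (resource, action) -> set of user/group identifiers on that policy."""
    policies = {}
    for p in ET.fromstring(xml_text).iter("policy"):
        members = {m.get("identifier") for m in p if m.tag in ("user", "group")}
        policies[(p.get("resource"), p.get("action"))] = members
    return policies


def is_allowed(policies, chain, action, user_id, group_ids=()):
    """chain lists the component first, then its parent groups up to the root.
    The first resource that has a policy for this action decides the outcome."""
    principals = {user_id, *group_ids}
    for resource in chain:
        members = policies.get((resource, action))
        if members is not None:
            return bool(members & principals)
    return False  # no policy anywhere on the chain: deny


def can_change_run_status(policies, chain, user_id, group_ids=()):
    """Checks the two component policies the answer asks for: view (R) and modify (W)."""
    return all(is_allowed(policies, chain, a, user_id, group_ids) for a in ("R", "W"))
```

With the chain `[PROCESSOR, GRANTED_PG]` the check passes; with `[PROCESSOR, OTHER_PG]` it fails, which is the situation the answer suspects behind the 403.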
