Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

How to access NiFi API on a secure NiFi instance

Labels:
avatar
author-rank Raj_B
Expert Contributor

Created ‎04-06-2017 01:59 PM

Hello,

In a secure NiFi instance (LDAP/SSL), our users are unable to access the NiFi API. When this URL - https://nifiserver:8077/nifi-api/system-diagnostics - is launched in a browser, this error shows up : "Unable to perform the desired action due to insufficient permissions. Contact the system administrator."

In NiFi Admin guide's access policies (https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#access-policies), I did not find anything related to granting permissions for NiFi API access.

So, how do you let users access NiFi API in a secure environment.

Thanks.

5,135 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎04-06-2017 02:40 PM

@Raj B

There is no specific policy specific to complete nifi-api access. Different nifi-api end-points will require that the user making the call to that end-point has the equivalent access policy.

For example, in order for a user to view the "system diagnostics" via the NiFi UI, the user will need to have bee granted the global policy "view system diagnostics". 

curl 'https://<hostname>:<port>/nifi-api/system-diagnostics' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuaWZpYWRtaW4iLCJpc3MiOiJMZGFwUHJvdmlkZXIiLCJhdWQiOiJMZGFwUHJvdmlkZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJuaWZpYWRtaW4iLCJraWQiOjEsImV4cCI6MTQ5MTUyNzg0OSwiaWF0IjoxNDkxNDg0NjQ5fQ.1xou9lsBLBMaNuUUGJjebuYE1E8dzGWA7IPzb6_vEv0' --compressed --insecure

The "Bearer" presented in the rest-api call will be checked against the access policies assigned to that user.

Just remember that everything you do via NiFi's UI, are nothing more then calls to nifi-api.

Thanks,

Matt

View solution in original post

4,196 Views
3 REPLIES 3

avatar
author-rank MattWho author-rank
Super Mentor

Created ‎04-06-2017 02:40 PM

@Raj B

There is no specific policy specific to complete nifi-api access. Different nifi-api end-points will require that the user making the call to that end-point has the equivalent access policy.

For example, in order for a user to view the "system diagnostics" via the NiFi UI, the user will need to have bee granted the global policy "view system diagnostics". 

curl 'https://<hostname>:<port>/nifi-api/system-diagnostics' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuaWZpYWRtaW4iLCJpc3MiOiJMZGFwUHJvdmlkZXIiLCJhdWQiOiJMZGFwUHJvdmlkZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJuaWZpYWRtaW4iLCJraWQiOjEsImV4cCI6MTQ5MTUyNzg0OSwiaWF0IjoxNDkxNDg0NjQ5fQ.1xou9lsBLBMaNuUUGJjebuYE1E8dzGWA7IPzb6_vEv0' --compressed --insecure

The "Bearer" presented in the rest-api call will be checked against the access policies assigned to that user.

Just remember that everything you do via NiFi's UI, are nothing more then calls to nifi-api.

Thanks,

Matt

4,197 Views

avatar
author-rank Raj_B
Expert Contributor

Created ‎04-06-2017 02:44 PM

Thanks @Matt Clarke, your last sentence ("everything you do via NiFi's UI, are nothing more then calls to nifi-api") cleared it all up for me.

4,196 Views
0 Kudos

avatar
author-rank ilavarasu_p
New Contributor

Created ‎04-29-2019 01:14 PM

Hi,

I am able to successfully access the /nifi-api/tenants/user-groups rest API using curl with --insecure option.

But I get 403 error for an equivalent code in Java.

Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: https://localhost:8080/nifi-api/tenants/user-groups

Could you please advice?

Java code:

url = new URL(endPoint);
conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(sslsocketfactory);
conn.setDoInput(true);
conn.setDoOutput(true);
conn.setRequestMethod("GET");
conn.setRequestProperty("Accept-Encoding", "gzip, deflate, br");
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
conn.setRequestProperty("Accept", "*/*");
conn.setRequestProperty("Authorization", "Bearer " + "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1uaWZpLWFkbWluLG91PXVzZXJzLGRjPWV4YW1wbGUsZGM9b3JnIiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibmlmaS1hZG1pbiIsImtpZCI6NSwiZXhwIjoxNTU2NTQ5NDkzLCJpYXQiOjE1NTY1MDYyOTN9.arWkNU_4K0VWc_v-FgERgjcNeU8-EjpyOP74-4pHkHs");

bufferedreader = new BufferedReader(new InputStreamReader(new GZIPInputStream(conn.getInputStream())));

String response;
while ((response = bufferedreader.readLine()) != null) {
    System.out.println("Response = " + response);
}
4,196 Views
0 Kudos
webinar banner
Announcements
What's New @ Cloudera
Cloudera Operational Database (COD) supports instance group ...
What's New @ Cloudera
Cloudera Operational Database (COD) has updated the instanc...
What's New @ Cloudera
Cloudera Operational Database (COD) supports configuring roo...
What's New @ Cloudera
Cloudera Operational Database (COD) has updated the HDFS ins...
Product Announcements
[ANNOUNCE] CDP Private Cloud Base 7.1.7 Service Pack 3 Relea...
View More Announcements
meetups banner