Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Issues with GetHttp and NTLM authentication in NiFi,Consuming HTTP API with NTLM auth doesn't work

Labels:
avatar
author-rank michael_kalika
Contributor

Created ‎11-23-2016 04:14 PM

I'm trying to consume API protected with NTLM authentication [Windows server]. I configured GetHttp process with Url of the server and username + password.

Username in a format of domain/username. I doubled checked the credentials and they are fine.

The GetHttp doesn't work and I am getting 401 [unauthorized] error from the API server.

Here's NiFi log output:

2016-11-23 17:45:22,272 WARN [Timer-Driven Process Thread-7]
o.a.http.impl.auth.HttpAuthenticator NEGOTIATE authentication error: No valid
credentials provided (Mechanism level: No valid credentials provided (Mechanism
level: Failed to find any Kerberos tgt))
2016-11-23 17:45:22,272 WARN [Timer-Driven Process Thread-7]
o.a.http.impl.auth.HttpAuthenticator NTLM authentication error: Credentials
cannot be used for NTLM authentication:
org.apache.http.auth.UsernamePasswordCredentials
2016-11-23 17:45:22,274 ERROR [Timer-Driven Process
Thread-7] o.a.nifi.processors.standard.GetHTTP
GetHTTP[id=91ce7dfd-0158-1000-1c53-cf24cf132983] received status code
401:Unauthorized from http://internal.api.ep/dosomething

I will appreciate any recommendation how to work this out.

Thank you!

8,469 Views
1 ACCEPTED SOLUTION

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-23-2016 05:18 PM

Looks like gethttp does not support nt authentication from looking at the code. if you open a jira we can get it added and have a patch available.

View solution in original post

7,532 Views
0 Kudos
12 REPLIES 12

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-23-2016 04:17 PM

try adding this to the wifi bootstrap.. http.auth.ntlm.domain = your domain ..

or you can add username@domain as the user.

6,936 Views
0 Kudos

avatar
author-rank michael_kalika
Contributor

Created ‎11-23-2016 04:28 PM

Thank you! I've just tried both ways and it doesn't work. Anything else I can do?

6,936 Views
0 Kudos

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-23-2016 04:30 PM

did you add like so to nifi bootstrap

jvm.args.x(+1 the last arg)=-Dhttp.auth.ntlm.domain=hortonworks.com (replace with your domain)/

6,936 Views
0 Kudos

avatar
author-rank michael_kalika
Contributor

Created ‎11-23-2016 04:41 PM

yes, I added the line in bootstrap.conf configuration as you recommended:

http.auth.ntlm.domain=mydomain

still doesn't work

6,936 Views
0 Kudos

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-23-2016 04:34 PM

alternatively you can try entering username like so "hortonworks.com\karthik"

6,936 Views
0 Kudos

avatar
author-rank michael_kalika
Contributor

Created ‎11-23-2016 04:40 PM

Thank you! this is is exactly what I did... I tried it with domain\username, username@domain. Also changed bootstrap.conf configuration as you recommended:

http.auth.ntlm.domain=mydomain

still doesn't work...

6,936 Views
0 Kudos

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎11-23-2016 05:18 PM

Looks like gethttp does not support nt authentication from looking at the code. if you open a jira we can get it added and have a patch available.

7,533 Views
0 Kudos

avatar
author-rank michael_kalika
Contributor

Created ‎11-23-2016 08:13 PM

done! thank you very much!

https://issues.apache.org/jira/browse/NIFI-3096

6,936 Views
0 Kudos

avatar
author-rank knarayanan author-rank
Super Collaborator

Created ‎12-01-2016 04:23 AM

I have done the needed code changes. Unfortunately i do not have a way to test this. If i sent you the NAR with the code change, would you be able to test it. Basically, just swap out the nifi-standar-nar-x.x.x from the lib, with the one i send you. Please test it on a local, non-prod instance.

6,936 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements