Hello,
I'm trying to start/stop a processor using the NiFi API in a kerberized NiFi cluster (Cloudera Data Flow) but the PUT request to do it fails in identifying the authenticated user. Other requests like get processor information, get current user information, etc. works fine.
I'm running the process in a bash script in the same machine as the NiFi node. I have just one node in this environment with load balancer.
Here is the process I follow:
1. Create kerberos token in the system (kinit my.username)
2. Create NiFi token calling the /access/kerberos endpoint
curl -k -X POST --negotiate -u : "https://node-ip:8443/nifi-api/access/kerberos"
3.Store the token in a variable and check I'm authenticated
curl -k --header "Authorization: Bearer $token" "https://node-ip:8443/nifi-api/access" {"accessStatus":{"identity":"my.username","status":"ACTIVE","message":"Access Granted: Token authenticated."}}
4.Get processor information -> OK
curl -k --header "Authorization: Bearer $token" "https://node-ip:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5"
nifi-user.log
2023-03-30 08:35:04,316 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started node-ip [<my.username><CN=node-host, O=Default Company Ltd, L=Default City, C=XX>] GET https://node-host:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5
2023-03-30 08:35:04,318 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [my.username] node-ip GET https://node-host:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5
5. PUT to stop de processor -> Fails
curl -k -X PUT --header "Autorization: Bearer $token" -H 'Content-Type: application/json' -H 'Accept: application/json' --data '{"revision":{"version":0,"clientId":"2be2965c-0187-1000-ae7e-fa5be1baf085"},"state":"STOPPED"}' "https://node-ip:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5/run-status"
nifi-user.log
2023-03-30 08:44:09,318 INFO [NiFi Web Server-46774] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started node-ip [<anonymous>] PUT https://node-ip:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5/run-status
2023-03-30 08:44:09,318 INFO [NiFi Web Server-46774] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [anonymous] node-ip PUT https://node-ip:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5/run-status
2023-03-30 08:44:09,323 INFO [NiFi Web Server-46778] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started node-ip [<><CN=node-host, O=Default Company Ltd, L=Default City, C=XX>] PUT https://node-host:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5/run-status
2023-03-30 08:44:09,325 INFO [NiFi Web Server-46778] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [anonymous] node-ip PUT https://node-host:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5/run-status
2023-03-30 08:44:09,338 INFO [NiFi Web Server-46776] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started node-ip [<><CN=node-host, O=Default Company Ltd, L=Default City, C=XX>] PUT https://node-host:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5/run-status
2023-03-30 08:44:09,340 INFO [NiFi Web Server-46776] o.a.n.w.s.NiFiAuthenticationFilter Authentication Success [anonymous] node-ip PUT https://node-host:8443/nifi-api/processors/1e4ebf99-0181-1000-0000-000063a3fcd5/run-status
curl returned error
Node node-host:8443 is unable to fulfill this request due to: No applicable policies could be found. Contact the system administrator.
As you can see, in the PUT request the username appears as "anonymous" instead of "my.username". Ranger audit logs show same info: username anonymous instead of my.username so the request is denied.
Could anyone give me some recomendation to troubleshoot this case?
Of course, same username works perfectly in the NiFi GUI
Thank you very much!
