Created 06-21-2023 09:51 AM
Hi NIFI Team,
We have currently installed NIFI with OIDC configuration which is working perfectly fine using the UI without any issues.
But when using NIFI toolkit commands and providing a Bearer token we are receiving an "Unauthorized error".
Does NiFi provide any endpoint to get the OIDC token separately, which can then be used in the Toolkit commands? Or please suggest if there is any other approach by which we can make a successful call to NIFI from the NiFi Toolkit.
Thanks in advance
Created 08-10-2023 12:28 PM
@ravi_tadepally
The NiFi CLI toolkit currently only supports authentication with client certificate, client certificate with proxied user identity or basic auth (via basic auth token). There is no option to obtain a token via OIDC authentication method.
Using token-based authentication to perform other NiFi Toolkit CLI commands is probably not the best approach. Tokens have a limited life and are only valid for use interacting with the specific NiFi instance from which they were issued.
The better approach would be to create a cli-nifi.properties file with a proxied entity (this would be your OIDC user identity):
baseUrl=https://<nifi-hostname>:<NiFi-port>
keystore=/path/to/<nifi-keystore.jks>
keystoreType=JKS
keystorePasswd=<nifi-keystore-password>
keyPasswd=<nifi-key-password>
truststore=/path/to/truststore.jks
truststoreType=JKS
truststorePasswd=<nifi-truststore-password>
proxiedEntity=<OIDC username>
In a NiFi cluster, the NiFi keystore certificate should already be authorized to "proxy user requests". The "-p cli-nifi.properties" option in the NiFi CLI toolkit will utilize the config file above to authenticate via the NiFi node certificate and then make authorized requests on behalf of the proxied entity. So, no need to directly authenticate and obtain a token for that proxied entity.
example:
./cli.sh nifi cluster-summary -p cli-nifi.properties
would return the following, provided the proxied entity is authorized for that endpoint data:
Total node count: 3
Connected node count: 3
Clustered: true
Connected to cluster: true
If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.
Thank you,
Matt
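A pre-flight check for the cli-nifi.properties file described in the answer above, as an added example that is not part of the original post or of the NiFi toolkit. The file holds the node keystore passwords, and that certificate is authorized to "proxy user requests", so the check covers the keys from the answer, an https baseUrl and owner-only file permissions. The function names prop and check_cli_props are hypothetical, and treating keyPasswd as optional is an assumption.

```shell
#!/bin/sh
# Added example: lint a NiFi CLI properties file before passing it to -p.
# check_cli_props FILE -> prints findings, returns the number of problems.

# Read the value of key $2 from key=value file $1 (last occurrence wins).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

check_cli_props() {
    f=$1; problems=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }

    # Keys from the properties file in the answer (keyPasswd left optional).
    for k in baseUrl keystore keystoreType keystorePasswd \
             truststore truststoreType truststorePasswd proxiedEntity; do
        if [ -z "$(prop "$f" "$k")" ]; then
            echo "missing or empty: $k"; problems=$((problems + 1))
        fi
    done

    # Client-certificate authentication only happens over TLS.
    case "$(prop "$f" baseUrl)" in
        https://*) ;;
        *) echo "baseUrl is not https"; problems=$((problems + 1)) ;;
    esac

    # The file holds keystore passwords: group/other must have no access.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f is accessible to group/other (chmod 600)"
        problems=$((problems + 1))
    fi

    # Same for the keystore itself, when the path exists on this host.
    ks=$(prop "$f" keystore)
    if [ -f "$ks" ] && [ "$(ls -ld "$ks" | cut -c5-10)" != "------" ]; then
        echo "$ks is accessible to group/other"; problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it as `check_cli_props cli-nifi.properties && ./cli.sh nifi cluster-summary -p cli-nifi.properties` so the toolkit is only invoked when the file passes.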
Created 06-21-2023 11:11 PM
Hello ravi_tadepally,
First of all, check your Authentication Configuration, Verify Token Generation, Check Token Authorization, Investigate Error Logs, Validate OIDC Configuration.
I hope this will help.
Thanks
Created 07-19-2023 07:12 AM
Hi Lorecrook5,
Thank you for your reply.
I have verified the OIDC configuration used for NIFI and toolkit. In case of NIFI I am able to login to UI using OIDC configuration without any issues. But when using toolkit commands especially when running "access-token" cli command from toolkit I am getting below error.
"ERROR: Error executing command 'get-access-token' : Error performing login: Username/Password login not supported by this NiFi."
So my question here is if there is any command or endpoint that NIFI provides to get the OIDC token which can be used as a bearer token to pass on to rest of the commands? Without the token we are not able to perform any operations using other commands.
Appreciate your help on this. Thanks in advance.
Created 08-10-2023 01:30 PM
Hi @MattWho,
Thank you for your prompt response. The solution you have provided actually worked.
Thanks for your help!
Created 08-10-2023 10:39 AM
Hi,
Any suggestions on the above topic are greatly appreciated.