Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Nifi invalid access token rest api

Labels:
avatar
author-rank KD9
New Contributor

Created ‎09-29-2022 12:32 PM

Hello Everyone,

 

We are triggering our Nifi processors (version 1.16.2 , LDAP integrated ) through Curl within cron job. Curl is invoking the processor using access token (as we moved from http call to https)

 

Generating access token :

 

curl https://$hostip:$port/nifi-api/access/token -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' --data 'username="${ldapusername}"&password="${ldappassword}"' '--compressed --insecure

 

 

Curl invoking Nifi processor using acces token stored in variable $nifi_token :

 

curl -i -H 'Content-Type: application/json' -H 'Authorization:Bearer '$nifi_token -XPUT -d '{"id":"'${processorid }'","state":"STOPPED"}' https://$hostip:$port/nifi-api/flow/process-groups/$processorid '--insecure'

 

But it is failing for token expiration :

 

WWW-Authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Expired JWT", error_uri="https://tools.ietf.org/html/rfc6750#section Server: Jetty(9.4.46.v20220331)

 

How can we set this access token to not expire ?

Or can we not used access token and using LDAP credentials within curl script to invoke the Nifi processors.

 

We tried modifying "nifi.security.user.jws.key.rotation.period" property to set the expiration duration in nifi.properties following 

https://exceptionfactory.com/posts/2021/10/23/improving-jwt-authentication-in-apache-nifi/
https://en.wikipedia.org/wiki/ISO_8601#Durations
https://nifi.apache.org/docs/nifi-docs/rest-api/index.html

but still it fails and the curl is unable to trigger the Nifi processor.

 

Thank you in advance !

2,344 Views
0 Kudos
0
1 REPLY 1

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎09-30-2022 02:31 PM

@KD9   How long the NiFi server will validate a clients token is configured within the login-identity-providers.xml file via the following property:

Authentication Expiration

When setting up an automated process, using client tokens is not the best method.  A better option would be to authenticate your client via a client certificate.   With a client certificate, there is not need to obtain a token.  That Client certificate will continue to work for the life of the certificate (certificates do have a valid until date set when you generate the certificate).   So instead of passing a bearer token in your curl command, you would use your client pem key.   The owner DN from the client certificate would be used as the user identity that you would then need to authorize in NiFi for the rest-api endpoint(s) needed for your automation.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,

Matt



2,308 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements