I built a secured NiFi cluster authenticated by Kerberos and used the TLS toolkit in standalone mode to generate client certificates.
I am able to use NiFi Rest Api to access the unsecured cluster.
When I want to use the username/password of a principal created in Kerberos to build a REST call for a secured cluster in curl, I get the error below.
Unknown user with identity 'anonymous'. Contact the system administrator.
I was wondering whether I should install some certificate in my local machine to use curl.
Hi @Alvin Jin,
Please ensure that you enable the kerberos-provider section in login-identity-providers.xml:
<provider>
    <identifier>kerberos-provider</identifier>
    <class>org.apache.nifi.kerberos.KerberosProvider</class>
    <property name="Default Realm">NIFI.APACHE.ORG</property>
    <property name="Authentication Expiration">12 hours</property>
</provider>
This is a two-step process: first extract a bearer token, then use that token to post the requests.
Step 1 (get the token):
kinit <username-pwd or kerberos key_tab_with_princ>
token=$(curl -k -X POST --negotiate -u : https://<nifi-hostname>:9091/nifi-api/access/kerberos)
Step 2 (get the data):
curl -k -X GET 'https://<nifi-hostname>:9091/nifi-api/flow/status' -H 'Authorization: Bearer $token' --compressed
Thank you for your response. I did enable the kerberos-provider section.
I guess I need to install krb5-user on the machine I will run the above commands on, right?
I was just wondering whether I need to use keytool to import nifi-cert.pem in my machine?
What's the usage of nifi-cert.pem generated by the tls-tool?
Hi @Alvin Jin,
To get kinit working you need to install krb5-workstation (CentOS and RedHat), and make sure that you have updated your /etc/krb5.conf (it should have your KDC server realm; best to copy it from the cluster).
On your second question:
The Kerberos ticket will have your identity; hence, you don't need to make two-way SSL again (the -k option will use the simple method for curl).
On another note, if you want to go with username and password (LDAP/file-based provider), the token can be obtained using the following command.
curl -k 'https://<nifi-server>:9091/nifi-api/access/token' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' --data 'username=<username>&password=<password>' --compressed
Below command works to generate a token.
$ curl -k 'https://<nifi-server>:9091/nifi-api/access/token' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' --data 'username=<username>&password=<password>' --compressed
$ curl -k -X GET 'https://<nifi-server>:9091/nifi-api/cluster/summary' -H 'Authorization: Bearer $token' --compressed
returns: Unable to validate the access token.
Any idea about it? Do I need to run the above commands on one NiFi node, or on any machine?
Hi @Alvin Jin,
Looks like you have not substituted the token in place of $token. Can you please place the token as a string and test?
curl -k -X GET 'https://<nifi-server>:9091/nifi-api/cluster/summary' -H 'Authorization: Bearer <token which is generated from Above Command>' --compressed
I believe it's a typo. We should use " (double quotes) rather than ' (single quotes). The environment variable $token will be expanded.
curl -k -X GET 'https://<nifi-hostname>:9091/nifi-api/flow/status' -H "Authorization: Bearer $token" --compressed
When you obtain a token, that token is only valid against the specific node that it was issued from.
So if you use
token=$(curl -k -X POST --negotiate -u : https://<nifi-node1>:9091/nifi-api/access/kerberos)
Then that token can only be used to access NiFi end-points on nifi-node1 only.
You would need to obtain a different token for node2, node3, etc...
Also keep in mind that NiFi will only continue to accept a token for the configured expiration time. The default is 12 hours, as you see in the kerberos-provider configuration. After expiration, a new token will be needed.
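As an added example (not code posted by anyone in this thread), the following shell script pulls the Kerberos token flow from the first answer together with the two points made in the last reply: it fetches a negotiated token per node and caches it per node, because a token is only accepted by the node that issued it; it checks the token's expiry before reusing it; and it quotes the Authorization header with double quotes so $tok actually expands. It verifies the server with nifi-cert.pem, the CA certificate the TLS toolkit writes in standalone mode, instead of disabling verification with -k. Assumptions: the API port 9091 used in the thread, nifi-cert.pem in the current directory (override with NIFI_CA_CERT), an existing kinit ticket, that NiFi access tokens are JWTs carrying an exp claim, and hypothetical host names in the usage comment.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes: NiFi API on port 9091, the
# TLS toolkit's nifi-cert.pem (its CA certificate) in the current directory,
# a valid kinit ticket, and that NiFi access tokens are JWTs with an "exp" claim.
set -eu

CA_CERT="${NIFI_CA_CERT:-nifi-cert.pem}"   # verify the server instead of curl -k
PORT="${NIFI_PORT:-9091}"

# Print the "exp" claim (epoch seconds) from a JWT's base64url payload.
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done  # restore padding
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n 's/.*"exp":\([0-9]*\).*/\1/p' || true
}

# Succeeds if the token is still valid for at least 60s past $2 (default: now).
token_fresh() {
  exp=$(jwt_exp "$1")
  [ -n "$exp" ] || return 1
  now=${2:-$(date +%s)}
  [ "$exp" -gt $(( now + 60 )) ]
}

# A token is only accepted by the node that issued it, so cache one file per node.
token_cache_path() { printf '%s/.nifi-token-%s' "${TMPDIR:-/tmp}" "$1"; }

# Get a Kerberos-negotiated token for one node, reusing a cached unexpired one.
nifi_token() {
  node=$1
  cache=$(token_cache_path "$node")
  if [ -f "$cache" ] && token_fresh "$(cat "$cache")"; then
    cat "$cache"; return 0
  fi
  tok=$(curl -sS --fail --cacert "$CA_CERT" -X POST --negotiate -u : \
        "https://${node}:${PORT}/nifi-api/access/kerberos")
  ( umask 077; printf '%s' "$tok" > "$cache" )   # the token is a credential: keep it 0600
  printf '%s' "$tok"
}

# GET an endpoint on a node using that node's own token. Double quotes so $tok expands.
nifi_get() {
  node=$1; path=$2
  tok=$(nifi_token "$node")
  curl -sS --fail --cacert "$CA_CERT" \
       -H "Authorization: Bearer ${tok}" \
       "https://${node}:${PORT}/nifi-api/${path}"
}

# Example usage (hypothetical host names):
#   nifi_get nifi-node1.example.com flow/status
#   nifi_get nifi-node2.example.com cluster/summary   # node2 gets its own token
```

If the LDAP or file-based provider is in use instead of Kerberos, only nifi_token changes: POST username and password to /nifi-api/access/token as in the earlier answer, and keep everything else (per-node cache, expiry check, double-quoted header) the same.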