Support Questions
Find answers, ask questions, and share your expertise

Use REST API to access a secured NiFi cluster


Hi guys,

I build a secured NiFi cluster authenticated by Kerberos and use TLS tool standalone mode to generate client certificates.

I am able to use NiFi Rest Api to access the unsecured cluster.

When I want to use username/password of principle created in Kerberos to build a REST call for a secured cluster in curl, I got below error.

Unknown user with identity 'anonymous'. Contact the system administrator.

I was wondering whether I should install some certificate in my local machine to use curl.



Super Collaborator

hi @Alvin Jin,

Please ensure that, you enable kerberos-provider section in login-identity-providers.xml

        <property name="Default Realm">NIFI.APACHE.ORG</property>
        <property name="Authentication Expiration">12 hours</property>


This is a two step process, contains bearer token extraction and using the token posting the requests.

step 1(get the token) :
kinit <username-pwd or kerberos key_tab_with_princ>

token=$(curl -k -X POST --negotiate -u : https://<nifi-hostname>:9091/nifi-api/access/kerberos) 
Step 2(get the data): 
curl -k -X GET 'https://<nifi-hostname>:9091/nifi-api/flow/status' -H 'Authorization: Bearer $token' --compressed 


hi @bkosaraju,

Thank you for your response. I did enable the kerberos-provider section.

I guess I need to install krb5-user on the machine I will run the above commends, right?

I was just wondering whether I need to use keytool to import nifi-cert.pem in my machine?

What's the usage of nifi-cert.pem generated by the tls-tool?


Super Collaborator

hi @Alvin Jin,

to ge kinit working you need to install krb5-workstation(Centos and RedHat), and make sure that you have updated your /etc/krb5.conf (should have your KDC server Realm - best to copy from the cluster )

on your second question:

Kerberos ticket will have your identity hence, you don't need again to make two way ssl ( -k option will use simple method for curl)

on the other note, if you want to go with user name and password (LDAP/file-based provider), token can be obtained using following command.

curl -k 'https://<nifi-server>:9091/nifi-api/access/token' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' --data 'username=<username>&password=<password>' --compressed

New Contributor

The documentation indicates that this request accepts text/plain, and when I try the curl params you specified, it returns 415 Unsupported Media Type.


Hi @bkosaraju,

Below command works to generate a token.

$ curl -k 'https://<nifi-server>:9091/nifi-api/access/token'-H 'Accept-Encoding: gzip, deflate, br'-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'-H 'Accept: */*'--data 'username=<username>&password=<password>'--compressed


$ curl -k -X GET 'https://<nifi-server>:9091/nifi-api/cluster/summary' -H 'Authorization: Bearer $token' --compressed

returns: Unable to validate the access token.

Any idea about it? Do I need to run above commands in one nifi node, or any machine?


Super Collaborator

Hi @Alvin Jin,

looks you have not substituted the token in place of $token can you please place the token as string and test ?

curl -k -X GET 'https://<nifi-server>:9091/nifi-api/cluster/summary' -H 'Authorization: Bearer <token which is generated from Above Command>' --compressed

Cloudera Employee

I believe it's a typo. We should use " (double quotes) rather than ' (single quotes). The environment variable $token will be expanded.

curl -k -X GET 'https://<nifi-hostname>:9091/nifi-api/flow/status' -H "Authorization: Bearer $token" --compressed 


Master Guru

@Alvin Jin

When you obtain a token, that token is only valid against the specific node that it was issued from.

So if you use

token=$(curl -k -X POST --negotiate -u : https://<nifi-node1>:9091/nifi-api/access/kerberos) 

Then that token can only be used to access NiFi end-points on nifi-node1 only.

You would need to obtain a different token for node2, node3, etc...

Also keep in mind that NIFI will only continue to accept a token for the configured expiration time. Default is 12 hours as you see in the kerberos-provider configuration. After expiration, a new token will be needed.



; ;