Support Questions

Find answers, ask questions, and share your expertise

Use REST API to access a secured NiFi cluster

avatar
Expert Contributor

Hi guys,

I build a secured NiFi cluster authenticated by Kerberos and use TLS tool standalone mode to generate client certificates.

I am able to use NiFi Rest Api to access the unsecured cluster.

When I want to use username/password of principle created in Kerberos to build a REST call for a secured cluster in curl, I got below error.

Unknown user with identity 'anonymous'. Contact the system administrator.

I was wondering whether I should install some certificate in my local machine to use curl.

Thanks.

8 REPLIES 8

avatar
Super Collaborator

hi @Alvin Jin,

Please ensure that, you enable kerberos-provider section in login-identity-providers.xml

<provider>
        <identifier>kerberos-provider</identifier>
        <class>org.apache.nifi.kerberos.KerberosProvider</class>
        <property name="Default Realm">NIFI.APACHE.ORG</property>
        <property name="Authentication Expiration">12 hours</property>
</provider>

then,

This is a two step process, contains bearer token extraction and using the token posting the requests.

step 1(get the token) :
kinit <username-pwd or kerberos key_tab_with_princ>

token=$(curl -k -X POST --negotiate -u : https://<nifi-hostname>:9091/nifi-api/access/kerberos) 
Step 2(get the data): 
curl -k -X GET 'https://<nifi-hostname>:9091/nifi-api/flow/status' -H 'Authorization: Bearer $token' --compressed 

avatar
Expert Contributor

hi @bkosaraju,

Thank you for your response. I did enable the kerberos-provider section.

I guess I need to install krb5-user on the machine I will run the above commends, right?

I was just wondering whether I need to use keytool to import nifi-cert.pem in my machine?

What's the usage of nifi-cert.pem generated by the tls-tool?

Thanks.

avatar
Super Collaborator

hi @Alvin Jin,

to ge kinit working you need to install krb5-workstation(Centos and RedHat), and make sure that you have updated your /etc/krb5.conf (should have your KDC server Realm - best to copy from the cluster )

on your second question:

Kerberos ticket will have your identity hence, you don't need again to make two way ssl ( -k option will use simple method for curl)

on the other note, if you want to go with user name and password (LDAP/file-based provider), token can be obtained using following command.

curl -k 'https://<nifi-server>:9091/nifi-api/access/token' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' --data 'username=<username>&password=<password>' --compressed

avatar
New Contributor

The documentation indicates that this request accepts text/plain, and when I try the curl params you specified, it returns 415 Unsupported Media Type.

avatar
Expert Contributor

Hi @bkosaraju,

Below command works to generate a token.

$ curl -k 'https://<nifi-server>:9091/nifi-api/access/token'-H 'Accept-Encoding: gzip, deflate, br'-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'-H 'Accept: */*'--data 'username=<username>&password=<password>'--compressed

However,

$ curl -k -X GET 'https://<nifi-server>:9091/nifi-api/cluster/summary' -H 'Authorization: Bearer $token' --compressed

returns: Unable to validate the access token.

Any idea about it? Do I need to run above commands in one nifi node, or any machine?

Thanks.

avatar
Super Collaborator

Hi @Alvin Jin,

looks you have not substituted the token in place of $token can you please place the token as string and test ?

curl -k -X GET 'https://<nifi-server>:9091/nifi-api/cluster/summary' -H 'Authorization: Bearer <token which is generated from Above Command>' --compressed

avatar
Cloudera Employee

I believe it's a typo. We should use " (double quotes) rather than ' (single quotes). The environment variable $token will be expanded.

curl -k -X GET 'https://<nifi-hostname>:9091/nifi-api/flow/status' -H "Authorization: Bearer $token" --compressed 

 

avatar
Master Mentor

@Alvin Jin

When you obtain a token, that token is only valid against the specific node that it was issued from.

So if you use

token=$(curl -k -X POST --negotiate -u : https://<nifi-node1>:9091/nifi-api/access/kerberos) 

Then that token can only be used to access NiFi end-points on nifi-node1 only.

You would need to obtain a different token for node2, node3, etc...

Also keep in mind that NIFI will only continue to accept a token for the configured expiration time. Default is 12 hours as you see in the kerberos-provider configuration. After expiration, a new token will be needed.

Thanks,

Matt