Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Use REST API to access a secured NiFi cluster

Labels:
avatar
author-rank alvinuw
Expert Contributor

Created ‎09-19-2017 06:40 PM

Hi guys,

I build a secured NiFi cluster authenticated by Kerberos and use TLS tool standalone mode to generate client certificates.

I am able to use NiFi Rest Api to access the unsecured cluster.

When I want to use username/password of principle created in Kerberos to build a REST call for a secured cluster in curl, I got below error.

Unknown user with identity 'anonymous'. Contact the system administrator.

I was wondering whether I should install some certificate in my local machine to use curl.

Thanks.

9,514 Views
0 Kudos
8 REPLIES 8

avatar
author-rank bkosaraju
Super Collaborator

Created ‎09-20-2017 08:14 AM

hi @Alvin Jin,

Please ensure that, you enable kerberos-provider section in login-identity-providers.xml 

<provider>
        <identifier>kerberos-provider</identifier>
        <class>org.apache.nifi.kerberos.KerberosProvider</class>
        <property name="Default Realm">NIFI.APACHE.ORG</property>
        <property name="Authentication Expiration">12 hours</property>
</provider>

then,

This is a two step process, contains bearer token extraction and using the token posting the requests.

step 1(get the token) :
kinit <username-pwd or kerberos key_tab_with_princ>

token=$(curl -k -X POST --negotiate -u : https://<nifi-hostname>:9091/nifi-api/access/kerberos) 
Step 2(get the data): 
curl -k -X GET 'https://<nifi-hostname>:9091/nifi-api/flow/status' -H 'Authorization: Bearer $token' --compressed
8,022 Views
0 Kudos

avatar
author-rank alvinuw
Expert Contributor

Created ‎09-20-2017 01:39 PM

hi @bkosaraju,

Thank you for your response. I did enable the kerberos-provider section.

I guess I need to install krb5-user on the machine I will run the above commends, right?

I was just wondering whether I need to use keytool to import nifi-cert.pem in my machine?

What's the usage of nifi-cert.pem generated by the tls-tool?

Thanks.

8,022 Views
0 Kudos

avatar
author-rank bkosaraju
Super Collaborator

Created ‎09-20-2017 02:26 PM

hi @Alvin Jin,

to ge kinit working you need to install krb5-workstation(Centos and RedHat), and make sure that you have updated your /etc/krb5.conf (should have your KDC server Realm - best to copy from the cluster )

on your second question:

Kerberos ticket will have your identity hence, you don't need again to make two way ssl ( -k option will use simple method for curl)

on the other note, if you want to go with user name and password (LDAP/file-based provider), token can be obtained using following command. 

curl -k 'https://<nifi-server>:9091/nifi-api/access/token' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' --data 'username=<username>&password=<password>' --compressed
8,022 Views
0 Kudos

avatar
author-rank jeremiah_evans
New Contributor

Created ‎01-22-2018 05:14 PM

The documentation indicates that this request accepts text/plain, and when I try the curl params you specified, it returns 415 Unsupported Media Type.

8,022 Views
0 Kudos

avatar
author-rank alvinuw
Expert Contributor

Created ‎09-25-2017 07:53 PM

Hi @bkosaraju,

Below command works to generate a token.

$ curl -k 'https://<nifi-server>:9091/nifi-api/access/token'-H 'Accept-Encoding: gzip, deflate, br'-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'-H 'Accept: */*'--data 'username=<username>&password=<password>'--compressed

However,

$ curl -k -X GET 'https://<nifi-server>:9091/nifi-api/cluster/summary' -H 'Authorization: Bearer $token' --compressed

returns: Unable to validate the access token.

Any idea about it? Do I need to run above commands in one nifi node, or any machine?

Thanks.

8,022 Views
0 Kudos

avatar
author-rank bkosaraju
Super Collaborator

Created ‎09-26-2017 03:10 AM

Hi @Alvin Jin,

looks you have not substituted the token in place of $token can you please place the token as string and test ?

curl -k -X GET 'https://<nifi-server>:9091/nifi-api/cluster/summary' -H 'Authorization: Bearer <token which is generated from Above Command>' --compressed
8,022 Views
0 Kudos

avatar
tmons author-rank
Cloudera Employee

Created on ‎11-11-2019 07:11 PM - edited ‎11-11-2019 07:18 PM

I believe it's a typo. We should use " (double quotes) rather than ' (single quotes). The environment variable $token will be expanded.

curl -k -X GET 'https://<nifi-hostname>:9091/nifi-api/flow/status' -H "Authorization: Bearer $token" --compressed 

 

7,653 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎09-26-2017 12:55 PM

@Alvin Jin

When you obtain a token, that token is only valid against the specific node that it was issued from.

So if you use

token=$(curl -k -X POST --negotiate -u : https://<nifi-node1>:9091/nifi-api/access/kerberos)

Then that token can only be used to access NiFi end-points on nifi-node1 only.

You would need to obtain a different token for node2, node3, etc...

Also keep in mind that NIFI will only continue to accept a token for the configured expiration time. Default is 12 hours as you see in the kerberos-provider configuration. After expiration, a new token will be needed.

Thanks,

Matt

8,022 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements