Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

how create user and add to nifi groups using nifi api

Labels:
avatar
author-rank yagoaparecidoti
Expert Contributor

Created ‎07-26-2024 07:52 AM

hello Cloudera Community,

the process of creating a user and adding them to groups via the nifi WebUI mode works normally.

i need to create a user and add them to a group directly using the NiFi API (post, put, get).

how do I make this process 100% functional?

515 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎07-26-2024 01:25 PM

@yagoaparecidoti 

If you are using ldap-provider for authentication, you should preferably be using your ldap users and groups for authorization using the ldap-user-group-provider rather then needing to manage those user identities and group identities manually in NiFi via the file-user-user-group-provider.

When new users are added or removed in ldap, new groups created or removed in ldap, or new group membership are added in LDAP, this all automatically resync in NiFi.  And if you do all your Authorization through ldap groups, this management becomes automatic with little effort on your side except when needing to setup an all new group authorization.

Fetching a token for your ldap user who is authorized to view and modify user and groups:

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/access/token' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
--data-raw 'username=<username>&password=<password>' \
--insecure

 

This will return a Bearer Token that is only valid for the expiration period configured in your ldap-provider (default: 12 hours).  Replace $TOKEN with this response token string you got from above command in the rest of the examples.

Example command to add a new group:

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/user-groups' \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  --data-raw '{"revision":{"clientId":"f06dc8a3-0190-1000-f61c-a511bdac0cf1","version":0},"disconnectedNodeAcknowledged":false,"component":{"identity":"newgroup2","users":[]}}' \
  --insecure

 

In the response you will get the UUID assigned to this new group.
Example: f07dcb3f-0190-1000-0000-00003f3139fe


Example command to add new user:

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/users' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer $TOKEN \
  --data-raw '{"revision":{"clientId":"f06dc8a3-0190-1000-f61c-a511bdac0cf1","version":0},"disconnectedNodeAcknowledged":false,"component":{"identity":"newuser3"}}' \
  --insecure

 

In the response you will get the UUID of the new user.
Example: f089d520-0190-1000-ffff-ffffd5c79edc

Before you can add a user to the group, you need to get a list all user currently part of group.

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/user-groups' \
  -H 'Authorization: Bearer $TOKEN' \
  --insecure

 

You can parse the response json by group name or the group uuid.
With the json for the group you will find the current users and their assigned uuids

You'll need all those current user uuids and the uuid of the user(s) you want to add to the group.

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/user-groups/f07dcb3f-0190-1000-0000-00003f3139fe' \
  -X 'PUT' \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  --data-raw '{"revision":{"clientId":"f06dc8a3-0190-1000-f61c-a511bdac0cf1","version":4},"disconnectedNodeAcknowledged":false,"component":{"id":"f07dcb3f-0190-1000-0000-00003f3139fe","identity":"newgroup2","configurable":true,"users":[{"id":"f083ef9d-0190-1000-ffff-ffffa9456011"},{"id":"f089d520-0190-1000-ffff-ffffd5c79edc"},{"id":"350a48fc-018f-1000-0000-000018f120ca"}],"accessPolicies":[]}}' \
  --insecure

 


You should be able to add users at same time as you create a new group.  But that is not very common.  It is more common to add new users and associate them with already existing groups, hence the example provided above.  You can see in the new group example i have that the payload will accept user ids.  

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

469 Views
4 REPLIES 4

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎07-26-2024 09:37 AM

@yagoaparecidoti 

If you find you are adding that many users that the process is cumbersome, perhaps you should setup your NiFi to sync your users and groups from ldap/ad instead.  If you authorize the ldap groups, and user belonging or added to the ldap group would automatically then get the group authorizations in NiFi. 
Reference:

If still want to manage your users and groups manually in NiFi, here are my suggestions:

The easiest way is to create a service user certificate (clientAuth PrivateKey) that is trusted by your NiFi and then authorized to view and modify on Access users/user groups.  An TLS client certificate can be configured with as long of an expiration as you want.  Since the authentication is handled in the mutual TLS exchange there are not token (extra steps) need using this method.  MutualTLS authentication is always enabled with secure NiFi even if other methods are also enabled (MutualTLS is always checked first as secured NiFI will always WANT a client certificate in the handshake. NiFi move on to next authentication method only if no client certificate is provided).

If you another method of authenticating your user who have this access like the "ldap-provider" you would need to fetch an authentication token all the time  and then inlcude that authentication token in the rest-api request for each addition and modification to user and groups. Tokens expire.

The NiFI rest-api docs can help you with the rest-api endpoints.  I find it easier to open developer tools in my browser.  Perform the action as I would normally do via the NiFi UI and right click on the request in the developer tools and select copy as curl.  I can then see the exact rest-api call that was bing made along with and data that needs to go with that request.  There will be a bunch of unnecessary headers you will not need to include.

If you choose to go the route of using an authorized ldap user for your automation (not recommended), you'll also need to capture the rest-api call in dev tools for login to capture how to get and store the necessary token.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

 

501 Views
0 Kudos

avatar
author-rank yagoaparecidoti
Expert Contributor

Created ‎07-26-2024 10:13 AM

hi @MattWho

NiFi already has LDAP authentication configured and is working fine.

but for the user to actually be able to access the NiFi webUI, the NiFi admin user needs to create the user internally in NiFi first and add that user to a specific group, so that the user can log in without any issues.

using tokens in NiFi REST API calls is not a problem for me.

if you have an example of creating a user and adding them to groups using api nifi, I would be very grateful.

495 Views

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎07-26-2024 01:25 PM

@yagoaparecidoti 

If you are using ldap-provider for authentication, you should preferably be using your ldap users and groups for authorization using the ldap-user-group-provider rather then needing to manage those user identities and group identities manually in NiFi via the file-user-user-group-provider.

When new users are added or removed in ldap, new groups created or removed in ldap, or new group membership are added in LDAP, this all automatically resync in NiFi.  And if you do all your Authorization through ldap groups, this management becomes automatic with little effort on your side except when needing to setup an all new group authorization.

Fetching a token for your ldap user who is authorized to view and modify user and groups:

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/access/token' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
--data-raw 'username=<username>&password=<password>' \
--insecure

 

This will return a Bearer Token that is only valid for the expiration period configured in your ldap-provider (default: 12 hours).  Replace $TOKEN with this response token string you got from above command in the rest of the examples.

Example command to add a new group:

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/user-groups' \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  --data-raw '{"revision":{"clientId":"f06dc8a3-0190-1000-f61c-a511bdac0cf1","version":0},"disconnectedNodeAcknowledged":false,"component":{"identity":"newgroup2","users":[]}}' \
  --insecure

 

In the response you will get the UUID assigned to this new group.
Example: f07dcb3f-0190-1000-0000-00003f3139fe


Example command to add new user:

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/users' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer $TOKEN \
  --data-raw '{"revision":{"clientId":"f06dc8a3-0190-1000-f61c-a511bdac0cf1","version":0},"disconnectedNodeAcknowledged":false,"component":{"identity":"newuser3"}}' \
  --insecure

 

In the response you will get the UUID of the new user.
Example: f089d520-0190-1000-ffff-ffffd5c79edc

Before you can add a user to the group, you need to get a list all user currently part of group.

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/user-groups' \
  -H 'Authorization: Bearer $TOKEN' \
  --insecure

 

You can parse the response json by group name or the group uuid.
With the json for the group you will find the current users and their assigned uuids

You'll need all those current user uuids and the uuid of the user(s) you want to add to the group.

 

curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/user-groups/f07dcb3f-0190-1000-0000-00003f3139fe' \
  -X 'PUT' \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  --data-raw '{"revision":{"clientId":"f06dc8a3-0190-1000-f61c-a511bdac0cf1","version":4},"disconnectedNodeAcknowledged":false,"component":{"id":"f07dcb3f-0190-1000-0000-00003f3139fe","identity":"newgroup2","configurable":true,"users":[{"id":"f083ef9d-0190-1000-ffff-ffffa9456011"},{"id":"f089d520-0190-1000-ffff-ffffd5c79edc"},{"id":"350a48fc-018f-1000-0000-000018f120ca"}],"accessPolicies":[]}}' \
  --insecure

 


You should be able to add users at same time as you create a new group.  But that is not very common.  It is more common to add new users and associate them with already existing groups, hence the example provided above.  You can see in the new group example i have that the payload will accept user ids.  

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

470 Views

avatar
author-rank yagoaparecidoti
Expert Contributor

Created ‎07-29-2024 07:18 AM

hi @MattWho 


thank you very much for the clarification

the registration worked.

400 Views
webinar banner
Announcements
What's New @ Cloudera
Cloudera Streams Messaging Operator 1.1
What's New @ Cloudera
From Silos to Synergy: Unifying Data Warehousing and AI
What's New @ Cloudera
Cloudera Streaming Analytics 1.13 for Private Cloud Base
What's New @ Cloudera
Get started with Cloudera Data Engineering on AWS Graviton a...
What's New @ Cloudera
[NEW] Cloudera Data Engineering 1.22 for Public Cloud: Suppo...
View More Announcements