Created 07-26-2024 07:52 AM
Hello Cloudera Community,
The process of creating a user and adding them to groups via the NiFi WebUI mode works normally.
I need to create a user and add them to a group directly using the NiFi API (POST, PUT, GET).
how do I make this process 100% functional?
Created 07-26-2024 01:25 PM
@yagoaparecidoti
If you are using ldap-provider for authentication, you should preferably be using your ldap users and groups for authorization using the ldap-user-group-provider rather than needing to manage those user identities and group identities manually in NiFi via the file-user-group-provider.
When new users are added or removed in ldap, new groups are created or removed in ldap, or new group memberships are added in LDAP, this all automatically resyncs in NiFi. And if you do all your Authorization through ldap groups, this management becomes automatic with little effort on your side except when needing to set up an all new group authorization.
Fetching a token for your ldap user who is authorized to view and modify user and groups:
curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/access/token' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
--data-raw 'username=<username>&password=<password>' \
--insecure
This will return a Bearer Token that is only valid for the expiration period configured in your ldap-provider (default: 12 hours). Replace $TOKEN with the response token string you got from the above command in the rest of the examples.
Example command to add a new group:
curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/user-groups' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
--data-raw '{"revision":{"clientId":"f06dc8a3-0190-1000-f61c-a511bdac0cf1","version":0},"disconnectedNodeAcknowledged":false,"component":{"identity":"newgroup2","users":[]}}' \
--insecure
In the response you will get the UUID assigned to this new group.
Example: f07dcb3f-0190-1000-0000-00003f3139fe
Example command to add a new user:
curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/users' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer $TOKEN' \
--data-raw '{"revision":{"clientId":"f06dc8a3-0190-1000-f61c-a511bdac0cf1","version":0},"disconnectedNodeAcknowledged":false,"component":{"identity":"newuser3"}}' \
--insecure
In the response you will get the UUID of the new user.
Example: f089d520-0190-1000-ffff-ffffd5c79edc
Before you can add a user to the group, you need to get a list of all users currently part of the group.
curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/user-groups' \
-H 'Authorization: Bearer $TOKEN' \
--insecure
You can parse the response json by group name or the group uuid.
In the json for the group you will find the current users and their assigned uuids.
You'll need all those current user uuids and the uuid of the user(s) you want to add to the group.
curl 'https://<nifi-hostname>:<nifi-port>/nifi-api/tenants/user-groups/f07dcb3f-0190-1000-0000-00003f3139fe' \
-X 'PUT' \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
--data-raw '{"revision":{"clientId":"f06dc8a3-0190-1000-f61c-a511bdac0cf1","version":4},"disconnectedNodeAcknowledged":false,"component":{"id":"f07dcb3f-0190-1000-0000-00003f3139fe","identity":"newgroup2","configurable":true,"users":[{"id":"f083ef9d-0190-1000-ffff-ffffa9456011"},{"id":"f089d520-0190-1000-ffff-ffffd5c79edc"},{"id":"350a48fc-018f-1000-0000-000018f120ca"}],"accessPolicies":[]}}' \
--insecure
You should be able to add users at the same time as you create a new group. But that is not very common. It is more common to add new users and associate them with already existing groups, hence the example provided above. You can see in the new group example I have that the payload will accept user ids.
Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
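As an added, runnable illustration (not code from this thread or from the NiFi project) of the GET-then-PUT sequence above, and of the mutual-TLS client certificate alternative Matt describes in his other reply: the helper below finds the group by name or uuid, carries the group's current revision version forward, and sends the full deduplicated member list, since any member omitted from the PUT is dropped from the group. The SAMPLE_GROUPS listing, nifi_request, add_users_to_group and the shape of the auth dict are my own constructions; the endpoint paths and payload fields are the ones shown in the curl commands.

```python
import json
import ssl
import urllib.request

# Constructed sample of a GET /nifi-api/tenants/user-groups response (not a real capture).
SAMPLE_GROUPS = {"userGroups": [{"revision": {"version": 4}, "component": {
    "id": "f07dcb3f-0190-1000-0000-00003f3139fe", "identity": "newgroup2", "configurable": True,
    "users": [{"id": "f083ef9d-0190-1000-ffff-ffffa9456011"}]}}]}

def find_group(groups_json, name_or_id):
    """Locate one group entity in the listing by identity (name) or by uuid."""
    for entity in groups_json["userGroups"]:
        if name_or_id in (entity["component"]["identity"], entity["component"]["id"]):
            return entity
    raise KeyError(f"group {name_or_id!r} not found")

def build_group_update(group_entity, new_user_ids, client_id):
    """PUT body: the group's current revision version plus the FULL member list
    (existing + new, deduplicated). Any member left out of the list is removed."""
    comp = group_entity["component"]
    merged = dict.fromkeys([u["id"] for u in comp.get("users", [])] + list(new_user_ids))
    return {"revision": {"clientId": client_id, "version": group_entity["revision"]["version"]},
            "disconnectedNodeAcknowledged": False,
            "component": {"id": comp["id"], "identity": comp["identity"],
                          "configurable": comp.get("configurable", True),
                          "users": [{"id": uid} for uid in merged], "accessPolicies": []}}

def nifi_request(base_url, path, method="GET", body=None, token=None, cafile=None, client_cert=None):
    """One REST call. TLS verified against cafile (no --insecure); client_cert=(crt, key) = mutual TLS."""
    ctx = ssl.create_default_context(cafile=cafile)
    if client_cert:  # certificate auth: NiFi checks the client cert first, so no token is needed
        ctx.load_cert_chain(*client_cert)
    headers, data = {}, None
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if isinstance(body, dict):
        data, headers["Content-Type"] = json.dumps(body).encode(), "application/json"
    elif body is not None:  # form body, e.g. "username=...&password=..." for /access/token
        data, headers["Content-Type"] = body.encode(), "application/x-www-form-urlencoded"
    req = urllib.request.Request(base_url + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read().decode()
        return json.loads(raw) if resp.headers.get_content_type() == "application/json" else raw

def add_users_to_group(base_url, auth, group, user_ids, client_id="automation", cafile=None):
    """GET current groups, then PUT the merged member list; auth is {"token": t} or {"client_cert": (crt, key)}."""
    listing = nifi_request(base_url, "/nifi-api/tenants/user-groups", cafile=cafile, **auth)
    entity = find_group(listing, group)
    path = "/nifi-api/tenants/user-groups/" + entity["component"]["id"]
    return nifi_request(base_url, path, "PUT", build_group_update(entity, user_ids, client_id), cafile=cafile, **auth)
```

If the PUT returns HTTP 409 the revision version is stale, so re-run the GET and rebuild the body rather than retrying with the old version.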
Created 07-26-2024 09:37 AM
@yagoaparecidoti
If you find you are adding that many users that the process is cumbersome, perhaps you should set up your NiFi to sync your users and groups from ldap/ad instead. If you authorize the ldap groups, any user belonging or added to the ldap group would automatically then get the group authorizations in NiFi.
Reference:
If you still want to manage your users and groups manually in NiFi, here are my suggestions:
The easiest way is to create a service user certificate (clientAuth PrivateKey) that is trusted by your NiFi and then authorized to view and modify on Access users/user groups. A TLS client certificate can be configured with as long of an expiration as you want. Since the authentication is handled in the mutual TLS exchange there is no token (extra steps) needed using this method. MutualTLS authentication is always enabled with secure NiFi even if other methods are also enabled (MutualTLS is always checked first as secured NiFi will always WANT a client certificate in the handshake. NiFi moves on to the next authentication method only if no client certificate is provided).
If you use another method of authenticating your user who has this access like the "ldap-provider" you would need to fetch an authentication token all the time and then include that authentication token in the rest-api request for each addition and modification to users and groups. Tokens expire.
The NiFi rest-api docs can help you with the rest-api endpoints. I find it easier to open developer tools in my browser. Perform the action as I would normally do via the NiFi UI and right click on the request in the developer tools and select copy as curl. I can then see the exact rest-api call that was being made along with any data that needs to go with that request. There will be a bunch of unnecessary headers you will not need to include.
If you choose to go the route of using an authorized ldap user for your automation (not recommended), you'll also need to capture the rest-api call in dev tools for login to capture how to get and store the necessary token.
Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
Created 07-26-2024 10:13 AM
Hi @MattWho
NiFi already has LDAP authentication configured and is working fine.
But for the user to actually be able to access the NiFi webUI, the NiFi admin user needs to create the user internally in NiFi first and add that user to a specific group, so that the user can log in without any issues.
Using tokens in NiFi REST API calls is not a problem for me.
If you have an example of creating a user and adding them to groups using the NiFi API, I would be very grateful.
Created 07-29-2024 07:18 AM