Support Questions

simon_jespersen · ‎03-02-2018

Hi,

I am trying to start and stop my processor-group with a curl commando

Im on a hdf 2.1.1 using kerberos

curl -k -i -H 'Content-Type: application/json' -XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}'  https://localhost:9091//nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3

the response from NIFI is following

HTTP/1.1 405 JSPs only permit GET POST or HEAD
Date: Fri, 02 Mar 2018 09:10:03 GMT
Content-Length: 0
Server: Jetty(9.3.9.v20160517)

If i remove the -k param i got following response

curl  -i -H 'Content-Type: application/json' -XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}'  https://localhost:9091//nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

what can i do to obtain this from commandline

Shu_ashu · ‎03-02-2018

@Simon Jespersen

You are having two forward slashes in your curl call after https://localhost:9091, just use one forward slash and run again the your curl call

curl -k -i -H 'Content-Type: application/json'-XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}'  https://localhost:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3

If you are still facing some issues then follow the below steps to start/stop processor groups in kerberos HDF2.1.1.

if our HDF is Kerberised then we need to pass our access token with CURL api call.

Steps to Start/Stop Processor Group:-

1.First do kinit in your NiFi node

bash$ kinit

2.Check the validity of the kerberos ticket and make sure your your ticket is valid

bash$ klist

3. Now create access token

bash$ token=`curl -k -X POST --negotiate -u : https://localhost:9091/nifi-api/access/kerberos` https://localhost:9091/nifi/

4.Use the created token in your curl call to start processor group

bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85

5.Use the created token in your curl call to stop processor group

bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"STOPPED"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85

View solution in original post

Shu_ashu · ‎03-02-2018

@Simon Jespersen

You are having two forward slashes in your curl call after https://localhost:9091, just use one forward slash and run again the your curl call

curl -k -i -H 'Content-Type: application/json'-XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}'  https://localhost:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3

If you are still facing some issues then follow the below steps to start/stop processor groups in kerberos HDF2.1.1.

if our HDF is Kerberised then we need to pass our access token with CURL api call.

Steps to Start/Stop Processor Group:-

1.First do kinit in your NiFi node

bash$ kinit

2.Check the validity of the kerberos ticket and make sure your your ticket is valid

bash$ klist

3. Now create access token

bash$ token=`curl -k -X POST --negotiate -u : https://localhost:9091/nifi-api/access/kerberos` https://localhost:9091/nifi/

4.Use the created token in your curl call to start processor group

bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85

5.Use the created token in your curl call to stop processor group

bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"STOPPED"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85

simon_jespersen · ‎03-02-2018

It seems to work when i send the header "Authorization: Bearer $token" But then another problem appear

I did following:

1.
myuser@localhost ~]$ kinit
Password for myuser@CCTA.DK:
myuser@localhost ~]$

2.

myuser@localhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_742017602
Default principal: myuser@CCTA.DK
Valid starting       Expires              Service principal 
03/02/2018 14:09:46  03/03/2018 00:09:46  krbtgt/CCTA.DK@CCTA.DK
        renew until 03/09/2018 14:09:39
myuser@localhost ~]$

3.

myuser@localhost ~]$ token=`curl -k -X POST --negotiate -u : https://sktudv01hdf01.ccta.dk:9091/nifi-api/access/kerberos`                                                                                                                % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0   269    0     0   2112      0 --:--:-- --:--:-- --:--:--  2112
myuser@localhost ~]$

4.

myuser@localhost ~]$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"a9d5c45f-015b-1000-0000-00006d9844d3","state":"STOPPED"}' https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3
HTTP/1.1 403 Forbidden
Date: Fri, 02 Mar 2018 13:10:50 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Server: Jetty(9.3.9.v20160517)
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.myus

er@localhost ~]$

My user should have admin rights

MattWho · ‎03-02-2018

@Simon Jespersen

Tail your nifi-user.log while you execute the curl command. This will give you exactly what user identity string is being passed to the NiFi authorizer. You can then compare that string with what has been added to and authorized within your NiFi.

simon_jespersen · ‎03-02-2018

The NIFI log when i execute the curl string



018-03-02 14:49:51,442 INFO [NiFi Web Server-21012857] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ3MjA5NjBAQ0NUQS5ESyIsImlzcyI6IktlcmJlcm9zU2VydmljZSIsImF1ZCI6IktlcmJlcm9zU2VydmljZSIsInByZWZlcnJlZF91c2VybmFtZSI6IncyMDk2MEBDQ1RBLkRLIiwia2lkIjoxNSwiZXhwIjoxNTIwMDQxMzczLCJpYXQiOjE1MTk5OTgxNzN9.OX5DsmHY4Y6mpxqEMGIvT4q_FbHJUDzLItMbjM4heBI) PUT https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3 (source ip: 172.20.242.82)
2018-03-02 14:49:51,442 INFO [NiFi Web Server-21012857] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser
2018-03-02 14:49:51,447 INFO [NiFi Web Server-21004041] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<myuser><CN=sktudv01hdf01.ccta.dk, OU=CCTA.DK>) PUT https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3 (source ip: 172.20.242.82)
2018-03-02 14:49:51,447 INFO [NiFi Web Server-21004041] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser
2018-03-02 14:49:51,448 INFO [NiFi Web Server-21004041] o.a.n.w.a.c.AccessDeniedExceptionMapper myuser does not have permission to access the requested resource. Returning Forbidden response.
2018-03-02 14:49:51,452 INFO [NiFi Web Server-21012857] o.a.n.w.a.c.AccessDeniedExceptionMapper myuser does not have permission to access the requested resource. Returning Forbidden response.
2018-03-02 14:49:51,452 INFO [NiFi Web Server-21009169] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<myuser><CN=sktudv01hdf01.ccta.dk, OU=CCTA.DK>) PUT https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3 (source ip: 172.20.242.82)
2018-03-02 14:49:51,452 INFO [NiFi Web Server-21009169] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser

MattWho · ‎03-02-2018

@Simon Jespersen

It states that "myuser" is not authorized to access this resource. Would need to look at your authorizer now to determine why.

Assuming you are using NiFi's built-in file based authorizer, you would need to check teh users.xml and authorizations.xml files or carefullly inspect what permissions have been created for "myuser" within teh NiFi UI.

Cloudera Community

Support Questions

how to stop and start processor-group in NIFI using REST