Created 03-02-2018 09:14 AM
Hi,
I am trying to start and stop my processor-group with a curl command.
I'm on HDF 2.1.1 using Kerberos.
curl -k -i -H 'Content-Type: application/json' -XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}' https://localhost:9091//nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3
The response from NiFi is the following:
HTTP/1.1 405 JSPs only permit GET POST or HEAD
Date: Fri, 02 Mar 2018 09:10:03 GMT
Content-Length: 0
Server: Jetty(9.3.9.v20160517)
If I remove the -k param I get the following response:
curl -i -H 'Content-Type: application/json' -XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}' https://localhost:9091//nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
What can I do to obtain this from the command line?
Created 03-02-2018 10:28 AM
You have two forward slashes in your curl call after https://localhost:9091; just use one forward slash and run your curl call again:
curl -k -i -H 'Content-Type: application/json' -XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}' https://localhost:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3
If you are still facing issues, then follow the steps below to start/stop processor groups in Kerberized HDF 2.1.1.
If our HDF is Kerberized, then we need to pass our access token with the curl API call.
Steps to Start/Stop Processor Group:
1. First do kinit on your NiFi node
bash$ kinit
2. Check the validity of the Kerberos ticket and make sure your ticket is valid
bash$ klist
3. Now create the access token
bash$ token=`curl -k -X POST --negotiate -u : https://localhost:9091/nifi-api/access/kerberos`
4. Use the created token in your curl call to start the processor group
bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85
5. Use the created token in your curl call to stop the processor group
bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"STOPPED"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85
Created 03-02-2018 01:18 PM
It seems to work when I send the header "Authorization: Bearer $token", but then another problem appears.
I did following:
1.
myuser@localhost ~]$ kinit
Password for myuser@CCTA.DK:
myuser@localhost ~]$
2.
myuser@localhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_742017602
Default principal: myuser@CCTA.DK

Valid starting       Expires              Service principal
03/02/2018 14:09:46  03/03/2018 00:09:46  krbtgt/CCTA.DK@CCTA.DK
        renew until 03/09/2018 14:09:39
myuser@localhost ~]$
3.
myuser@localhost ~]$ token=`curl -k -X POST --negotiate -u : https://sktudv01hdf01.ccta.dk:9091/nifi-api/access/kerberos`
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0   269    0     0   2112      0 --:--:-- --:--:-- --:--:--  2112
myuser@localhost ~]$
4.
myuser@localhost ~]$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"a9d5c45f-015b-1000-0000-00006d9844d3","state":"STOPPED"}' https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3
HTTP/1.1 403 Forbidden
Date: Fri, 02 Mar 2018 13:10:50 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Server: Jetty(9.3.9.v20160517)

Unable to perform the desired action due to insufficient permissions. Contact the system administrator.
myuser@localhost ~]$
My user should have admin rights
Created 03-02-2018 01:37 PM
Tail your nifi-user.log while you execute the curl command. This will give you exactly what user identity string is being passed to the NiFi authorizer. You can then compare that string with what has been added to and authorized within your NiFi.
Created 03-02-2018 01:51 PM
The NiFi log when I execute the curl string:
018-03-02 14:49:51,442 INFO [NiFi Web Server-21012857] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ3MjA5NjBAQ0NUQS5ESyIsImlzcyI6IktlcmJlcm9zU2VydmljZSIsImF1ZCI6IktlcmJlcm9zU2VydmljZSIsInByZWZlcnJlZF91c2VybmFtZSI6IncyMDk2MEBDQ1RBLkRLIiwia2lkIjoxNSwiZXhwIjoxNTIwMDQxMzczLCJpYXQiOjE1MTk5OTgxNzN9.OX5DsmHY4Y6mpxqEMGIvT4q_FbHJUDzLItMbjM4heBI) PUT https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3 (source ip: 172.20.242.82)
2018-03-02 14:49:51,442 INFO [NiFi Web Server-21012857] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser
2018-03-02 14:49:51,447 INFO [NiFi Web Server-21004041] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<myuser><CN=sktudv01hdf01.ccta.dk, OU=CCTA.DK>) PUT https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3 (source ip: 172.20.242.82)
2018-03-02 14:49:51,447 INFO [NiFi Web Server-21004041] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser
2018-03-02 14:49:51,448 INFO [NiFi Web Server-21004041] o.a.n.w.a.c.AccessDeniedExceptionMapper myuser does not have permission to access the requested resource. Returning Forbidden response.
2018-03-02 14:49:51,452 INFO [NiFi Web Server-21012857] o.a.n.w.a.c.AccessDeniedExceptionMapper myuser does not have permission to access the requested resource. Returning Forbidden response.
2018-03-02 14:49:51,452 INFO [NiFi Web Server-21009169] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<myuser><CN=sktudv01hdf01.ccta.dk, OU=CCTA.DK>) PUT https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3 (source ip: 172.20.242.82)
2018-03-02 14:49:51,452 INFO [NiFi Web Server-21009169] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser
Created 03-02-2018 02:01 PM
It states that "myuser" is not authorized to access this resource. Would need to look at your authorizer now to determine why.
Assuming you are using NiFi's built-in file based authorizer, you would need to check the users.xml and authorizations.xml files or carefully inspect what permissions have been created for "myuser" within the NiFi UI.
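
The comparison suggested in the replies above, as an added example (not code from the thread or from NiFi): it extracts the identity strings from nifi-user.log lines, decoding the JWT subject when the request is logged with a bearer token, and checks each denied identity against users.xml. The log lines, token, host names and users.xml content are constructed samples, and the users.xml layout (user elements carrying an identity attribute) is an assumption about the file-based authorizer.

```python
import base64, json, re
import xml.etree.ElementTree as ET
REQ = re.compile(r"Attempting request for \((.+?)\) [A-Z]+ https?://")
DENY = re.compile(r"AccessDeniedExceptionMapper (.+?) does not have permission")
JWT = re.compile(r"^[\w-]+\.[\w-]+\.[\w-]+$")

def jwt_subject(token):
    """Decode (without verifying) a JWT payload and return its 'sub' claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def identities_in_log(lines):
    """Return (requested, denied) identity strings found in nifi-user.log lines."""
    requested, denied = set(), set()
    for line in lines:
        m = REQ.search(line)
        if m and JWT.match(m.group(1)):
            requested.add(jwt_subject(m.group(1)))
        elif m:  # proxy chain such as <user><CN=node, OU=org>, or a bare identity
            requested.update(re.findall(r"<([^<>]+)>", m.group(1)) or [m.group(1)])
        denied.update(DENY.findall(line))
    return requested, denied

def check_against_users(denied, users_xml):
    """Classify each denied identity against the identity attributes in users.xml."""
    known = {u.get("identity") for u in ET.fromstring(users_xml).iter("user")}
    folded = {k.strip().lower(): k for k in known}
    report = {}
    for ident in denied:
        near = folded.get(ident.strip().lower())
        if ident in known:
            report[ident] = "present: check its policies in authorizations.xml"
        else:
            report[ident] = "near match: " + near if near else "absent from users.xml"
    return report

# Constructed sample data (hosts, identities and token are not from the thread).
def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = ".".join([b64url({"alg": "HS256"}), b64url({"sub": "MyUser@EXAMPLE.COM"}), "c2ln"])
P = "2018-03-02 14:49:51,442 INFO [NiFi Web Server-1] "
URL = "PUT https://nifi.example:9091/nifi-api/flow/process-groups/GROUP-ID (source ip: 192.0.2.10)"
SAMPLE_LOG = [
    P + "o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (" + SAMPLE_TOKEN + ") " + URL,
    P + "o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<myuser><CN=nifi.example, OU=EXAMPLE>) " + URL,
    P + "o.a.n.w.a.c.AccessDeniedExceptionMapper myuser does not have permission to access the requested resource.",
]
SAMPLE_USERS = '<tenants><users><user identifier="1" identity="MyUser"/></users></tenants>'
```

A "near match" result means the identity exists in users.xml only with different case or surrounding whitespace, so the exact string in the log is not the one that was authorized.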