Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

how to stop and start processor-group in NIFI using REST

Labels:
avatar
author-rank simon_jespersen
Expert Contributor

Created ‎03-02-2018 09:14 AM

Hi,

I am trying to start and stop my processor-group with a curl commando

Im on a hdf 2.1.1 using kerberos 

curl -k -i -H 'Content-Type: application/json' -XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}'  https://localhost:9091//nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3

the response from NIFI is following 

HTTP/1.1 405 JSPs only permit GET POST or HEAD
Date: Fri, 02 Mar 2018 09:10:03 GMT
Content-Length: 0
Server: Jetty(9.3.9.v20160517)

If i remove the -k param i got following response 

curl  -i -H 'Content-Type: application/json' -XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}'  https://localhost:9091//nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

what can i do to obtain this from commandline

7,683 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Shu_ashu
Master Guru

Created ‎03-02-2018 10:28 AM

@Simon Jespersen

You are having two forward slashes in your curl call after https://localhost:9091, just use one forward slash and run again the your curl call

curl -k -i -H 'Content-Type: application/json'-XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}'  https://localhost:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3

If you are still facing some issues then follow the below steps to start/stop processor groups in kerberos HDF2.1.1.

if our HDF is Kerberised then we need to pass our access token with CURL api call.

Steps to Start/Stop Processor Group:-

1.First do kinit in your NiFi node

bash$ kinit

2.Check the validity of the kerberos ticket and make sure your your ticket is valid

bash$ klist

3. Now create access token 

bash$ token=`curl -k -X POST --negotiate -u : https://localhost:9091/nifi-api/access/kerberos` https://localhost:9091/nifi/

4.Use the created token in your curl call to start processor group

bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85

5.Use the created token in your curl call to stop processor group

bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"STOPPED"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85

View solution in original post

6,504 Views
7 REPLIES 7

avatar
author-rank Shu_ashu
Master Guru

Created ‎03-02-2018 10:28 AM

@Simon Jespersen

You are having two forward slashes in your curl call after https://localhost:9091, just use one forward slash and run again the your curl call

curl -k -i -H 'Content-Type: application/json'-XPUT -d '{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}'  https://localhost:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3

If you are still facing some issues then follow the below steps to start/stop processor groups in kerberos HDF2.1.1.

if our HDF is Kerberised then we need to pass our access token with CURL api call.

Steps to Start/Stop Processor Group:-

1.First do kinit in your NiFi node

bash$ kinit

2.Check the validity of the kerberos ticket and make sure your your ticket is valid

bash$ klist

3. Now create access token 

bash$ token=`curl -k -X POST --negotiate -u : https://localhost:9091/nifi-api/access/kerberos` https://localhost:9091/nifi/

4.Use the created token in your curl call to start processor group

bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"RUNNING"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85

5.Use the created token in your curl call to stop processor group

bash$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"cdb54c9a-0158-1000-5566-c45ca9692f85","state":"STOPPED"}' https://localhost:9091/nifi-api/flow/process-groups/cdb54c9a-0158-1000-5566-c45ca9692f85
6,505 Views

avatar
author-rank simon_jespersen
Expert Contributor

Created ‎03-02-2018 01:18 PM

It seems to work when i send the header "Authorization: Bearer $token" But then another problem appear

I did following:

1.
myuser@localhost ~]$ kinit
Password for myuser@CCTA.DK:
myuser@localhost ~]$

2. 

myuser@localhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_742017602
Default principal: myuser@CCTA.DK
Valid starting       Expires              Service principal 
03/02/2018 14:09:46  03/03/2018 00:09:46  krbtgt/CCTA.DK@CCTA.DK
        renew until 03/09/2018 14:09:39
myuser@localhost ~]$

3.

myuser@localhost ~]$ token=`curl -k -X POST --negotiate -u : https://sktudv01hdf01.ccta.dk:9091/nifi-api/access/kerberos`                                                                                                                % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0   269    0     0   2112      0 --:--:-- --:--:-- --:--:--  2112
myuser@localhost ~]$

4.

myuser@localhost ~]$ curl -k --header "Authorization: Bearer $token" -i -H 'Content-Type: application/json' -XPUT -d'{"id":"a9d5c45f-015b-1000-0000-00006d9844d3","state":"STOPPED"}' https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3
HTTP/1.1 403 Forbidden
Date: Fri, 02 Mar 2018 13:10:50 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Server: Jetty(9.3.9.v20160517)
Unable to perform the desired action due to insufficient permissions. Contact the system administrator.myus

er@localhost ~]$

My user should have admin rights

6,504 Views

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎03-02-2018 01:37 PM

@Simon Jespersen

Tail your nifi-user.log while you execute the curl command. This will give you exactly what user identity string is being passed to the NiFi authorizer. You can then compare that string with what has been added to and authorized within your NiFi.

6,504 Views

avatar
author-rank simon_jespersen
Expert Contributor

Created ‎03-02-2018 01:51 PM

The NIFI log when i execute the curl string 



018-03-02 14:49:51,442 INFO [NiFi Web Server-21012857] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ3MjA5NjBAQ0NUQS5ESyIsImlzcyI6IktlcmJlcm9zU2VydmljZSIsImF1ZCI6IktlcmJlcm9zU2VydmljZSIsInByZWZlcnJlZF91c2VybmFtZSI6IncyMDk2MEBDQ1RBLkRLIiwia2lkIjoxNSwiZXhwIjoxNTIwMDQxMzczLCJpYXQiOjE1MTk5OTgxNzN9.OX5DsmHY4Y6mpxqEMGIvT4q_FbHJUDzLItMbjM4heBI) PUT https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3 (source ip: 172.20.242.82)
2018-03-02 14:49:51,442 INFO [NiFi Web Server-21012857] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser
2018-03-02 14:49:51,447 INFO [NiFi Web Server-21004041] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<myuser><CN=sktudv01hdf01.ccta.dk, OU=CCTA.DK>) PUT https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3 (source ip: 172.20.242.82)
2018-03-02 14:49:51,447 INFO [NiFi Web Server-21004041] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser
2018-03-02 14:49:51,448 INFO [NiFi Web Server-21004041] o.a.n.w.a.c.AccessDeniedExceptionMapper myuser does not have permission to access the requested resource. Returning Forbidden response.
2018-03-02 14:49:51,452 INFO [NiFi Web Server-21012857] o.a.n.w.a.c.AccessDeniedExceptionMapper myuser does not have permission to access the requested resource. Returning Forbidden response.
2018-03-02 14:49:51,452 INFO [NiFi Web Server-21009169] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<myuser><CN=sktudv01hdf01.ccta.dk, OU=CCTA.DK>) PUT https://sktudv01hdf01.ccta.dk:9091/nifi-api/flow/process-groups/a9d5c45f-015b-1000-0000-00006d9844d3 (source ip: 172.20.242.82)
2018-03-02 14:49:51,452 INFO [NiFi Web Server-21009169] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for myuser
6,504 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎03-02-2018 02:01 PM

@Simon Jespersen

It states that "myuser" is not authorized to access this resource. Would need to look at your authorizer now to determine why.

Assuming you are using NiFi's built-in file based authorizer, you would need to check teh users.xml and authorizations.xml files or carefullly inspect what permissions have been created for "myuser" within teh NiFi UI.

6,504 Views

avatar
author-rank pankajgaikwad
Explorer

Created on ‎11-28-2024 11:48 PM - edited ‎11-28-2024 11:49 PM

Hello @Shu_ashu 
I want to make this call from the postman so what I need to do then right now I'm getting forbidden error

 

142 Views

avatar
author-rank DianaTorres author-rank
Community Manager

Created ‎11-29-2024 06:18 AM

@pankajgaikwad As this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post. Thanks.

Regards,

Diana Torres,
Community Moderator

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
132 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements