Support Questions

Shrink · ‎04-21-2025

Hello Team,
I am looking to control processers from NiFi iteslf. I learn that can be possible with Nifi Rest Api. But i am not able to connect api with InvokeHTTP processor. I am using NIFI 2.0.0-M4

There are multiple post/articles available on internet but unfortunately those are showing and talking about old version of these processor.
At first I have tried to access it with StandardSSLContextService2.0.0-M4 by saving certificate and then use it from java keystore
Then i tried to remove SSL certificate and disable all remote securities to push Nifi with "http". Here i tried with StandardOauth2AccessTokenProvider 2.0.0-M4. but it is still showing below error

If you could comment on this, it will be appreciated Or at least Please guide me with some latest tutorials/articles to understand this latest processors.

Thank you,

MattWho · ‎04-21-2025

@Shrink

Not sure why you would want to "control processors" within dataflows in NiFi. This is not typically a good design choice.

From the image shared, I see the NiFi URL is "http" and not "https". If your have you NiFi setup unsecured (HTTP), no NiFi authentication is going to be used even if setup in the NiFi core configuration files. If your NiFi was secured (HTTPS), you would still need a StandardRestrictedSSLContextService to at least provide a truststore that contained the complete trust chain for the ServerAuth certificate used in the NiFi nifi.properties keystore to establish the 1-way TLS connection before you would be able to redirect to the oauth2 endpoint to get a token. The other issue is you are not fetching a token from your oauth2 provider, but rather trying to fetch a token from whichever NiFi login provider you have configured. That is because the "rest-api/access/token" endpoint is used for the NiFi login providers (ldap-provider or kerberos-provider).

When I use InvokeHTTP processor to access NiFI's rest-api, i always use MutualTLS authentication. I find it the easiest because you don't need to worry about managing tokens or fetching new tokens each time the expire.

To support mutualTLS authentication, a StandardRestrictedSSLContextService would need to be used in the InvokeHTTP processor and Your NiFi would need to be secured (HTTPS). Your secured NiFi will have a keystore and truststore setup in nifi.properties file. NiFi out-of-the-box will generate generic self-signed keystore and truststore files for you. I strongly encourage you to use properly signed certificates in production.

Simplest approach to set this up is to simply use the same keystore and truststore from the nifi.properties in the StandardRestrictedSSLContextService you'll use with the invokeHTTP processor. You'll need to make sure that the NiFi ClientAuth certificate DN from the keytsore is properly authorized for the NiFi rest-api endpoints you want to use (this of course also means you are NOT using the out-of-the-box single-user-authorizer and instead using an authorizer that allows you manage user authorizations manually like the StandardManagedAuthorizer.)

NOTE: the Apache NiFi 2.0.0 releases where tech preview. NiFi 2.1+ are the official releases of the new 2.x line. 2.0.0-M4was last TP release, so it is going to be pretty close to the first GA release.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Shrink · ‎04-21-2025

Thanks @MattWho for detailed replay.

There are few set of processes which required to active only if those are required by another processes which is a rare event, but important run those on time.
If i removed all credentials and methods to access it with "http". If goes to No retry. Below is the InvokeHTTP configuration

Next i try with StandardRestrictedSSLContextService.
I use details from nifi.properties to configure service.

use same details to configure service

but it is till goes to No retry.
Here URL is ="https://localhost:8443/nifi-api/flow/process-groups/11d11155-1f75-15c9-4802-91f2b21aec2e"
and passing payload ={"id":"11d11156-1f75-15c9-6843-a34f61aff12d","state":"RUNNING"}

Please do share if you have any working example link

Thank you.

MattWho · ‎04-25-2025

@Shrink
So I see you are trying to start a Process Group (which starts all the NiFi components within that process group). You are not setup with a production ready certificate nor production ready authentication and authorization configuration which makes setting up the necessary authorizations not possible. You would need to switch to using the managed authorizer which allow you to use the file-user-group-provider. This provider will allow you to define your NiFi node certificate DN as a user which you can then authorize as needed to make the rest-api call you want to make.

Have you looked at using FlowFile Concurrency and Outbound Policy options available within the process group configuration to control the input and output of FlowFiles in and out of each process group? These settings would allow you to control the movement of FlowFiles from one PG to another and achieve I believe what you are trying to do with needing to programmatically start and stop Process groups via rest-api calls.

Configuring a Process Group

FlowFile Concurrency

OutBound Policy

Using rest-api calls first requires you to constantly check to make sure one PG is done processing all FlowFiles before you start the next. Not efficient design. You should try to design your dataflows so they are always running.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Cloudera Community

Support Questions

how to use StandardOauth2AccessTokenProvider 2.0.0-M4 & InvokeHTTP 2.0.0-M4 for Nifi Rest API