
https calls to nifi api


New Contributor

How was I able to call the NiFi API from Postman even though I added an SSLRestrictedContextService to the processor? How does it get verified through the truststore?


Re: https calls to nifi api

New Contributor

Also, how will I be able to call the NiFi API from my local machine if a truststore is configured, provided I have an SSLRestrictedContextService on the processor side?

Re: https calls to nifi api

Master Guru

@100 

 

I think more detail is needed here in order to help you with your query.

Which processor did you configure with the SSLRestrictedContextService Controller Service?
How was that processor and the controller service configured?
What is the rest-api call you are making from Postman?

What response to the rest-api call are you getting?

 

Thanks,

Matt


Re: https calls to nifi api

New Contributor

Hello @MattWho, thanks for your attention. Actually, I have an API on port 8060 on NiFi; for that I have configured an SSLRestrictedContextService and it is working fine, and the REST API is getting called only by certified clients which are in the truststore. However, I want to know what changes I will have to make so that my API is authorized by username and password. Will I have to add any service, or do something else? Also, please suggest the changes in the API calling structure; I have no idea about it.

Note: I have configured an LDAP server for user authentication and it is working fine for login purposes etc.

Please tell me if any more information is needed. Thanks


Re: https calls to nifi api

Master Guru

@100 

 

Please share with me the exact NiFi processors in use here.

Are you saying you have an external service listening on 8060 that you use a processor like InvokeHTTP to consume from that rest-api?

NiFi authentication through the ldap-provider is only used for authentication to NiFi's rest-api endpoints.  It cannot be used for authenticated access to endpoints established by NiFi processor(s).  Those processors typically only support TLS based authentication.

 

I am still not very clear on what you have set up here.  Screenshots of the list of processors being used would be helpful.  Each processor runs its own code and does not typically have access to the NiFi core capabilities.

 

Hope this helps,

Matt
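
The two authentication paths described in the reply above, from the client's side, as an added example that is not part of the original thread: a username/password login against NiFi's own REST API, and a call to a processor's listener where the only identity is the TLS client certificate. The host and ports are the ones written in the thread; the user name, `/example-path`, and the certificate file arguments are assumptions for illustration.

```python
import ssl
import urllib.parse
import urllib.request

NIFI_API = "https://nifiurl:8443"   # NiFi's own REST API (host/port as written in the thread)
LISTENER = "https://nifiurl:8060"   # endpoint opened by a processor in the flow


def token_request(base, username, password):
    """Username/password login: only NiFi's own REST API offers this."""
    form = urllib.parse.urlencode({"username": username, "password": password})
    return urllib.request.Request(
        base.rstrip("/") + "/nifi-api/access/token",
        data=form.encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def api_request(base, path, token):
    """Later REST API calls carry the token returned by the login call."""
    return urllib.request.Request(
        base.rstrip("/") + path, headers={"Authorization": "Bearer " + token}
    )


def listener_request(base, path, payload):
    """Processor endpoint: no credentials in the request, identity is the TLS client cert."""
    return urllib.request.Request(base.rstrip("/") + path, data=payload, method="POST")


def client_cert_context(ca_file, cert_file, key_file):
    """TLS context presenting a client certificate the listener's truststore must trust."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def send(request, context):
    """Send a prepared request; the caller chooses the TLS context."""
    with urllib.request.urlopen(request, context=context, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Dry run with constructed values: show what each path would send.
    for req in (token_request(NIFI_API, "alice", "example-password"),
                api_request(NIFI_API, "/nifi-api/flow/current-user", "<token>"),
                listener_request(LISTENER, "/example-path", b"{}")):
        print(req.get_method(), req.full_url, dict(req.header_items()))
```

To send for real, pass the listener request to `send` with the context from `client_cert_context`, and the API requests with a context that trusts the certificate NiFi itself presents.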


Re: https calls to nifi api

New Contributor

Hello @MattWho, you are right, I have a service listening on port 8060. However, to authenticate calls to it from selected clients only, I have added their certificates to the truststore, and I have enabled SSLRestrictedContextService and added the keystore and truststore in that service. However, while calling https:/nifiurl:8443/bsa from that client, say https://client.com, I am not able to communicate with NiFi. However, my truststore shows the entry for that client. I have enabled need authentication also.


Re: https calls to nifi api

New Contributor

 

 

 

   
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1">cn=admin,ou=people,dc=nifi,dc=com</property>
    </userGroupProvider>



    <!-- To enable the ldap-user-group-provider remove 2 lines. This is 1 of 2.
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">START_TLS</property>

        <property name="Manager DN"></property>
        <property name="Manager Password"></property>

        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>

        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>

        <property name="Url"></property>
        <property name="Page Size"></property>
        <property name="Sync Interval">30 mins</property>

        <property name="User Search Base"></property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">ONE_LEVEL</property>
        <property name="User Search Filter"></property>
        <property name="User Identity Attribute"></property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>

        <property name="Group Search Base"></property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">ONE_LEVEL</property>
        <property name="Group Search Filter"></property>
        <property name="Group Name Attribute"></property>
        <property name="Group Member Attribute"></property>
        <property name="Group Member Attribute - Referenced User Attribute"></property>
    </userGroupProvider>
    To enable the ldap-user-group-provider remove 2 lines. This is 2 of 2. -->

   
    <!-- To enable the composite-configurable-user-group-provider remove 2 lines. This is 1 of 2.
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1"></property>
    </userGroupProvider>
    To enable the composite-configurable-user-group-provider remove 2 lines. This is 2 of 2. -->

    
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">cn=admin,ou=people,dc=nifi,dc=com</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>

    
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>

    <!-- <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">cn=admin,ou=people,dc=nifi,dc=com</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1"></property>
    </authorizer>
    -->
</authorizers>

 
