Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
Contributor

Using NiFi REST API for unsecured cluster is straight-forward like below:

[root@<nifi-host> ~]# curl -v -X GET http://<nifi-host>:<port>/nifi-api/flow/current-user
* About to connect() to <nifi-host> port <port> (#0)
*   Trying <IP address>...
* Connected to <nifi-host> (<IP address>) port <port> (#0)
> GET /nifi-api/flow/current-user HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <nifi-host>:<port>
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 30 Jun 2017 22:15:09 GMT
< X-Frame-Options: SAMEORIGIN
< X-Frame-Options: SAMEORIGIN
< X-Frame-Options: SAMEORIGIN
< Cache-Control: private, no-cache, no-store, no-transform
< Server: Jetty(9.4.3.v20170317)
< Vary: Accept-Encoding, User-Agent
< Date: Fri, 30 Jun 2017 22:15:09 GMT
< Date: Fri, 30 Jun 2017 22:15:09 GMT
< Content-Type: application/json
< Content-Length: 439
<
* Connection #0 to host <nifi-host> left intact
{"identity":"anonymous","anonymous":true,"provenancePermissions":{"canRead":true,"canWrite":true},"countersPermissions":{"canRead":true,"canWrite":true},"tenantsPermissions":{"canRead":true,"canWrite":true},"controllerPermissions":{"canRead":true,"canWrite":true},"policiesPermissions":{"canRead":true,"canWrite":true},"systemPermissions":{"canRead":true,"canWrite":true},"restrictedComponentsPermissions":{"canRead":true,"canWrite":true}} 

However if this cluster is using Kerberos for authentication then the curl call will need a Kerberos authentication token as below:

  • First do a kinit (using appropriate keytab/principal) on the nifi node you are logged into.
  • Now get a token using below API call:
token=`curl -k -X POST --negotiate -u : https://<nifi-node>:<port>/nifi-api/access/kerberos` 
  • Second you need to pass above generated token to the actual API call:
curl -k --header "Authorization: Bearer $token" https://<nifi-host>:<port>/nifi-api/flow/cluster/summary 
4,323 Views
Comments
Contributor

Hi @Arti Wadhwani,

Could we use username/password of the principle created in Kerberos to login?

Since I don't have kinit in nifi node.

Thanks.

Hi,

I am trying to access nifi-api using kerberos token. I ran the command to obtain the token that is mentioned in the post but I get the following error: Kerberos ticket login not supported by this NiFi.

I have kerberos provider configured in login-identity-providers.xml and I am able to run kinit also.

Can you please help me how to resolve this issue?

Rising Star

In case, you get below error, make sure you use Nifi host FQDN in API call and NOT IP address. Also, make sure DNS is configured correctly.

 

<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /nifi-api/access/kerberos. Reason:
<pre>    Unauthorized</pre>

 

 

 

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.
Version history
Last update:
‎06-30-2017 10:27 PM
Updated by:
Contributors
Top Kudoed Authors