
NiFi API & "Unable to validate the access token" error



I'm getting the "Unable to validate the access token" error when calling the NiFi API, for all API end points that I checked (I checked a few).

Following other posts in HCC, I'm first using the below call to get the access token, which is successful; it returns a token.

curl 'https://<nifi-server>:8077/nifi-api/access/token' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' --data 'username=<username>&password=<password>' --compressed --insecure

In the 2nd API call, where I use the token from the above call, I'm getting the "Unable to validate the access token" error for just about all end points I checked. Below is one where I'm calling the System Diagnostics end point and it returns the error.

curl 'https://<nifi-server>:8077/nifi-api/system-diagnostics' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1SUkJvbGxhLG91PURhdGEgTWFuYWdlbWVudCxvdT1QT0Usb3U9UGVvcGxlLGRjPW1kYW5kZXJzb24sZGM9ZWR1IiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiUlJCb2xsYSIsImtpZCI6MzMsImV4cCI6MTQ5MjA5OTcyNiwiaWF0IjoxNDkyMDkyNTI2fQ.xIViD0Ea_fok6qV5ghnf65FPbO9Reh_MQxVG2Q1krl4%' --compressed --insecure

I checked the 2 posts about this error in HCC and per the suggestions there, 1) I made sure we have LDAP authentication enabled 2) I made sure I'm using the same server and port in both curl commands 3) I checked several API end points to rule out that my login does not have permissions to the specific API end point; I tried the following API end points and all of them return the same "Unable to validate the access token" error - flow/status, flow/history, flow/about, flow/search-results, processors/{id}

Do you guys see what's wrong with these API calls?

Thanks in advance.


Accepted Solutions

@Raj B

So, your basic flow is the sending systems push data to the load balancer and then the load balancer does a round robin approach to each node in the NiFi cluster?

What would the load balancer do if one of the nodes is down? Is it able to do automatic failover?



@Raj B

I have found, depending on some of the default system settings, that I need an additional flag on the subsequent curl commands after getting the token. Try adding --tlsv1.2 after the compressed and insecure flags.

Also, you will still need the Content-type information on subsequent curl commands.


Hi @Wynner, thanks for helping me out.

Following your suggestion, I added the Content-type and --tlsv1.2 option, and now I'm getting a different error - Bad Content-Type

<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 400 Bad Content-Type header value: 'text/html; Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1SUkJvbGxhLG91PURhdGEgTWFuYWdlbWVudCxvdT1QT0Usb3U9UGVvcGxlLGRjPW1kYW5kZXJzb24sZGM9ZWR1IiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiUlJCb2xsYSIsImtpZCI6MiwiZXhwIjoxNDkyNDQ0NTc3LCJpYXQiOjE0OTI0MzczNzd9.DKoOkdknxMj9lidDYqzkdyTUumh20CrPdFnXHiZRzYk%'</title>
<body><h2>HTTP ERROR 400</h2>
<p>Problem accessing /nifi-api/flow/history. Reason:
<pre>    Bad Content-Type header value: 'text/html; Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1SUkJvbGxhLG91PURhdGEgTWFuYWdlbWVudCxvdT1QT0Usb3U9UGVvcGxlLGRjPW1kYW5kZXJzb24sZGM9ZWR1IiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiUlJCb2xsYSIsImtpZCI6MiwiZXhwIjoxNDkyNDQ0NTc3LCJpYXQiOjE0OTI0MzczNzd9.DKoOkdknxMj9lidDYqzkdyTUumh20CrPdFnXHiZRzYk%'</pre></p><hr><a href="">Powered by Jetty:// 9.3.9.v20160517</a><hr/>


Here is my 2nd curl command:

curl 'https://<nifi-server>:8077/nifi-api/system-diagnostics' -H 'Content-Type: */*; Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1SUkJvbGxhLG91PURhdGEgTWFuYWdlbWVudCxvdT1QT0Usb3U9UGVvcGxlLGRjPW1kYW5kZXJzb24sZGM9ZWR1IiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiUlJCb2xsYSIsImtpZCI6MzMsImV4cCI6MTQ5MjA5OTcyNiwiaWF0IjoxNDkyMDkyNTI2fQ.xIViD0Ea_fok6qV5ghnf65FPbO9Reh_MQxVG2Q1krl4%' --compressed --insecure --tlsv1.2

@Raj B

Try something like this:

curl 'https://<nifi-server>:8077/nifi-api/system-diagnostics' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbj1SUkJvbGxhLG91PURhdGEgTWFuYWdlbWVudCxvdT1QT0Usb3U9UGVvcGxlLGRjPW1kYW5kZXJzb24sZGM9ZWR1IiwiaXNzIjoiTGRhcFByb3ZpZGVyIiwiYXVkIjoiTGRhcFByb3ZpZGVyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiUlJCb2xsYSIsImtpZCI6MzMsImV4cCI6MTQ5MjA5OTcyNiwiaWF0IjoxNDkyMDkyNTI2fQ.xIViD0Ea_fok6qV5ghnf65FPbO9Reh_MQxVG2Q1krl4%' --compressed --insecure --tlsv1.2

In addition, make sure the user you are accessing the UI with has the correct policies to access the system-diagnostics.


@Wynner thanks again.

I tried what you asked, but then it's back to "Unable to validate the access token." error again.

I'm finding that when I have two '-H' options, it is giving the "Unable to validate the access token."; when I have just one '-H' option, it is returning the "HTTP ERROR 400... Bad Content-Type".

In the NiFi API documentation for "/flow/about" end point, it says that error 400 refers to Invalid request. Errors 401 and 403 refer to authentication and authorization issues. So, it seems I'm not running against any access policy issues, it's more of a syntax issue with my curl command; would you agree?
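
A pre-flight check for the two symptoms discussed in this thread, as an added example that is not part of any post: it flags a token that contains characters outside the JWT alphabet (the tokens pasted in the commands above end in `%`) or that is past its `exp` claim, and it shows that a single `-H` value combining Content-Type and Authorization carries no Authorization header at all. The sample token and the function names `check_token` and `count_auth_headers` are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks on a bearer token and on curl -H values.
# Tokens are constructed for illustration; function names are hypothetical.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# check_token TOKEN NOW_EPOCH: prints a verdict; non-zero status on a problem.
check_token() {
  tok=$1; now=$2
  case $tok in
    *[!A-Za-z0-9_.-]*) echo malformed; return 1 ;;   # stray '%', space, quote
    *.*.*.*|.*|*..*|*.) echo malformed; return 1 ;;  # extra or empty segments
    *.*.*) ;;                                         # header.payload.signature
    *) echo malformed; return 1 ;;
  esac
  payload=$(b64url_decode "$(printf '%s' "$tok" | cut -d. -f2)") ||
    { echo undecodable; return 1; }
  exp=$(printf '%s' "$payload" | sed -n 's/.*"exp": *\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] || { echo no-exp; return 1; }
  [ "$exp" -gt "$now" ] || { echo expired; return 1; }
  echo ok
}

# count_auth_headers VALUE...: number of -H values whose header NAME is
# Authorization. 'Content-Type: */*; Authorization: Bearer x' is one header
# named Content-Type, so the server never sees an Authorization header.
count_auth_headers() {
  n=0
  for h in "$@"; do
    name=$(printf '%s' "${h%%:*}" | tr 'A-Z' 'a-z')
    if [ "$name" = authorization ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed token: header is {"alg":"HS256"}, signature is a placeholder.
GOOD="eyJhbGciOiJIUzI1NiJ9.$(b64url_encode '{"sub":"demo","exp":2000000000}').c2ln"
NOW=1700000000   # fixed clock so the result is reproducible

check_token "$GOOD" "$NOW" || true            # ok
check_token "${GOOD}%" "$NOW" || true         # malformed
check_token "$GOOD" 2000000001 || true        # expired
count_auth_headers "Content-Type: */*; Authorization: Bearer $GOOD"               # 0
count_auth_headers "Content-Type: application/json" "Authorization: Bearer $GOOD" # 1
```

The check only inspects the token's shape and expiry; it does not verify the signature, which only the server that issued the token can do.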

@Raj B

I would agree.

Are you running the curl commands on the same system with the NiFi instance you are running the curl command against?

Try running the curl commands from a remote system that can reach the NiFi instance.

Also, make sure you are not logged into the NiFi instance, via the UI, while you are running the curl commands; I have found that can cause some issues.



I'm not able to add comments to the thread above anymore, so I'm commenting here:

I was running curl commands from my local system and the NiFi instance is running on a server.

I also tried the curl commands against another NiFi instance as well and I'm getting the same errors - either error 400 or the token error.

As you suggested, I also logged out of the NiFi UI while running the curl command, but that didn't help either.

Not sure what's the problem here.

Let me give you a bit of background on what I'm trying to do, maybe you know of other ways to achieve it - from our load balancing appliance, I need a way to check the heartbeat of the nodes in the NiFi cluster, to see which nodes are available to receive data from the load balancer;

checking the System Diagnostics end point of the NiFi API is how I am approaching this.

Do you have suggestions for accomplishing this differently?

Thank you.

@Raj B

Can Java be installed on the load balancer?

If so, I would install NiFi on the load balancer and then just add a Remote process group to the NiFi instance on the load balancer and let NiFi handle the load balancing.


@Wynner thank you for the suggestion, but unfortunately, the load balancer is an enterprise appliance, which is off limits for us to install NiFi on.

@Raj B

Is it possible to have NiFi pull the data from the source?