I meant to say that you obviously could generate certs for CLI users, but I was just mentioning an alternative where you can proxy an identity.
Right now the CLI never obtains a token because it is all cert based.

On Wed, Jun 12, 2019 at 1:03 PM Bryan Bende <bbe...@gmail.com> wrote:

> Right now the idea is that whoever is running the CLI would have access to
> a NiFi server certificate and then you can proxy any user you want. There
> should be examples of this in the readme or toolkit guide.
>
> Supporting Kerberos auth was something I wanted to do, but it’s definitely
> not a trivial effort.
>
> On Wed, Jun 12, 2019 at 12:57 PM Andy LoPresto <alopre...@apache.org>
> wrote:
>
>> Shawn,
>>
>> I’m not sure I understand your question.
>>
>> I am in the process of refactoring the TLS Toolkit to integrate with
>> public certificate authorities, so in the near future it will be easier to
>> use certificates signed by external authorities rather than self-signed.
>>
>> My understanding is that you are talking about the CLI Toolkit rather
>> than the TLS Toolkit, but your reference to “token” was ambiguous, so I’m
>> going to proceed with the understanding that you are referring to the JWT
>> token used to identify an authenticated user when communicating with the
>> NiFi API.
>>
>> You may want to look at JerseyNiFiClient [1], which has methods for
>> getting various clients given an authentication token.
>>
>> You can create the token via the POST /access/kerberos API [2].
>>
>> [1] https://github.com/apache/nifi/blob/master/nifi-toolkit/nifi-toolkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/impl/JerseyNiFiClient.java#L163
>> [2] https://nifi.apache.org/docs/nifi-docs/rest-api/index.html
>>
>> Andy LoPresto
>> alopre...@apache.org
>> alopresto.apa...@gmail.com
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>>
>> > On Jun 12, 2019, at 9:39 AM, Shawn Weeks <swe...@weeksconsulting.us>
>> > wrote:
>> >
>> > I work in an environment reluctant to create self signed ssl
>> > certificates and I’m looking at the feasibility of having the toolkit cli
>> > authenticate via Kerberos. I was expecting it to be as simple as adding
>> > another way to get the authentication token but I’m having trouble figuring
>> > out exactly when the token is created. I see lots of references to it after
>> > it’s been created.
>> >
>> > Thanks
>> > Shawn
>>
> --
> Sent from Gmail Mobile

--
Sent from Gmail Mobile