Also important to note that if no credential access is configured (LDAP, Kerberos, OIDC, Knox, etc.) and client certificate authentication is the only available mechanism, the access token endpoint is useless and will not generate a token, because every subsequent request will still require the client certificate to be present.
Andy LoPresto [email protected] [email protected] PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > On Mar 16, 2018, at 8:43 AM, Kevin Doran <[email protected]> wrote: > > Any secured (HTTPS) NiFi instance requires client authentication for every > REST API request, so the first thing you need to know is how your NiFi server > is configured to authenticate clients. There are lots of options, including > client certificates, login with LDAP username and password, or authenticate > with Kerberos ticket, Knox identity, or OpenId connect. These options are > explained in the NiFi Administration Guide [1]. One way to determine this is > by looking at the files in the /conf directory (i.e., nifi.properties). > > Once you know how the NiFi server authenticates client requests, you must > configure the REST API client you are using to perform the same > authentication steps. This varies based on authentication mechanism, but is > basically either a client certificate provided during the TLS connection > handshake or obtaining a JWT access token using one of the /access/* REST API > endpoints that uses some form of client credential to authenticate and > generate a signed JWT token that is then passed back to the server on later > requests. > > You may find it helpful to use your browser’s developer console while using > the NiFi Web UI to look at the REST API network interactions between the UI > and the server. This may show you how to obtain an authentication token > (assuming that is how your NiFi instance is configured) and also how to > perform operations such as start or stop a processor. > > Lastly, while this can be done using CURL, you may find it helpful to use one > of the community clients, such as NiPyApi [2], which abstracts some of the > details of interacting with the NiFi REST API. > > [1] > https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication > > <https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication> > [2] https://github.com/Chaffelson/nipyapi > <https://github.com/Chaffelson/nipyapi> > > From: Tian TD Deng <[email protected] <mailto:[email protected]>> > Reply-To: <[email protected] <mailto:[email protected]>> > Date: Friday, March 16, 2018 at 11:20 > To: <[email protected] <mailto:[email protected]>> > Cc: <[email protected] <mailto:[email protected]>> > Subject: Re: Error when sending HTTPS request to Nifi using the Restful API > > Hi Kevin, > > Thanks a lot for your help. > I tried to modify the property " nifi.security.needClientAuth " from true to > false, unfortunately, it didn't work, displayed the same error. > > However, I find that the "nifi.security.user.login.identity.provider" is > not set to any value in the nifi.properties. > > So in this case, what should I do to send a HTTPS request to the Nifi Restful > API to do something like start/stop the processor using curl? > > Thanks & Best Regards > > Joey(Tian) Deng > ------------------------------------------------------------------------------------------- > IT Specialist > IBM China Global Delivery Center > Tel: (+86) 27 59269644 > E-mail: [email protected] <mailto:[email protected]> > WhatsApp: +86 15671158671 > ------------------------------------------------------------------------------------------- > > >> ----- Original message ----- >> From: Kevin Doran <[email protected] <mailto:[email protected]>> >> To: <[email protected] <mailto:[email protected]>> >> Cc: >> Subject: Re: Error when sending HTTPS request to Nifi using the Restful API >> Date: Fri, Mar 16, 2018 9:58 PM >> >> >> When using access tokens, make sure your NiFi instance is configured to not >> require client certificates for the TLS certificates: >> >> nifi.security.needClientAuth=false >> >> >> This is because you only want the NiFi server (not the client) to establish >> its identity with a TLS certificate; the client will establish identity >> after the TLS connection is established by passing the username and password >> credentials that will be validated by the Login Identity Provider you >> configured for NiFi. For example: >> >> nifi.security.user.login.identity.provider=ldap-provider >> >> where “ldap-provider” is configured in login-identity-providers.xml >> >> Hope this helps! >> Kevin >> >> From: Tian TD Deng <[email protected] <mailto:[email protected]>> >> Reply-To: <[email protected] <mailto:[email protected]>> >> Date: Friday, March 16, 2018 at 04:51 >> To: <[email protected] <mailto:[email protected]>> >> Subject: Error when sending HTTPS request to Nifi using the Restful API >> >> Dear All, <> >> >> I was trying to send HTTPS request to Nifi using the Restful API via curl, >> however, it didn't work as expected. >> >> curl -k --tlsv1.2 https://localhost:8443/nifi-api/access/token >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__localhost-3A8443_nifi-2Dapi_access_token&d=DwMFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=5y4NPimmNGBw_uxhYgQmALaAwRfbIeRE6cMFQ9S3Shs&m=_lXJrQmuNdQxBiY5EymD-n9z3uR1tmWqLaoHGyRzU7Y&s=j8Ss_CTYXxglpLDJuNSzwH0COn30NbjKFylpMvzWeng&e=> >> --data 'username=test&password=password' >> >> <image001.png> >> >> Could you please help to give some advice about this? >> Thanks a lot! >> >> Thanks & Best Regards >> >> Joey(Tian) Deng >> ------------------------------------------------------------------------------------------- >> IT Specialist >> IBM China Global Delivery Center >> Tel: (+86) 27 59269644 >> E-mail: [email protected] <mailto:[email protected]> >> WhatsApp: +86 15671158671 >> ------------------------------------------------------------------------------------------- >> >> >> > > > > <image001.png>
signature.asc
Description: Message signed with OpenPGP using GPGMail
