You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@nifi.apache.org by Tomas Hudik <xh...@gmail.com> on 2019/10/09 13:23:47 UTC
access token (secured NiFi) in InvokeHTTP, PostHTTP
Hi there,
I have secured NiFi (TLS + Kerberos) and need to work with NiFi API.
From command line, I do:
1. generate access token: *curl -k -d "username=nifi-api@DOMAIN.COM
<ni...@DOMAIN.COM>&password=paSSword" -X POST
https://df3-tt-master-01.domain.com:9443/nifi-api/access/token
<https://df-test-master-01.cn.infra:9443/nifi-api/access/token>*
2. using access token: *curl -k -X GET
https://df3-tt-master-01.domain.com:9443/nifi-api/flow/about
<https://df-dev-master-01.cn.infra:9443/nifi-api/flow/about> -H
'Authorization: Bearer <access token>' *
However, I cannot generate and use access token within
*InvokeHTTP, PostHTTP. *
- Is it possible to use access token with those processors?
- If not, is there any workaround (like other processor) how to use NiFi
API within secured NiFi?
any idea/hint is highly appreciated! :)
thank you, Tomas
Re: access token (secured NiFi) in InvokeHTTP, PostHTTP
Posted by Joe Witt <jo...@gmail.com>.
Tomas
It just need someone to implement various standards. Right now I believe
it is purely TLS one way or mutual auth and also supports basic and digest.
Thanks
On Thu, Oct 10, 2019 at 11:00 AM Tomas Hudik <xh...@gmail.com> wrote:
> Hi Erik
> thank you very much for the mail.
>
> My try is not about coding API. I just want to know whether processors
> like *InvokeHTTP, PostHTTP *can work with the access token(if you have
> some kerberized site).
> (the example I have provided is just for fast try)
>
> Do you know whether those processors can somehow work with access token
> (or is it planned to implement it in some future releases,...)?
>
> best, Tomas
>
>
> On Wed, Oct 9, 2019 at 3:51 PM Erik Anderson <ea...@pobox.com> wrote:
>
>> Tomas,
>>
>> I wouldnt hand code the API yourself. You will get into serious
>> challenged to talk with all of the API endpoints, like deploying flows from
>> the NiFi Registry.
>>
>> The NiFi toolkit is what we use to talk to secure and unsecure (developer
>> sandbox) NiFi instances.
>>
>> https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html
>>
>> You can create 1 certificate user, like you did below, nifi-api
>>
>> tls-toolkit.sh client -c nifi-toolkit.mydomain.com -t
>> FooManInTheMiddleSecretJunk-p 8443 -D 'CN=nifi-api, OU=NIFI'
>>
>> you can use that JSON file, point the toolkit at the JSON file, create a
>> user in the NiFi UI called "CN=nifi-api, OU=NIFI"
>> and its just magic. It all works.
>>
>> I seem to remember we tried the python package nipyapi but it wasnt
>> working with a secured version of NiFi.
>>
>> Erik Anderson
>> Bloomberg
>>
>> On Wed, Oct 9, 2019, at 9:23 AM, Tomas Hudik wrote:
>>
>> Hi there,
>>
>> I have secured NiFi (TLS + Kerberos) and need to work with NiFi API.
>> From command line, I do:
>>
>> 1. generate access token: *curl -k -d "username=nifi-api@DOMAIN.COM
>> <ni...@DOMAIN.COM>&password=paSSword" -X POST
>> https://df3-tt-master-01.domain.com:9443/nifi-api/access/token
>> <https://df-test-master-01.cn.infra:9443/nifi-api/access/token>*
>> 2. using access token: *curl -k -X GET
>> https://df3-tt-master-01.domain.com:9443/nifi-api/flow/about
>> <https://df-dev-master-01.cn.infra:9443/nifi-api/flow/about> -H
>> 'Authorization: Bearer <access token>' *
>>
>> However, I cannot generate and use access token within *InvokeHTTP,
>> PostHTTP. *
>>
>>
>>
>> - Is it possible to use access token with those processors?
>> - If not, is there any workaround (like other processor) how to use
>> NiFi API within secured NiFi?
>>
>>
>> any idea/hint is highly appreciated! :)
>> thank you, Tomas
>>
>>
>>
Re: access token (secured NiFi) in InvokeHTTP, PostHTTP
Posted by Tomas Hudik <xh...@gmail.com>.
Hi Erik
thank you very much for the mail.
My try is not about coding API. I just want to know whether processors
like *InvokeHTTP, PostHTTP *can work with the access token(if you have
some kerberized site).
(the example I have provided is just for fast try)
Do you know whether those processors can somehow work with access token (or
is it planned to implement it in some future releases,...)?
best, Tomas
On Wed, Oct 9, 2019 at 3:51 PM Erik Anderson <ea...@pobox.com> wrote:
> Tomas,
>
> I wouldnt hand code the API yourself. You will get into serious
> challenged to talk with all of the API endpoints, like deploying flows from
> the NiFi Registry.
>
> The NiFi toolkit is what we use to talk to secure and unsecure (developer
> sandbox) NiFi instances.
>
> https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html
>
> You can create 1 certificate user, like you did below, nifi-api
>
> tls-toolkit.sh client -c nifi-toolkit.mydomain.com -t
> FooManInTheMiddleSecretJunk-p 8443 -D 'CN=nifi-api, OU=NIFI'
>
> you can use that JSON file, point the toolkit at the JSON file, create a
> user in the NiFi UI called "CN=nifi-api, OU=NIFI"
> and its just magic. It all works.
>
> I seem to remember we tried the python package nipyapi but it wasnt
> working with a secured version of NiFi.
>
> Erik Anderson
> Bloomberg
>
> On Wed, Oct 9, 2019, at 9:23 AM, Tomas Hudik wrote:
>
> Hi there,
>
> I have secured NiFi (TLS + Kerberos) and need to work with NiFi API.
> From command line, I do:
>
> 1. generate access token: *curl -k -d "username=nifi-api@DOMAIN.COM
> <ni...@DOMAIN.COM>&password=paSSword" -X POST
> https://df3-tt-master-01.domain.com:9443/nifi-api/access/token
> <https://df-test-master-01.cn.infra:9443/nifi-api/access/token>*
> 2. using access token: *curl -k -X GET
> https://df3-tt-master-01.domain.com:9443/nifi-api/flow/about
> <https://df-dev-master-01.cn.infra:9443/nifi-api/flow/about> -H
> 'Authorization: Bearer <access token>' *
>
> However, I cannot generate and use access token within *InvokeHTTP,
> PostHTTP. *
>
>
>
> - Is it possible to use access token with those processors?
> - If not, is there any workaround (like other processor) how to use
> NiFi API within secured NiFi?
>
>
> any idea/hint is highly appreciated! :)
> thank you, Tomas
>
>
>
Re: access token (secured NiFi) in InvokeHTTP, PostHTTP
Posted by Erik Anderson <ea...@pobox.com>.
Tomas,
I wouldnt hand code the API yourself. You will get into serious challenged to talk with all of the API endpoints, like deploying flows from the NiFi Registry.
The NiFi toolkit is what we use to talk to secure and unsecure (developer sandbox) NiFi instances.
https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html
You can create 1 certificate user, like you did below, nifi-api
tls-toolkit.sh client -c nifi-toolkit.mydomain.com -t FooManInTheMiddleSecretJunk-p 8443 -D 'CN=nifi-api, OU=NIFI'
you can use that JSON file, point the toolkit at the JSON file, create a user in the NiFi UI called "CN=nifi-api, OU=NIFI"
and its just magic. It all works.
I seem to remember we tried the python package nipyapi but it wasnt working with a secured version of NiFi.
Erik Anderson
Bloomberg
On Wed, Oct 9, 2019, at 9:23 AM, Tomas Hudik wrote:
> Hi there,
>
> I have secured NiFi (TLS + Kerberos) and need to work with NiFi API.
> From command line, I do:
> 1. generate access token: *curl -k -d "username=nifi-api@DOMAIN.COM&password=paSSword" -X POST https://df3-tt-master-01.domain.com:9443/nifi-api/access/token <https://df-test-master-01.cn.infra:9443/nifi-api/access/token>*
> 2. using access token: *curl -k -X GET https://df3-tt-master-01.domain.com:9443/nifi-api/flow/about <https://df-dev-master-01.cn.infra:9443/nifi-api/flow/about> -H 'Authorization: Bearer <access token>' *
> However, I cannot generate and use access token within *InvokeHTTP, PostHTTP. *
>
>
> * Is it possible to use access token with those processors?
> * If not, is there any workaround (like other processor) how to use NiFi API within secured NiFi?
>
> any idea/hint is highly appreciated! :)
> thank you, Tomas
>