Any secured (HTTPS) NiFi instance requires client authentication for every REST API request, so the first thing you need to know is how your NiFi server is configured to authenticate clients. There are lots of options, including client certificates, login with an LDAP username and password, or authentication with a Kerberos ticket, Knox identity, or OpenID Connect. These options are explained in the NiFi Administration Guide [1]. One way to determine this is by looking at the files in the /conf directory (i.e., nifi.properties).
Once you know how the NiFi server authenticates client requests, you must configure the REST API client you are using to perform the same authentication steps. This varies based on authentication mechanism, but is basically either a client certificate provided during the TLS connection handshake or obtaining a JWT access token using one of the /access/* REST API endpoints that uses some form of client credential to authenticate and generate a signed JWT token that is then passed back to the server on later requests.

You may find it helpful to use your browser’s developer console while using the NiFi Web UI to look at the REST API network interactions between the UI and the server. This may show you how to obtain an authentication token (assuming that is how your NiFi instance is configured) and also how to perform operations such as start or stop a processor.

Lastly, while this can be done using curl, you may find it helpful to use one of the community clients, such as NiPyApi [2], which abstracts some of the details of interacting with the NiFi REST API.

[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication
[2] https://github.com/Chaffelson/nipyapi

From: Tian TD Deng <[email protected]>
Reply-To: <[email protected]>
Date: Friday, March 16, 2018 at 11:20
To: <[email protected]>
Cc: <[email protected]>
Subject: Re: Error when sending HTTPS request to Nifi using the Restful API

Hi Kevin,

Thanks a lot for your help. I tried to modify the property "nifi.security.needClientAuth" from true to false; unfortunately, it didn't work and displayed the same error. However, I find that the "nifi.security.user.login.identity.provider" is not set to any value in the nifi.properties. So in this case, what should I do to send an HTTPS request to the NiFi RESTful API to do something like start/stop the processor using curl?

Thanks & Best Regards
Joey(Tian) Deng
-------------------------------------------------------------------------------------------
IT Specialist
IBM China Global Delivery Center
Tel: (+86) 27 59269644
E-mail: [email protected]
WhatsApp: +86 15671158671
-------------------------------------------------------------------------------------------

----- Original message -----
From: Kevin Doran <[email protected]>
To: <[email protected]>
Cc:
Subject: Re: Error when sending HTTPS request to Nifi using the Restful API
Date: Fri, Mar 16, 2018 9:58 PM

When using access tokens, make sure your NiFi instance is configured to not require client certificates for the TLS certificates:

nifi.security.needClientAuth=false

This is because you only want the NiFi server (not the client) to establish its identity with a TLS certificate; the client will establish identity after the TLS connection is established by passing the username and password credentials that will be validated by the Login Identity Provider you configured for NiFi. For example:

nifi.security.user.login.identity.provider=ldap-provider

where “ldap-provider” is configured in login-identity-providers.xml

Hope this helps!
Kevin

From: Tian TD Deng <[email protected]>
Reply-To: <[email protected]>
Date: Friday, March 16, 2018 at 04:51
To: <[email protected]>
Subject: Error when sending HTTPS request to Nifi using the Restful API

Dear All,

I was trying to send an HTTPS request to NiFi using the RESTful API via curl; however, it didn't work as expected.

curl -k --tlsv1.2 https://localhost:8443/nifi-api/access/token --data 'username=test&password=password'

Could you please help to give some advice about this? Thanks a lot!

Thanks & Best Regards
Joey(Tian) Deng
-------------------------------------------------------------------------------------------
IT Specialist
IBM China Global Delivery Center
Tel: (+86) 27 59269644
E-mail: [email protected]
WhatsApp: +86 15671158671
-------------------------------------------------------------------------------------------
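
As an added example (not part of the thread, and not NiFi or NiPyApi code), the check described in the replies, reading nifi.properties to see how the server authenticates clients before calling /access/token, can be scripted as below. The OpenID Connect, Knox and Kerberos property names are assumed from a stock nifi.properties rather than quoted in the thread, and both sample files are constructed.

```python
# Property names quoted in the thread.
PROVIDER = "nifi.security.user.login.identity.provider"
NEED_CERT = "nifi.security.needClientAuth"
# Assumption: names from a stock nifi.properties, not quoted in the thread.
OTHER = {
    "nifi.security.user.oidc.discovery.url": "OpenID Connect",
    "nifi.security.user.knox.url": "Knox",
    "nifi.kerberos.spnego.principal": "Kerberos",
}

# Constructed samples: a file with no login provider, and one with LDAP login.
NO_PROVIDER_CONF = """
# web properties
nifi.web.https.port=8443
nifi.security.needClientAuth=false
nifi.security.user.login.identity.provider=
"""
LDAP_CONF = NO_PROVIDER_CONF.replace("provider=", "provider=ldap-provider")

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def auth_report(text):
    """Say whether a username/password POST to /access/token can work, and why."""
    props = parse_properties(text)
    provider = props.get(PROVIDER, "")
    need_cert = props.get(NEED_CERT, "").lower() == "true"
    configured = [f"username/password ({provider})"] if provider else []
    configured += [name for key, name in OTHER.items() if props.get(key)]
    if not provider:
        advice = ("no login identity provider is set, so nothing validates a "
                  "username/password; use a client certificate or another mechanism")
    elif need_cert:
        advice = f"set {NEED_CERT}=false so token clients are not asked for a certificate"
    else:
        advice = "request a token from /nifi-api/access/token and pass it on later requests"
    return {"token_login": bool(provider) and not need_cert,
            "configured": configured, "advice": advice}

if __name__ == "__main__":
    for name, conf in (("no provider", NO_PROVIDER_CONF), ("ldap", LDAP_CONF)):
        print(name, auth_report(conf))
```
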
