nifi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Bende <bbe...@gmail.com>
Subject Re: NiFi Toolkit CLI Token Creation
Date Wed, 12 Jun 2019 17:06:10 GMT
I meant to say that you obviously could generate certs for CLI users, but I
was just mentioning an alternative where you can proxy an identity.

Right now the CLI never obtains a token because it is all cert based.

On Wed, Jun 12, 2019 at 1:03 PM Bryan Bende <bbende@gmail.com> wrote:

> Right now the idea is that whoever is running the CLI would have access to
> a NiFi server certificate and then you can proxy any user you want. There
> should be examples of this in the readme or toolkit guide.
>
> Supporting Kerberos auth was something I wanted to do, but it’s definitely
> not a trivial effort.
>
> On Wed, Jun 12, 2019 at 12:57 PM Andy LoPresto <alopresto@apache.org>
> wrote:
>
>> Shawn,
>>
>> I’m not sure I understand your question.
>>
>> I am in the process of refactoring the TLS Toolkit to integrate with
>> public certificate authorities, so in the near future it will be easier to
>> use certificates signed by external authorities rather than self-signed.
>>
>> My understanding is that you are talking about the CLI Toolkit rather
>> than the TLS Toolkit, but your reference to “token” was ambiguous, so I’m
>> going to proceed with the understanding that you are referring to the JWT
>> token used to identify an authenticated user when communicating with the
>> NiFi API.
>>
>> You may want to look at JerseyNiFiClient [1], which has methods for
>> getting various clients given an authentication token.
>>
>> You can create the token via the POST /access/kerberos API [2].
>>
>> [1]
>> https://github.com/apache/nifi/blob/master/nifi-toolkit/nifi-toolkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/impl/JerseyNiFiClient.java#L163
>> <
>> https://github.com/apache/nifi/blob/master/nifi-toolkit/nifi-toolkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/impl/JerseyNiFiClient.java#L163
>> >
>> [2] https://nifi.apache.org/docs/nifi-docs/rest-api/index.html <
>> https://nifi.apache.org/docs/nifi-docs/rest-api/index.html>
>>
>> Andy LoPresto
>> alopresto@apache.org
>> alopresto.apache@gmail.com
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>> > On Jun 12, 2019, at 9:39 AM, Shawn Weeks <sweeks@weeksconsulting.us>
>> wrote:
>> >
>> > I work in an environment reluctant to create self signed ssl
>> certificates and I’m looking at the feasibility of having the toolkit cli
>> authenticate via Kerberos. I was expecting it to be as simple as adding
>> another way to get the authentication token but I’m having trouble figuring
>> out exactly when the token is created. I see lots of references to it after
>> it’s been created.
>> >
>> > Thanks
>> > Shawn
>>
>> --
> Sent from Gmail Mobile
>
-- 
Sent from Gmail Mobile

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message