nifi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Bende <bbe...@gmail.com>
Subject Re: NiFi Toolkit CLI Token Creation
Date Wed, 12 Jun 2019 17:03:39 GMT
Right now the idea is that whoever is running the CLI would have access to
a NiFi server certificate and then you can proxy any user you want. There
should be examples of this in the readme or toolkit guide.

Supporting Kerberos auth was something I wanted to do, but it’s definitely
not a trivial effort.

On Wed, Jun 12, 2019 at 12:57 PM Andy LoPresto <alopresto@apache.org> wrote:

> Shawn,
>
> I’m not sure I understand your question.
>
> I am in the process of refactoring the TLS Toolkit to integrate with
> public certificate authorities, so in the near future it will be easier to
> use certificates signed by external authorities rather than self-signed.
>
> My understanding is that you are talking about the CLI Toolkit rather than
> the TLS Toolkit, but your reference to “token” was ambiguous, so I’m going
> to proceed with the understanding that you are referring to the JWT token
> used to identify an authenticated user when communicating with the NiFi
> API.
>
> You may want to look at JerseyNiFiClient [1], which has methods for
> getting various clients given an authentication token.
>
> You can create the token via the POST /access/kerberos API [2].
>
> [1]
> https://github.com/apache/nifi/blob/master/nifi-toolkit/nifi-toolkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/impl/JerseyNiFiClient.java#L163
> <
> https://github.com/apache/nifi/blob/master/nifi-toolkit/nifi-toolkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/impl/JerseyNiFiClient.java#L163
> >
> [2] https://nifi.apache.org/docs/nifi-docs/rest-api/index.html <
> https://nifi.apache.org/docs/nifi-docs/rest-api/index.html>
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> > On Jun 12, 2019, at 9:39 AM, Shawn Weeks <sweeks@weeksconsulting.us>
> wrote:
> >
> > I work in an environment reluctant to create self signed ssl
> certificates and I’m looking at the feasibility of having the toolkit cli
> authenticate via Kerberos. I was expecting it to be as simple as adding
> another way to get the authentication token but I’m having trouble figuring
> out exactly when the token is created. I see lots of references to it after
> it’s been created.
> >
> > Thanks
> > Shawn
>
> --
Sent from Gmail Mobile

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message