Chaffelson / nipyapi

A convenient Python wrapper for Apache NiFi

security issue, Can not access to nifi-api with https #295

Closed polingsky closed 9 months ago

polingsky commented 2 years ago

Description

I want to use nipyapi to operate NiFi components, but something is wrong. My NiFi is set up for HTTPS and uses the original 1.14.0 p12 files (keystore.p12). Then I use LDAP to authorize the policy.

What I Did

I use the following commands to export the crt and key:

openssl pkcs12 -in keystore.p12 -nocerts --nodes -out keystore_only.key
openssl pkcs12 -in keystore.p12 -clcerts -nokeys -out keystore_only.crt

import nipyapi
nipyapi.config.nifi_config.host = 'https://{url}:9443/nifi-api'
nipyapi.config.nifi_config.verify_ssl=False
nipyapi.config.nifi_config.cert_file="/app/keystore_only.crt"
nipyapi.config.nifi_config.key_file="/app/keystore_only.key"
nipyapi.config.nifi_config.username="{ldap_username}"
nipyapi.config.nifi_config.password="{ldap_username_password}"
nipyapi.canvas.get_root_pg_id()

I got error message:

nipyapi.nifi.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Date': 'Tue, 02 Nov 2021 04:51:50 GMT', 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'", 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Strict-Transport-Security': 'max-age=31540000', 'Vary': 'Accept-Encoding', 'Content-Type': 'text/plain', 'Content-Encoding': 'gzip', 'Content-Length': '90', 'Server': 'Jetty(9.4.42.v20210604)'})
HTTP response body: Unknown user with identity 'CN=localhost'. Contact the system administrator.

I have no idea about the error. I can use {ldap_username}/{ldap_username_password} to log in to NiFi web.

Does anyone know how to resolve the problem? Thanks!

janis-ax commented 2 years ago

Probably that's not an issue from nipyapi. I'm not 100% sure, but I think you are trying to log in with the certificates instead of the username and password.

Could you try this code?

import nipyapi
nipyapi.config.nifi_config.host = 'https://{url}:9443/nifi-api'
nipyapi.config.nifi_config.verify_ssl=False
#nipyapi.config.nifi_config.cert_file="/app/keystore_only.crt"
#nipyapi.config.nifi_config.key_file="/app/keystore_only.key"
nipyapi.config.nifi_config.username="{ldap_username}"
nipyapi.config.nifi_config.password="{ldap_username_password}"
nipyapi.canvas.get_root_pg_id()

davinishi commented 1 year ago

@janis-ax this doesn't work either

janis-ax commented 1 year ago

What exactly doesn't work?
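
Added example, not part of the thread and not nipyapi's own code: the 403 body above names the certificate subject (`CN=localhost`), so this shows the username/password path against NiFi's REST API with no client certificate loaded and server verification left on. It uses NiFi's `/access/token` and `/flow/process-groups/root` endpoints through the standard library; the function names, host name and credentials are assumptions made up for illustration.

```python
import json
import ssl
import urllib.parse
import urllib.request


def tls_context(ca_file=None):
    """Verify the NiFi server, and load NO client certificate: a presented
    cert is what made NiFi see the caller as 'CN=localhost' in the 403."""
    # ca_file: PEM of the CA that signed NiFi's cert (None = system trust store)
    return ssl.create_default_context(cafile=ca_file)


def token_request(base_url, username, password):
    """POST form-encoded credentials; NiFi replies with a JWT as plain text."""
    form = urllib.parse.urlencode({"username": username, "password": password})
    return urllib.request.Request(
        base_url.rstrip("/") + "/access/token",
        data=form.encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def bearer_request(base_url, path, token):
    """Every later call carries the JWT instead of a certificate identity."""
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        method="GET",
        headers={"Authorization": "Bearer " + token.strip()},
    )


def root_pg_id(flow_json):
    """Pull the root process group id out of the flow response."""
    return json.loads(flow_json)["processGroupFlow"]["id"]


def get_root_pg_id(base_url, username, password, ca_file=None):
    """Live call (needs a reachable NiFi): log in, then read the root id."""
    ctx = tls_context(ca_file)
    login = token_request(base_url, username, password)
    with urllib.request.urlopen(login, context=ctx) as resp:
        token = resp.read().decode("utf-8")
    api = bearer_request(base_url, "/flow/process-groups/root", token)
    with urllib.request.urlopen(api, context=ctx) as resp:
        return root_pg_id(resp.read())
```

With nipyapi, the token step is done by `nipyapi.security.service_login(service='nifi', username=..., password=...)`.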