Closed andyadamides closed 1 year ago
Is your CI session possibly working with a cluster of nodes and not a single node? This looks suspiciously like the errors you get when a token for cluster node-x is presented to cluster node-y by mistake.
Also, why are you manually setting up the bearer token instead of using the login optional functionality of set_endpoint?
Yes the issue relates to having a cluster setup rather than a single node: https://issues.apache.org/jira/browse/NIFI-10606
> Also, why are you manually setting up the bearer token instead of using the login optional functionality of set_endpoint?

Are you suggesting to use `service_login`? (https://nipyapi.readthedocs.io/en/latest/nipyapi-docs/nipyapi.html#nipyapi.security.service_login)
I find the easiest solution is `nipyapi.utils.set_endpoint(uri, ssl, login, user, password)`
If this doesn't work for your case I'd be keen to know the specifics to see if we can make you a better connection utility function - but set_endpoint is 100% intended to be a convenience method for this.
@Chaffelson This works:
```shell
curl --cacert "ca.crt" --cert "tls.crt" --key "tls.key" https://<host>:8443/nifi-api/access -v -k
```
Also, this works:
```python
import requests

# Client certificate and key presented for mutual TLS
cert = ('tls.crt', 'tls.key')
response = requests.get('https://<host>:8443/nifi-api/access', cert=cert, verify=False)
print(response.json())
```
But the following doesn't:
```python
import nipyapi

nipyapi.config.nifi_config.verify_ssl = False
# SSL context set explicitly before the endpoint is configured
nipyapi.security.set_service_ssl_context(
    service='nifi',
    ca_file='ca.crt',
    client_cert_file='tls.crt',
    client_key_file='tls.key',
)
nipyapi.utils.set_endpoint("https://<host>:8443/nifi-api", ssl=True, login=False,
                           username=None, password=None)
nipyapi.security.get_service_access_status("nifi")
```
It gives me
```
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='<host>', port=8443): Max retries exceeded with url: /nifi-api/access (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1091)')))
```
I went through the code of `set_endpoint`, it eventually calls `set_service_ssl_context`; I have tried various permutations but I cannot get it to work with `nipyapi` while it works like a charm with `curl` - what do you suggest trying out here?
After some fiddling around, turns out I have had to do it this way in order to work:
```python
import nipyapi

nipyapi.config.nifi_config.verify_ssl = False
# Certificate paths placed in the default SSL context before set_endpoint is called
nipyapi.config.default_ssl_context = {
    'ca_file': 'ca.crt',
    'client_cert_file': 'tls.crt',
    'client_key_file': 'tls.key',
}
nipyapi.utils.set_endpoint("https://<host>:8443/nifi-api", ssl=True, login=False,
                           username=None, password=None)
nipyapi.security.get_service_access_status("nifi")
```
It may be a good idea if we update the documentation here with this specific example to help out others in future, as it's not in the secure_connection demo and it obviously seems a relevant use case. Is there any particular reason for `verify_ssl` false? Is it just a self-signed certificate?
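On the `verify_ssl` question, an added example (not part of the thread and not nipyapi's own code) using only Python's standard `ssl` module: presenting a client certificate and verifying the server are independent settings, so a private CA file can keep server verification on. The function names `build_client_context` and `summarize` are hypothetical, and the file names are assumed to be the ones used in the snippets above, with `ca.crt` assumed to be the CA that issued the server certificate.

```python
import ssl


def build_client_context(ca_file=None, client_cert_file=None,
                         client_key_file=None, verify=True):
    """Build a TLS client context for an API protected by mutual TLS.

    Hypothetical helper for illustration. Server verification and client
    certificate presentation are configured separately on the context.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if ca_file:
        # Trust the private CA; a missing file raises FileNotFoundError here
        # instead of surfacing later as a handshake failure.
        ctx.load_verify_locations(cafile=ca_file)
    if client_cert_file:
        # Certificate and key offered when the server requests client auth.
        ctx.load_cert_chain(certfile=client_cert_file, keyfile=client_key_file)
    if not verify:
        # Same effect as verify=False in requests or -k in curl. The hostname
        # check must be cleared first, otherwise setting CERT_NONE raises.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def summarize(ctx):
    """Report which server-side checks a context will perform."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    # Default: the server chain and hostname are both checked.
    print(summarize(build_client_context()))
    # Verification disabled: any server certificate is accepted.
    print(summarize(build_client_context(verify=False)))
    # With real files (assumed names from the thread), verification stays on:
    # build_client_context("ca.crt", "tls.crt", "tls.key")
```

With verification left on, the host name in the URL also has to match a name in the server certificate, which is a separate failure from an untrusted issuer.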
@Chaffelson Which part of the documentation would you suggest to edit, I can prepare it? i.e. here?
Yeah giving a better docstring with explanations would vastly improve usage - if you want to prepare it that would be much appreciated ^-^
When I execute the following from my local session:
It always succeeds, but when moving this same process in a set of CI Servers it randomly fails (sometimes it works, sometimes it doesn't) with:
The `user-log` has this when the above occurs:
Are there any ideas as to what is going on or how to fix this?