Chaffelson / nipyapi

A convenient Python wrapper for Apache NiFi

Nipyapi login issue to NiFi with LDAP authentication #344

Open marcchanwork opened 3 months ago

marcchanwork commented 3 months ago

Description

Our NiFi is currently connected to LDAP for login authentication. This caused an error during login via nipyapi: "ValueError: Username/Password login not supported by this NiFi."

I saw in some posts that we can use client certificates to generate an access token for login. I was able to proceed with cli.sh from the nifi-toolkit. So now I plan to adjust my current nipyapi script to also apply certificates upon login/access token request.

What I Did

I tried to add ssl_context but I am a bit confused as to what settings / certificates I need to use. I have the following certs: client.cer, client.key, truststore.jks, keystore.jks

I tried the following functions: set_service_ssl_context, nipyapi.nifi_config

Urgency

Not urgent but any help is appreciated. Please let me know what information I can add to this.

ottobackwards commented 3 months ago

Have you looked at the secure demo? https://github.com/Chaffelson/nipyapi/blob/main/nipyapi/demo/secure_connection.py

marcchanwork commented 3 months ago

<Update 1> @ottobackwards yes, I also supplemented the code from this similar issue: https://github.com/Chaffelson/nipyapi/issues/319

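import nipyapi

# Default SSL context settings: CA bundle plus client certificate and key
nipyapi.config.default_ssl_context = {
    'ca_file':'/etc/nifi/truststore.pem',
    'client_cert_file': '/etc/nifi/machine.cer',
    'client_key_file': '/etc/nifi/machine..key',
}

# Point nipyapi at the secured NiFi API without username/password login
nipyapi.utils.set_endpoint("https://server:8443/nifi-api", ssl=True, login=False, username=None, password=None)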

which returns True

When running the nipyapi.system.get_cluster() command, it returns ValueError: Unable to view the controller. Contact the system administrator.

I have a login user "SCRIPT_USER", would it be possible to set as proxy user somewhere?

ottobackwards commented 3 months ago

I am sorry, I don't know. The secure demo works (or did the last I tried). I suggest you see if you can get the demo working without your stuff, and if you can, then you can examine the differences between your setups maybe?

Chaffelson commented 3 months ago

In the linked ticket, the user uses the set_ssl_context call, rather than updating the default context. Possibly there is some mismatch between the behaviours of the default vs. explicit functions here - can you please try with the approach in the linked ticket?

I don't think you need a proxy user for plain NiFi usage - that was traditionally for when you wanted NiFi to take actions on Registry as a pass-through.
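
Added example, not part of the thread or of nipyapi's own code: Python's `ssl` module loads client certificates and private keys from PEM files, so a Java keystore such as truststore.jks or a DER-encoded .cer has to be converted before it can be used in an SSL context like the one quoted above. This preflight check identifies each file by its leading bytes rather than its extension; the function names `classify`, `preflight` and `demo` are hypothetical and the sample files are constructed.

```python
import os
import tempfile

# Leading bytes that identify Java keystore containers.
MAGIC = {b"\xfe\xed\xfe\xed": "jks", b"\xce\xce\xce\xce": "jceks"}
PEM_PREFIX = b"-----BEGIN "
# Keys as used in the SSL context dict quoted in the thread.
EXPECTED = {"ca_file": "pem-cert", "client_cert_file": "pem-cert",
            "client_key_file": "pem-key"}

def classify(path):
    """Identify a credential file by its leading bytes, not its extension."""
    with open(path, "rb") as fh:
        head = fh.read(4096).lstrip()
    if head[:4] in MAGIC:
        return MAGIC[head[:4]]
    if head.startswith(PEM_PREFIX):
        label = head[len(PEM_PREFIX):].split(b"-----", 1)[0]
        if label.endswith(b"CERTIFICATE"):
            return "pem-cert"
        if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in head:
            return "pem-encrypted-key"
        return "pem-key" if label.endswith(b"PRIVATE KEY") else "pem-other"
    if head[:1] == b"\x30":  # ASN.1 SEQUENCE: DER certificate/key or PKCS#12
        return "der-or-pkcs12"
    return "unknown"

def preflight(ctx):
    """Return a list of problems; an empty list means every file is usable PEM."""
    problems = []
    for key, want in EXPECTED.items():
        path = ctx.get(key)
        if not path or not os.path.isfile(path):
            problems.append(f"{key}: no such file {path!r}")
            continue
        kind = classify(path)
        if kind == "pem-encrypted-key" and want == "pem-key":
            problems.append(f"{key}: key is passphrase-protected, a password is required")
        elif kind != want:
            problems.append(f"{key}: found {kind}, expected {want}")
    return problems

def demo():
    """Constructed sample files: only the headers matter to classify()."""
    d = tempfile.mkdtemp()
    samples = {"truststore.jks": b"\xfe\xed\xfe\xed\x00\x00\x00\x02",
               "client.cer": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
               "client.key": b"-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n"}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return preflight({"ca_file": os.path.join(d, "truststore.jks"),
                      "client_cert_file": os.path.join(d, "client.cer"),
                      "client_key_file": os.path.join(d, "client.key")})
```

A file reported as `jks`, `jceks` or `der-or-pkcs12` needs converting to PEM before it is referenced from the SSL context.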