security issue, Can not access to nifi-api with https
polingsky opened this issue · 3 comments
- Nipyapi version: 0.17.1
- NiFi version: 1.14.0
- NiFi-Registry version: None
- Python version: 3.9.7
- Operating System: Debian GNU/Linux 11 (bullseye)
Description
I want to use nipyapi to operate NiFi components, but something is wrong.
My NiFi is set up for HTTPS and uses the original 1.14.0 p12 files (keystore.p12).
Then I use LDAP to authorize the policy.
What I Did
I use the following commands to export the crt and key:

```
openssl pkcs12 -in keystore.p12 -nocerts --nodes -out keystore_only.key
openssl pkcs12 -in keystore.p12 -clcerts -nokeys -out keystore_only.crt
```

```python
import nipyapi
nipyapi.config.nifi_config.host = 'https://{url}:9443/nifi-api'
nipyapi.config.nifi_config.verify_ssl = False
nipyapi.config.nifi_config.cert_file = "/app/keystore_only.crt"
nipyapi.config.nifi_config.key_file = "/app/keystore_only.key"
nipyapi.config.nifi_config.username = "{ldap_username}"
nipyapi.config.nifi_config.password = "{ldap_username_password}"
nipyapi.canvas.get_root_pg_id()
```
I got this error message:

```
nipyapi.nifi.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Date': 'Tue, 02 Nov 2021 04:51:50 GMT', 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'", 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Strict-Transport-Security': 'max-age=31540000', 'Vary': 'Accept-Encoding', 'Content-Type': 'text/plain', 'Content-Encoding': 'gzip', 'Content-Length': '90', 'Server': 'Jetty(9.4.42.v20210604)'})
HTTP response body: Unknown user with identity 'CN=localhost'. Contact the system administrator.
```
I have no idea about the error.
I can use {ldap_username}/{ldap_username_password} to log in to NiFi web.
Does anyone know how to resolve the problem? Thanks!
That's probably not an issue with nipyapi. I'm not 100% sure, but I think you are trying to log in with the certificates instead of the username and password.
Could you try this code?

```python
import nipyapi
nipyapi.config.nifi_config.host = 'https://{url}:9443/nifi-api'
nipyapi.config.nifi_config.verify_ssl = False
#nipyapi.config.nifi_config.cert_file = "/app/keystore_only.crt"
#nipyapi.config.nifi_config.key_file = "/app/keystore_only.key"
nipyapi.config.nifi_config.username = "{ldap_username}"
nipyapi.config.nifi_config.password = "{ldap_username_password}"
nipyapi.canvas.get_root_pg_id()
```
What exactly does not work?
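
The identity in the 403 body shows which credential NiFi rejected, so the hypothesis in the comment above can be checked from the error itself. The following is an added example, not code from this thread or from nipyapi: it extracts the rejected identity and heuristically classifies it as the client certificate's subject or the login name. The function names, the label strings and the user `alice` are assumptions made for illustration.

```python
import re

# Constructed sample: the 403 response body quoted in the issue above.
SAMPLE_BODY = ("Unknown user with identity 'CN=localhost'. "
               "Contact the system administrator.")

IDENTITY_RE = re.compile(r"Unknown user with identity '([^']*)'")
# Attribute types commonly found in certificate subject DNs (not exhaustive).
DN_ATTRS = {"CN", "OU", "O", "L", "ST", "C", "DC", "UID"}


def parse_dn(identity):
    """Return [(ATTR, value), ...] if identity looks like a DN, else []."""
    rdns = []
    # Split on commas that are not backslash-escaped inside a value.
    for part in re.split(r"(?<!\\),", identity):
        attr, sep, value = part.strip().partition("=")
        if not sep or attr.upper() not in DN_ATTRS or not value:
            return []
        rdns.append((attr.upper(), value.strip()))
    return rdns


def diagnose_403(body, username, client_cert_configured):
    """Heuristically name which credential the rejected identity came from."""
    match = IDENTITY_RE.search(body)
    if match is None:
        return ("unrecognized", None)
    identity = match.group(1)
    rdns = parse_dn(identity)
    names = {identity.lower()}
    names |= {v.lower() for a, v in rdns if a in ("CN", "UID")}
    if username.lower() in names:
        # The login name reached NiFi, but NiFi knows no user by that identity.
        return ("login-identity", identity)
    if rdns and client_cert_configured:
        # A DN unrelated to the login name: likely the client certificate subject.
        return ("client-certificate", identity)
    return ("other-identity", identity)


if __name__ == "__main__":
    # "alice" is a constructed stand-in for the redacted {ldap_username}.
    print(diagnose_403(SAMPLE_BODY, "alice", client_cert_configured=True))
```

A `client-certificate` result for the body in this issue means the request was identified as `CN=localhost`, the subject of the exported keystore certificate, rather than as the LDAP user.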