Chaffelson/nipyapi

Nipyapi login issue to NiFi with LDAP authentication

marcchanwork opened this issue · 5 comments

  • Nipyapi version: 0.19.1
  • NiFi version: 1.19.1
  • NiFi-Registry version: 1.19.1
  • Python version: 3.9.18
  • Operating System: Linux/Redhat 9

Description

Our NiFi is currently connected to LDAP for login authentication. This caused an error during login via nipyapi:
"ValueError: Username/Password login not supported by this NiFi."

I saw in some posts that we can use client certificates to generate an access token for login. I was able to proceed with cli.sh from the nifi-toolkit. So now I plan to adjust my current nipyapi script to also apply certificates upon login/access token request.

What I Did

I tried to add ssl_context but I am a bit confused as to what settings / certificates I need to use.
I have the following certs:
client.cer
client.key
truststore.jks
keystore.jks

I tried the following functions:
set_service_ssl_context, nipyapi.nifi_config

Urgency

Not urgent but any help is appreciated. Please let me know what information I can add to this.

<Update 1>
@ottobackwards yes, I also supplemented the code from this similar issue: #319

nipyapi.config.default_ssl_context = {
    'ca_file':'/etc/nifi/truststore.pem',
    'client_cert_file': '/etc/nifi/machine.cer',
    'client_key_file': '/etc/nifi/machine..key',
}

nipyapi.utils.set_endpoint("https://server:8443/nifi-api", ssl=True, login=False, username=None, password=None)

which returns True

While running nipyapi.system.get_cluster() command, it returns
ValueError: Unable to view the controller. Contact the system administrator.

I have a login user "SCRIPT_USER"; would it be possible to set it as a proxy user somewhere?

I am sorry, I don't know. The secure demo works (or did the last I tried). I suggest you see if you can get the demo working without your stuff, and if you can, then you can examine the differences between your setups maybe?

In the linked ticket, the user uses the set_ssl_context call, rather than updating the default context.
Possibly there is some mismatch between the behaviours of the default vs. explicit functions here - can you please try with the approach in the linked ticket?

I don't think you need a proxy user for plain NiFi usage - that was traditionally for when you wanted NiFi to take actions on Registry as a pass-through.

Closing as no further action requested, please reopen if this still needs addressing.
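
An added example, not part of the thread and not nipyapi's own code: a pre-flight check for the ca_file, client_cert_file and client_key_file settings shown above, reporting which of the file kinds listed in the issue (.jks, .cer, .key) Python's ssl module can load as they are. It assumes nipyapi hands these paths to the ssl module, which reads PEM; the names classify and preflight are hypothetical.

```python
import os
import ssl
import tempfile

JKS_MAGIC = (b"\xfe\xed\xfe\xed", b"\xce\xce\xce\xce")  # JKS and JCEKS keystore headers

def classify(path):
    """Return 'missing', 'jks', 'pem', 'der-or-pkcs12' or 'unknown' for one file."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head[:4] in JKS_MAGIC:
        return "jks"
    if b"-----BEGIN " in head:
        return "pem"
    if head[:1] == b"\x30":  # ASN.1 SEQUENCE: binary DER certificate/key or PKCS#12
        return "der-or-pkcs12"
    return "unknown"

def preflight(ca_file, client_cert_file, client_key_file, key_password=None):
    """Return a list of problems; empty means Python's ssl module loaded all three."""
    files = {"ca_file": ca_file, "client_cert_file": client_cert_file,
             "client_key_file": client_key_file}
    problems = [f"{name}: {path} is {classify(path)}, expected pem"
                for name, path in files.items() if classify(path) != "pem"]
    if problems:
        return problems
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=ca_file)
        # Also fails when the private key does not belong to the certificate.
        ctx.load_cert_chain(client_cert_file, client_key_file, password=key_password)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"ssl module rejected the files: {exc}")
    return problems

if __name__ == "__main__":
    # Constructed stand-ins for the file kinds named in the issue (not real key material).
    samples = {"truststore.jks": b"\xfe\xed\xfe\xed\x00\x00\x00\x02",
               "client.cer": b"\x30\x82\x03\x01",
               "client.key": b"-----BEGIN PRIVATE KEY-----\n"}
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, data in samples.items():
            paths.append(os.path.join(tmp, name))
            with open(paths[-1], "wb") as fh:
                fh.write(data)
        print("\n".join(preflight(*paths)) or "ok")
```

A file reported as jks or der-or-pkcs12 has to be converted to PEM before it is used for ca_file, client_cert_file or client_key_file.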