
Security issue: cannot access nifi-api with https

Open polingsky opened this issue 4 years ago • 1 comments

  • Nipyapi version: 0.17.1
  • NiFi version: 1.14.0
  • NiFi-Registry version: None
  • Python version: 3.9.7
  • Operating System: Debian GNU/Linux 11 (bullseye)

Description

I want to use nipyapi to operate NiFi components, but something is wrong. My NiFi is set up for HTTPS and uses the original 1.14.0 p12 files (keystore.p12). Then I use LDAP to authorize the policy.

What I Did

I use the following commands to export the crt and key:

openssl pkcs12 -in keystore.p12 -nocerts --nodes -out keystore_only.key
openssl pkcs12 -in keystore.p12 -clcerts -nokeys -out keystore_only.crt

import nipyapi
nipyapi.config.nifi_config.host = 'https://{url}:9443/nifi-api'
nipyapi.config.nifi_config.verify_ssl=False
nipyapi.config.nifi_config.cert_file="/app/keystore_only.crt"
nipyapi.config.nifi_config.key_file="/app/keystore_only.key"
nipyapi.config.nifi_config.username="{ldap_username}"
nipyapi.config.nifi_config.password="{ldap_username_password}"
nipyapi.canvas.get_root_pg_id()

I got this error message:

nipyapi.nifi.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Date': 'Tue, 02 Nov 2021 04:51:50 GMT', 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'", 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Strict-Transport-Security': 'max-age=31540000', 'Vary': 'Accept-Encoding', 'Content-Type': 'text/plain', 'Content-Encoding': 'gzip', 'Content-Length': '90', 'Server': 'Jetty(9.4.42.v20210604)'})
HTTP response body: Unknown user with identity 'CN=localhost'. Contact the system administrator.

I have no idea about the error. I can use {ldap_username}/{ldap_username_password} to log in to the NiFi web UI.

Does anyone know how to resolve the problem? Thanks!


polingsky (Nov 02 '21 04:11)

Probably that's not an issue from nipyapi. I'm not 100% sure, but I think you are trying to log in with the certificates instead of username and password.

Could you try this code?

import nipyapi
nipyapi.config.nifi_config.host = 'https://{url}:9443/nifi-api'
nipyapi.config.nifi_config.verify_ssl=False
#nipyapi.config.nifi_config.cert_file="/app/keystore_only.crt"
#nipyapi.config.nifi_config.key_file="/app/keystore_only.key"
nipyapi.config.nifi_config.username="{ldap_username}"
nipyapi.config.nifi_config.password="{ldap_username_password}"
nipyapi.canvas.get_root_pg_id()

janis-ax (Apr 21 '22 11:04)
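
The 403 body quoted in the issue names 'CN=localhost', which has the shape of a certificate subject rather than the LDAP username. The following is an added example (not code from nipyapi or from anyone in this thread) that classifies which credential a rejected identity corresponds to. The names `diagnose_403` and `normalize_dn` are hypothetical, and the subject string is a constructed stand-in for what `openssl x509 -in keystore_only.crt -noout -subject` reports.

```python
import re

# Body format taken from the 403 response quoted in the issue.
IDENTITY_RE = re.compile(r"Unknown user with identity '([^']*)'")
DN_PART_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.-]*)\s*=\s*(.+)$")


def normalize_dn(value):
    """Return a canonical 'TYPE=value,...' string, or None if not DN-shaped."""
    # Split on commas that are not backslash-escaped inside a value.
    parts = [p.strip() for p in re.split(r"(?<!\\),", value)]
    out = []
    for part in parts:
        m = DN_PART_RE.match(part)
        if not m:
            return None
        out.append(f"{m.group(1).upper()}={m.group(2).strip()}")
    return ",".join(out)


def diagnose_403(body, username, cert_subject=None):
    """Classify which credential the server mapped the rejected request to."""
    m = IDENTITY_RE.search(body)
    if not m:
        return {"identity": None, "auth_path": "unknown"}
    identity = m.group(1)
    dn = normalize_dn(identity)
    if identity == username:
        path = "username"            # request arrived under the intended name
    elif dn and cert_subject and dn == normalize_dn(cert_subject):
        path = "client-certificate"  # identity equals the client cert subject
    elif dn:
        path = "dn-not-username"     # DN-shaped: a cert subject or an LDAP DN
    else:
        path = "other"
    return {"identity": identity, "auth_path": path}


# The body is the one quoted in the issue. The subject is constructed, with
# different case and spacing to exercise the normalisation.
BODY = "Unknown user with identity 'CN=localhost'. Contact the system administrator."
SUBJECT = "cn = localhost"

if __name__ == "__main__":
    print(diagnose_403(BODY, "{ldap_username}", SUBJECT))
```

A result of `client-certificate` means the request was identified by the key pair in `cert_file`/`key_file`, not by the configured username and password.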

@janis-ax this doesn't work as well

davinishi (Apr 27 '23 11:04)

What exactly doesn't work?

janis-ax (Apr 27 '23 11:04)