Queue monitoring tool in NiFi using OAuth and Keycloak - oauth

I want to be made aware of when the overall queue size in NiFi exceeds a certain value.
I have tried to use the NiFi toolkit, but I've been unable to find anything in there that represents the total queue size.
I have been attempting this, which should allow me to access the connections in a group of processes in NiFi through the API. However, I cannot connect successfully to the API from NiFi.
I get the following error in NiFi when trying to connect to the API without credentials.
Unknown user with identity 'anonymous'. Contact the system administrator.
I believe I'll be able to view the queue size through the REST API; however, in order to do this I'll need to authenticate using OAuth and Keycloak, and I'm not sure if this is possible since 2FA is required.
Any assistance in this issue would be much appreciated.

Remember that you can always use certificate-based authentication to interact with the APIs. Create a certificate using the same CA you used to authenticate between nodes in the NiFi cluster, add the user to NiFi and then use the private key to make the request.
For example, using curl, you could hit the endpoint like this:
curl --cacert nifi-ca.crt \
--key api-client.key --cert api-client.crt \
https://nifi-001:8443/nifi-api/flowfile-queues/{id}/flowfiles/{flowfile-uuid}/content
This assumes you have configured HTTPS on your nodes.
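Building on that curl call, here is an added example (not code from the original answer) of a small monitor that addresses the question's actual need, the overall queue size: it presents the same client certificate from Python, reads the root process group's status from GET /nifi-api/flow/process-groups/root/status, whose aggregateSnapshot already sums every connection in the flow, and raises an alert above a threshold. The host name, certificate file names and threshold are placeholders; the field names flowFilesQueued and bytesQueued are those of NiFi's ProcessGroupStatusSnapshotDTO and should be checked against the NiFi version you run; the sample response is constructed. The certificate's DN must be mapped to a NiFi user with permission to view the flow, otherwise the request is rejected exactly like the anonymous one in the question.

```python
"""Added example: poll NiFi's REST API over mutual TLS and alert when the
total queued FlowFile count/bytes exceed a limit. Not NiFi project code."""
import json
import ssl
import urllib.request

# Placeholders: adjust to your cluster and the files you created from the cluster CA.
NIFI_BASE = "https://nifi-001:8443/nifi-api"
CA_CERT = "nifi-ca.crt"
CLIENT_CERT = "api-client.crt"
CLIENT_KEY = "api-client.key"


def tls_context(ca_cert=CA_CERT, client_cert=CLIENT_CERT, client_key=CLIENT_KEY):
    """Verify NiFi's server certificate against the cluster CA and present the
    API client's certificate/key, i.e. curl's --cacert/--cert/--key in code."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def fetch_root_status(ctx, base=NIFI_BASE):
    """GET /flow/process-groups/root/status; 'root' is NiFi's alias for the
    top-level process group, so its aggregate covers the whole flow."""
    req = urllib.request.Request(f"{base}/flow/process-groups/root/status",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def queue_totals(status):
    """Return (flowfiles_queued, bytes_queued) from a process-group status response.
    Field names assumed from ProcessGroupStatusSnapshotDTO."""
    snap = status["processGroupStatus"]["aggregateSnapshot"]
    return int(snap["flowFilesQueued"]), int(snap["bytesQueued"])


def check_threshold(status, max_bytes, max_flowfiles=None):
    """Return an alert message if either limit is exceeded, otherwise None."""
    count, size = queue_totals(status)
    if size > max_bytes:
        return f"queued bytes {size} exceed limit {max_bytes}"
    if max_flowfiles is not None and count > max_flowfiles:
        return f"queued FlowFiles {count} exceed limit {max_flowfiles}"
    return None


# Constructed sample response, trimmed to the fields the functions above read.
SAMPLE_STATUS = {
    "processGroupStatus": {
        "id": "root",
        "aggregateSnapshot": {"flowFilesQueued": 1500, "bytesQueued": 734003200},
    }
}

if __name__ == "__main__":
    status = fetch_root_status(tls_context())
    alert = check_threshold(status, max_bytes=500 * 1024 * 1024, max_flowfiles=10000)
    print(alert or "queue within limits")
```

Run it from cron or a monitoring agent and wire the returned message into whatever alerting you use; the HTTP call is the only part that needs the cluster, everything else can be tested against a captured status document.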

Related

Can I add a device without using the web UI on ThingsBoard, but rather from the command line?

I can't find any API to create a device using the command line. I specifically want to create a device that will authenticate using an x.509 certificate, so not using the token, which is the default option.
Is it possible to create a device from command line using API?
Can I set x.509 certificate authentication by default, instead of tokens?
ThingsBoard instances offer an admin REST API described in this OpenAPI manifest:
https://cloud.thingsboard.io/swagger-ui.html
First you need to authenticate by requesting a JWT that will be sent as a header in the next requests.
You can perform these operations using a CLI tool like curl.
Here are a few POST endpoints that should let you achieve the device creation you describe:
https://cloud.thingsboard.io/swagger-ui.html#!/device-controller/saveDeviceUsingPOST
https://cloud.thingsboard.io/swagger-ui.html#!/device-controller/saveDeviceCredentialsUsingPOST
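The three-call sequence the answer points at, as an added example that is not ThingsBoard's own code: log in for a JWT, save the device, then overwrite the auto-generated access token with X.509 credentials. Endpoint paths, the X-Authorization header and the deviceId/credentialsType/credentialsValue field names follow the ThingsBoard REST API; the instance URL, account, device name and certificate are placeholders, and the assumption that credentialsValue takes the bare base64 body of the certificate PEM should be checked against your ThingsBoard version. The FakeThingsBoard class is a constructed stand-in so the flow can be exercised without a server.

```python
"""Added example: create a device and switch it to X.509 authentication through
the ThingsBoard admin REST API. Not ThingsBoard project code."""
import json
import urllib.request

TB_BASE = "https://cloud.thingsboard.io"  # placeholder: use your own instance URL


def http_json(method, url, body=None, token=None):
    """Standard-library JSON transport. ThingsBoard expects the JWT from
    /api/auth/login in the X-Authorization header as 'Bearer <token>'."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["X-Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def pem_body(cert_pem):
    """Strip the PEM armour and line breaks; the base64 body is what is stored
    as credentialsValue (assumption, see lead-in)."""
    return "".join(line.strip() for line in cert_pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def provision_x509_device(transport, base, username, password, name, cert_pem,
                          device_type="default"):
    """1) JWT login, 2) save device, 3) replace its credentials with the certificate."""
    # POST /api/auth/login -> {"token": ..., "refreshToken": ...}
    token = transport("POST", f"{base}/api/auth/login",
                      {"username": username, "password": password})["token"]
    # POST /api/device -> saved Device; its id is {"id": <uuid>, "entityType": "DEVICE"}
    device = transport("POST", f"{base}/api/device",
                       {"name": name, "type": device_type}, token)
    # POST /api/device/credentials -> credentials now reference the certificate,
    # so the default access token issued at creation no longer applies.
    creds = transport("POST", f"{base}/api/device/credentials", {
        "deviceId": device["id"],
        "credentialsType": "X509_CERTIFICATE",
        "credentialsValue": pem_body(cert_pem),
    }, token)
    return device, creds


class FakeThingsBoard:
    """Constructed offline stand-in: records each call and answers with the
    shape the real endpoints return."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body=None, token=None):
        path = url.split("/api/", 1)[1]
        self.calls.append((method, path, body, token))
        if path == "auth/login":
            return {"token": "jwt-placeholder", "refreshToken": "refresh-placeholder"}
        if path == "device":
            return {"id": {"id": "11111111-2222-3333-4444-555555555555",
                           "entityType": "DEVICE"},
                    "name": body["name"], "type": body["type"]}
        if path == "device/credentials":
            return {"deviceId": body["deviceId"],
                    "credentialsType": body["credentialsType"],
                    "credentialsValue": body["credentialsValue"]}
        raise ValueError(f"unexpected call {method} {path}")


# Constructed placeholder, not a real certificate.
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
MIIBsampleBASE64bodyLine1
MIIBsampleBASE64bodyLine2
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:  # path to the device certificate PEM
        device, creds = provision_x509_device(http_json, TB_BASE, "tenant@example.com",
                                              "tenant-password", "sensor-01", f.read())
    print(device["id"]["id"], creds["credentialsType"])
```

The transport is passed in so the same provisioning function runs against the fake for tests and against http_json for the real instance; use a service account with tenant rights, and keep its password out of the script (environment variable or secrets manager).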

Newly deployed cloud run app inaccessible, despite having requisite permissions (403)

Following this quickstart guide (Python version), I was able to quickly create and deploy a Python Flask app to a project owned by my organization. However, toward the end the guide instructs "Visit your deployed container by opening the service URL in a web browser", but this is the step I can't get to work.
Curiously, in the logs
(https://console.cloud.google.com/logs/) the 'textPayload' data element for the request is "The request was not authenticated. Either...", which seems unusual, as I'd expect an unauthenticated request to return 401, not 403. In any case, it does not list my org email address in the request, suggesting my identity for some reason isn't being supplied. Any way to fix this so I can access the URL using a user with appropriate permissions?
Note: I can access the URL by manually running "curl -H 'Authorization: Bearer <my token>'"
Cloud Run URLs aren't directly accessible if the service only allows authenticated invocations, because opening the URL in your browser will not generate the credential for you. You will have to pass auth credentials on your request, and the easiest way to invoke the service is to use a tool like curl, which is exactly what you noted.
You have two options to authenticate your end users, which are the following:
Integrate Google Sign-In.
Implement Identity Platform or Firebase Authentication.
In either of the above choices, you need a public web or mobile app that handles the sign-in flow and then makes authenticated API calls to a Cloud Run (fully managed) service.
For more information on authenticating end users, check out the official documentation.
To complement what Mr. Donnald Cucharo said, you can also use Identity-Aware Proxy (IAP) to expose your application in a secure way.

Privacy of Hyperledger composer rest server

In Hyperledger Composer, the REST API (composer-rest-server) is secured by enabling authentication for the REST server, but in http://localhost:3000/explorer all sensitive data is not encrypted. Could I use cryptography or another approach, like Zero Knowledge Proof, to encrypt and decrypt sensitive data and protect data privacy?
And I see "Securing the REST server using HTTPS and TLS": when I run the command composer-rest-server -c alice1@my-network -t and then open https://localhost:3000/explorer in the browser, I don't know how to use it.
Thank you in advance!
Firstly, you would use TLS between the REST client and REST server - see https://hyperledger.github.io/composer/latest/integrating/securing-the-rest-server and general/useful info on TLS with diagrams here
You would really need to set up authentication (known user identities that are using it) with TLS, as discussed here, then connect to the authentication path for your application to authenticate the user using the REST APIs, https://localhost:3000/auth/github (or whatever the authPath is for your implemented strategy), and then interactions / data in transit between client and server will be encrypted.
Once the REST server is up and running with TLS enabled, you will authenticate at your REST client as the user in question; once authenticated, that user gets an access token or similar.
In terms of Composer and the deployed business network / smart contract, that user will (already) have been issued a business network card that includes the user's blockchain identity (key/cert) and contains connection info/metadata (i.e. how to connect to the deployed/runtime business network out on the Fabric network). This access may be programmatic, from an application client that's using REST APIs (i.e. the app user that's logged in to the app has been assigned this business network card), or indeed a user may be using the REST API client in a browser, for example (e.g. he/she would import the card into their Wallet in the REST client; that would then be the default identity in the REST API session, which interacts with / signs transactions that update the business network (create asset, update asset, etc.) as REST API operations to the REST Server (over TLS), which in turn interacts with the Fabric network (over TLS)).

freeRadius using EAP with custom auth script

I am attempting to set up a FreeRADIUS server to authenticate against a web service. The reason for this is that there is a complicated workflow involving account status and MAC address. The workflow seemed out of place in FreeRADIUS. So my user names and encrypted passwords are stored remotely from the RADIUS server. Everything works fine using radclient to test. When I started using the Access Point, I learned it only communicates with the RADIUS server via EAP-TLS. This means that the User-Password argument is not available for my script.
Is there a way to have EAP auth check for user authentication against my script? By this I mean, can I get the password to send to my secondary service?
Alternately, is there a way to get the User-Password from the encrypted eap-message data?
Access points don't usually place restrictions on the EAP type. The device connecting to the AP negotiates an EAP type with FreeRADIUS. If it's using EAP-TLS it's probably a Windows machine that hasn't been configured to do anything different.
Investigate EAP flavours to find out which ones are available. If you have EAP-TTLS-PAP you can send the plaintext password from the wireless client, and use it to authenticate against the web service.
In FreeRADIUS v3.0.x there's an rlm_rest module, which can perform basic auth on behalf of the user, with very little configuration.
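A minimal rlm_rest wiring for FreeRADIUS 3.0.x, added here as an example and not taken from the original answer or the FreeRADIUS distribution: the plaintext User-Password only exists inside the EAP-TTLS/PAP inner tunnel, so the REST lookup goes into the inner-tunnel virtual server, not the outer default server. The service URL, the JSON field names and the CA path are placeholders for the web service described in the question; the pool and tls keys are the standard rlm_rest ones.

```text
# mods-available/rest  (enable by linking it into mods-enabled)
rest {
    # Placeholder: the web service holding accounts, hashed passwords and MAC rules
    connect_uri = "https://auth.example.com"

    tls {
        ca_file = /etc/freeradius/3.0/certs/auth-service-ca.pem   # placeholder path
        check_cert = yes
        check_cert_cn = yes
    }

    # Runs for Auth-Type rest. rlm_rest maps the HTTP status to a module
    # return code: 2xx -> ok, 401 -> reject, 403 -> userlock, 5xx -> fail.
    authenticate {
        uri = "${..connect_uri}/radius/authenticate"   # placeholder endpoint
        method = 'post'
        body = 'json'
        # Field names are assumptions for the service in the question.
        # User-Password is only populated by PAP inside the TTLS tunnel;
        # with EAP-TLS there is no password anywhere in the exchange.
        data = '{ "username": "%{User-Name}", "password": "%{User-Password}", "mac": "%{Calling-Station-Id}" }'
        tls = ${..tls}
    }

    pool {
        start = 0
        min = 0
        max = 16
        spare = 2
        uses = 0
        lifetime = 0
        idle_timeout = 60
    }
}

# sites-available/inner-tunnel  (only the two sections that change)
authorize {
    ...
    # PAP inside the tunnel delivers the cleartext password; hand the
    # decision to the web service instead of a local password store.
    if (User-Password) {
        update control {
            Auth-Type := rest
        }
    }
    ...
}

authenticate {
    Auth-Type rest {
        rest
    }
    ...
}
```

The supplicant has to be configured for EAP-TTLS with PAP as the inner method (for wpa_supplicant, eap=TTLS and phase2="auth=PAP"); the password is protected by the outer TLS tunnel on the air and by the rest module's TLS on the way to the web service. Nothing recovers a password from an EAP-TLS exchange, because that method never sends one.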

Connecting to a web service on EC2 AWS

We have a web service API running on an EC2 instance on AWS. We want to connect to it from external applications managed by us, e.g. an iPhone app, other frontend applications on different servers. I can't get my head around how to authenticate these. Do I add the IP to the EC2 security group, or IAM? And then when making JSON requests do I need to send the AWS access keys? Are these sent in the headers? So say a sample call would be:
API.post("http://awsserver.com/app_api/v1/request",
         query: { customer_name: "John Doe", customer_email: "test@test.com" },
         headers: { "AWS_ACCESS_KEY_ID" => "exampletoken", "AWS_SECRET_KEY" => "secretexample" })
I have tried searching but surprisingly not a lot found. Any help would be great, thanks.
First off, do not send your access key and secret in any POST, ever, in plain text. The access key and secret key are used to generate unique, expiring tokens to access AWS resources at your account level, not your application (API).
There are lots of assumptions I am making; however, you will need to have the authentication done at your application level if you intend to have this API accessible from mobile devices, as they will have changing IPs.
Look into OAuth, where devices request access from some authentication mechanism in your application which will return a token you can send along in subsequent POST requests in the header.
For servers accessing your API you could certainly add those EC2 instances' IPs to a security group opening access to your API server and deny all other IPs access; however, keep in mind that if the EC2 instances do not have Elastic IPs then on any restart they will have a different IP and need to be added to your security group.
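The token step the answer describes, as an added example that is not code from the original answer: the API authenticates the device or user once, hands back a short-lived token signed with a server-side secret, and checks that token on every later request via the Authorization header. This is a minimal stand-in for what an OAuth authorization server does, not an OAuth implementation; the secret, subject and lifetime are placeholders, and the AWS keys never leave the server.

```python
"""Added example: issue and verify short-lived HMAC-signed bearer tokens for an
application-level API, instead of shipping AWS access keys to clients."""
import base64
import hashlib
import hmac
import json
import time

# Placeholder. Keep the real value in a secrets manager and rotate it; an IAM
# role on the EC2 instance provides the AWS credentials, so none are needed here.
SERVER_SECRET = b"rotate-me-and-store-in-a-secrets-manager"


def b64encode_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode_nopad(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    """Canonical JSON so the signature covers exactly what verify_token reads."""
    return b64encode_nopad(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())


def issue_token(subject, ttl_seconds=3600, now=None, secret=SERVER_SECRET):
    """Called after the device/user has authenticated (password, device cert, ...)."""
    now = int(time.time()) if now is None else now
    payload = encode_claims({"sub": subject, "iat": now, "exp": now + ttl_seconds})
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64encode_nopad(sig)}"


def verify_token(token, now=None, secret=SERVER_SECRET):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload, sig_text = token.split(".")
        sig = b64decode_nopad(sig_text)
    except ValueError:              # wrong shape or bad base64
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(b64decode_nopad(payload))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


def authenticate_request(headers, now=None):
    """Server side: accept only 'Authorization: Bearer <token>'; anything else,
    including AWS_ACCESS_KEY_ID-style headers from the question, is rejected."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], now=now)


def client_headers(token):
    """Client side (iPhone app, other servers): send the token, never AWS keys."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


if __name__ == "__main__":
    tok = issue_token("iphone-app:device-42", ttl_seconds=60)
    print(client_headers(tok))
    print(authenticate_request(client_headers(tok)))
```

Because the token is only valid for a short time and is bound to a subject, a leaked token is far less damaging than a leaked AWS secret; transport it over HTTPS only, since a bearer token is replayable by anyone who can read it in transit.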
