clouderacloudera-managercloudera-cdp

Does anyone know how to start work with Manager API Java client?

I created Cloudera cluster on AWS by this instruction https://docs.cloudera.com/cdp-public-cloud/cloud/getting-started/topics/cdp-deploy_cdp_using_terraform.html and these Terraform scripts https://github.com/cloudera-labs/cdp-tf-quickstarts

It works, I'm able to login to CDP console and to do some operation.

Now I'm trying to do some automation with Cloudera Manager API and java client https://github.com/cloudera/cm_api/tree/master

When I'm trying to do authentications like that:

ApiClient apiClient = Configuration.getDefaultApiClient();

// Configure HTTP basic authorization: basic
apiClient.setBasePath("path");
apiClient.setUsername("username");
apiClient.setPassword("password");

ClustersResourceApi resourceApi = new ClustersResourceApi(apiClient);   
//do API calls

I got an error. I tried to repeat it with curl:

curl -u 'username':'password' -i 'https://....cloudera.site/api/v32/clusters?clusterType=any' \
>   -H 'Accept: application/json, text/javascript, */*; q=0.01' 
HTTP/1.1 302 Found
Server: nginx
Date: Tue, 15 Oct 2024 13:09:19 GMT
Content-Length: 0
Connection: keep-alive
Location: https://....cloudera.site/{cluster}/knoxsso/api/v1/websso?originalUrl=https://...cloudera.site:443/v32/clusters?clusterType=any
x-response-nginx: true

So, it seems the server wants to do SSO like on WEB UI. I wasn't able to find any documentation how to do proper authorization. Does anyone know how to start work with Manager API Java client?

Solution

  • The issue here stemmed from how the connection to Cloudera Manager was being routed.

    1. Connecting via a URL like https://....cloudera.site/ routes the connection through Cloudera's cloud infrastructure. This requires Single Sign-On (SSO) with 2-factor authentication (2FA) for security.

    2. Connecting directly to the Cloudera Manager machine (e.g., using an SSH tunnel to the cluster's master node) bypasses the Cloudera cloud and its SSO proxies. This allows direct access to the Cloudera Manager service, and explains why the code worked in that scenario.

    In essence, the code itself wasn't the problem; the difference in authentication methods between the two connection types was the key factor.