NIFI 2.0 Cluster Set Up

New Contributor

Hello

I am trying to set up a cluster with NiFi 2.0-M3 but have an error. 
My docker-compose file is here - https://hastebin.com/share/woqezesefi.yaml
Error:

2024-06-02 08:10:54,535 INFO [main] o.a.n.c.c.n.LeaderElectionNodeProtocolSender Determined that Cluster Coordinator is located at 248301603f5c:8082; will use this address for sending heartbeat messages
2024-06-02 08:10:54,536 INFO [main] o.a.n.c.p.AbstractNodeProtocolSender Cluster Coordinator is located at 248301603f5c/<unresolved>:8082. Will send Cluster Connection Request to this address
2024-06-02 08:10:54,571 WARN [main] o.a.nifi.controller.StandardFlowService Failed to connect to cluster due to: org.apache.nifi.cluster.protocol.ProtocolException: Failed marshalling 'CONNECTION_REQUEST' protocol message due to: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

The same docker-compose is working fine with NiFi v1.x but fails with 2.0-M3. I am able to log in to the UI but see just one node; the others can't connect to the cluster. A single instance of NiFi 2.0-M3 is running fine. Are there any new settings that need to be done in NiFi 2.0-M3?
Thank you.

1 ACCEPTED SOLUTION

Master Mentor

@inkerinmaa 

An Apache NiFi multi-node clustered setup is much different than a standalone NiFi installation.

Your exception is related to a TLS exchange trust issue going on between your nodes.  In a NiFi cluster one of the nodes will be elected to the role of "cluster coordinator" by Zookeeper (ZK).  All of the nodes will communicate with ZK in order to learn which node is currently assigned to this role and then begin sending heartbeats to that elected node in order to join the cluster.  

It looks like you are just allowing your NiFi nodes to auto generate their own self-signed certificates on each node?  Works fine to do this in a standalone NiFi setup; however, you'll need to create keystores and truststores for your NiFi cluster nodes so that proper mutual trust can be established.  

I also see that you are using the Single-User login provider and authorizer. For a NiFi cluster you'll also want to be using more production ready providers like the ldap-provider for login and the StandardManagedAuthorizer for all your authorizations.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
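
The trust failure described in the answer above can be reproduced offline with openssl: a self-signed node certificate does not chain to another node's anchor, while certificates issued by one shared CA do. This is an added example, not part of the original thread; the hostnames nifi-1 and nifi-2, the CA name and all file names are assumptions.

```shell
# Constructed demo. Hostnames nifi-1/nifi-2, the CA name and all file names
# are assumptions, not values from the thread.
set -u
WORK=$(mktemp -d)

# Case 1: each node generates its own self-signed certificate (no shared anchor).
self_signed() {  # $1 = node hostname
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1-self.key" -out "$WORK/$1-self.crt" 2>/dev/null
}

# Case 2: one private CA signs every node certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo NiFi CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_node() {  # $1 = node hostname
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  # Cluster nodes act as both TLS client and TLS server, so request both usages.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$1" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Does certificate $2 chain to the trust anchor file $1?
chains_to() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

self_signed nifi-1; self_signed nifi-2
make_ca; issue_node nifi-1; issue_node nifi-2

# What nifi-1 sees when nifi-2 presents its certificate, in each setup.
echo "self-signed, anchor = nifi-1's own cert: $(chains_to "$WORK/nifi-1-self.crt" "$WORK/nifi-2-self.crt")"
echo "CA-issued,   anchor = shared CA cert:    $(chains_to "$WORK/ca.crt" "$WORK/nifi-2.crt")"
```

In a real cluster each node's keystore would hold its own key and CA-issued certificate, and every node's truststore would hold ca.crt.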


4 REPLIES 4

Community Manager

@inkerinmaa, Welcome to our community! To help you get the best possible answer, I have tagged our NiFi experts @SAMSAL @MattWho @steven-matison  who may be able to assist you further.

Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.



Regards,

Vidya Sargur,
Community Manager



New Contributor

Hi, Matt. Thank you for your reply. I was reading the v2 docs https://nifi.apache.org/documentation/v2/ and in the section Basic Cluster Setup they described mandatory properties for the non-secure cluster. I thought v2 has the same option to be configured in a non-secure way, since there is no direct mention in the docs that the only way to set up a cluster is in a secure way. This configuration I am going to use just for tests; it is strange that even for tests it's now required to deal with certs. I will try to do as you suggested with the keystore and truststore.

Master Mentor

@inkerinmaa 
Out of the box, Apache NiFi is configured to be secure, and most browsers do not support HTTP anymore and force a redirect to HTTPS. NiFi is going to come up secured if you have the HTTPS port property configured in the nifi.properties file. So you would need to unset that property for NiFi to start unsecured.

Thanks,
Matt