Nifi 2.0.0 M1 Installation & Running Issues

Super Guru

Hi,

I have managed to download the latest Nifi 2.0.0 M1 and I'm trying to run it on my windows 10 machine. Doing some preliminary testing I ran into the following issues:

1- The system requirements (https://nifi.apache.org/project-documentation.html) indicate that at minimum I need Java 17, but when I try to start nifi using run.bat I get the following error:

 

 

Error: LinkageError occurred while loading main class org.apache.nifi.bootstrap.RunNiFi
        java.lang.UnsupportedClassVersionError: org/apache/nifi/bootstrap/RunNiFi has been compiled by a more recent version of the Java Runtime (class file version 65.0), this version of the Java Runtime only recognizes class file versions up to 61.0

 

 

It turns out it needs Java 21. Not sure if the documentation has not been updated or if I'm missing something.

2- After upgrading to Java 21, I'm able to start nifi using default configuration, the log file doesn't show any error and default username and password are generated, however when I try to browse for https://127.0.0.1:8443/nifi I get the following error:

SAMSAL_0-1701211397521.png

Not sure if this is something local to my machine but upon some internet search, I replaced url from 127.0.0.1 to localhost and it worked as I get to the log in screen.

3- This is not related to 2.0 but I want to mention in case someone else runs into the same issue. Basically by default, the generated user doesn't have access to security settings regarding Users & Policies. To enable this you need to set:

 

 

nifi.security.user.authorizer=managed-authorizer

 

 

And add the generated username to the authorizers.xml as mentioned here:

https://community.cloudera.com/t5/Support-Questions/No-show-Users-and-Policies-in-Global-Menu/td-p/3...

 

4- The ExecuteScript processor doesn't have Python (Jython) script engine. It could be it's deprecated, but that is not mentioned in the deprecated components site (https://cwiki.apache.org/confluence/display/NIFI/Deprecated+Components+and+Features). It only talks about removing support for Ruby, ECMAScript but not Python. If it's deprecated, what is the alternative? Is it using Python API?

5- Minor glitch I noticed when browsing nifi using chrome, for some reason the "Import from Registry" icon is not showing!

SAMSAL_1-1701212125491.png

It shows up in Edge and it shows up if I open chrome in private mode. Not sure if it's a caching issue or what.

Please advise.

Thanks

 

1 ACCEPTED SOLUTION

Master Mentor

@SAMSAL 

1. The system requirements in the admin guide portion of the Apache NiFi 2.0.0-M1 are incorrect. Apache NiFi 2.0.0-M1 does require a minimum of Java 21.

2. The SNI exception is caused by using an IP or using a hostname not found within the SAN of the PrivateKeyEntry located in the NiFi keystore.  This is per spec for Java 21.

3. It is not clear why you would want to configure a Managed-Authorizer and still use the Single-User-Provider for authentication? Is this because you plan on having your other users authenticate via TLS certificates? The Single User authentication and authorization providers were developed simply to allow an out-of-the-box secured NiFi setup. If a multi-tenant setup is desired, neither the single-user-provider nor single-user-authorizer should be used.

4. Jython was removed due to Security concerns via https://issues.apache.org/jira/browse/NIFI-12378.  
Apache NiFi 2.0.0 now natively supports Python allowing users to create python processors.  I am not aware of any that have been created yet.

5. I had no issue with UI in my Chrome browser (perhaps related to your Chrome version?).

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt


5 REPLIES

Super Collaborator

@steven-matison actually commented on another post NiFi 2.0 and I was just starting to read up on it...glad you got a head start on this @SAMSAL 

Don't recall where but I did see Java 21 was the minimum requirement. Also, could be Jython is gone because of the "Native" support @steven-matison mentioned in that other post.

Release Notes - Apache NiFi - Apache Software Foundation

New Features of 2.0.0-M1

  • Initial version of native Python API for Processors
  • Stateless Execution mode for Process Groups
  • Flow Analysis Rules API
  • Kubernetes-based Leader Election and State Management extensions
  • Python-based Processors for interacting with ChatGPT and Vector Databases
  • ListenOTLP Processor for collecting OpenTelemetry
  • ListenSlack and ConsumeSlack Processors for handling messages from Slack
  • EncryptContentAge and DecryptContentAge Processors supporting age-encryption.org specification
  • Schema Registry Services for Amazon Glue and Apicurio
  • Parameter Provider for 1Password Vault
  • YamlTreeReader for YAML as Records
  • PackageFlowFile Processor for writing file streams and attributes as FlowFile Version 3
  • Migrated from H2 Database Engine to JetBrains Xodus for storing Flow Configuration History

Now I want to go and try the shiny new toy...

 

Super Guru

Thanks @MattWho ,

As far as the Managed-Authorizer, I usually configure my access using LDAP provider but without providing my AD account any access I won't be able to log in to Nifi. I use the Single-User-Provider with the auto generated username and password to grant myself access in Nifi before I change to ldap-provider and be able to log in. Not sure if this is the right way to do it. Let me know what you think.

Thanks

 

Master Mentor

@SAMSAL 
The managed Authorizer uses the file-access-policy-provider (generates the authorizations.xml if it does not already exist) and then a user-group-provider. In your case that would make most sense to be the ldap-user-group-provider. You may also want to use the Composite-configurable-user-group-provider (configure it with ldap-user-group-provider and file-user-group-provider). Having both a file based provider and ldap provider allows syncing of ldap users and groups from ldap automatically as well as the file provider allowing you to manually add non ldap user/client identities for authorization as well. Non ldap client/user identities might be certificate based clients like other NiFi nodes/instance, etc.

Within the file-access-policy-provider you define the initial admin identity. That user identity could be set to your ldap user account identity.  Then on first start up with managed provider, it generates the authorizations.xml file seeded with the policies necessary for that initial admin user identity to act as admin.  So you could skip the single-user-provider step.

Matt
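
The provider chain described in the reply above, written out as an authorizers.xml. This is an added example, not part of the original thread or of the NiFi distribution: every value written as PLACEHOLDER_..., the example.com URL and search base, and the choice of LDAPS and sAMAccountName are assumptions to replace with your own directory's settings.

```xml
<!-- conf/authorizers.xml: added example; PLACEHOLDER_ values and example.com entries are assumptions -->
<authorizers>
    <!-- File provider: identities added by hand, e.g. certificate-based clients such as other NiFi nodes -->
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
    </userGroupProvider>
    <!-- LDAP provider: users and groups are synced from the directory automatically -->
    <userGroupProvider>
        <identifier>ldap-user-group-provider</identifier>
        <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">LDAPS</property>
        <property name="Manager DN">PLACEHOLDER_BIND_DN</property>
        <property name="Manager Password">PLACEHOLDER_BIND_PASSWORD</property>
        <property name="TLS - Truststore">PLACEHOLDER_TRUSTSTORE_PATH</property>
        <property name="TLS - Truststore Password">PLACEHOLDER_TRUSTSTORE_PASSWORD</property>
        <property name="TLS - Truststore Type">PKCS12</property>
        <property name="Url">ldaps://ldap.example.com:636</property>
        <property name="Sync Interval">30 mins</property>
        <property name="User Search Base">OU=Users,DC=example,DC=com</property>
        <property name="User Object Class">person</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Identity Attribute">sAMAccountName</property>
    </userGroupProvider>
    <!-- Composite: one configurable (file) provider plus the read-only LDAP provider -->
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>
        <property name="Configurable User Group Provider">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <!-- Must match, character for character, the identity NiFi assigns to the LDAP account at login -->
        <property name="Initial Admin Identity">PLACEHOLDER_LDAP_USER_IDENTITY</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>
```

The `nifi.security.user.authorizer=managed-authorizer` line from the original question selects the `managed-authorizer` entry at the bottom. The admin policies are seeded only when authorizations.xml does not already exist, so an existing file must be moved aside for a changed Initial Admin Identity to take effect.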