Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Unable to join Nifi cluster(tls is enabled) dynamically[1.6.0]

Labels:
avatar
author-rank hemantha_kumara
New Contributor

Created ‎07-23-2018 07:00 PM

Initially nifi secured cluster was having one node and after that I tried increase number of nodes to two in existing cluster by giving proper certificates but 2nd node could not join cluster

Here is the error

---

2018-07-23 12:27:17,572 ERROR [main] o.a.nifi.controller.StandardFlowService Failed to load flow from cluster due to: org.apache.nifi.controller.UninheritableFlowExce ption: Failed to connect node to cluster because local flow is different than cluster flow. org.apache.nifi.controller.UninheritableFlowException: Failed to connect node to cluster because local flow is different than cluster flow. at org.apache.nifi.controller.StandardFlowService.loadFromConnectionResponse(StandardFlowService.java:937) at org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:516) at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:872) at org.apache.nifi.NiFi.<init>(NiFi.java:157) at org.apache.nifi.NiFi.<init>(NiFi.java:71) at org.apache.nifi.NiFi.main(NiFi.java:292) Caused by: org.apache.nifi.controller.UninheritableFlowException: Proposed Authorizer is not inheritable by the flow controller because of Authorizer differences: Pro posed Authorizations do not match current Authorizations: Proposed fingerprint is not inheritable because the current access policies is not empty. at org.apache.nifi.controller.StandardFlowSynchronizer.sync(StandardFlowSynchronizer.java:308) at org.apache.nifi.controller.FlowController.synchronize(FlowController.java:1633) at org.apache.nifi.persistence.StandardXMLFlowConfigurationDAO.load(StandardXMLFlowConfigurationDAO.java:84) at org.apache.nifi.controller.StandardFlowService.loadFromBytes(StandardFlowService.java:723) at org.apache.nifi.controller.StandardFlowService.loadFromConnectionResponse(StandardFlowService.java:912) ... 5 common frames omitted

2,989 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎07-23-2018 07:38 PM

@Hemantha kumara

-

When a new node attempts to join an existing cluster, three files are compared between the cluster and teh node requesting to join that cluster:

1. flow.xml.gz

2. users.xml

3. authorizations.xml

-

In your case it is complaining about your authorizations not matching.

Normally with a new node, if the above three files do not exist, the new node will inherit them from the cluster.

Often times user copy all the config files from the cluster to the new node when standing it up. This can be an issue if you copied the authorizers.xml file from a cluster node that has initial admin identity and node identity values set. With these set, that node will generate a basic users.xml and authorizations.xml files from those values. Since you cluster probably has users.xml. and authorizations.xml files that have been updated over time they will not match.

-

So you have two options moving forward:

1. Copy the current users.xml and authorizations.xml files from anyone of the cluster nodes to this new node replacing the locally generated copies.

2. Delete the users.xml and authorizations.xml files on this new node. Edit the authorizers.xml and remove initial admin and node identity from that file. restart node so it instead inherits those files from the cluster.
-

IMPORTANT NOTE: All you nodes in your cluster are granted specific policies. The most important of which is the "Proxy user requests" policy. I recommend adding your new node to this policy before actually joining it to the cluster.

-

Thank you,

Matt

-

If you found this Answer addressed your original question, please take a moment to login and click "Accept" below the answer.

View solution in original post

2,712 Views
0 Kudos
1
4 REPLIES 4

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎07-23-2018 07:38 PM

@Hemantha kumara

-

When a new node attempts to join an existing cluster, three files are compared between the cluster and teh node requesting to join that cluster:

1. flow.xml.gz

2. users.xml

3. authorizations.xml

-

In your case it is complaining about your authorizations not matching.

Normally with a new node, if the above three files do not exist, the new node will inherit them from the cluster.

Often times user copy all the config files from the cluster to the new node when standing it up. This can be an issue if you copied the authorizers.xml file from a cluster node that has initial admin identity and node identity values set. With these set, that node will generate a basic users.xml and authorizations.xml files from those values. Since you cluster probably has users.xml. and authorizations.xml files that have been updated over time they will not match.

-

So you have two options moving forward:

1. Copy the current users.xml and authorizations.xml files from anyone of the cluster nodes to this new node replacing the locally generated copies.

2. Delete the users.xml and authorizations.xml files on this new node. Edit the authorizers.xml and remove initial admin and node identity from that file. restart node so it instead inherits those files from the cluster.
-

IMPORTANT NOTE: All you nodes in your cluster are granted specific policies. The most important of which is the "Proxy user requests" policy. I recommend adding your new node to this policy before actually joining it to the cluster.

-

Thank you,

Matt

-

If you found this Answer addressed your original question, please take a moment to login and click "Accept" below the answer.

2,713 Views
0 Kudos
1

avatar
author-rank hemantha_kumara
New Contributor

Created ‎07-24-2018 09:46 AM

Thanks @Matt Clarke

We are trying to automate Nifi secure cluster install and scale out.
Is it possible to update authorizers.xml(like REST apis) at the time of nifi secure cluster installation. I tried to update using rest api once secured cluster is up with initial admin, but it gave an error.

2,609 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎07-24-2018 06:49 PM

@Hemantha kumara

There are no rest-api hooks in to the nifi configuration files like the authorizers.xml.
If you are asking how to use the rest-api to add new users (users.xml <-- done via "tenants" rst-api endpoints) and/or authorizations (authorizations.xml <-- done via the Policies rest-api endpoints), that is a different question.

-

I suggest starting a new question in the forum.

-

Thanks,

Matt

2,609 Views
0 Kudos

avatar
author-rank vchhipa
Explorer

Created ‎12-10-2019 10:21 AM

I followed the suggestions #1 in this answer and it worked. 

If that doesn't work, to be sure that the files are identical on the servers, do md5sum of the files. 

2,471 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements