
Unable to join Nifi cluster(tls is enabled) dynamically[1.6.0]


New Contributor

Initially the NiFi secured cluster had one node. After that I tried to increase the number of nodes to two in the existing cluster by giving proper certificates, but the 2nd node could not join the cluster.

Here is the error:

---

2018-07-23 12:27:17,572 ERROR [main] o.a.nifi.controller.StandardFlowService Failed to load flow from cluster due to: org.apache.nifi.controller.UninheritableFlowException: Failed to connect node to cluster because local flow is different than cluster flow.
org.apache.nifi.controller.UninheritableFlowException: Failed to connect node to cluster because local flow is different than cluster flow.
    at org.apache.nifi.controller.StandardFlowService.loadFromConnectionResponse(StandardFlowService.java:937)
    at org.apache.nifi.controller.StandardFlowService.load(StandardFlowService.java:516)
    at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:872)
    at org.apache.nifi.NiFi.<init>(NiFi.java:157)
    at org.apache.nifi.NiFi.<init>(NiFi.java:71)
    at org.apache.nifi.NiFi.main(NiFi.java:292)
Caused by: org.apache.nifi.controller.UninheritableFlowException: Proposed Authorizer is not inheritable by the flow controller because of Authorizer differences: Proposed Authorizations do not match current Authorizations: Proposed fingerprint is not inheritable because the current access policies is not empty.
    at org.apache.nifi.controller.StandardFlowSynchronizer.sync(StandardFlowSynchronizer.java:308)
    at org.apache.nifi.controller.FlowController.synchronize(FlowController.java:1633)
    at org.apache.nifi.persistence.StandardXMLFlowConfigurationDAO.load(StandardXMLFlowConfigurationDAO.java:84)
    at org.apache.nifi.controller.StandardFlowService.loadFromBytes(StandardFlowService.java:723)
    at org.apache.nifi.controller.StandardFlowService.loadFromConnectionResponse(StandardFlowService.java:912)
    ... 5 common frames omitted

1 ACCEPTED SOLUTION


Re: Unable to join Nifi cluster(tls is enabled) dynamically[1.6.0]

Master Guru
@Hemantha kumara

-

When a new node attempts to join an existing cluster, three files are compared between the cluster and the node requesting to join that cluster:

1. flow.xml.gz

2. users.xml

3. authorizations.xml

-

In your case it is complaining about your authorizations not matching.

Normally with a new node, if the above three files do not exist, the new node will inherit them from the cluster.

Oftentimes users copy all the config files from the cluster to the new node when standing it up. This can be an issue if you copied the authorizers.xml file from a cluster node that has initial admin identity and node identity values set. With these set, that node will generate basic users.xml and authorizations.xml files from those values. Since your cluster probably has users.xml and authorizations.xml files that have been updated over time, they will not match.

-

So you have two options moving forward:

1. Copy the current users.xml and authorizations.xml files from any one of the cluster nodes to this new node, replacing the locally generated copies.

2. Delete the users.xml and authorizations.xml files on this new node. Edit the authorizers.xml and remove initial admin and node identity from that file. Restart the node so it instead inherits those files from the cluster.

-

IMPORTANT NOTE: All the nodes in your cluster are granted specific policies. The most important of which is the "Proxy user requests" policy. I recommend adding your new node to this policy before actually joining it to the cluster.

-

Thank you,

Matt

-

If you found this Answer addressed your original question, please take a moment to login and click "Accept" below the answer.


Re: Unable to join Nifi cluster(tls is enabled) dynamically[1.6.0]

New Contributor

Thanks @Matt Clarke

We are trying to automate NiFi secure cluster install and scale out.
Is it possible to update authorizers.xml (like REST APIs) at the time of NiFi secure cluster installation? I tried to update using the REST API once the secured cluster is up with initial admin, but it gave an error.

Re: Unable to join Nifi cluster(tls is enabled) dynamically[1.6.0]

Master Guru

@Hemantha kumara

There are no rest-api hooks into the NiFi configuration files like the authorizers.xml.
If you are asking how to use the rest-api to add new users (users.xml <-- done via "tenants" rest-api endpoints) and/or authorizations (authorizations.xml <-- done via the Policies rest-api endpoints), that is a different question.

-

I suggest starting a new question in the forum.

-

Thanks,

Matt

Re: Unable to join Nifi cluster(tls is enabled) dynamically[1.6.0]

Explorer

I followed suggestion #1 in this answer and it worked.

If that doesn't work, to be sure that the files are identical on the servers, do md5sum of the files.
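
An added example (not part of the original thread and not NiFi's own code): a pre-join check covering the two options in the accepted answer, its "Proxy user requests" note, and the checksum comparison suggested above. It assumes the file-based users.xml/authorizations.xml layout and that the "Proxy user requests" policy is stored as resource `/proxy` with action `W`; it compares SHA-256 digests instead of md5sum, and every DN and identifier in it is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def proxy_identities(users_xml, authz_xml):
    """Identities holding the /proxy write policy, directly or through a group."""
    tenants = ET.fromstring(users_xml)
    dn = {u.get("identifier"): u.get("identity") for u in tenants.iterfind("./users/user")}
    members = {g.get("identifier"): [m.get("identifier") for m in g.iterfind("user")]
               for g in tenants.iterfind("./groups/group")}
    found = set()
    for pol in ET.fromstring(authz_xml).iterfind("./policies/policy"):
        if (pol.get("resource"), pol.get("action")) != ("/proxy", "W"):  # assumed encoding
            continue
        ids = [u.get("identifier") for u in pol.iterfind("user")]
        for g in pol.iterfind("group"):
            ids += members.get(g.get("identifier"), [])
        found |= {dn[i] for i in ids if i in dn}  # exact, case-sensitive strings
    return found

def join_check(node_dn, cluster, local):
    """cluster/local map file name -> contents; local omits files that do not exist."""
    problems = []
    for name in ("users.xml", "authorizations.xml"):
        if name in local and sha256(local[name]) != sha256(cluster[name]):
            problems.append(name + ": local copy differs from the cluster copy")
    if node_dn not in proxy_identities(cluster["users.xml"], cluster["authorizations.xml"]):
        problems.append(node_dn + ": not in the /proxy (W) policy on the cluster")
    return problems

# Constructed sample data (not from the thread); DNs and identifiers are made up.
NODE2 = "CN=node2.example.com, OU=NIFI"
USERS = ('<tenants><groups/><users>'
         '<user identifier="u1" identity="CN=node1.example.com, OU=NIFI"/>'
         '<user identifier="u2" identity="CN=node2.example.com, OU=NIFI"/>'
         '</users></tenants>')
AUTHZ = ('<authorizations><policies><policy identifier="p1" resource="/proxy" action="W">'
         '<user identifier="u1"/>%s</policy></policies></authorizations>')
CLUSTER_BEFORE = {"users.xml": USERS, "authorizations.xml": AUTHZ % ""}
CLUSTER_AFTER = {"users.xml": USERS, "authorizations.xml": AUTHZ % '<user identifier="u2"/>'}
# Simplified stand-in for the files a new node generates on its own at first start.
GENERATED = {"users.xml": "<tenants><groups/><users/></tenants>",
             "authorizations.xml": "<authorizations><policies/></authorizations>"}

if __name__ == "__main__":
    print(join_check(NODE2, CLUSTER_BEFORE, GENERATED))  # mismatched files, no proxy policy
    print(join_check(NODE2, CLUSTER_AFTER, {}))          # option 2 after the policy is added
```

An empty `local` mapping models option 2 (files deleted so the node inherits them); passing a copy of the cluster's files models option 1.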