Support Questions

Find answers, ask questions, and share your expertise

unable to set up nifi cluster using NIFI 1.0.0

avatar
Rising Star

Hi, @Bryan Bende i am following below post to set nifi cluster -

http://bryanbende.com/development/2016/08/17/apache-nifi-1-0-0-authorization-and-multi-tenancy

nifi-error.png

I am trying to set 3 node cluster using nifi 1.0.0. i have made the configuration changes as per the above post. but when i start all nodes in first go itself it threw "org.apache.nifi.controller.Uninheritable Flow Exception: Failed to connect node to cluster because local flow is different than cluster flow."

To solve this i deleted the flow.xml.gz file from all the nodes but it didn't solve the issue. Please check the attached screenshot of error.

i have encountered this issue in NIFI .0.7.0 clustering as well. it came when one of the node was not in sync with NCM. so at that time deleted flow.xml.gz file from child node only. and later after restarting it replicated the NCM's flow.xml.gz.

But in NIFI 1.0.0 as i'm not aware which node has elected as coordinator node so i had to delete flow.xml.gz file from all the nodes.

1 ACCEPTED SOLUTION

avatar
Master Guru

IE is actually not a supported browser, Microsoft Edge is though.

See here for the list of supported browsers:

https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#browser-support

View solution in original post

21 REPLIES 21

avatar
Rising Star

HeyBryan, I tried the way you mentioned, still getting same error/exception. one thing i didn't understand is that users.xml and authozations.xml files are auto generated files. although i tried coping these two files from my working node to other non-working nodes as you suggested however when i let them self generate authorization.xml remain same across all nodes but inside users.xml value of identity tag differs and always set to respective node host names. please check the screenshot. do not know if this is correct behavior.nifi-users-xml.png

avatar
Master Guru

users.xml and authorizations.xml are auto generated based on what you put in authorizers.xml, and authorizers.xml should be the same on all three nodes, authorizers.xml needs the Initial Admin and a Node Identity entry for all three nodes of your cluster.

In your screenshot it looks you haven't setup the Node Identities correctly, because two of them have dn01 and one of them have dn02. If theres three nodes they should have dn01, dn02, and dn03.

An example of authorizers.xml for your case would be:

<authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">your admin user</property>
        <property name="Legacy Authorized Users File"></property>
        
        <property name="Node Identity 1">DN of node1</property>
        <property name="Node Identity 2">DN of node2</property>
	<property name="Node Identity 2">DN of node3</property>        
    </authorizer>

and that should be the same on all three nodes.

avatar
Rising Star

Thanks for this suggestion. i want to tell you that cluster is up now. I rechecked everything. configuration was fine everywhere it just that i was setting this cluster on Azure and default nifi port 9443 was only open on one of the node hence other nodes were not coming up. I have setup a 3 node cluster now and able to see the UI on all three nodes.

Now I am going as per your post and trying to set Access Policies. As per your post " we can create a policy for the root process group by clicking the key icon in the operate palette on the left" but this key icon does not work. its not grey but it doesn't open any popup. is there any catch behind this? i checked user logs as well but find nothing.

avatar
Master Guru

Clicking the lock icon should bring up the policies window:

7998-02-create-policy.png

What browser are you using? You may want to look for Javascript errors to see if something is going wrong client side?

avatar
Rising Star

I'm using IE. surprisingly the certificates i generated using tls toolkit does not working in other browser.

For key icon issue i checked in browser console there comes a javascript error when i click on key icon. attached is screenshot of same. nifi-ui-error.png please check if you can help.

avatar
Master Guru

IE is actually not a supported browser, Microsoft Edge is though.

See here for the list of supported browsers:

https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#browser-support

avatar
Rising Star

Thanks for letting me this know. But i am not able to view Nifi UI in any other browser. i have generated certs using tls toolkit as mentioned in your post and used following command -

./tls-toolkit.sh standalone -n 'host1,host2' -C 'CN=admin, OU=my cert' -o '/nifi-1.0.0/cert-target-dir'

later imported the .p12 file in browser.

except IE everywhere i'm getting secure connection failed response. please check the attached screen shot of IE and firefox nifi-security-error.png

avatar
Master Guru

I think you might be running into this: https://support.mozilla.org/en-US/questions/1058856

You could try going into about:config of Firefox and adding the address into the insecure fallback hosts as that article mentions, or you could also try setting security.tls.version.min to 1.2 to see if it forces using 1.2.

I believe NiFi allows any of the TLS versions to be used, and I think when your Firefox negotiates with NiFi it ends up choosing TLSv1, and then Firefox says that is not supported anymore for some reason, at least this is what I am guessing based on the above link.

You could also just try Chrome, usually Chrome will prompt you with a warning about being unable to validate the site, which is normal because you are using a self-signed cert, and then you just add exception and continue.

For what its worth, Chrome 52 and Firefox 48.0.2 both work for me.

avatar
Rising Star

Hi @Bryan Bende

I've a question regarding the issue "org.apache.nifi.controller.Uninheritable Flow Exception: Failed to connect node to cluster because local flow is different than cluster flow"

I had 3 node cluster, I was working on one of the node and other two were down. I created some data flows and now i want to replicate this to other two nodes, So I simply restarted other two assuming they should replicate the flow automatically. but I got above error. so I deleted the old flow.gz.xml, user.xml and authorization.xml from two down nodes, cleaned the log folder and restarted again. Still got the same error in logs. Attached are the logsnifi-app.txt

Am I doing something wrong here?

What is the best way to replicate the data when adding a new node in running cluster or making a down node up from existing cluster.

avatar
Master Guru

What you described is the correct approach, you need to delete flow.xml.gz, users.xml, and authorizations.xml, you also need to make sure authorizers.xml is the same on all nodes. You can see from your log that it was authorizations that were the problem "Proposed Authorizations do not match current Authorizations".

You can either copy authorizers.xml from the good node to the others to ensure it is the same, or you can make sure the other nodes have no initial admin and no legacy authorized users file so that they will inherit the authorizations/users from the cluster.