Member since: 05-14-2025
Posts: 24
Kudos Received: 0
Solutions: 0
07-29-2025
03:09 AM
Hello, guys! I still have a three-node Apache NiFi 1.18.0 cluster (yep, the upgrade task is in my backlog =)) and I am trying to set it up behind HAProxy just for the UI (/nifi endpoint). I want to implement a health check to balance user requests only to nodes in CONNECTED status, to avoid issues when nodes move to maintenance (offload, disconnect). It is a good idea, right? Or maybe I am overengineering things? 😃 By the way, I have the following HAProxy config file:

frontend nifi_443
    bind *:443 ssl crt /etc/haproxy/ssl/cert_file.pem
    http-request set-path /nifi if { path / }
    mode http
    option httplog
    acl DST_IP dst 10.0.0.10
    use_backend nifi_ui_9443 if DST_IP

backend nifi_ui_9443
    mode http
    option httpchk
    http-check send meth GET uri /nifi-api/access/config ver HTTP/1.1 hdr Host nifi-cluster.corp.company.com
    http-check expect status 200
    cookie SERVERID insert indirect nocache
    balance leastconn
    server srv_1 10.0.0.1:9443 check ssl verify none cookie web1
    server srv_2 10.0.0.2:9443 check ssl verify none cookie web2
    server srv_3 10.0.0.3:9443 check ssl verify none cookie web3

Basically it works fine when all nodes are CONNECTED, but if some node goes to the DISCONNECTED state, the http-check to the selected API method still returns 200 and HAProxy continues to route users to that node. So, please give me some advice. How can I configure the HAProxy health check to get the expected behavior? Thanks a lot.
Labels: Apache NiFi
07-22-2025
07:22 AM
@MattWho thanks for such a detailed answer. You asked whether we work with very small files. I can't tell you for sure, but it is probably so -- we often read data from Kafka, and the Data Provenance page shows that content size is around a few kilobytes -- it is almost always less than 200 Kb. The second question was about leaving FlowFiles in connections -- yes, that is so. Also, thanks for your attention to the software version, we are planning updates. 😃
07-17-2025
08:00 AM
Hi, everyone. We have a three-node Apache NiFi 1.18.0 cluster. Content archive is enabled (15 minutes deep), and the content repository is on its own disk. Today we noticed that the 2nd node uses a lot of disk space for the content repository (>80%). I've checked the archive files and they fill only about 500 Mb of disk space. The rest of the space was used by current content data. The other nodes used the content repo as usual -- about 25%. Because we started to receive the following errors and the 2nd node's performance went down, I started offloading the 2nd node (~ 13:10 on the graph below):

Unable to write flowfile content to content repository container repo0 due to archive file size constraints; waiting for archive cleanup. Total number of files currently archived = 63

After the 2nd node was successfully offloaded, I connected it to the cluster again and now it works fine -- data processing and content repo usage are as usual. But while the offloading was in progress, I tracked the disk space utilization graphs and noticed that the 1st and 3rd nodes did not utilize disk space proportional to what the 2nd node freed: As you can see on the screenshot, the 2nd node freed about 160 Gb of disk space, but the 1st got only about +15 Gb and the 3rd -- +6 Gb. Did we lose data? Or did the other nodes just process in place all the data from the 2nd during the offloading process?
Labels: Apache NiFi
06-19-2025
01:31 AM
@Shu_ashu hi, could you answer one more question? What should I do if we have many Hadoop clusters? Is it OK if I put hdfs-site.xml and core-site.xml for each cluster in the lib directory with different names? E.g.:

./lib/hadoop1_hdfs-site.xml
./lib/hadoop1_core-site.xml
./lib/hadoop2_hdfs-site.xml
./lib/hadoop2_core-site.xml
06-03-2025
03:46 AM
One more update, in case someone reads this in the future. I said that: "I did it and restarted the NiFi service, but the users.xml file was not updated. So, should I update users.xml manually?" But I was wrong, and my users.xml is correctly updated after user changes in the NiFi UI. So the question had no reason; all works fine.
06-02-2025
05:35 AM
@MattWho yeah, thanks a lot! You are totally right. 😃
06-02-2025
12:26 AM
Hello, everyone. I have an issue with NiFi Registry 1.20 -- the UI button "Add user" is inactive with the Initial Admin account. But if I check the user permissions, it looks good enough: The Initial Admin user is an LDAP user and also a member of the "nifi admins" LDAP group. My authorizers.xml file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>ldap-user-group-provider-1</identifier>
        <class>org.apache.nifi.registry.security.ldap.tenants.LdapUserGroupProvider</class>
        <property name="Authentication Strategy">LDAPS</property>
        <property name="Manager DN">user</property>
        <property name="Manager Password">password</property>
        <property name="TLS - Keystore">./conf/keystore.jks</property>
        <property name="TLS - Keystore Password">pass</property>
        <property name="TLS - Keystore Type">JKS</property>
        <property name="TLS - Truststore">./conf/truststore.jks</property>
        <property name="TLS - Truststore Password">pass</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">None</property>
        <property name="TLS - Protocol">TLSv1.2</property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">60 secs</property>
        <property name="Url">ldaps://ldap.company.com</property>
        <property name="Page Size">500</property>
        <property name="Sync Interval">5 mins</property>
        <property name="Group Membership - Enforce Case Sensitivity">false</property>
        <property name="User Search Base">ou</property>
        <property name="User Object Class">user</property>
        <property name="User Search Scope">SUBTREE</property>
        <property name="User Search Filter">some filter</property>
        <property name="User Identity Attribute">sAMAccountName</property>
        <property name="User Group Name Attribute"></property>
        <property name="User Group Name Attribute - Referenced Group Attribute"></property>
        <property name="Group Search Base">ou</property>
        <property name="Group Object Class">group</property>
        <property name="Group Search Scope">SUBTREE</property>
        <property name="Group Search Filter">some search filter</property>
        <property name="Group Name Attribute">cn</property>
        <property name="Group Member Attribute">member</property>
        <property name="Group Member Attribute - Referenced User Attribute">distinguishedName</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider-2</identifier>
        ....
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider-3</identifier>
        ....
    </userGroupProvider>
    <userGroupProvider>
        <identifier>ldap-user-group-provider-4</identifier>
        ....
    </userGroupProvider>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">/opt/nifi-registry/nifi-registry-current/conf/authorizations/users.xml</property>
        <property name="Initial User Identity 1">cn=some_init_user_for_nifi_01, ou=nifi</property>
        <property name="Initial User Identity 2">cn=some_init_user_for_nifi_02, ou=nifi</property>
        <property name="Initial User Identity 3">cn=some_init_user_for_nifi_03, ou=nifi</property>
    </userGroupProvider>
    <userGroupProvider>
        <identifier>composite-configurable-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
        <property name="User Group Provider 0">file-user-group-provider</property>
        <property name="User Group Provider 1">ldap-user-group-provider-1</property>
        <property name="User Group Provider 2">ldap-user-group-provider-2</property>
        <property name="User Group Provider 3">ldap-user-group-provider-3</property>
        <property name="User Group Provider 4">ldap-user-group-provider-4</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">composite-configurable-user-group-provider</property>
        <property name="Authorizations File">/opt/nifi-registry/nifi-registry-current/conf/authorizations/authorizations.xml</property>
        <property name="Initial Admin Identity">init_admin_name</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Could you please guess what is wrong?
Labels: NiFi Registry
05-31-2025
04:26 AM
@MattD thanks for that explicit answer. Could you also explain how I must manage cluster node accounts? For instance, I have a two-node cluster and all identities are set in authorizers.xml like this:

<userGroupProvider>
    <identifier>nifi-nodes</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">/opt/nifi/nifi-1.18.0/conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">CN=test-nifi-01.company.com, OU=NiFi</property>
    <property name="Initial User Identity 2">CN=test-nifi-02.company.com, OU=NiFi</property>
</userGroupProvider>

Now, I have two issues:

1. I want to replace the first node's certificate, but its subject changed from "CN=test-nifi-01.company.com, OU=NiFi" to, let us say, "CN=test-nifi-01.company.com, OU=NiFi, O=company, L=City". In my mind, I must add the new certificate to the keystore and change the node user identity in the userGroupProvider above like this:

<userGroupProvider>
    <identifier>nifi-nodes</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">/opt/nifi/nifi-1.18.0/conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">CN=test-nifi-01.company.com, OU=NiFi, O=company, L=City</property>
    <property name="Initial User Identity 2">CN=test-nifi-02.company.com, OU=NiFi</property>
</userGroupProvider>
<accessPolicyProvider>
    <identifier>composite-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">ldap-and-nifi-nodes</property>
    <property name="Authorizations File">/opt/nifi/nifi-1.18.0/conf/authorizations.xml</property>
    <property name="Initial Admin Identity">init-adin-user-name</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=test-nifi-01.company.com, OU=NiFi, O=company, L=City</property>
    <property name="Node Identity 2">CN=test-nifi-02.company.com, OU=NiFi</property>
</accessPolicyProvider>

I did it and restarted the NiFi service, but the users.xml file was not updated. So, should I update users.xml manually?

2. If I want to add a node to my cluster, how could it be implemented if the users.xml file is not updated after I change the authorizers.xml file? Do I need to delete it every time so that NiFi generates it on startup, or something?

UPDATED

I've read the following comment from @bbende: https://community.cloudera.com/t5/Support-Questions/Apache-Nifi-Adding-new-slave-nodes/m-p/174533/highlight/true#M136796 So, it turns out I must not touch users.xml anymore and all new users must be set only in the NiFi UI?..
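The mismatch described in this post, where authorizers.xml names a node identity that users.xml does not contain, can be detected by comparing the two files. This is an added example, not code from the post or from NiFi; the embedded XML is constructed from the post's values, the function names are hypothetical, and it assumes identities are compared as exact, case-sensitive strings and that users.xml stores them in `<user identity="...">` elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the post: authorizers.xml already names
# the new certificate subject, users.xml still holds the old one.
AUTHORIZERS_XML = """<authorizers>
  <userGroupProvider>
    <property name="Initial User Identity 1">CN=test-nifi-01.company.com, OU=NiFi, O=company, L=City</property>
    <property name="Initial User Identity 2">CN=test-nifi-02.company.com, OU=NiFi</property>
  </userGroupProvider>
  <accessPolicyProvider>
    <property name="Node Identity 1">CN=test-nifi-01.company.com, OU=NiFi, O=company, L=City</property>
    <property name="Node Identity 2">CN=test-nifi-02.company.com, OU=NiFi</property>
  </accessPolicyProvider>
</authorizers>"""

USERS_XML = """<tenants>
  <users>
    <user identifier="constructed-id-1" identity="CN=test-nifi-01.company.com, OU=NiFi"/>
    <user identifier="constructed-id-2" identity="CN=test-nifi-02.company.com, OU=NiFi"/>
  </users>
</tenants>"""

# Only file-seeded identities are checked; an LDAP-backed admin is not expected in users.xml.
IDENTITY_PREFIXES = ("Initial User Identity", "Node Identity")

def configured_identities(authorizers_xml):
    """Map each identity named in authorizers.xml to the properties that name it."""
    found = {}
    for prop in ET.fromstring(authorizers_xml).iter("property"):
        name, value = prop.get("name", ""), (prop.text or "").strip()
        if value and name.startswith(IDENTITY_PREFIXES):
            found.setdefault(value, []).append(name)
    return found

def identity_drift(authorizers_xml, users_xml):
    """Return (missing, unreferenced) using exact, case-sensitive string comparison."""
    wanted = configured_identities(authorizers_xml)
    present = {u.get("identity") for u in ET.fromstring(users_xml).iter("user")}
    missing = {i: props for i, props in wanted.items() if i not in present}
    # Users that no seed property names; users created in the UI also land here.
    unreferenced = sorted(present - set(wanted))
    return missing, unreferenced

if __name__ == "__main__":
    missing, unreferenced = identity_drift(AUTHORIZERS_XML, USERS_XML)
    for identity, props in missing.items():
        print("not in users.xml:", identity, "<-", ", ".join(props))
    for identity in unreferenced:
        print("only in users.xml:", identity)
```

An entry under "not in users.xml" means the node certificate's subject has no matching user record; an entry under "only in users.xml" for a node DN is a stale identity that should be reviewed and removed once the old certificate is retired.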
05-30-2025
12:26 AM
Thanks a lot for your answer, @MattWho. 😃