Member since
07-30-2019
3392
Posts
1618
Kudos Received
1001
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 418 | 11-05-2025 11:01 AM | |
| 309 | 11-05-2025 08:01 AM | |
| 448 | 11-04-2025 10:16 AM | |
| 666 | 10-20-2025 06:29 AM | |
| 806 | 10-10-2025 08:03 AM |
05-29-2025
12:36 PM
@asand3r It is very common to use a load balancer in front of NiFi's UI, but it is necessary to configured Session Affinity (sticky sessions) in the load balancer to make sure all subsequent requests are directed to same node in same session. When you login to a NiFi node using ldap auth, that specific node issues you a user token and stores a corresponding server side token. That server side token is only present on the one node that handled the user authentication. So without session affinity configured redirects within the same session are likely to end up going to other nodes which will reject the client token. The server token is how NiFi controls access expiration since it is not possible to guarantee a client expires and stops using the client token issued. The NiFi node will remove the server side token at expiration or when user clicks logout. You'll also want to make sure that your NiFi node certificates also include a SAN entry for: nifi-service.company.com Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
05-29-2025
12:21 PM
@lynott I see some issues in your configurations. And have some questions in order to address some other potential issues. Authorizers.xml: File-user-group-provider <identifier>file-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
<property name="Users File">./conf/users.xml</property>
<property name="Initial User Identity 1">employee</property>
</userGroupProvider> Here you are defining manually a "user identity" of "employee". Is this "employee" a user that is authenticating into your NiFi via ldap authentication. If so, I'd expect this user identity to be returned by the ldap-user-group-provider instead of the file-user-group-provider. You can NOT have two user-group-provider return the same user identity. So if "employee" is going to be returned by ldap-user-group-provider, it needs to be removed from file-user-group-provider. NOTE: The file-user-group-provider will only generate the users.xml if it does not already exist. So modifications to the configuration in the file-user-group-provider will NOT result in any changes to an already existing users.xml. the users.xml file will only contain manually added user and group identities. user and group identities returned by other user-group-provider will not get added to the users.xml. ldap-user-group-provider I assume you ldap connection is good, so I'll just focus on the user sync and group sync areas: <property name="User Search Base"></property>
<property name="User Object Class"></property>
<property name="User Search Scope">SUBTREE</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute">cn</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">OU=COMPANYGroups,DC=corp,DC=company,DC=com</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">((cn=nifi-admins))</property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property> As configured you are performing a group sync that will return all the "member" attribute values from the "nifi-admins" group. 1. Are the member attribute values full user DNs? Because you have "cn" configured in the user sync section "user Identity Attribute". each returned "member" is going to be looked up in order to get the cn value. Since NiFi and NiFi-registry user and group identities are case sensitive, it is important that the user identities authorized match exactly with the user identity returned by user authentication in to NiFi-Registry. I see from the nifi-registry.properties file that you are using the ldap-provider for user authentication. Assuming you a re logging in using the user's "cn" as the username, you need to make sure that "USE_USERNAME" is being used and not "USE_DN" in that ldap-provider. Composite-provider: <userGroupProvider>
<identifier>composite-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.CompositeUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider> Here you are using the "composite-user-group-provider", but are trying to use a configurable provider with it. Instead you should be using: <userGroupProvider>
<identifier>composite-configurable-user-group-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.CompositeConfigurableUserGroupProvider</class>
<property name="Configurable User Group Provider">file-user-group-provider</property>
<property name="User Group Provider 1">ldap-user-group-provider</property>
</userGroupProvider> You'll notice the "class" is different between these two providers. The "identifier" is not important, but must match the identifier set in your file-access-policy-provider. file-access-policy-prpovider <identifier>file-access-policy-provider</identifier>
<class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
<property name="User Group Provider">composite-user-group-provider</property>
<property name="Authorizations File">./conf/authorizations.xml</property>
<property name="Initial Admin Identity">employee</property>
<property name="NiFi Group Name"></property>
<!--<property name="NiFi Identity 1"></property>-->
</accessPolicyProvider The file-access-policy provider uses the authorizations.xml file to store all configured authorizations. It will only generate a authorizations.xml file if one does not already exist. It can be configured with an "initial Admin Identity". This configured Initial Admin Identity must be returned by one of yoru user-group-providers. In your case "employee" is being used here. The "NiFi Identity 1", "NiFi Identity 2", "NiFi Identity <xyz>" can be added to define your NiFi node certificate Identities which would allow this provider to seed the proxy policies needed by the NiFi hosts. But keep in mind that the file-user-group-provider would also need to generate these identities for this to work. ------------------- users.xml and authorizations.xml files: Your users.xml only contains one entry for "employee" which corresponds with your authorizers configuration. That user is assigned a UUID. I can then see that UUID properly authorized as and admin user in the authorizations.xml file. What I do not see in the users.xml file is any group defined with uuid: 8c295cae-a773-4d6a-98cd-eef47d0b8189 2. I assume this is the uuid for your ldap-user-group-provider returned "nifi-admins" group? 3. I assume you manually added this group to the authorizations.xml file since you mentioned you have been unable to manually configure user and policies from within the NiFi-Registry UI yet? ---------------------- NiFi-Registry UI: 4. When you login to the NiFi-Registry using user "employee" do you not see "employee" displayed in upper right corner of UI along with the wrench icon? Remember that only case sensitive "employee" and what ever group happens to be "8c295cae-a773-4d6a-98cd-eef47d0b8189" are currently authorized as an admins. 5. I assume you obtained "8c295cae-a773-4d6a-98cd-eef47d0b8189" by enabling debug in the logback.xml for the ldap-user-group-provider class? Or is this the uuid for the NiFi node certificate derived user identity? Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
05-28-2025
01:37 PM
@lynott When trying to start version control, the NiFi instance will authenticate with NiFi-registry via a MutualTLS exchange. The DN from NiFi's keytore clientAuth privateKey entry is used as the user identity (post NiFi-Registry applying any matching identity.mapping patterns to it). In the request for list of buckets will be the "user identity" displayed in teh upper right corner of NiFi when the request was made. The NiFi node is proxying the request on behalf of that user identity. So If you are not seeing any buckets, either there is a proxy issue for one of your NiFi nodes or the NiFi user identity is not properly authorized in NiFi-Registry for any buckets. Without seeing your NiFi-registry configurations, it would be difficult to say exactly what your issue is. This includes looking at: NiFi-Registry.properties authorizers.xml users.xml authorizations.xml Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
05-28-2025
07:47 AM
@s198 I am happy to report that I have reviewed CountText with Cloudera's engineering team and Cloudera will officially support the CountText processor effective with CFM 2.1.7 SP2 and CFM 4.10 releases. The documentation has been updated to reflect this change: https://docs.cloudera.com/cfm/2.1.7/release-notes/topics/cfm-supported-processors.html https://docs.cloudera.com/cfm/4.10.0/release-notes/topics/cfm-supported-processors.html Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
05-28-2025
06:23 AM
@sydney- The exception you shared: "Unable to obtain listing of buckets: javax.net.ssl.SSLHandshakeException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" Indicates a TLS trust issue within the mutualTLS handshake between your NiFi and NiFi-Registry. Perhaps the complete trust chain is missing in the truststores. Looking at the output from OpenSSL may be able to help you see what is missing. openssl s_client -connect <nifi-regsitry-hostname>:<nifi-registry-port> -showcerts
openssl s_client -connect <nifi-hostname>:<nifi-port> -showcerts Need to get past this issue before dealing with and proxied user identity issues. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
05-28-2025
05:58 AM
@nifier Apache NiFi does not have any AS2 protocol specific processors. This may require building a new processor to handle this protocol. As far as the EDI file format, NiFi is built to be data agnostic so it can handle data of any format. NiFi can do this because it generates a FlowFile that consists of FlowFile content (physical content bytes) and FlowFile attributes/metadata (attributes and metadata about the content on the FlowFile. In this way NiFi can move A FlowFile from NiFi processor to processor with no dependency on content format. Only processors components that need to interact with the content of a FlowFile will need to understand the content's format. This is where the custom processor components may need to created depending on what you are trying to accomplish as part of yoru use case. If you have no need to read or modify your EDI formatted content within your NiFi dataflow(s), then the only custom processor you would need is one that can handle the AS2 file transfer protocol. You could raise a Jiras within the Apache NiFi jira project (https://issues.apache.org/jira/browse/NIFI) with details and request help from that community in developing AS2 protocol processors. If there is enough interest, someone may assist there or you can contribute to the Apache NiFi project yourself. You'll need to create an account before you can create a a new jira in that project. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
05-21-2025
06:53 AM
1 Kudo
@TyTheNiFiGuy On first startup of NiFi the flow.json.gz does not yet exist when the authorizers.xml is executed, so the root process group is not yet known to the file-access-policy-provider in order to create the initial policies for that root process group generated ID. This is why you see all the icons greyed out above the NiFi canvas. When you tried to construct the authorizations.xml manually you are using that root process group ID manually created in a different startup. If the flow.json.gz does not exist during that startup, when created it will not have that same ID and thus greyed out icons again above the canvas in the NiFi UI. So you can only use this constructed authorizations.xml if you are also using the initial generated flow.json.gz along with it that uses that ID for the root Process group. This is really not a blocker. Your initial Admin user can access NiFi and does have full permissions on "/policies" which gives that user ability to set new policies, including for itself. Simply right clicking within the generated canvas (root Process group) and click "manage access policies" will allow hat user to set authorizations (view the component, modify the component, etc) on the root process group needed to make icons all appear. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
05-21-2025
06:32 AM
@melek6199 Let me try to address each of your statements as there appears to be some misunderstanding of how authentication and authorization works between NiFi and NiFi-Registry. I have a 3-node NiFi cluster, and I want to manage it using NiFi Registry. I configured both NiFi and NiFi Registry with a single certificate using the TLS Toolkit. I also set up LDAP integration. I can successfully connect to both NiFi and NiFi Registry individually using my LDAP users. NiFi-Registry does not manage your NiFi cluster. These are two different services. NiFi-Registry is used by NiFi to version control process groups created and managed in NiFi. It is not a security best practice to use one certificate for all your servers. You should have one certificate per server. If you have two services (A NiFi node and NiFi-Registry on the same server, they would both use the same certificate). In production I would recommend using certificates signed by actual legitimate signing authorities versus TLS toolkit generated certificates and truststore) Your keystores must meet the following requirements: Contain only one PrivateKey Entry That PrivateKey entry supports both ClientAuth and ServerAuth ExtendedKeyUsage (EKU). (Note: NiFi-Registry does not require ClientAuth, but no harm in having it) Contains at least one SAN entry that matches the server's hostname on which the certificate is being used. Your NiFi/NiFi-Registry Truststore must meet following requirements: Contain a TrustedCertEntry for every signer/issuer of the certificates passed in a mutualTLS handshake (The compete trustchain for every certificate that will be used to communicate between NiFi node and with NiFi-Registry). You can use the NiFi TLS toolkit to generate 4 keystores and 1 truststore you can use with your NiFi and NiFi-Registry services, but make sure you are running with the "--subjectAlternativeNames" option. Those SAN should include the hostnames of the servers on which the services will run. (Now technically you could create one certificate with SANs for all the hosts and then use that one cert on all hosts, but as I said, not a security best practice). However, the LDAP user that I added and authorized in the Registry does not appear in NiFi. With the certificate user, I can view the bucket in NiFi Registry from NiFi and perform flow version control. But I cannot do this with my LDAP user. The user that authenticates into NiFi-Registry does not need to exist in NiFi; however, any authenticated user identity authenticated into NiFi must exist and have proper authorization in NiFi-Registry in order to conduct version control operation within NiFi. When you ldap-user authenticates into NiFi you will see that user's "user identity" displayed in the upper right corner (Keep in mind that your user is only authenticated into the NiFi node you access the cluster from and not all the NiFi nodes). When that user attempts to start version control on a process group, NiFi connects and authenticates with NiFi-Registry via a MutualTLS exchange/handshake. In that connection it will proxy the request on behalf of that "user identity" (case sensitive). This means that not only do the NiFi node clientAuth certificates need to be authorized in NiFi-Registry to read on "Can Manage Buckets " and read,write,delete on "Can Proxy Requests", the NiFi "user identity" need to be authorized on any bucket you want that "user identity" to be able to use for version control. (let me know if you need help with how a mutualTLS handshake works) Since your NiFi authenticated ldap "user-identity" has not been added and authorized in NiFi-Registry on any buckets, nothing will appear in the list of available buckets for that "user-identity" in NiFi. NOTE: Even if I generate separate certificates for NiFi and NiFi Registry and trust each certificate independently, the certificate user does not have permission to view the bucket. This is because the certificate user from the Registry is also not created in NiFi. For this reason, I generated both from the same certificate. From what i shared in response to two section above, you can see that the certificates used by the NiFi host are only used to proxy requests to NiFi-Registry on behalf of the "user identity" authenticated with NiFi. There are few things that don't make sense to me in your shared NiFi-Registry configuration: NiFi-Registry identity-providers.xml: I see you set " <property name="Authentication Strategy">SIMPLE</property>", yet your ldap URL is "ldaps". This should then also be set to "LDAPS". NiFi-Registry authorizers.xml: You are using the file-user-group-provider which allows you to manually define an initial set of "user identities" on first startup (node edits after to this config will happen if the users.xml already exists during startup). This provider also allows for the adding of additional "user identities" later via the NiFi-Registry UI directly. NOTE: There is also an available ldap-user-group-provider that can be used to sync select users "user identity" and groups "group-identity" from ldap into your NiFi-Registry list of identities. This is helpful if you don;t want to manage your ldap user and group identities manually within NiFi and NIFi-Registry. You are the file-access-policy provider which only created the authorizations.xml file if it does not already exist on startup. In it I can see "Initial Admin Identity">CN=nifi_amadeus_admin is set; however, in your ldap-provider you have configured "Identity Strategy">USE_USERNAME. I can only assume you did similar in your NiFi setup? It is unlikely that when you are logging into your NiFi you are typing the username as "CN=nifi_amadeua_admin" since this would not be the expected value in the "sAMAccountName" ldap field/attribute. That means your initial admin "user identity" does not match the identity of your authenticated user (unless you have this set because you are using the a certificate to auth in to the services with the above). In the end, there are the following key things that need to know: user-identities must match and are case sensitive. ("Bob" and "bob" would be treated as two unique user identities. So the user identity as displayed in upper right corner in NiFi UI must be authorized on specific bucket(s) in NiFi-Registry in order to successfully use version control in NIFi. This you do not have setup correctly yet. NiFi nodes also need to be properly authorized in NiFi-Registry for mange buckets and all proxy permissions. The node's user identity is comes from the NiFi node's clientAuth certificate full DN. That full DN can be modified through the use of the identity.mapping properties in the NiFi-Registry.properties file. Note: In your shared NiFi-Registry.properties file the identity.mapping properties are commented out are not in use, so full DN of NiFi node would be used as node's user identity and need to be authorized which corresponds to with full DN used in the file-access-policy provider you have configured. I know above is a lot of information, but wanted you to fully understand how the authentication and authorization between NiFi and NiFi-Registry works. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
05-20-2025
12:50 PM
@AndreyDE Glad I could help. Using just controlRate by itself has its limitation as well because it does not optimize for performance/throughput. You are setting some rate at which batches of FlowFiles will be passed downstream. Doing just this means multiple things can happen: 1. Rate is to short resulting in additional batches being passed downstream before previous batch completed processing. This could potentially lead to large backlogs in flows affecting downstream processing just as you were experiencing previously. 2. Rate is set to long resulting in downstream processing of a batch completing well before ControlRate releases next batch. Results in slower overall throughput. 3. If some exception occurs in downstream processing, nothing would prevent additional batches from being released into that downstream processing creating a huge backlog. The above are handled by the slightly more complex option C. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
05-20-2025
10:16 AM
@BobKing ListFile only creates 0 byte (no content) FlowFiles that must be sent to a FetchFile processor to retrieve and add the content to the FlowFile. The List<abcC> and Fetch<abc> type processors should be used instead of Get<abc> type processor when working In a multi-node NiFi cluster setup. These processor allow you to run list<abc> on primary node only, load-balance the listed FlowFiles across all nodes in the NIFi cluster, and then fetch<abc> the content. Spread the workload across the cluster for ingest types that don't support cluster setups (ListFile, ListSFTP, ListFTP, etc). TIP: Your attached image was so small I could not read the processor types. When you add an image to a new post you can click on it and expand it size to make it larger by dragging form the corner of the image before hitting "Reply". Thanks, Matt
... View more