Member since
07-30-2019
3406
Posts
1622
Kudos Received
1008
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 169 | 12-17-2025 05:55 AM | |
| 230 | 12-15-2025 01:29 PM | |
| 168 | 12-15-2025 06:50 AM | |
| 275 | 12-05-2025 08:25 AM | |
| 454 | 12-03-2025 10:21 AM |
07-09-2020
01:32 PM
@johannes_meixne The only place you would use "{0}" would be in the ldap-provider used for user authentication. The {0} gets replaced with the username entered in the login UI. The LdapUserGroupProvider however is used by the nifi authorizer to assemble a list of users and group strings (along with the association/membership between those user and groups) which can be used to assign authorizations against. The LdapUserGroupProvider executes on NiFi startup and then on a configured schedule to refresh the synced users and groups. Since it takes no input you can not use "{0}" in the search filter.
... View more
07-09-2020
05:42 AM
@Ben37 The GetHDFSFileInfo processor still only produced one single output FlowFile after making the change? I'd expect to see a separate FlowFile for each sub-directory found as well as each file found within those directories. This is where the RouteOnAttribute processor i mentioned would be used to drop any of the FlowFiles specific to just the "directory" and not a specific "file". Then only the FlowFiles specific to "files" would be sent on to your FetchHDFS for content ingestion. Matt
... View more
07-09-2020
05:24 AM
@JohnA The latest versions of NiFi-Registry introduced public buckets. When accessing the NiFi-Registry's https URL without presenting either a client certificate or responding to a spnego auth challenge (provide spnego properties are configured), the user will access to the public buckets as the anonymous user. If there are no anonymous buckets the user will simply see the NiFi-Registry Ui with nothing displayed they can use. To access the non public buckets and any other capability requiring authorization, the user/client would need to authenticate. In the case where a login provider is setup, the login option will be available in upper right corner which a user can click on to "login". When it comes to NiFi interacting with NiFi-Registry a successful mutual TLS handshake must be successful; otherwise, the connection will happen as anonymous since no user authentication occurred. You should not be authorizing the anonymous user, but instead fixing the mutual TLS handshake between your NiFi and NIFi-Registry. The keystore and truststore configured in both the nifi.properties and nifi-registry.properties files are what are used in facilitating that successful handshake. Since NiFi is acting as the client in this handshake, its PrivateKeyEntry in its keystore must support clientAuth EKU and its truststore must be contain the complete trust chain for the server certificate being present by NiFi-Registry. The truststore used in NiFi-Registry must contain the complete trust chain for the certificate being presented by the client (NiFi). The NiFi certificate authenticated string must then be authorized to read ll buckets and proxy within NiFi-Registry. Additionally any user initiating version control actions from within NiFi must also be authorized within NiFi-Registry for any buckets they will need access to. Hope this helps, Matt
... View more
07-08-2020
06:09 AM
@sgk The error you are seeing has nothing to do with authorization at this point. It is throwing an error during authentication of your user. So your focus at this point is on your ldap-provider configuration since it is handling the authentication of your user. "The Supplied Username or Password are not valid" indicates that the LDAP search resulted in no returns or the password used was wrong. Observations: 1. Are you using ldap or Active Directory (AD). I see you have set "User Search Filter" to "sAMAccountName={0}". sAMAccountName is more commonly seen in AD and not LDAP. Did you try using the ldapsearch command from a terminal window on your NiFI server to make sure you can return a listing for your user using this search filter? ldapsearch -x -H ldap://<ldap-hostname/IP>:<ldap-port> -D "<Manager DN>" -w "<Manager password>" -b "<user search base>" "sAMAccountName=<username>" 2. Not that this has anything to do with successful authentication, but I see you have set "Identity Strategy" to "USE_DN" which then uses the users full DN from ldap to identify that user during authorization actions following successful authorization. If you set this to "USE_USERNAME", the user string type at login will be used. 3. Also has nothing to do with authentication, but I see you are using "CN=localhost, OU=NiFi" as your "node identity 1" value. Using localhost in your node certificates is not advisable. This should be set to unique value. Also keep in mind that the keystore used by NiFi must meet the following minimum requirements: - Contain only 1 "PrivateKeyEntry" - The "PrivateKeyEntry" must support both clientAuth and serverAuth ExtendedKeyUsage (EKU). - The "PrivateKeyEntry" must contain at least 1 SubjectAlternativeName (SAN) that matches the hostname of the server on which the certificate is being used. Hope this information helps you progress with your authentication and then authorization setup in NiFi. Matt
... View more
07-08-2020
05:32 AM
1 Kudo
@Ben37 The GetHDFSFileInfo processor will produce one output FlowFile containing a complete listing of all files/directories found based upon the configured "Full path" and "Recurse Subdirectories" properties settings when the property "Group Results" is set to "All". Since you want a single FlowFile for each object listed from HDFS, you will want to set the "Group Results" property to "None". You should then see a separate FlowFile produced fro each object found. Then in your FetchHDFS processor you would need to set the property "HDFS Filename" to "${hdfs.path}/${hdfs.objectName}". You may also find that you need to insert a RouteOnAttribute processor between your GetHDFSFileInfo and FetchHDFS processors to route out any FlowFIles produced by the GetHDFSFileInfo processor that are for directory objects only (not a file). You simply add a dynamic property to route any FlowFile produced from GetHDFSFileInfo processor that has the attribute "hdfs.type" set to "file" on to the fetchHDFSprocessor and send all other FlowFiles to the unmatched relationship which you can just auto-terminate. Other things to consider: 1. Keep in mind that the GetHDFSFileInfo processor does not maintain any state, so every time it executes it will list all files/directories from the target regardless of whether they were listed before or not. The ListHDFS processor uses state. 2. If you are running your dataflow in a NIFi multi-node cluster, every node in your cluster will be performing the same listing (which may not be what you want). If you only want the list of target files/directories listed by one node, you should configure the GetHDFSFileInfo processor to "execute" on "Primary node" only (configured from processors "scheduling" tab). You can use load balancing configuration on the connection out of the GetHDFSFileInfo processor to redistribute the produced FlowFiles across all nodes in your cluster before they are processed by the FetchHDFS processor. Hope this helps, Matt
... View more
07-07-2020
05:31 AM
1 Kudo
@venkii What version of NiFi are you running? There are a set of bugs identified here that are likely related to the issue you described: https://issues.apache.org/jira/browse/NIFI-5948 https://issues.apache.org/jira/browse/NIFI-6020 https://issues.apache.org/jira/browse/NIFI-6027 The good news is that these have all since been resolved. I would recommend upgrading your NiFi to a version 1.10 or newer. Or HDF 3.4.1.1 or newer Or CFM 1.0.1 or newer As a workaround, you could shutdown you NiFi and search the users.xml and authorizations.xml file for uuid "938eb61e-bbc4-383a-8475-aee80541b5a5" and remove all references to it. You would then need to make the exact same changes to the users.xml and authorizations.xml file on every other node in your NiFi cluster or copy the corrected files from one node to the other nodes. Hope this helps, Matt
... View more
07-06-2020
05:56 AM
@Alexandros As soon as you retrieve the json from which you later extract the sensitive values, those sensitive values are available/readable by anyone who has access to view the content of a FlowFile. Even if you restrict user access so they can not view the FlowFile content, once you extract those sensitive values to FlowFile attributes they become exposed further. There is currently no methods within NiFi for encrypting FlowFile attributes. Doing so would also require any downstream processor in which you would want use those encrypted attributes to be able to understand that it is a sensitive value and decrypt it for use. Bottom line here, is that the capability you are looking for does not exist within NiFi right now. This sounds like a new development opportunity/contribution maybe. Perhaps a new NiFi controller service that handles pulling the credentials from the AWS Secret Manager and obtaining the JWT token without writing anything to the FlowFIle's attributes or content. Then any processor you would want to use this new CS in would need to be extended to support the new capability. I am not a developer myself, but this sound like non-trivial work. @alopresto might have some thoughts to add here. Thanks, Matt
... View more
06-05-2020
11:27 AM
@i_love_burger I am not sure what configuration step you need help with. What is not "working"? What errors are you seeing when processor tries to execute? NiFi configured method for user authentication has nothing to do with how processors authenticate with external servers/resources. Your user authentication and subsequent authorization simply controls what you as a NiFi user can see and do within the NiFi UI. NiFi components like processors you add via the NiFi UI are not running/executing as your user. All components are executed by the NiFi JVM service user. Any authentication required is configured via the component itself. If your endpoint httphandler running on port 8060 required mutual TLS authenctication via the TLS handshake, you will need to configure a SSLContextService that has both a keystore and a truststore. The keystore must contain a single "PrivateKeyEntry" that supports clientAuth and is capable of beig trusted by the target endpoint. The Truststore used must contain the complete TLS trust chain for the target endpoint presented server certificate in the TLS hanshake. If only one-way TLS is required, all that is need is an SSLContextService with the above mentioned truststore. Using command: "openssl s_client -connect <servername>:<port> --showcerts" is a good way to observe the server side handshake and obtain all the public certificates needed for a complete trusts chain in your truststore. Hope this helps, Matt
... View more
06-05-2020
11:17 AM
@LearnerAdmin It is not clear to me what you are asking when you say "add NIFI CA in authorities". Instructions on using the NiFi TLS toolkit can be found here: https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#tls_toolkit Using the Client/Server Tls Toolkit operational mode covered here: https://nifi.apache.org/docs/nifi-docs/html/toolkit-guide.html#client-server Will give you the ability to create a running NiFi CA authority "server" which will sign your NiFi node certificates created using the "client" mode. Thanks, Matt
... View more
05-27-2020
05:50 AM
@louis_allen NiFi node certificates must meet the following minimum criteria: 1. Extended Key usage (EKU) must support both "clientAuth" and "serverAuth". Since yours only support "serverAuth" the certificate can not be used in a mutual TLS handshake where the NiFi node is acting as a client, such as when the NiFi instance/node is communicating with NiFi-Registry or another node in a multi-node NiFi cluster. 2. The NiFi and NiFi-Registry keystore can ONLY contain ONE "PrivateKeyEntry". There is no property to tell NiFi or NiFi-Registry which PrivateKeyEntry to use when multiples exists in the keystore. 3. SubjectAlternativeName (SAN) - At least one SAN entry is required that matches the hostname of the server on which the certificate is being used. 4. NiFi and NiFi-Registry do not support wildcards used in certificate DNs. Once you have gotten new certificates for your NiFi instances that support "clientAuth", you'll need to make sure the DN from those certificates is properly authorized in NiFi-Registry to the two policies I outlined in my previous response (Read - buckets and proxy). This will resolve your issue. Hope this helps, Matt
... View more