Member since
07-30-2019
3421
Posts
1624
Kudos Received
1010
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 58 | 01-13-2026 11:14 AM | |
| 193 | 01-09-2026 06:58 AM | |
| 518 | 12-17-2025 05:55 AM | |
| 579 | 12-15-2025 01:29 PM | |
| 563 | 12-15-2025 06:50 AM |
04-24-2025
07:38 AM
@Alf015 The merge-param-context command will merge an exported parameter context's parameters into another existing parameter context. As simple exported parameter context with three parameters defined in it looks like this: {
"name" : "test-param",
"description" : "",
"parameters" : [ {
"parameter" : {
"name" : "test1",
"description" : "",
"sensitive" : false,
"value" : "test1",
"provided" : false,
"inherited" : false
}
}, {
"parameter" : {
"name" : "test2",
"description" : "",
"sensitive" : false,
"value" : "test2",
"provided" : false,
"inherited" : false
}
}, {
"parameter" : {
"name" : "test3",
"description" : "",
"sensitive" : false,
"value" : "test3",
"provided" : false,
"inherited" : false
}
} ],
"inheritedParameterContexts" : [ ]
} You can then use the merge-param-context command to merge the exported parameter context with another parameter context that already exists in the target NiFi: ./cli.sh nifi merge-param-context -i /tmp/test-param.json -p /opt/nifi-toolkit/conf/mytarget.properties -pcid b47a13ab-0195-1000-cc06-dc7779729310 --verbose "test-param.json" contains above shared json "mytarget.properties" contains the connection info for target NiFi. "b47a13ab-0195-1000-cc06-dc7779729310" is the id for the destination parameter context in which I am merging the input parameters There is a sample .properties file (../conf/cli.properties.example) in the toolkit conf directory. Contents of mine looks like this: baseUrl=https://nifihostname:8443
keystore=/opt/nifi/conf/keystore.p12
keystoreType=PKCS12
keystorePasswd=<password>
keyPasswd=<password>
truststore=/opt/nifi/conf/truststore.p12
truststoreType=PKCS12
truststorePasswd=<password>
proxiedEntity=<nifiadmin> You can get the values for above from your nifi.properties file of the target/destination NiFi. The proxiedEntity is my NiFi user identity that has permissions to edit the destination parameter context I am importing the new parameters into. NOTE: Your NiFi node must be authorized to /proxy user requests with Access Policies in destination NiFi. If you choose not to use a proxiedEntity, your NiFi node will need to be directly authorized to edit the target parameter context. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
04-24-2025
06:36 AM
@0tto Using child process groups is a matter of your own personal preference. Using child Process Groups allows you create a more manageable NiFi canvas by placing unique dataflows in different Process Groups. When it comes to one continuous dataflow, you may choose to put portions of it in to child process groups. For example, you might do this if portions of the dataflow can be reusable. You can right click on a process group and download a flow definition or you can choose to version control a process group to NiFi-Registry. These becomes snippets of your overall end-to-end dataflow. So let's your "transform" sub dataflow is reusable with just a few modifications, others could easily reuse it by importing from NIFi-Registry or deploying a shared flow definition. Typically users of NiFi will create a process group per unique end-to-end datflow or will create a unique process group per team to separate dataflows and control access per process group so team 1 can't mess with team 2's process group. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
04-23-2025
07:02 AM
@Shrink Once your certificate has expired, you'll need to generate a new certificate. Form your image, it appears you are using the NiFi auto-generated out-of-the-box self signed certificate? There are multiple options: (Recommended) The auto-generated certificate is intended to be used for product evaluation. For extended use and specially for production use, you should be using certificates signed by an internal company Certificate Authority (CA) or an external CA. You can manually create new self signed keystore and truststore as well. https://nifi.apache.org/nifi-docs/walkthroughs.html#manual-keystore To make life easier, I'd use the existing keystore.p12 and trustore.p12 filename instead of the nifi1.p12 and trust.p12 used in above documentation. I would also use the same password used already for the expired keystore.p12 and truststore.p12 files set in your nifi.properties file. That way if you are using these keystore and truststoe file in any NiFi dataflow controller services, you will not need to edit them. You could delete or rename the existing expired keystore.p12 and truststore.p12 files. Then edit the nifi.properies file to clear the keystore and truststore password values: nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststorePasswd= With the passwords cleared and the keystore.p12 file and truststore.p12 files removed/renamed, NiFi will generate a new keystore.p12 and truststore.p12 using new randomly generated passwords. Down side here is if you use the keystore and truststore anywher in your dataflow, you'll need to update the password. Or you can use the javak keytool command to change the passwords to the password used previously. If you do this, you'll need to restart NiFi afterwards for NiFi to start using the new passwords you update in the nifi.properties file. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
04-22-2025
05:34 AM
@ajaykumardev32 I would try to redesign your dataflow to avoid splitting the FlowFiles produced by tailFile processor. NiFi FlowFile content is immutable (can not be modified once created). Anytime the content of a FlowFile is modified, the new modified content is written to a new NiFi content claim. If the processor has an "Original" relationship, an entirely new FlowFile is created (both metadata and content). Those without "original" relationship that modify FlowFile content will simply update the existing FlowFile's metadata to point to new content claim. So your SplitText processor is producing a lot of new FlowFiles. You then have inefficient thread usage downstream where processor are now executing against many small FlowFiles. As far as Provenance repository goes, you can configure the max amount of storage it can use before purging older provenance events. Content and FlowFile repositories should not be on same disk since it is possible for content repository to fill the disk to 100%. You want to protect yoru FlowFile repository from filling to 100% by having it on a different physical or logical drive. Try utilizing the available "Record" based processors instead to avoid splitting FlowFiles and to do the record conversion/transform/modification. In your case take a look at these record processors to see if they can be used in your use case: UpdateRecord 1.28.0 ConvertRecord 1.28.0 JoltTransformRecord 1.28.0 ScriptedTransformRecord 1.28.0 You are already using a "record" based processor to write to your destination DB. Other strategies involve adjusting the "Max Timer Driven Thread" and processor "concurrent tasks" settings. You'll need to carefully monitor cpu load average as you make incremental adjustments. If you max out your cpu, there is no gain from adjusting higher anymore. Setting "Concurrent tasks" too high on any one processor can actually lead to worse performance overall in your dataflow. So small increments and monitor is the proper path to optimization in this area. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
04-21-2025
06:01 AM
@Shrink Not sure why you would want to "control processors" within dataflows in NiFi. This is not typically a good design choice. From the image shared, I see the NiFi URL is "http" and not "https". If your have you NiFi setup unsecured (HTTP), no NiFi authentication is going to be used even if setup in the NiFi core configuration files. If your NiFi was secured (HTTPS), you would still need a StandardRestrictedSSLContextService to at least provide a truststore that contained the complete trust chain for the ServerAuth certificate used in the NiFi nifi.properties keystore to establish the 1-way TLS connection before you would be able to redirect to the oauth2 endpoint to get a token. The other issue is you are not fetching a token from your oauth2 provider, but rather trying to fetch a token from whichever NiFi login provider you have configured. That is because the "rest-api/access/token" endpoint is used for the NiFi login providers (ldap-provider or kerberos-provider). When I use InvokeHTTP processor to access NiFI's rest-api, i always use MutualTLS authentication. I find it the easiest because you don't need to worry about managing tokens or fetching new tokens each time the expire. To support mutualTLS authentication, a StandardRestrictedSSLContextService would need to be used in the InvokeHTTP processor and Your NiFi would need to be secured (HTTPS). Your secured NiFi will have a keystore and truststore setup in nifi.properties file. NiFi out-of-the-box will generate generic self-signed keystore and truststore files for you. I strongly encourage you to use properly signed certificates in production. Simplest approach to set this up is to simply use the same keystore and truststore from the nifi.properties in the StandardRestrictedSSLContextService you'll use with the invokeHTTP processor. You'll need to make sure that the NiFi ClientAuth certificate DN from the keytsore is properly authorized for the NiFi rest-api endpoints you want to use (this of course also means you are NOT using the out-of-the-box single-user-authorizer and instead using an authorizer that allows you manage user authorizations manually like the StandardManagedAuthorizer.) NOTE: the Apache NiFi 2.0.0 releases where tech preview. NiFi 2.1+ are the official releases of the new 2.x line. 2.0.0-M4was last TP release, so it is going to be pretty close to the first GA release. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
04-15-2025
12:52 PM
@nifier Not much insight I can offer here without you sharing the full nifi-api request being made. Are you using curl? How are you passing your user authentication in the rest-api call? (The exception you shared points at an authentication issue) Thank you, Matt
... View more
04-11-2025
07:03 AM
@nifier NiFi is flow based programming, so tuning is directly related to the dataflows you build and the volumes of data you process. Optimal values come from testing your "program" dataflow. Aside from NiFi settings in NiFi you have to consider any other program running on the same server as NiFi as they will also consume CPU resources. "Max Timer Driven Thread Count": This is the thread pool for all your timer driven/cron driven components you add to your NiFi canvas. The general guidance here is start with 4 X the number of cores. So for you that would be 16. Then you'll need to test/monitor your server CPU load average while your dataflow(s) aer running under expected loads. If your load average is very close to or exceeds your core count, you'll need to back off on the size of your thread pool. "Concurrent task" Configurable setting on processor components that allow multiple concurrent executions of the processor. This works in conjunction with the runs schedule set on the processor. When a a processor is "scheduled" the processor will need a thread from the thread pool. Assuming concurrent task more then default 1, If there is still "work" to do at next scheduled run time and the previous concurrent task is still executing or pending execution, the additional concurrent task will allow another concurrent execution to get scheduled. Scheduled i s different from execution. You can have a bunch of scheduled tasks waiting for an available thread from the thread pool to execute. With most processors, execution is milliseconds, so working through the pool of scheduled processors is fast and efficient. The general guidance with "concurrent tasks" is start with default of 1 concurrent task, monitor your dataflows and adjust in increments of 1 only where is needed. Dataflow developers tend to make the mistake of setting some larger value from the start which is a bad idea. You'll want to look at your dataflows under load and see at which processor furthest down your dataflow path is developing an ever increasing backlog of FlowFiles on its inbound connection. A growing backlog on a connection will eventually trigger backpressure controls to kick in (connection turns red). Once back pressure kicks in the upstream processor feeding that connection will no longer we allowed to schedule until the downstream connection backpressure is lifted. So this a processor that is blocked will start queuing FlowFile upstream from it. This can lead to backpressure all the way to start of the dataflow. So do NOT simply adjust concurrent task on all these processors, instead only increase concurrent task on the one furthest down the dataflow to unblock back pressure there which will naturally allow upstream to get scheduled again. The dangers of of setting large concurrent task values is you end up with a lot more scheduled tasks all waiting for CPU time. If you set concurrent task high on CPU intensive processor, those processor may take all your CPU preventing other processors from getting an opportunity to execute for long periods of time. NOTE: The embedded documentation for each NiFi processor has a resource consideration section that will highlight if the processor has MEMORY or CPU resource considerations. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
04-11-2025
05:53 AM
@nifier I am not seeing the same behavior as you have reported which make me think your extracted.path is not not really 0 bytes. I suggest adding another dynamic property to your update Attribute processor to output the calculated length to verify. Here is what i see after my UpdateAttribute processor (newdir is set using your shared NiFi Expression Language (NEL) statement). So I created extracted.path with a single white space and then see what you describe, but that whitespace is a byte, so expected output: If it turns out your problem is because you have white space in the Extracted.path attribute, you could modify your NEL statement as follows: ${extracted.path:trim():length():gt(0):ifElse(${extracted.path:append('/'):append(${filename})},${filename})} You use the trim() NEL function to remove leading or trialing whitespace from the extracted.path before calculating length. This includes trimming of a line return. So in below you will see desired output even though extracted.path length is not 0 because I trimmed white space or line return. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
04-10-2025
07:09 AM
@sha257 Reviewing all your configuration files is not the first step here. I suspect your MutualTLS exchange between your NiFi and NiFi-Registry is not successful resulting in that connection resulting as "anonymous" user. (the user you see in the NIFi-Registry UI in upper right corner before you click login to access as a different authenticated user. Put the following class in DEBUG on your NiFi-Registry via the logback.xml:org.apache.nifi.registry.web.security.authentication Start tailing the nifi-registry-app.log You'll start seeing some DEBUG log lines (will be noisy) Then attempt to start version control on some process group in NiFi which will open the version control UI n NiFi. In the nifi-registry-app.log at that moment in time you will see one of two things: 2025-04-10 13:54:53,360 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Attempting to extract user credentials using X509IdentityProvider
2025-04-10 13:54:53,361 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Adding credentials claim to SecurityContext to be authenticated. Credentials extracted by X509IdentityProvider: AuthenticationRequest{username='<NIFI certificate DN>', credentials=[PROTECTED], details=org.apache.nifi.registry.web.security.authentication.x509.X509AuthenticationRequestDetails@713e0007} above tells you NiFi presented a trusted and clientAuth certificate at you will see that certificate's DN. In this case make sure that DN exists as a user in NiFi-Registry (case sensitive) and give that user read on "Can manage Buckets" and read, write, delete on "Can proxy user requests". or you'll see.... 2025-04-10 14:01:24,162 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Attempting to extract user credentials using X509IdentityProvider
2025-04-10 14:01:24,162 DEBUG org.apache.nifi.registry.web.security.authentication.x509.X509CertificateExtractor: No client certificate found in request.
2025-04-10 14:01:24,162 DEBUG org.apache.nifi.registry.web.security.authentication.IdentityFilter: Attempting to extract user credentials using JwtIdentityProvider
2025-04-10 14:01:24,163 DEBUG org.apache.nifi.registry.web.security.authentication.AnonymousIdentityFilter: Set SecurityContextHolder to anonymous SecurityContext Above tells you the mutualTLS exchange was not successful and the connection was established as the "anonymous" user. In this case you need to address your certificate issue so that mutualTLS can be successful. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
04-09-2025
06:21 AM
@sha257 You already shared your authorizations.xml file which shows where you are lacking the needed NiFi node certificate authorization for proxy user requests. NiFi will attempt connect to NiFi-Registry using the NifiRegistryFlowRegistryClient setup in NiFi. The NifiRegistryFlowRegistryClient has two configuration properties: The URL is set to "https://<NiFi-Registry Hostname>:<NiFi-Registry-port>/" The SSL Context Service if NOT set will use the keystore and truststore setup in the nifi.properties file. The keystore and truststore used (whethere defined via an SSL Context Service or using those from nifi.properties file MUST be capable of successfully negotiating a MutualTLS exchange between the NifiRegistryFlowRegistryClient and NiFi-Registry. This means the ClientAuth Private key in the keystore must be trusted by the truststore configured in NiFi-Registry.properties file. This also means the ClientAuth PrivateKey entry in the NiFi-Registtry keystore file must be trusted by the truststore in the NifiRegistryFlowRegistryClient. If this mutualTS exchange is not successful, the connection with your NiFi-Registry will be as the "anonymous" user identity. You could use the output from openssl to see if mutualTLS connection would be possible by looking at output from both below: openssl s_client -connect <nifi-registry-hostname>:<nifi-regsitry-port> -showcerts
openssl s_client -connect <nifi-hostname>:<nifi-port> -showcerts Above assume your NifiRegistryFlowRegistryClient is using the same keystore and truststored used in the nifi.properties file. Alternatively, you could get the verbose listing from your NifiRegistryFlowRegistryClient configured keystore and trustore and compare those with the openssl output from NiFi-Registry to validate if a mutualTLS connection is possible. ------------------------------ Assuming above is all good, then you need to verify proper authorizations are setup to allow the NifiRegistryFlowRegistryClient client identity (derived from the privateKeyEntry DN from the NifiRegistryFlowRegistryClient keystore) has the proper authorizations setup in NiFi-Registry. The NifiRegistryFlowRegistryClient keystore PrivateKey DN must eb authorized in NiFi-Registry for the following policies: "Can Manage buckets" (Read) "Can proxy user requests" (Read, Write, Delete) Above allows the NifiRegistryFlowRegistryClient to be able to see all the NiFi-Registry buckets and to make Read, Write, or Delete request on behalf of the user identity (user string shown in upper right corner of NiFi Ui) authenticated in NiFi. Once above is all good, we move on to what permissions the NiFi user that is being proxied needs in NiFi-Registry. The user identity need to be authorized on each bucket from which or two which flow definitions will be read or written. Here is a Sample public bucket ("Make publicly Visible" is checked): Since this bucket as "Make publicly Visible" checked, any user identity and anonymous users can read all flow definitions added to this bucket (This is what allowed you to import a flow definition from your public bucket to your NiFi canvas). You'll also notice that I have authorized by "nifiadmin" user identity read, write, delete on this bucket. This allows my "nifiadmin" user identity to add or update (write) flow definitions into this bucket and delete flow definitions from this bucket. From what you shared via the authorizations.xml, you have authorized "abc123" user identity read, write, delete on your public bucket. So only thing to verify here is that "abc123" user identity is the exact same case sensitive user identity being displayed in the upper right corner of your NiFi UI when you are authenticated into your NiFi. If they don't match then they are treated as different users. It is the user identity shown in your NiFi that is being proxied and needs to be properly authorized in NiFi-Registry as above example. (I know "abc123" is an example, but you get the idea here). Please help our community grow and thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more