Cloudera Community
Announcements
Now Live: Explore expert insights and technical deep dives on the new Cloudera Community BlogsRead the Announcement
MattWho
user rank
user rank
Master Mentor

Re: Enabling SSL in NIFI Cluster

by Master Mentor Master Mentor in Support Questions
‎05-04-2018 03:46 PM
‎05-04-2018 03:46 PM
@Veerendra Nath Jasthi Your latest two screenshots confirm what is suspected above. You did not have the correct/full DN configured as your "Initial Admin Identity". The corrective actions I provided in previous response should get you squared away here. ... View more

Re: Enabling SSL in NIFI Cluster

by Master Mentor Master Mentor in Support Questions
‎05-04-2018 03:30 PM
‎05-04-2018 03:30 PM
@Veerendra Nath Jasthi You can see in your users.xml file that the usr identity does not match exactly with what is in your nifi-user.log. They must match exactly. <user identifier="49527e2e-41db-3e98-9926-49021fd68a56" identity="CN=nifiadmin,OU="/> while user.log has: CN=nifiadmin, OU=NIFI Assuming you had above set as your Initial Admin Identity in Ambari NiFi configs and you deleted the users.xml and authorizations.xml files on all nodes before staring NIFi via Ambari, new users.xml and authorizations.xml files should have been generated correctly. - So you have two options here: 1. Stop NiFi and manually edit the users.xml file on every node so that the identity matches exactly and restart NiFi on all nodes. or 2. Stop NiFi via Ambari, verify "Initial Admin Identity" NIFi property is set correctly, delete the users.xml and authorizations.xml on all nodes, and teh start NiFi via Ambari. Lates configs will be written to NiFi config files and NiFi will create new users.xml and authorizations.xml files on each node on startup. - Thanks, Matt ... View more

Re: Enabling SSL in NIFI Cluster

by Master Mentor Master Mentor in Support Questions
‎05-04-2018 02:57 PM
‎05-04-2018 02:57 PM
@Veerendra Nath Jasthi So nifi-user.log shows that authentication was successful for your user "CN=nifiadmin, OU=NIFI". This puts the issue squarely on the authorization side of things. Authorization configurations are in the authorizers.xml file. - Since it sounds like you are using the default file based authorization provider, you will want to inspect what is in your users.xml and authorizations.xml files NiFi generated. - What do you have in your users.xml? You should find an entry for "CN=nifiadmin, OU=NIFI" in there associated to a unique UUID. That UUID is then used to associate that user to various access policies in the authorizations.xml file. Be mindful that NiFi is case sensitive and blank spaces are valid characters including leading and trailing whitespace. "CN=nifiadmin, OU=NIFI" is not equal to "CN=nifiadmin, OU=NIFI " (trailing white space) to NiFi. - Also confirm what URL you are trying to access? (https://<nifinode-hostname>:9091/nifi ) - Thanks, Matt ... View more

Re: ambari show nifi as down but nifi is up

by Master Mentor Master Mentor in Support Questions
‎05-04-2018 12:36 PM
‎05-04-2018 12:36 PM
@vincent yernaux *** Forum tip: Try to avoid responding to an answer by starting a new answer. This makes following a single threaded discussion hard. Instead use the "add comment" on the answer you want to have open dialog. - Not really sure how you ended up in this state... Permission denied tells me the user you are currently logged in as does not own the NiFi process, have execute permissions on the nifi.sh file, or it could be some bogus output simply because the pid file is missing. - I know there was a bug in the HDF 3.1 nifi service install that failed to properly set ownership on a number of NiFi files/directories to the nifi user. So you may want to go to /usr/hdf/3.1.1.0-35 directory and performa recursive ownership change on the nifi directory ( chown -R nifi.nifi nifi ). - You can use the "ps -ef|grep nifi" command to get the process ID for the two java processes associated to NiFi. You can then manually kill those two processes. - Then try starting NiFi again from Ambari UI. - Thanks, Matt - If you found this answer addressed your question, please take a moment to login to the forum and click "accept" on the answer. ... View more

Re: Duplicate of flowfile after NiFi primary node ...

by Master Mentor Master Mentor in Support Questions
‎05-04-2018 12:17 PM
‎05-04-2018 12:17 PM
@Benjamin Bouret - It is common for the cluster Coordinator and Primary Node to change from time to time in a NiFi cluster, so you need to careful when designing your flows that utilize processors running "Primary node" only to make sure processing can still continue when a switch occurs. - I am going to assume since you got duplicates here that the local directory you have your GetFile processor pointing at is mounted across all your NiFi nodes. In order to avoid duplicates you will need to use processors that support state. The GetFile processor is one of our original processors that was developed before state management was put in place. It has been deprecated in favor of the newer listFile and FetchFile processors. The ListFile processor has the ability to store state either local to each node (not shared for cases where each node is pulling from its own non shared directory) or cluster state (state is stored in zookeeper where same processor on every node has access to it). Cluster state here would allow you to run this processor against a shared mount to all you nodes in "Primary node" only setup. If primary node changes the new primary node will start this processor and pull the last known recorded cluster state before performing a new listing. This should greatly reduce the likelihood of seeing duplicates. - NiFi will favor duplicate data over lost data. So there will still exist a small window of opportunity where duplication could occur. For example original primary node ingested data but some network issue for example prevented last state to be written to zookeeper. The new node would then not get the most current state which may result in duplication. - The list/fetch processor model also allows you to spread the workload across your cluster more easily. A flow would consist of: listFile (Scheduled primary node only) --> Remote Process group (configured to point back at cluster to redistributed listed files) ---> fetchFile ( running on all nodes to retrieve content of listed files) --> rest of flow... - Thanks, Matt - If you found this answer addressed your question, please take a moment to login to the forum and click "accept" on the answer. ... View more

Re: Running NiFi process as a job on linux machine

by Master Mentor Master Mentor in Support Questions
‎05-04-2018 12:02 PM
‎05-04-2018 12:02 PM
@Naeem Ullah Khan *** Forum tip: Try to avoid responding to an answer by starting a new answer. This makes following a single threaded discussion hard. Instead use the "add comment" on the answer you want to have open dialog. - NiFi will always have a GUI available no matter where you install it. The dataflows you build are not platform/OS specific so they can easily be moved from one NiFi to another. - The typical use case here is having a development environment where users develop and test their dataflows. These tested flows are then promoted to another Nifi that is secured to control access to the GUI by a very select number of users who are in charge of porting over tested flows form your test environments. The easiest way to do that is by using the NIFi Registry and version controlled flows. - https://nifi.apache.org/registry.html - Multiple NiFi installation (platform/OS) independent can be configured to talk to the same NiFi registry installation. You can then create your dataflows in the test environment and start version control on them. The version controlled flow is then written to the nifi registry where other authorized NiFi installation an see it. Those NiFi installations (production) can then import that versioned flow. - Nice part here is that if some future changes are made to that same version controlled flow in development, a new version can be version controlled. The production environment would then see that a newer version of a flow they are using is available and teh user can choose to upgrade to that latest version from the registry. - This allows you to continue your development work while a specific version state of that flow is actively running over in another NiFi installation. - Hope this addresses your question better. - Thank you, Matt - If you found this answer addressed your question, please take a moment to login to the forum and click "accept" on the answer. ... View more

Re: Enabling SSL in NIFI Cluster

by Master Mentor Master Mentor in Support Questions
‎05-03-2018 09:03 PM
‎05-03-2018 09:03 PM
@Veerendra Nath Jasthi You are almost there. It sounds like you may have all the certificates in place fo the NiFi cluster itself to work correctly. Any user wishing to access a secured NiFi must successfully be authenticated and authorized for the specific NiFi resources they need/want access to. - The DN you provided as the "Initial Admin Identity" needs to mach the DN exactly that is coming from the user/client. By default NiFi expects that users present a TLS certificate by which authentication is verified. NiFi can also be configured to support kerberos and LDAP authentication methods (see login-identity-providers.xml file). - Check the nifi-user.log to get more specific details on the permission denied you are seeing. I also see that appears to match exactly with what you had configured as your Initial Admin Identity in the attached screenshot, so make sure it is correct in your user.xml file (I am assuming you did delete these files on all nodes before you restarted with new configurations in Ambari). - If you want to share what is in your nifi-user.log when you try to access the URL, that may help determine what is still not correct. Thanks, Matt ... View more

Re: Enabling SSL in NIFI Cluster

by Master Mentor Master Mentor in Support Questions
‎05-03-2018 04:25 PM
‎05-03-2018 04:25 PM
@Veerendra Nath Jasthi The "Owner" DN typically has a CN that matches the hostname of the server on which the certificate is being used. In this case it looks like you create a "nifiadmin" certificate on each node. If your CN in the "owner" DN does not match your servers hostname, you will need to have a SubjectAlternativeName (SAN) in your certificate that does. - Bottom line you will likely need new certificates here. - Then make sure that each of those server DNs match what you provided as DNs for the "Node Identity 1=, Node Identity 2=, Node Identity 3=". - Also, do not forget to delete the users.xml and authorizations.xml files so they get re-created with correct entries. - Thanks, Matt ... View more

Re: Enabling SSL in NIFI Cluster

by Master Mentor Master Mentor in Support Questions
‎05-03-2018 03:02 PM
‎05-03-2018 03:02 PM
@Veerendra Nath Jasthi *** Forum tip: Try to avoid responding to an existing "answer" by starting a new answer. It makes following the conversation very hard. Instead use "Add comment" on the existing answer. - When running the keytool command, juts try hitting enter when prompted for password without entering anything. - Did you use the include NIFi CA to create your keystore and truststore? Did you use the NiFi TLS-toolkit to generate your user certificate? - Thanks, Matt ... View more

Re: Running NiFi process as a job on linux machine

by Master Mentor Master Mentor in Support Questions
‎05-03-2018 02:56 PM
‎05-03-2018 02:56 PM
@Naeem Ullah Khan I am not sure that i am completely clear on what you are trying to do... - "run this process as a cron job on a linux machine independent of NiFi" - Are you asking how to run these processors outside of a NiFi installation? If so, that is not possible. The NiFi core (Controller) handles the scheduling and management of the resources (CPU, heap, repositories, etc...) NiFi flows can not be exported to independent running processes. - You can install NiFi on your linux server(s) and even configure the run schedule as a cron. You can also create a template of yoru flow on one NiFi, download it, and then import it in to another NiFi installation. - Thanks, Matt - If you found this answer addressed your question, please take a moment to login to the forum and click "accept" on the answer. ... View more
Contact Me
Online
Offline
Last Visited
‎12-20-2025 04:14 AM
Community Statistics
Member Since ‎07-30-2019 10:41 AM
Last Visited ‎12-20-2025 04:14 AM
Posts 3,406
Kudos received 1617