Member since
07-30-2019
3397
Posts
1619
Kudos Received
1001
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 480 | 11-05-2025 11:01 AM | |
| 369 | 11-05-2025 08:01 AM | |
| 589 | 11-04-2025 10:16 AM | |
| 729 | 10-20-2025 06:29 AM | |
| 869 | 10-10-2025 08:03 AM |
02-06-2017
01:07 PM
The "defragment" merge strategy can only be used to Merge files that have very specific attributes assigned to them. That strategy is typically used to reassemble a FlowFile that was previously split apart by NiFi.
... View more
02-02-2017
07:25 PM
9 Kudos
How to access your secured NiFi instance or cluster: So you have secured your NiFi instance (meaning you have configured it for https access) and now you are trying to access the https web UI. Once NiFi is secured, any entity interacting with the UI will need to successfully authenticate and then be authorized to access the particular NiFi resource(s). As of HDF 2.1.1 or Apache NiFi 1.1.0, NiFi supports authentication via user certificates (default - always enabled), Kerberos/Spnego, or username and password based authentication via LDAP, LDAPS, or kerberos. The intent of this article is not to cover the authentication process, but rather to cover the initial admin authorization process. We assume for this article that authentication is successful. How do you know? A quick look in the nifi-user.log will tell you if your users authentication was successful. Following successful authentication comes NiFi Authorization. NiFi authorization can be handled by NiFi's default built in file based authorizer or handled externally via Ranger. This article will cover the default built in file based authorizer. NiFi's built in file based authorization: There are four files in NiFi that contain properties used by NiFi file based authorizer:
nifi.properties authorizers.xml users.xml authorizations.xml We will start by showing what role each of these files plays in NiFi user/server authorization. nifi.properties file (Pattern Mapping): The nifi.properties file a lot of key/value pairs that are used my NiFi's core. This file happens to be where users can define identity mapping patterns. These properties allow normalizing user identities such that identities coming from different identity providers (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. It is the resulting value from a matching pattern that is passed to the configured authorizer (NiFi's file based or Ranger). NiFi includes two examples that are commented out in the nifi.properties file; however, you can add as many unique identity mapping patterns as you need. nifi.security.identity.mapping.pattern.dn=^CN=(.*?),OU=(.*?),O=(.*?),L=(.*?),ST=(.*?),C=(.*?)$
nifi.security.identity.mapping.value.dn=$1@$2
nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
nifi.security.identity.mapping.value.kerb=$1@$2nifi.security.identity.mapping.value.kerb=$1@$2 All mapping patterns use java regular expressions. They are case sensitive and white space matters between elements. for example ^CN=(.*?),OU=(.*?),O=(.*?),L=(.*?),ST=(.*?),C=(.*?)$ would match on: CN=John Doe,O=SME,L=Bmore,ST=MD,C=US but would not match on: cn=John Doe, o=SME, l=Bmore, st=MD, c=US (Note the lowercase and white spaces) Assuming a DN of CN=John Doe,O=SME,L=Bmore,ST=MD,C=US the associated mapping value would return John Doe@SME Additional mapping patterns can be added simply by adding additional properties to the nifi.properties file similar to the above examples except each must have a unique value following nifi.security.identity.mapping.pattern. or nifi.security.identity.mapping.value. . For example: nifi.security.identity.mapping.pattern.dn2=^CN=(.*?), OU=(.*?)$
nifi.security.identity.mapping.value.dn2=$1 While you can create as many mapping patterns as you like, it is important to make sure that you do not have more then one pattern that can match your incoming user/server identity. Those user identities are run against every configured pattern and only the last pattern that matches will be applied. authorizers.xml (Default configuration supports file-provider) This file is where you will setup your NiFi file based authorizer. It is this file in which you will find the "Initial Admin Identity" property. It is very important that you correctly define an "Initial Admin Identity" before starting your secured https NiFi for the first time. (no worries if you have not, I will discuss how to fix issues when you did not or had a typo). If you are securing a NiFi cluster, you will also need to configure a "Node Identity x" for each node in your cluster (where "x" is sequential numbers). *** Don't forget to remove the comment lines "<!---" and "-->" from around these properties. So, what values should I be providing to these properties? That depends on a few factors: Which authentication method did I use?
User/server/node certificates (default) - User certificates will have a DN in the certificate for that user. This full DN is evaluated by any configured identity mapping patterns and the result is passed to the authorizer. NiFi nodes can only use server certificates to authenticate. Each server is issued server certificates and the Full DNs form those certificates are evaluated by any configured identity mapping patterns and the result is passed to the authorizer. Kerberos/Spnego - The users principal is evaluated by any configured identity mapping patterns and the result is passed to the authorizer. LDAP/LDAPS - Users are presented with a login screen. NiFi's LDAP configuration can be setup to pass either the DN returned by LDAP for the user (default) or the username (supplied at login screen). This return is evaluated by any configured identity mapping patterns and the result is passed to the authorizer. Kerberos - Users are presented with a login screen. The user's principal is evaluated by any configured identity mapping patterns and the result is passed to the authorizer. Did I setup identity pattern mappings?
If no identity mapping patterns were defined, the full return from the configured authentication is passed to the authorizer. If the user/server identity fails to match on any of the defined identity mapping patterns, the full return from the configured authentication is passed to the authorizer. What ever the final resulting value will be is what needs to be entered in the "Initial Admin Identity" and " Node Identity x" properties: Let's assume the following user/server DNs and that multiple identity mappings were setup in the nifi.properties file: Sample entity DN: Configured Identity Mapping Pattern: Configured Identity Mapping Value: Resulting value: cn=JohnDoe,ou=SME,dc=work ^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$ $1 JohnDoe CN=nifi-server1, OU=NIFI ^CN=(.*?), OU=(.*?)$ $1 nifi-server1 CN=nifi-server2, OU=NIFI ^CN=(.*?), OU=(.*?)$ $1 nifi-server2 Your authorizers.xml file would then look like this: The values configured here will be used to seed the users.xml and authorizations.xml files. users.xml The users.xml file is produced the first time and only the first time NiFi is started securely (https). This file will contain your "Initial Admin Identity" and all your "Node Identity x" configured values:
authorizations.xml The Authorizations.xml file is produced the first time and only the first time NiFi is started securely (https). NiFi will assign the access policies needed by your "Initial Admin Identity" and "Node Identity x" users/servers: As you can see, your "Initial Admin Identity" user was granted the following resources/access policies: Resource: NiFi UI Access Policy: Details: /flow (R) view the UI
All users including admin must have this access policy in order to access and view the NiFi UI. /restricted-components (W) access restricted components This access policy allows granted users the ability to add/configure NiFi components tagged as restricted on the canvas. /tenants (R and W) access users/user groups
(view and modify) This access policy allows granted users the ability to add/remove/modify new users and user groups to NiFi for authorization. /policies (R and W) access all policies
(view and modify) This access policy allows granted users the ability to add/remove various access policies for any users and user groups. /controller (R and W) access the controller (view and modify) This access policy allows granted users the ability to view/modify the controller including Reporting Tasks, Controller Services, and Nodes in the Cluster You may notice a few additional access policies were granted to your admin user. This will only happen if the NiFi you have secured already had a an existing flow.xml.gz file. In this case the "Initial Admin Identity" is also granted access to view and modify the dataflow at the NiFi root canvas level. By default all sub NiFi process groups inherit their access policies from the parent process group. This effectively gives the admin user full access to the dataflow. The "Node Identity x" servers are granted the following access policies: Resource: NiFi UI Access Policy: Details: /proxy (R and W) proxy user requests
(view and modify) Allows proxy machines to send requests on the behalf of others.
All nodes in a NiFi cluster must be granted this access policy so
users can make changes to the cluster while logged in to any of
the NiFi Cluster's nodes. What do I do if i messed up my "Initial Admin Identity" or "Node Identity x" values when setting up my authorizers.xml file? Its is common for users to incorrectly configure the value for the either the "Initial Admin Identity" or "Node Identity x" values. Common mistakes include bad mapping patterns, case sensitivity issues (LDAP DNs always have the cn, ou, etc values in lowercase), white space issues between DN sections (cn=JohnDoe, ou=sme versus cn=JohnDoe,ou=sme). You can use the nifi-user.log to identify the actual value being passed to the authorizer and then follow these steps: Correct your authorizers.xml configuration Delete or rename the current users.xml and authorizations.xml files on all of your NiFi nodes. restart all your nifi nodes NiFi will generate new users.xml and authorizations.xml files from the corrected authorizers.xml file. You should only follow this procedure to correct issues when first setting up a secured NiFi. If an Admin was able to previously access your NiFi's canvas and add new users and granted access policies to those users, all those users and access policies will be lost if you delete the users.xml and authorizations.xml files. Thanks, Matt
... View more
Labels:
02-02-2017
05:05 PM
1 Kudo
@Oliver Fletcher Your issue seems more tied to your self-signed server certs. You need to have a keystore and a truststore on each of your nodes. KEYSTORE: The keystore will contain a "PrivateKeyEntry" for the server on which it is being used. This certificate is either self-signed or signed by a CA. For NiFi, this certificate must be created so that it can be used for both ClientAuth and ServerAuth. Nodes in a NiFi cluster can act as both a server or a client at times. (Communicating from node 1 (clientAuth) to node 2 (ServerAuth) for example where node 1 is acting as a client). Often times I see server certificates created for serverAuth only. While that is all that is needed for a user to access the UI, it will cause issues when the node needs to act as a client (Node to Node communication and NiFi's S2S capability). If when communicating from node 1 to node 2 (assuming node 1's cert is server Auth only, the request to node 2 will not contain a server cert since node 1 is acting as the client) node 2 will end up reading the token in the header since the server certificate was not provided. This would explain the behavior you are seeing. TRUSTSTORE: This file is not unique on each node. It will contain 1 or more trustedCertEntries. Those TrustedCertEntries will can be for various CAs or for each self-signed cert it should trust. In you case with a 2 node cluster, the truststore must contain the trustedCertEntry for each of your nodes certificates. The same truststore would then be used on all the nodes. Here is a link to an article that covers creating keystores and truststores for use in a NiFi cluster: https://community.hortonworks.com/articles/17293/how-to-create-user-generated-keys-for-securing-nif.html Thanks, Matt
... View more
02-02-2017
04:01 PM
3 Kudos
@Oliver Fletcher When you login into the UI for a specific node in your cluster a token is returned which can be used to continue access that nodes UI only until the token expires (default is 12 hours). That token cannot be used to access the UI of any other node. Each node would need its own token. With a NiFi cluster any changes you make within the UI are propagated to all nodes in the cluster. So I am not sure i understand the need to use the same token to access the UI on each node. Thanks, Matt
... View more
02-02-2017
01:01 PM
1 Kudo
@Oliver Fletcher Authentication and authorization are two separate processes within NiFi. There is no way currently for NiFi to pull LDAP groups in to its authorizer. While NiFi's file based local authorizer does support groups, those groups are not mapped to any LDAP groups. With NiFi's latest release authentication via LDAP supports only two "Identity Strategies": Identity Strategy
Strategy
to identify users. Possible values are USE_DN and USE_USERNAME. The
default functionality if this property is missing is USE_DN in order to
retain backward
compatibility. USE_DN will use the full DN of the user entry if
possible. USE_USERNAME will use the username the user logged in with.
So either the DN returned by LDAP (USE_DN) or the username enter on the login screen (USE_USERNAME) is passed to the authorizer post any configured pattern mapping. There are currently is no Strategy for passing the user's LDAP group to the authorizer. NiFi has no support for Ranger groups as you are already aware. However, you could create a set of groups in NiFi's local file based authorizers that each provide a distinct set of access policies. You could then use your script idea to conduct ldap searches and map users DNs or usernames to those specific NiFi groups. You scripts could make calls to the nifi-api to automate adding these users to the those groups. Thanks, Matt
... View more
02-01-2017
10:30 PM
@Arun A K Is there a full stack trace that goes along with that in error in the nifi-app.log?
... View more
02-01-2017
07:32 PM
1 Kudo
@Narasimma varman Make sure the user the NiFi process is running as on your server has the necessary permissions to access that directory path and remove files from it.
Matt
... View more
01-31-2017
07:44 PM
1 Kudo
@bhumi limbu NiFi FlowFile attributes/metadata lives in heap. The List based processors return a complete listing from the target and then creates a FlowFile for each File in that returned listing. The FlowFiles being created are not committed to the list processor's success relationship until all have been created. So you end up running out of NiFi JVM heap memory before that can happen because of the size of your listing. As NiFi stands now, the only option is to use multiple list processors with each producing a listing of on a subset of the total files from your source system. You could use the "Remote Path", "Path Filter Regex" and/or "File Filter Regex" properties in the listSFTP to filter what data is selected to help reduce the heap usage.
You could also increase the available heap to your NiFi's JVM in the bootstrap.conf file; however, I find it unlikely considering the number of FlowFiles you are listing that you will not still run out of heap memory. I logged a Jira in Apache NiFi with a suggested change to how these processors produce FlowFiles from the listing returned by these types of processors: https://issues.apache.org/jira/browse/NIFI-3423 Thanks, Matt
... View more
01-31-2017
02:33 PM
1 Kudo
@Raj B Not all NiFi Processors will write attributes to FlowFiles about failures or errors. The documentation for each processor should include what attributes are written by that processor and what information those attributes will contain. There is no global enforcement by the NiFi controller on what attributes a processor must create. This is completely in the control of the developer who wrote each processor. That being said, it is good practice that any processor that has a "Failure" relationship should output an "Error" level log message that dictates the nature of the failure. This Error log message would contain the specific processor that produced the ERROR as well as information on the specific FlowFile that was routed to failure and the nature of the failure. It is possible to build a dataflow that monitors NiFi's nifi-app.log (TailFile processor) for ERROR log messages, parses out the relevant information and pass that along to some monitoring system. Thanks, Matt
... View more
01-31-2017
01:47 PM
@Joshua Adeleke There is obviously something else going on within your system that is affecting leader election. When you start you NiFi, do you see a leader election/Cluster coordinator count down timer running? Is your NiFi having trouble talking to your Zookeeper? Looks like you are having timeout issues talking to your zookeeper. I still don't understand why you are running your NiFi as a 1 node cluster if all you want is a single standalone instance of NiFi. A NiFi configured as a standalone instance does not need zookeeper and also does not perform election of cluster coordinator or primary node.
Setting the following property in your nifi.properties and restarting will make you NiFi a truly standalone instance: nifi.cluster.is.node=false
Matt
... View more