Member since
07-30-2019
3369
Posts
1615
Kudos Received
996
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 97 | 10-08-2025 10:52 AM | |
| 70 | 10-08-2025 10:36 AM | |
| 154 | 10-03-2025 06:04 AM | |
| 119 | 10-02-2025 07:44 AM | |
| 286 | 09-23-2025 10:09 AM |
08-27-2025
07:23 AM
@Virt_Apatt Where is the "custom date" originating from. I see you are creating a FlowFile with a "Custom_Date" attribute which you then modify later, but is this custom date changing often? If so, where are you getting it from? Any dataflow that requires constant user updating is not going to be ideal. A more thorough and detailed use case might get you more responses in the community, especially when asking "is there a better way". Screenshot of your current dataflow? From what you shared, I don't see the need for the Update Attribute since you can manipulate the custom date directly in the GenerateFlowFile or ExecuteSQL processors by simply using the NiFi Expression Language (NEL) statement directly in during creation or during SQL query creation. Thanks, Matt
... View more
08-27-2025
06:00 AM
@vafs You shared two different authorizers.xml configurations (one that uses file-user-group-provider and another that uses the ldap-user-group-provider). Which one are you using when you experience your error? What version of Apache NiFi are you using? Is this a multi-node NiFi cluster or Single NiFi instance? Do you have an external load balance in front of your NiFi or are you accessing your NiFi instance(s) directly using the NiFi hosts assigned IP? While the configuration of the "ldap-provider" in the login-identity-providers.xml looks valid, the configuration in your "ldap-user-group-provider" in the authorizers.xml is not valid and is not going to return any user identities. The ldap-user-group-provider executes every 30 mins to resync users and maybe groups (depending on configuration). It executes independent of any outside input. So the following configuration line is not valid: <property name="User Search Filter">(uid={0})</property> The above is only valid in the "ldap-provider". The ldap-provider is triggered when a user supplies their username and password in the NiFi login prompt. "{0}" is then replaced with the username supplied at login. No such external input is passed to the ldap-user-group-provider, thus treating this search string as a literal value. In the ldap-user-group-provider you can leave the "User Search Filter" blank if your goal is to sync all users at ONE_LEVEL from your user search base: ou=users,dc=nifi,dc=local While the app.log does reveal some unauthorized request to the endpoint: https://10.29.144.56:8443/nifi-api/controller/nar-manager/nars, it it does not show the user identity that made the request. The nifi-user.log should include that information. The snippet you shared from both the nifi-app.log and nifi-user.log are not from the same time window. Additionally the snippet shared from the nifi-user.log is incomplete (often the very last "Caused by:" section in the full stack trace tells you what they initial failure was. keep in mind that the file-access-policy-provider is responsible for creating the authorizations.xml file ONLY when it does not already exist. When it needs to be created, it uses the file-access-policy-provider configuration to seed authorizations for an Initial Admin user identity and for your node identities (commonly retrieved from the file-user-group-provider, if a NiFi cluster setup is being used). Post existence of the authorizations.xml file, modifications are made to this file via admin user actions from directly in the NiFi UI. In a NiFi cluster setup the authorizer would common include the following providers: file-user-group-provider (contains only node identities derived from node certificates) ldap-user-group-provider (sync users and possibly groups) composite-configurable-user-group-provider (used to call both above providers) file-access-policy-provider (configured to use composite-configurable-user-group-provider) managed-authorizer There is not much other insights I can provide from the information provided. Hopefully this guidance will lead you to the useful log output and help you correct you configuration issue. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
08-26-2025
06:00 AM
@AlokKumar The out-of-the-box Single user setup is only intended to be used for ease of NiFi evaluation. For a multi user production NiFi setup you need to be using another form of multi user authentication and the managed authorizer for authorization. For authentication since you have only 5 developers you could go as simple as generated a unique user certificate for each of your 5 developers. These developers could load their certificate in to their browser and use that to authenticate their user during the mutual TKLS handshake between their browser and the NiFi instance. There are plenty of detailed how-tos via a google search on how to generate certificates and even some free services that will do it for you. You'll need to make sure the public certs are added to NiFi's truststore or NiFi will not trust the private certificates you create for your users. Another common option is using LDAP or Active Directory to authenticate your users. Again, there are many resource and examples on the web for setting up a LDAP server. LDAP is not a NiFi specific service. You can then follow the the NiFi guide links i shared in my previous post that show you what needs to be configured in NiFi to use LDAP. Client certificates are supported by any secured NiFi even if you have enabled additional form of authentication like LDAP. Client certificates are the only way NiFi nodes in a multi-node NIFi cluster setup authenticate with one another. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
08-26-2025
05:45 AM
@asand3r The question is how many partitions does he target Kafka topic have? If it only has 1 partition, then only one node in the consumeKafka consumer group is going to consume all the messages. Since you are saying that when LB on connection is disabled and queue shows all FlowFiles on one node, that tells me you have just one partition. For optimal throughput you would want some multiple of the number of nodes as the partition count. With 3 NiFi nodes, you would want 3, 6, 9, etc partitions. With 3 partitions and 1 concurrent task set on your consumeKafka, you will have 3 consumers in the consumer group. Each node will consume from one of those partitions. If you have 6 partitions, and 2 concurrent tasks set on the consumeKafka processor, you will have 6 consumers (3 nodes x 2 concurrent tasks) in your consumer group. So each node's consumeKafka will be able to concurrently pull from 2 partitions. So while your LB allows for redistribution of FlowFiles being consumed by one node, it is not the optimal setup here. LB connection will not change how the processor functions, it only operates against the FlowFiles output from the feeding processor. LB connection setting are most commonly used on downstream connection of processors that are typically scheduled on primary node only (listFile, ListSFTP, etc). Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
08-25-2025
12:57 PM
@GKHN_ As I described in my first response, Authentication and Authorization are two different processes. So it sounds like from your comment that authentication is working fine for both your users and authorization is failing for your non admin user. So issue is within the authorization phase. I assume both of your users are authenticating via ldap? In your ldap-provider in the login-identity-providers.xml you have the "Identity Strategy" set to "USE_DN". With this setting you the users full ldap DN will be used as the user identity string after successful authentication. This means that entire DN is being passed to the authorizer to lookup if that full dn has been authorized to the requested end-point NiFi policy. I see you have your initial admin identity manually defined in the file-user-group-provider and the file-access-policy provider: CN=NIFIUSER,OU=Userpro,OU=CUsers,OU=Company,DC=company,DC=entp So when you login via ldap with this user's ldap username and ldap password, the user's entire DN is being passed to the authorizer and the file-access-policy provider has setup all admin related NiFi policies for this initial admin user identity. I also see from the shared authorizers.xml that the only user-group-provider the "file-access-policy provider" is configured to use is the "file-user-group-provider". The file-user-group-provider requires the admin user to manually add additional user identities manually from the with the NiFi UI (Remember that with your current ldap-provider login provider, all your ldap user identities are going to be full DNs). As the admin user, go to the NiFi global menu and select "USERS": From the NiFi Users UI, select the "+" to add a new user: Then enter the full DN for your second user (Case sensitive). unless you have added any groups, your list of groups will be blank. Now that you have added this second user identity, you'll need to start authorizing that user identities for the various policy they need. In order to access the NiFi UI, all users must be authorized to "view the user interface". From the same NiFi Global menu mentioned above, select "Policies" this time. Then from the "Access Policies" UI that appears, select "view the user interface" from the policy list pull-down. Then click on the icon to the right that looks like a person with a "+". Find the user identity you just added and check the box and click the "Add" button. Now this user can access the NIFi UI. There are other policies this user will need before they can start building dataflows on the UI. NiFi allows for very granular authorizations. But at the minimum the user will need to be authorized on the process group in which they will build their dataflows. Not all policies are defined from the "Access Policies" UI in the global menu. the component level policies are define directly via the individual component (keep an eye out for the "key" icon) From the "Operation" panel directly on the NiFi canvas you can set policies on the currently selected component: Above I have selected my root Process Group (PG). If you click the key icon you will see all the access policies that users can be authorized for. You'll need to select each one by one your user will need and add the user to them. Above will allow you to setup access for your additional users using the file-user-group-provider you have configured in your authorizers.xml. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
08-25-2025
08:21 AM
1 Kudo
@Amry The "clear state" option only appears if ListSFTP is configured to use "tracking timestamps" and there is state available to be cleared. Since you are using "tracking entities", entities are being tracked in a NiFi MapCacheServer. If your MapCacheServer has been configured with a "persistence Directory", you'll need to stop the cache server, delete the contents of the persistence directory and then restart the cache server to clear the data. If your MapCacheServer has NOT been configured with a "persistence Directory", you'll need to stop the cache server and then restart the cache server to clear the data. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
08-25-2025
05:20 AM
@HoangNguyen Keep in mind that the Apache NiFi Variable Registry no longer exist in Apache NiFi 2.x releases and there is no more development of the Apache NIFi 1.x versions. NiFi Parameter Contexts, which were introduced in later versions of Apache NiFi 1.x, provides similar capability going forward and should be used instead of the variable registry. You'll be forced to transition to Parameter Contexts in order to move to Apache NiFi 2.x. versions. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
08-12-2025
05:29 AM
@asand3r Here are my observations from what you have shared: You appear to be having a load balancing issue. The LB icon on the connection indicates it is trying to actively load balance FlowFiles in that connection. If load balancing is complete the icon will look like this: . The shared queue counts show that 1 node has reached queue threshold which would prevent it from receiving any more FlowFiles which includes from other nodes. So I assume that the ~4,600 FlowFiles on first 2 nodes are destined for that third node but can not be sent because of queue threshold. Considering the observation above, i would focus you attention on the node with the queue threshold. Maybe disconnect it from cluster via the cluster UI and inspect the flow on that node directly. Check the logs on that third node for any reported error or warn issues. Perhaps EvaluateJson processor only on node 3 is having issues? Maybe connectivity between first two nodes and and third node is having issues. Node 3 can't distribute any FlowFiles to nodes 1 or 2. And nodes 1 and 2 can't distribute to node 3. Maybe some sync issue happened node 3 for some reason has processor stopped. This may explain the stop and start of canvas getting things moving again. If you just disconnect node 3 (one with queue threshold exceeded) only and then reconnect it back to cluster, do FlowFiles start moving? At reconnection, node 3 will compare its local flow with cluster flow. If you remove the LB connection configuration, do FlowFiles get processed? I am curious why in this flow design you have setup a LB connection after the ConsumeKafka processor. This processor creates a consumer group and should be configured according the number of partitions on the target topic to maximize throughput and preventing rebalancing. Let's say your topic has 15 partitions for example. Your consumeKafka processor would then be configured with 5 concurrent tasks. 3 nodes X 5 tasks = 15 consumers in the consumer group. each consumer is assigned to a partition. This spread the consumption across all your nodes removing the need for the load balanced connection configuration. You are using a rather old version of Apache NiFi (~4 years old). I'd encourage you to upgrade to take advantage of many bug, improvements, and security fixes. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
08-11-2025
10:26 AM
@AlokKumar User authentication using OpenID Connect: OpenID Connect If you found that any of the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-11-2025
10:22 AM
1 Kudo
@AlokKumar Apache NiFi out-of-the-box configuration utilizes the Single-User-provider for user authentication and the Single-User-Authorizer for authorization. When using the Single-user-authorizer provider, you can not manage authorizations for additional users. So with this out-of-the-box setup you will not see either the Users or Policies options in NiFi since only the single user generated by NiFi an authenticate and that user has full access. These providers were created so that NiFi would be secured (HTTPS) on startup and would be accessible with modern browsers that now all redirect any http request to https. Prior to Apache NiFi 1.14 these single-user providers did not exist. The out-of-the-box setup of NiFi was unsecured. Users were required to create their own certificates, setup an external mechanism for user authentication, and setup an authorizer that could manage authorization policies for multiple user identities. CFM 2.0.4 referenced in the doc link you shared is based off Apache NiFi 1.11.4. Also worth noting is that Cloudera Flow Management (CFM) has never used the single user providers. CFM is designed to deploy/install enterprise ready secured managed Apache NiFi clusters. So before i can help here, I need to understand more about your setup. Which login provider and which authorizer are you using? If you are utilizing the out-of-the-box single user providers, that is the first thing you will need to change. Understand that Apache NiFi does not provide a multi-user login provider. So for multi-user access you'll need to use an external provider or utilize unique clientAuth certificates for each if your users. You can see what options for user authentication exist in the Apache NiFi Admin Guide under the User Authentication section. Lightweight Directory Access Protocol (LDAP) is probably the most commonly used. Now these unique user will require unique authorizations (Multi-Tenant Authorization), which the responsibility falls on the NiFi authorizers.xml configuration file. The most common setup for Apache NiFi will use the StandardManagedAuthorizer. This authorizer would then be configured to reference the FileAccessPolicyProvider which will enable the Policies option in the NiFi UI global menu. In order to set policies against multiple "user identities", this provider must be made aware of all the possible user identities and if you want to authorize by groups, will also need to know what users belong to what groups. So the file-access-policy-provider will require being configured with a user group provider. There are several options, but here are the most common: FileUserGroupProvider - This enables the "users" option in the global menu and allows you to define your user identities and group identities manually. Reminder: This has nothing to do with authentication. LdapUserGroupProvider- This syncs users and groups from an external ldap Composite Implementations - providers that allows multiple user-group-providers to be used at same time. It is common to configure the file-access-policy provider to use the composite-configurable-user-group-provider and then configure the composite-configurable-user-group-provider to obtain users and groups from both the file-user-group-provider and the ldap-user-group-provider. Where the file-user-group-provider is used to manage the user identities derived from your individual NiFi cluster node identities (yes, even your individual nodes in a NiFi cluster require some authorizations). An example authorizers.xml setup utilizing the common setup i described above can be seen here in the NIFi admin guide: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#composite-file-and-ldap-based-usersgroups Hope above helps you get your setup configured to manage multiple unique users. -------------------- Once you have multi-user authentication and authorization setup, you'll need to authorize your users. All users will access the same root Process Group (PG) which is the top level canvas. It is then common for a unique child PG to be created for each unique user or group. You can not hide components on the canvas, this is done to prevent one user/group from building their dataflows on top of other user's dataflows. However, if a user/group is not authorized on a PG, they will only see a dashed outlined PG box and no details. Same goes for processor and other components. And if they try to view the configuration they will not be able to see that either: Keep in mind that processor components will inherit their permissions/authorizations from the parent Process Group. So once you authorize a user or group to child single PG, they will be able to add processors, deeper child PGs, etc within that authorized child PG without needing to set explicit policies on every sub-component. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more