Member since: 07-30-2019
Posts: 3418
Kudos Received: 1624
Solutions: 1008
10-26-2023
10:46 AM
@jai1gupta For browsers like Chrome that are integrated with Apple Mac Keychain Access, you will want to convert that p12 into a cer and then import the cer.

```
openssl pkcs12 -in CN=admin_OU=lending.p12 -clcerts -nokeys -out CN=admin_OU=lending.cer
```

Then try importing the cer file that the above command output into Keychain Access.

If you have Firefox installed on your Apple Mac, then you could launch Firefox --> Preferences --> Privacy & Security (scroll down to the "Security" section) --> click "View Certificates" --> select "Your Certificates" --> then click "Import" (select your p12 file).

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
10-26-2023
08:00 AM
@jai1gupta I am not clear on your ask here and it does not seem related to the question asked and solution accepted in this thread. Please start a new community question with details around what you are trying to accomplish/solve. Feel free to @MattWho in that new question so that I get notified and I will try to assist you there. Thank you, Matt
10-24-2023
08:38 AM
@Knowledgeknow I would think that certs created by tiny cert should be fine. Troubleshooting a mutual TLS handshake is difficult without the verbose keytool output for the NiFi keystore and truststore and the NiFi-Registry keystore and truststore.

For your first screenshot with connection refused, you'll probably want to look at the nifi-registry-app.log at the time you opened that UI to see what may have been logged. Can the NiFi host resolve and reach the configured Apache NiFi-Registry host? Can this be done via the NiFi service user via command line on the NiFi host?

Once you get past any potential mutual TLS issue, we would need to inspect the configurations you have in place within:

NiFi:
- nifi.properties
- know what user-identity-string is currently authenticated into your secured NiFi when trying to interact with NiFi-Registry.

NiFi-Registry:
- nifi-registry.properties
- authorizers.xml
- users.xml
- authorizations.xml

So there is far too little information to offer up any solution or useful suggestions.

Thank you,
Matt
10-24-2023
07:25 AM
@plapla Apache NiFi does not have any automated upgrade capability. It is a fully manual process.

A typical installation involves downloading the NiFi <version> tar.gz and unpacking it. Unpacking it creates a directory based on that NiFi's version.

An upgrade would involve downloading the newer version of NiFi and reading the release notes covering all versions between your current version and the version you are upgrading to. You'll be looking for anything that may be impactful to your dataflow or installation. I don't see anything of concern between 1.23.0 and 1.23.2.

There is also some old, but still relevant, documentation related to upgrades here: https://cwiki.apache.org/confluence/display/NIFI/1.x.0+to+1.x.0+Upgrade

Bottom line is you are going to configure the same configuration files found in the NiFi conf file of the new version using the same config files from the old version. Make sure that your new NiFi version nifi.properties file configuration related to state, content_repository, provenance_repository, and FlowFile_repository are all pointing to the same directories as the old NiFi version is using. Default configs point at subdirectories within that version's deployment, so be careful. Make sure to use the same sensitive props key as well. Sometimes new versions introduce new properties in the config files. If no new properties were added you can continue to use the original config file. You'll also need to copy over your flow.json.gz, which holds everything you added/built via the NiFi UI, and the users.xml and authorizations.xml files (which hold all your users and groups and their associated authorizations). Then you can stop the old NiFi and start the new.

In your case you are simply upgrading to a new patch version, from 1.23.0 to 1.23.2, so it is very unlikely that any configurations changed. For you, you could just download the new version 1.23.2 and unpack it.

On the old version:
- Stop NiFi.
- Rename the lib directory to lib_1.23.0.
- Copy the lib directory from the NiFi 1.23.2 you just unpacked into your 1.23.0 installation.
- Make sure all file ownership and permissions are correct.
- Delete the NiFi "work" directory.
- Start your NiFi.

On startup NiFi will recreate the work directory and unpack the new nar versions there. NiFi will then load your flow.json.gz. For each component class it finds in the flow.json.gz, it will upgrade the component to the newer version (only works if only one version for a given component exists, so do not copy the new lib inside of the old lib directory).

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
10-23-2023
07:18 AM
@plapla As I mentioned in my original response, you will want to upgrade to Apache NiFi 1.23.2+: https://nifi.apache.org/download.html

I am not clear on this ask: "Is there a way to update these additionally?" Update what additionally?

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
10-23-2023
07:17 AM
@Barsha It is possible you may be hitting https://issues.apache.org/jira/browse/NIFI-11971 that affects Apache NiFi 1.23.0 and 1.23.1. It has been addressed in Apache NiFi 1.23.2, so please upgrade to that latest version: https://nifi.apache.org/download.html

So you will want to upgrade to Apache NiFi 1.23.2+.

This bug fix is already included in the CFM 2.1.6 release and was not a bug in earlier CFM releases: https://docs.cloudera.com/cfm/2.1.6/release-notes/topics/cfm-fixed-issues.html

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
10-20-2023
02:01 PM
@Knowledgeknow I am not clear here:

"when I enable ingress for it. It’s returning me as 502 bad request"

NiFi-Registry is secured once configured with an HTTPS hostname, HTTPS port, keystore, and truststore. For more info: security_configuration

As soon as HTTPS is enabled, TLS/SSL is used. It is either enabled as "REQUIRED" or "WANT", but cannot be set to "NONE". This is controlled by nifi.registry.security.needClientAuth=true (default), with "true" being "Required" and "false" being "Want".

In order for NiFi to be able to successfully negotiate a mutual TLS handshake, the NiFi "registry client" must use the HTTPS nifi-registry "https://<nifi-registry hostname>:<port>" url and have either the keystore and truststore configured in nifi.properties or a StandardRestrictedSSLContextService configured with a valid keystore and truststore.

The NiFi-Registry keystore must:
- Contain a single PrivateKeyEntry
- PrivateKey entry has serverAuth EKU
- PrivateKey entry has SAN entries that include any hostname and IPs that client(s) may use to connect to it. Since you have configured hostname with 0.0.0.0 so that NiFi-Registry binds to all NICs, you'll need to make sure valid network IPs and hostnames are in the SAN.

The NiFi-Registry truststore must:
- Contain the complete trust chain capable of establishing trust for the PrivateKey in the NiFi keystore being used by the NiFi Registry Client.

The NiFi keystore must:
- Contain only one PrivateKey entry.
- PrivateKey DN must not use wildcards
- PrivateKey entry MUST have both clientAuth and serverAuth EKU
- PrivateKey entry must have SAN entries for NiFi hostname, and IPs clients may use to connect to it.

The NiFi truststore must:
- Contain the complete trust chain capable of establishing trust for the PrivateKey in the NiFi-Registry keystore configured in the nifi-registry.properties file.
If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
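The keystore requirements listed in the post above can be checked against `keytool -list -v` output before attempting the handshake. This is an added example, not part of the original post; the sample listing, hostnames, and the `check_keystore` helper with its `role` labels are constructed for illustration.

```python
import re

# Constructed `keytool -list -v` excerpt (sample data, not from the thread).
SAMPLE = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=nifi01.example.com, OU=NIFI

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: nifi01.example.com
  IPAddress: 10.0.0.5
]
"""

def _block(text, name):
    """Lines inside the first `name [ ... ]` extension block, stripped."""
    m = re.search(rf"^{name} \[\s*\n(.*?)^\]", text, re.M | re.S)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []

def check_keystore(listing, role, expected_names):
    """role: 'nifi' or 'registry' (hypothetical labels). Returns findings; [] means OK."""
    entries = re.split(r"(?m)^(?=Alias name:)", listing)
    keys = [e for e in entries if "Entry type: PrivateKeyEntry" in e]
    if len(keys) != 1:
        return [f"expected exactly 1 PrivateKeyEntry, found {len(keys)}"]
    leaf = keys[0].split("Certificate[2]:")[0]  # end-entity cert only, not the chain
    findings = []
    owner = re.search(r"^Owner: (.*)$", leaf, re.M)
    if role == "nifi" and owner and "*" in owner.group(1):
        findings.append("DN uses a wildcard")
    # The post requires both EKUs on the NiFi key, serverAuth on the NiFi-Registry key.
    need = {"serverAuth", "clientAuth"} if role == "nifi" else {"serverAuth"}
    for eku in sorted(need - set(_block(leaf, "ExtendedKeyUsages"))):
        findings.append(f"missing EKU {eku}")
    sans = {ln.split(": ", 1)[1] for ln in _block(leaf, "SubjectAlternativeName") if ": " in ln}
    for name in expected_names:
        if name not in sans:
            findings.append(f"SAN missing {name}")
    return findings

if __name__ == "__main__":
    print(check_keystore(SAMPLE, "nifi", ["nifi01.example.com", "10.0.0.5"]))
```

Run it against the listing for each keystore, passing every hostname and IP that clients use to reach that service as `expected_names`.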
10-20-2023
01:08 PM
@plapla It sounds like you may be hitting https://issues.apache.org/jira/browse/NIFI-11971 that affects Apache NiFi 1.23.0 and 1.23.1. It has been addressed in Apache NiFi 1.23.2, so please upgrade to that latest version: https://nifi.apache.org/download.html

This bug fix is already included in the CFM 2.1.6 release and was not a bug in earlier CFM releases: https://docs.cloudera.com/cfm/2.1.6/release-notes/topics/cfm-fixed-issues.html

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
10-16-2023
02:19 PM
1 Kudo
@techNerd Clearing a processor component's state requires stopping the processor before you can "clear the state". Stopped state is required because the processor may be writing or updating state when you attempt to clear state, which would cause issues. When stopped there is no need to worry about a race condition between writes and deletes.

That being said, resetting the sequence number stored in state to 0 can be accomplished using the advanced UI of the UpdateAttribute processor and a special reset-seq flowfile you feed into the processor at 00:00 each day.

The advanced UI of the UpdateAttribute processor works like if/then/else logic. So you would set up a Rule "reset" and a condition (if). If the condition is true, the "Actions" are applied. If no Rule's conditions are true, the processor's non-advanced UI properties are applied.

UpdateAttribute properties (same as you already have):

Click on "advanced" in the lower left corner of the processor configuration UI to open and configure Rules:

Now all you need to do is set up a GenerateFlowFile processor that feeds a FlowFile into the UpdateAttribute processor once a day to reset seq to 0 stored in that UpdateAttribute processor's local state. Optionally you could add a RouteOnAttribute processor after the UpdateAttribute to route out the sequence file for termination so it does not continue through your dataflow.

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
10-10-2023
12:15 PM
1 Kudo
@arturbrandys2 Policies are defined by the end services utilizing Ranger. Ranger also does not make authorization decisions. Each service runs a client that downloads the latest policy definitions json from Ranger for its specific service. The end service then uses those policy definitions to handle authorizations for the service. Ranger does not offer a method to define an "and" relationship between multiple groups. Even if this was possible, the end services would need to also be modified to handle that association when making access decisions based on the downloaded json. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt