Member since
07-30-2019
3417
Posts
1623
Kudos Received
1008
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 424 | 12-17-2025 05:55 AM | |
| 485 | 12-15-2025 01:29 PM | |
| 515 | 12-15-2025 06:50 AM | |
| 396 | 12-05-2025 08:25 AM | |
| 657 | 12-03-2025 10:21 AM |
09-27-2023
06:24 AM
@techNerd I don't see a question in your post. I can only assume you are talking about missing "key" policy icon on your NiFi Flow root process group? This indicates your authenticated user is not authorized to view or modify all policies. What is also interesting from your screenshot is that the user identity displayed in upper right corner is a UUID and not "CN=sys_admin, OU=NIFI" from your user certificate. So I think you have multiple issues here with your configuration. Inspect your nifi.properties, login-identity-providers.xml, and authorizations.xml files for configuration issues. Also take note that the file-user-group-provider ONLY creates the users.xml file if it does not already exist during startup. It does not modify an already existing file. The file-access-policy-provider generates the authorizations.xml (different file from authorizers.xml) ONLY if it does not already exist at startup. It will not modify an already existing file. What version of Apache NiFi is being used? Did you maybe leave remnants of the single-user-provider or single-user-authorizer configured? If so remove these two providers from your configuration. Below is more info about the "initial admin": The intent of the "Initial Admin" is to give that user just enough authority to function as a NiFi Admin (access the UI, access to view and modify tenants/user, create new users and groups identities (assumes file based authorization configured), access to assign or remove access policies to users/groups, access the NiFi controller settings and give view modify to root process group (if first start up with no pre-existing flow.xml.gz/flow.json.gz in place.). It is not meant to grant the admin to all policies, but admin has ability to add themselves to all policies. There are often clear devisions of responsibility between admins and dataflow designers/engineers. An admin not involved with creating flows would have no need to be able to build flow, access component configurations, view content, view data provenance, etc. So policies of this nature are not assigned as part of initial admin setup. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
09-27-2023
05:54 AM
@manishg The first thing that comes to mind is JVM heap. You may want to collect and look at garbage collection data with large files versus small files. Second would be identifying which processor(s) the largest FlowFiles spend the most time at. For this I would suggest looking at the provenance lineage for the large FlowFiles. There is a slide bar at bottom of that lineage graph that you can scroll to see progression of FlowFile through the lineage tree. What processor follow did the FlowFile spend longest at and how are they configured? Hope this helps, Matt
... View more
09-26-2023
07:19 AM
@lafi_oussama Have you tried upgrading to the latest version of Apache NiFi? You have not shared the specific ERROR you are encountering with the UnpackContent processor. You have not shared specific around what you tried using the ExecuteStreamCommand and Python scripts. Any additional details you can provide about your zip files? Thanks, Matt
... View more
09-22-2023
08:56 AM
@Kiranq The NiFi rest-api endpoint for obtaining token is not rest-api/access. It is rest-api/access/token https://<nifi-hostname>:<nifi-port>/nifi-api/access/token and data passed like: --data-raw 'username=<username>&password=<user password>' Then the token needs to be passed with every subsequent rest-api request. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
09-22-2023
07:33 AM
@sid_21m Within NiFi, authentication and authorization are handled as separate processes. Upon successful authentication, NiFi has a user identity (In your case that user identity is your Azure AD username. That user identity is passed to the authorizer to make determination as to what NiFi authorization that user has been granted. At this point nothing more is known about the authenticated user other than the user identity. The Authorizer is configured in the authorizers.xml NiFi configuration file. In here you have multiple choices available to you, but none of them are capable of collecting App Roles from Azure. You can use the ldap-user-group-provider to collect ldap user to group associations from Azure AD. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
09-21-2023
01:14 PM
@edim2525 You can't have NiFi nodes in a cluster configured for different methods of authentication and authorization. User requests made on any node are proxied to the Cluster coordinator and then replicated to all nodes. It is unlikely that your user identity will remain the same once you change to using ldap for user authentication. Then you be setting up authorization based on those new user identities. Assuming you are currently using a managed-authorizer which uses the file-user-group-provider and file-access-policy-provider in your NiFi authorizers.xml? The ldap-provider can be configured to use the LDAP/AD DN (USE_DN) or the username entered at the login prompt (USE_USERNAME) as the user identity (case sensitive). Before making any changes to authentication, you could add the the new ldap based user identity in to your NiFi and authorize that user to all policies granted your current certificate based user already has. Then make a copy of the the login-identity-providers.xml file and Edit to add the the ldap-provider. Copy modified login-identity-providers.xml to all nodes. Then modify nifi.properties file on all nodes by changing following line: nifi.security.user.login.identity.provider=ldap-provider ***Theoretically (never done this) with authorization setup for your new ldap user identity setup across all nodes, you could probably restart one node at a time understanding that the only node that redirect to the new ldap-provider based login window would be a node that has been restarted. This way wok since your new ldap user identity will get proxied to the other nodes which will have authorization in place. On restart of your NiFi cluster these modified configuration files will be read. Keep in mind that when no other methods of authentication are enabled, NiFi will "REQUIRE" a client certificate for authentication through a mutualTLS exchange. Once additional methods of user authentication is added, mutualTLS auth is always enabled and attempted first, but instead of "REQUIRE", NiFI will "WANT" a client certificate. Only when no client certificate is presented during the MutualTLS exchange will NiFi move on to next configured method of authentication (ldap in your case). MutualTLS can NOT be disabled because it is only method of authentication for node to node communications. Now a caveat to above is that I have no idea about your current configuration, current user(s), how you plan to configure your ldap-provider, if you are using LDAP or AD, etc..., so guidance is very high level here. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
09-21-2023
12:22 PM
@Sivagopal What version of Apache NiFi are you using? There are some bugs that could lead to this. I recommend you are using Apache NiFi version 1.21 or newer. Is it always the same node that is disconnecting or appear random? Was the ERROR in the nifi-app.log followed by a full stack trace? - Make sure all nodes in your NiFi cluster are running with the same version of Apache NiFi. - Make sure that any custom or add-on nars and jars where added to all every node and have proper ownership and permissions. - Make sure all nodes use the same configured sensitive.props key and algorithm. Depending on your version of Apache NiFi, you may have a flow.xml.gz or both a flow.xml.gz and flow.json.gz files. On the node that is disconnecting, stop the node, and then rename the existing flow.xml.gz and flow.json.gz (if exists). If you restart NiFi, it will inherit the flow from the cluster when it joins and write new flow.xml.gz and flow.json.gz files to disk. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
09-20-2023
01:12 PM
@pacman NiFi has never supported security zones. There is no concept of zones in NiFi. NiFi's established policies are extremely granular all the way to the individual low level components (processors, controller services, etc) level. You have that level of individual user and group control within NiFi. NiFi also does not support "deny" ranger policies. A user is denied all except what they are authorized for directly or through inheritance. As far as to why /flow was working within a security zone... I have no idea. Would need to see that downloaded policy json and maybe I could figure out why??? Glad I was able to help you get going with your Ranger integration with NiFi. Matt
... View more
09-20-2023
12:50 PM
@pacman Are you sure NiFi is still successfully downloading the policy json when you make changes in Ranger? Within the ranger-nifi-security.xml file there is a configured "ranger.plugin.nifi.policy.cache" directory. Within that directory you will find the NiFi service .json policy file downloaded on the NiFi node. What is found in this file is what NiFi uses. Can you share that json file? Have you configured any security zones in Ranger (NiFi does not support this)? Have you unchecked the "delegate admin" check box on the policies in Ranger? Matt
... View more
09-20-2023
11:57 AM
Hello @pacman Thank s for sharing your authorizers.xml configuration. While you have both the file-user-group-provider and file-access-policy-provider configured in your authorizers.xml, your configured Ranger-provider does not use them. So these do nothing for you. When it comes to NiFi Resource Identifiers, they are very granular. The /flow NiFi Resource Identifier simply grants the authorized user access to the UI. It does not grant user ability to view (so you see no processor details or ability to open processor configuration to view it, modify, add, or delete any components. This is why everything on the canvas is ghosted (All users will always see ghosted components, it helps prevent different teams from building dataflows on top of one another). NiFi does not fully support wildcard in all NiFi Resource Identifiers, "/*" should work, but I would not recommend it. The intent here is to correctly and securely control these granular access controls. When you access NiFi's UI, you land in the root Process Group (NiFi builds this root process group for you when NiFi is first launched). Just like any other component a PG is assigned uuid. With nothing selected you will see the root PG uuid displayed in the operate panel to the left side of the canvas. Go ahead and copy that uuid. Go over to the Ranger and create a new policy in your NiFi Ranger service. In the NiFi Resource Identifier box paste that uuid. You should then be presented with available NiFi Resource Identifiers associated that PG. NiFi components inherit permissions from PGs. If grant user against a policy on that PG, all components created within that PG will inherit that same level of permissions unless you explicitly set a different policy on the sub component(s) or child process group(s). So if you give grant your user READ and Write on "/process-groups/<root PG uuid>", your user will be able to view and modify this process groups configuration and configuration of all components within this PG. Granting your user READ and WRITE on "/data/process-groups/<root pg uuid>" with allow you user to view content of FlowFile passed through components within this PG. The NiFi /resources endpoint returns all the available policies even those that would not be applicable when Ranger is managing authorization. So adding any authorizations related to NiFi Resource Identifiers that contain "policies" make no sense and are not necessary for example. I created community articles that maps the /NiFi Resource Identifiers used in Ranger to the NiFi user interface human readable policies you would have seen prior to switching to to Ranger as your authorizer (also describes what each grants the user). https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/246586 https://community.hortonworks.com/articles/226382/nifi-restricted-components-policy-descriptions.html These should help you with your journey here. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more