Member since
07-30-2019
3470
Posts
1641
Kudos Received
1018
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 256 | 05-06-2026 09:16 AM | |
| 447 | 05-04-2026 05:20 AM | |
| 318 | 05-01-2026 10:15 AM | |
| 512 | 03-23-2026 05:44 AM | |
| 387 | 02-18-2026 09:59 AM |
10-23-2023
07:17 AM
@Barsha It is possible you may be hitting https://issues.apache.org/jira/browse/NIFI-11971 that affects Apache NiFI 1.23.0 and 1.23.1. It has been addressed in Apache NiFi 1.23.2, so please upgrade to that latest version: https://nifi.apache.org/download.html So you will want to upgrade to Apache NiFi 1.23.2+ This bug fix is already included in the CFM 2.1.6 release and was not a bug in earlier CFM releases: https://docs.cloudera.com/cfm/2.1.6/release-notes/topics/cfm-fixed-issues.html If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
10-20-2023
02:01 PM
@Knowledgeknow I am not clear here: when I enable ingress for it. It’s returning me as 502 bad request NiFi-Registry is secured once configured with an HTTPS hostname, HTTPS port, keystore, and truststore. For more info: security_configuration As soon as HTTPS is enabled, TLS/SSL is used. It is either enabled as "REQUIRED" or "WANT", but can not be set to "NONE". This is controlled by nifi.registry.security.needClientAuth=true (default) With "true" being "Required" and false being "Want" In order for NiFi to be able to successfully negotiate a mutual TLS handshake, the NiFi "registry client" must use the HTTPS nifi-registry "https://<nifi-registry hostname>:<port> url and have either the keystore and truststore configured in nifi.properties or a StandardRestrictedSSLContextService configured with valid keystore and truststore. The NiFi-registry keystore must: - Contain a single PrivateKeyEntry - PrivateKey entry has serverAuth EKU - PrivateKey Entry has SAN entries that include any hostname and IPs that client(s) may use to connect to it. Since you have configured hostname with 0.0.0.0 so that NiFi-Registry binds to all NICs, you'll need to make sure valid network IPs and hostnames are in the SAN. The NiFi-Regsitry truststore must: - Contain the complete trust chain capable of establish trust for the PriavteKey in the NiFi keystore being used by the NiFi Registry Client. The NiFi keystore must: - Contain only one PrivateKey Entry. - PrivateKey DN must not use wildcards - PrivateKey Entry MUST have both clientAuth and ServerAuth EKU - PrivateKey Entry must have SAN entries for NiFi hostname, and IPs clients may use to connect to it. The NiFi truststore must: - Contain the complete trust chain capable of establish trust for the PriavteKey in the NiFi-Registry keystore configured in the nifi-registry.properties file. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
10-20-2023
01:08 PM
@plapla It sounds like you may be hitting https://issues.apache.org/jira/browse/NIFI-11971 that affects Apache NiFI 1.23.0 and 1.23.1. It has been addressed in Apache NiFi 1.23.2, so please upgrade to that latest version: https://nifi.apache.org/download.html This bug fix is already included in the CFM 2.1.6 release and was not a bug in earlier CFM releases: https://docs.cloudera.com/cfm/2.1.6/release-notes/topics/cfm-fixed-issues.html If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
10-16-2023
02:19 PM
1 Kudo
@techNerd Clearing a processor components state requires stopping the processor before you can "clear the state". Stopped state is required because the the processor may be writing or updating state when you attempt to clear state which would cause issues. When stopped there is no need to worry about a race condition between writes and deletes. That being said, reseting the sequence number stored in state to 0 can be accomplished using the advanced UI of the UpdateAttribute processor and a special reset-seq flowfile you feed into the processor at 00:00 each day. The advance UI of the UpdateAttribute processor works like if,the,else logic. So you would set up a Rule "reset" and a condition (if), If condition is true the "Actions" are applied. If no Rules's conditions are true, the processor's non advanced UI properties are applied. UpdateAttribute properties (same as you already have): Click on "advanced" in lower left corner of processor configuration UI to open and configure Rules: Now all you need to do is setup a GenerateFlowFile processor that feeds a FlowFile into the updateAttribute processor once a day to reset seq to 0 stored in tat UpdateAttributes processor's local state. Optionally you could add a RouteOnAttribute processor after the UpdateAttribute to route out the sequence file for termination so it does not continue through your dataflow. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
10-10-2023
12:15 PM
1 Kudo
@arturbrandys2 Policies are defined by the end services utilizing Ranger. Ranger also does not make authorization decisions. Each service runs a client that downloads the latest policy definitions json from Ranger for its specific service. The end service then uses those policy definitions to handle authorizations for the service. Ranger does not offer a method to define an "and" relationship between multiple groups. Even if this was possible, the end services would need to also be modified to handle that association when making access decisions based on the downloaded json. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
10-10-2023
12:06 PM
@GauthierCLM You should raise a support case with Cloudera through https://my.cloudera.com/support.html. You'll need to login with your Cloudera username and password. You could also contact your Cloudera Account manager who can assist you with your licensing needs. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
10-06-2023
09:01 AM
@PriyankaMondal 1. Not clear on the question here. Why use Toolkit to create three keystores? I thought you were getting three certificated (one for each node) from your IT team. Use those to create the three unique keystores you will use. 2. It appears your DN has a wildcard in it. NiFi does not support the use of wildcards in the DN of node ClientAuth certificates. This is because NiFi utilizes mutualTLS connections and the clientAuth DN is used to identify the unique connecting clients and is used to setup and configure the authorizations. Now you could ask your IT team to create you one keystore with a non wildcard DN like "cn=nifi-cluster, ou=domainlabs, DC=com" and add all three of your Nifi node's hostnames as SAN entries in that one PrivateKeyEntry. This would allow you to use that same PrivateKey keystore on all three NiFi nodes. This has downsides liek security. If keystore on one node gets compromised, all hosts are compromised because it is reused. All nodes will present as same client identity (since all present same DN) during authorization. So nothing will distinguish one node from the other. The keystore used by NiFi can ONLY contain one privateKey entry. Merging multiple keystores with privateKey entries will result in one keystore with more than one PrivateKeyEntry which is not supported by NiFi. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
10-05-2023
08:02 AM
@LKB Can you share screenshots of your UpdateAttribute processor configuration? Are you using the advanced UI of the UpdateAttribute processor? The UpdateAttribute processor is fairly simplistic in design. Without configuring the advanced UI, it simply can remove attributes or create/modify existing attributes. Each Attribute is defined by key:value pairs where the property name is the key and property value is the key. The Advanced UI allows for conditionally based attribute additions or modifications. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
10-05-2023
07:41 AM
@PriyankaMondal You should have a signed certificate for each of your three NiFi nodes. Make sure those certificates meet the minimum requirements for NiFi. Certificate DN can not contain wildcards. Certificate Extended Key Usage (EKU) must include "clientAuth" and "serverAuth" Certifcate must contain SAN entry for server hostname and any alternate DNS names that server may use. The Certificate (PrivateKey) needs to be placed inside a JKS or PKCS12 keystore. There are plenty of resource in the web for creating keystores. But essentially you want to combine your pem and key files to make a p12 file. You can then import that p12 file in to a JKS keystore. A NiFi keystore must contain ONLY one PrivateKeyEntry. So don't create a singel keystore where you import all 3 private keys. You should have three separate Keystores (one for each NiFi node). NiFi uses two keystores (keystore and truststore): Keystore - contains only one PrivateKeyEntry (unique to each NiFi node) Truststore - contains one too many TrustedCertEntries. The same truststore is used on all NiFi nodes. The truststore needs to contain the compete trust chain for your node's private keys. A certificate is signed by an authority. In order for server to trust a certificate presented in a TLS exchange, the authorities that signed that certificate must be trusted. That is where this truststore comes into play. An authority can be of two types, intermediate CA or Root CA. An intermediate CA is one where the issuer and signer are two different entities (DNs don't match). A Root CA is one where the issue and signer are the same (DNs match). Let's say you Private key with DN = "CN=node1, OU=NiFi" was signed by an Intermediate corp CA with "DN = CN=Intermediate1, 0U=company". And that intermediate CA TrustedCert was signed by a Root CA with DN = "CN=RootCA, Ou=company". In order for your truststore to have the complete trust chain, the NiFi truststore would need to contain both a TrustedCertEntry for Intermediate CA and the root CA. For the Truststore you will need to get the public cert(s) from your IT team (who should also be able to help you with your keystore and truststore creation) As far as the setup of NIFi goes, nothing else is different from what you did when using the self-signed certificates when it comes to configuration. Keep in mind that each node's identity is derived from the nodes private certifcate DN. That DN is evaluated against and configured user identity mapping patterns configired in the nifi.properties file. If the java regex pattern matches the certificate DN, the mapping value and mapping transform are applied. That resulting mapped identity is what needs to be authorized in NiFi. So these mapped identities become your node identities when configuring the NiFi authorizer. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
10-04-2023
05:46 AM
@hegdemahendra The autoload capability in NiFi can only auto-load new nars added to the directory. It does not handle unload or reload. The reason for this is because a reload would require the upgrade of existing components using a previously uploaded nar. This process would require the stopping of all components added to canvas from that nar, upgrading all those components to the new nar version, and then starting the components again. You also have the issue with the fact that the flow.json.gz has already been loaded in to memory with a different component version. Then you also have the issue of when someone adds a new nar version and does not remove the old nar version first. You should be able to click on a component on the canvas once multiple version of same class are loaded and switch to the other version. With the way NiFi is designed, NiFi will allow multiple versions of the same components to be loaded (always been that way). So there has never been the capability when multiple versions of the same component are loaded to trigger an upgrade of any components from those duplicate component classes on the canvas. NiFi can only change a component's version on startup and only if only one version of the component class exists on startup. On startup, NiFi loads the NiFi lib nars and any nars found in custom lib folders or autoload directory. These nars get unpacked in to a work directory. NiFi then starts loading the dataflow from the flow.json.gz file. The flow.json.gz contains each components class, version, and configuration. When loading a component where version is not found but ONLY one different version of that same component class is found, NiFi will switch that component that version of the class (could be older version or newer). If any component versions changed on startup a new flow.json.gz is written out to match what is loaded in to memory. If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more