Member since
07-30-2019
3472
Posts
1642
Kudos Received
1020
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 270 | 06-03-2026 06:06 PM | |
| 543 | 05-06-2026 09:16 AM | |
| 1077 | 05-04-2026 05:20 AM | |
| 604 | 05-01-2026 10:15 AM | |
| 714 | 03-23-2026 05:44 AM |
08-17-2023
10:19 AM
@abdullahvvs What exceptions are you seeing in the nifi-app.log when this processor gets scheduled to execute? Does your NiFi service user have ability to execute python3? Does your NiFi service user have ability to travers the directory tree and read /opt/nifi/nifi-current/Testxx.py? If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-17-2023
10:14 AM
1 Kudo
@sinRudra I recommend reading through the comments, suggestions, and troubleshooting done within the following Apache NiFi Jira to see if you are encountering similar observations. https://issues.apache.org/jira/browse/NIFI-10143 If so, it may be best to create a new Apache JIra for your specific character set issues to see what the committer community can do for you. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-17-2023
09:37 AM
1 Kudo
@edim2525 Just to add to what @cotopaul already shared: Out-of-the-box NiFi install sets users up with a single user authorizer and single user login provider. These provider are not designed for production use, but where designed to allow for an easy out-of-the-box secure install of NiFi. This default provider allows for only a single user with full unmanaged access to NiFi. See links provided by @cotopaul for more info there. Reconfiguring your out-of-the-box NiFi configuration to instead use a managed authorizer would then give you the ability to create various levels of authorization for different authenticated users. The managed authorizer used a file-access-policy-provider and file-user-group-provider to create and seed the users.xml and authorizations.xml files upon first startup. After these files exist, those two providers will not modify them via any config changes you make within the providers. The initial user identity and initial admin defined in those providers will seed those files with the required authorization policies for that authenticated user to perform admin type actions (such as authorizing additional authenticated users against various NiFi policies. NiFi does NOT have the ability to managed local users, this means that user authentication must be handled via an external method. The most commonly used method for user authentication are Mutual TLS using clientAuth certificate, ldap-provider (allowing user authentication via. uses ldap username and password), and kerberos based authentication (via Spnego or Kerberos-provider login provider). Once your NiFi is setup to support multi-user authentication and authorization, your "initial admin" will have ability to define additional user authorizations including those authorization your initial admin was pre-configured with. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-16-2023
06:00 AM
@edim2525 It would be very difficult to tell you exactly what is wrong without seeing your AD entries. The User Search Base should be set to what ever base level is needed to be able to search on all user DNs that are members of your nifi-admins group. This may require you to change the "User Search Scope" to " SUBTREE", but again I can't say for sure for your AD. I see you set up an or in your "User Search Filter" even though you only have one filter, but that should not be an issue. Are you also trying to return only that one group "nifi-admins"? If so, you could also add the following "Group Search Filter" to limit your returned groups to just one. (cn=nifi-admins) The ldap-user-group-provider also does not require that your setup both "user" sync and "group" sync as it is often possible to make user to group associations with only setting up one or the other. for example: <property name="User Search Base"></property>
<property name="User Object Class"></property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute">sAMAccountName</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">XXX</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">(|(cn=nifi-admins)(cn=nifi-team1))</property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property> What above config will do is initiate a group sync only execution returning a member user DNs from the "member" attributes found on the groups "nifi-admins" and "nifi-team1". For each of those returned Member DNs, the provider will search those users in AD to retrieve thee user Identity string from the sAMAccountName attribute of each users AD entry. Those sAMAccountName user strings then get associated with the appropriate group. There are many ways to set this up, but they all depend on an individuals LDAP/AD entries, so all I can make are suggestions and examples based on commonly seen structures. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-15-2023
06:59 AM
2 Kudos
@learner-loading The Site-To-Site functionality in NiFi has not evolved a whole lot since it was first introduced. You have an initial client server connection over http(s) followed by FlowFile transfer via either the same HTTP(s) connection or via a dedicated Raw socket connection depending on the configuration on the server side of the connection. To use a mutual TLS HTTPS connection for initial connection, the following property must be set tp true: nifi.remote.input.secure=true In order to set this to true, NiFi must be configured with a keystore and truststore in the nifi.properties file as well. To support HTTP(s) FlowFile transfer the following property must be set to "true": nifi.remote.input.http.enabled=true To support RAW socket connection for FlowFile transfer, the following property must be configured with a port not in use by all nodes in yoru NiFi cluster: nifi.remote.input.socket.port=10443 The Remote Process Group is always the "client" in the site-to-site connection. The Remote Input and Remote output ports are then the "server" side of the connection. So when the Remote Process Group (RPG) has been configured with a URL(s) (If target NiFi is a cluster setup, you can optionally provide a comma separated list of URLs for the hosts in the same target cluster to offer some redundancy in case one of the target nodes is down), the RPG will start automatically connecting to first URL to try to fetch Site-To-Site (S2S) details about the server side of this connection. Those server details include if the server side is configured secure or unsecured, if it supports HTTP, RAW, or both, the URLs for all connected nodes in target cluster, NiFi HTTTP port for all connected nodes, RAW port for all connected nodes, total amount of queued FlowFiles on each connected node, Available Remote Input and Output ports on target NiFi cluster. With an HTTPS enabled Site-To-Site, the keystore and truststore files configured on both source/client Nifi and target/server NiFi will be used in the mutual TLS handshake connection made (The client certificate DN is used as the client identity passed to the server that needs to be properly authorized on the target Remote Input and Output ports. If authorization is successful and the ROPG has "enabled transmission" FlowFiles will be able to transfer from RPG to Remote Input Port or From a Remote Output Port to the RPG. Better load-balancing is achieved with RPG pushing to Remote Input Ports. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-15-2023
06:23 AM
@Tenda Since you are saying you can freely navigate the NiFi UI when in this "stuck" state, NiFi is not stuck as both the UI and processor components all operate within the same JVM. What you circled indicates that at the exact moment (last time browser refreshed) there were 24 active threads out of the 32 configured in the Max Timer Driven Thread pool settings. Milliseconds later that could still be 24 active threads but consumed by different components. The NiFi processors will all show small a small number in the upper right corner if they have an active threads, so step one is determining which processors are holding these 24 threads for a long time. Then looking at those processors and the thread dumps to figure out why those threads are long running. Typically we would see this when external service connections are made which are unstable, network issues, local NiFi repo I/O, NiFi CPU utilization, or long or very frequent GC pauses, or even OOMs. So you have ruled out a few of these so far it sounds. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-15-2023
06:10 AM
1 Kudo
@edim2525 You have a configuration issue in your ldap-user-group-provider within the authorizers.xml. The following filter will not work in this provider. <property name="User Search Filter">(sAMAccountName={0})</property> "{0}" can only be used in the ldap-provider within the login-identity-providers.xml configuration file. That string gets replaced with the username entered at the NiFi login window. The ldap-user-group-provider executes independent of any input every 30 mins to sync current users and groups. So here is is literally looking for a user with that sAMAccountName which does not exist, so no users are be synced. All you are getting back is groups. A more common User Search Filter would be an "or" of select groups that you will be using to authorize various levels of access to your NiFi. Leaving blank would sync all users at ONE_LEVEL of your configured User Search Base. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-14-2023
08:10 AM
@tej_s @jakese There are some recently discovered issues seen as more individuals start using the encrypted repository capability that have been addressed in Apache NiFi 1.23. I encourage you to see if you can reproduce your issue with release 1.23 or newer. Some specific related fix that are part of 1.23: https://issues.apache.org/jira/browse/NIFI-10235 https://issues.apache.org/jira/browse/NIFI-11670 11670 fixed some offset tracking issues and content handling issues that could very likely be causing your issue. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-14-2023
07:25 AM
1 Kudo
@Tenda What processor become unresponsive? You mean that the processor indicates that it is currently executing a thread (small number shown in upper right corner); however, all the stats on the processor for in, out, tasks show 0 for last 5 minutes? If tasks show numbers updating, then tasks/threads are executing and completing. If tasks is showing 0 for last 5 minutes or very low for last 5 minutes and you see an active thread number in upper right corner of processor, it may be caused by a few reasons: Your CPU load average is how due to cpu intensive processors executing at same time. (would expect lag in UI if CPU was saturated) You have a processors configured with too many concurrent tasks leading to other processors not getting allocated a thread often enough. (If core load average is consistently low, you could increase the size of your max timer driven thread pool higher than 32. Java heap garbage collection (GC). GC happens when your JVM heap usage reaches ~80% utilization. If your heap is too small, you could be experiencing lots of back to back GC. All GC whether partial or full GC are stop-the-world events weaning JVM will do nothing while GC is happening. If you heap is set to large, the GC stop-the-world may take much longer to complete. You have processors that have long running tasks or hung threads consuming threads from your available max timer driven thread pool thus limiting available threads for other components. Only the examination of a series of multiple NiFi JVM thread dumps collected minutes apart will tell you if you have a long running task (thread dump shows change to thread indicating slow progress being made) or potentially hung thread (thread dumps all show same consistent output for thread. When you have a processor that is in this state and "terminate" the thread on the processor, does the terminated thread (shown as small number with parenthesis "(1)") ever go away? if not, that terminated thread never completed. While "terminate" release FlowFile associated to that thread back to inbound connection queue and give user back full control of the processor. The only way to "kill" a truly hung thread is by restarting the entire NiFi JVM. Which you said you do once in awhile. Hope you find this information helps you drill deeper in to your issue and identify what is impacting you. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
08-11-2023
08:27 AM
@tej_s I recommend against switching to encrypted repositories while you still have content in your flowfile_repository, content_repository, and provenance_repository. What version of Apache NiFi are you using? If you stop NiFi and delete the contents of these encrypted repositories and startup clean, do you encounter and issues like above with all new data being processed through your dataflows? If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more