@theKiteRunner  NiFi token based OIDC authentication generates a token that is only valid for the NiFi instance on which the token was obtained. There are really tow tokens in play here, the client token issued for the authenticating user stored with the browser and a corresponding server side token stored in NiFi.  If you have a NiFi cluster setup with a load balancer in front of your cluster'sNiFi nodes, you'll need to make sure you have sticky sessions (also known as session persistence) setup in your load balancer.  So when you authenticate with NiFi node A and get a Client Token, the sticky sessions will make sure all follow-on request continue to route to node A instead of other nodes in the NiFi cluster. It sounds like you obtained a user token directly from Azure AD without going through NiFi's URL or you don't have sticky sessions setup resulting in the subsequent request post Azure AD auth routing to a different NiFi node. This would result in the "no matching key(s) found" exception when client JWT token is sent to a NiFi node that does not have the corresponding server token.  If the OIDC properties are configured correctly in NiFi, when you try to access the NiFi URL without a client token, it should redirect you to the the configured OIDC discovery URL. Once you authenticate, your browser obtains a client token and the NiFi node that redirected to your Azure AD OIDC URL will store the corresponding server side token. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more

@Fabricio you area using a very old version of JDK 1.8.0.  I suggest you try upgrading your JDK version to the latest release and try again. I believe the latest JDK is 1.8.0_381.   Is you found this answered sister you, please take a moment to login in and accept it as a solution.  Thanks, Matt ... View more

@shamika  NiFi based authorization is case sensitive. 2023-07-12 10:46:40,800 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[myuser], groups[bigG, bigdGer] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response the nifi-user.log is telling you that your successfully authenticated user "myuser" is known by NiFi to belong to groups "bigG" and "bigdGer".  In Ranger you'll need to make sure that yoru user "myuser" or one of these groups "bigG" and/or "bigdGer" has been authorized for "READ" on the "/flow" NiFi resource Identifier.  If Ranger has the group as "bigg" or "BIGG", "bigDGER", etc it will not work because NiFi is case sensitive. You could also share your authorizers.xml if you'd like use to verify your configuration there. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more

@shamika  You need to check the nifi-user.log to see your exact user identity string which is being denied when trying to view the user interface.   That exact user identity string (case sensitive) must then exist as a user in Ranger service and be authorized fro Read on the "/flow" NiFi Resource identifier under the NIFI service in service manager. You can find a full list of NiFi Resource Identifier descriptions in the following Cloudera Community article and how they relate to the policies within the NiFi service: https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/246586 If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt     ... View more

@shamika  When you log in to NiFi, you'll want to inspect the nifi-user.log to see the exact exception and NiFi policy that the authenticated user is missing authorization for.  The screenshot you shared above that appears right after successful authentication implies that your authenticated user's identity string (you see this in nifi-user.log) is not authorized on the "view the user interface" NiFi Policy (/flow NiFi resource Identifier in Ranger). If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more

@MWM  Your description is not super clear to me. FlowFile Attributes are in format of <attribute name>=<attribute value> example key=value FlowFile attributes: Attribute name = Attribute value name=toyota type=car Here is how I interpret what you have provided: - You have a FlowFile that has a custom FlowFile "Attribute Name" on it "name". - That "name" Attribute has no value associated to it. (name = ) The UpdateAttribute processor allows you to add new key=value (attribute name = attribute value) attribute pairs to an existing FlowFile or modify the value of an existing FlowFile Attribute Name. You can NOT create a new attribute and then modify or use that new attribute within the same processor in which it was created. Lets say you have a FlowFile with the example FlowFile attributes and values I shared above. Then you use the UpdateAttribute processor to change the value on the Attribute "name" to all uppercase. The NiFi Expression Language (NEL) statement you created: ${name:toUpper()} will take the subject "name" and return it's value "toyota".  That returned value is passed to the toUpper() NEL function which converts the it to Uppercase "TOYOTA".  The resulting value is then written to the FlowFile attribute defined in the UpdateAttribute processor. Assuming an UpdateAttribute processor configured as below: The NEL expression resulting a new value of "TOYOTA" would be written to the FlowFile Attribute "name" since "name" already exists as an attribute on the FlowFile, its current attribute value of "toyota" would be replaced with new value "TOYOTA". Hope this helps clarify how NiFi FlowFile Attributes and the UpdateAttribute processor is used. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more