Member since
07-30-2019
3472
Posts
1642
Kudos Received
1020
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 261 | 06-03-2026 06:06 PM | |
| 529 | 05-06-2026 09:16 AM | |
| 1045 | 05-04-2026 05:20 AM | |
| 586 | 05-01-2026 10:15 AM | |
| 703 | 03-23-2026 05:44 AM |
07-12-2023
11:44 AM
@shamika You need to check the nifi-user.log to see your exact user identity string which is being denied when trying to view the user interface. That exact user identity string (case sensitive) must then exist as a user in Ranger service and be authorized fro Read on the "/flow" NiFi Resource identifier under the NIFI service in service manager. You can find a full list of NiFi Resource Identifier descriptions in the following Cloudera Community article and how they relate to the policies within the NiFi service: https://community.cloudera.com/t5/Community-Articles/NiFi-Ranger-based-policy-descriptions/ta-p/246586 If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
07-12-2023
06:44 AM
@shamika When you log in to NiFi, you'll want to inspect the nifi-user.log to see the exact exception and NiFi policy that the authenticated user is missing authorization for. The screenshot you shared above that appears right after successful authentication implies that your authenticated user's identity string (you see this in nifi-user.log) is not authorized on the "view the user interface" NiFi Policy (/flow NiFi resource Identifier in Ranger). If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
07-12-2023
06:30 AM
@MWM Your description is not super clear to me. FlowFile Attributes are in format of <attribute name>=<attribute value> example key=value FlowFile attributes: Attribute name = Attribute value
name=toyota
type=car Here is how I interpret what you have provided: - You have a FlowFile that has a custom FlowFile "Attribute Name" on it "name". - That "name" Attribute has no value associated to it. (name = ) The UpdateAttribute processor allows you to add new key=value (attribute name = attribute value) attribute pairs to an existing FlowFile or modify the value of an existing FlowFile Attribute Name. You can NOT create a new attribute and then modify or use that new attribute within the same processor in which it was created. Lets say you have a FlowFile with the example FlowFile attributes and values I shared above. Then you use the UpdateAttribute processor to change the value on the Attribute "name" to all uppercase. The NiFi Expression Language (NEL) statement you created: ${name:toUpper()} will take the subject "name" and return it's value "toyota". That returned value is passed to the toUpper() NEL function which converts the it to Uppercase "TOYOTA". The resulting value is then written to the FlowFile attribute defined in the UpdateAttribute processor. Assuming an UpdateAttribute processor configured as below: The NEL expression resulting a new value of "TOYOTA" would be written to the FlowFile Attribute "name" since "name" already exists as an attribute on the FlowFile, its current attribute value of "toyota" would be replaced with new value "TOYOTA". Hope this helps clarify how NiFi FlowFile Attributes and the UpdateAttribute processor is used. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
07-11-2023
06:22 AM
@MWM For good security reasons, NiFi does not support passwordless keystore and truststore files. The password fields can not be blank. Also keep in mind that the default "nifi.web.https.host=127.0.0.1" is localhost on the machine were you installed NiFi. So you will not be able to access this IP from any other machine. You'll need to use a browser installed on the same machine. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
07-11-2023
06:12 AM
@mbraunerde When you authenticate to NiFi, a client token is issued for your user. That token is then presented by your browser with all subsequent requests since every action performed in NiFi must be both authenticated and authorized. When the token expires, a new one must be obtained. While you have configured the OIDC properties to support authentication via an external AD, you are still using the Single-user-authorizer which allows full access to only the user created by the Single-user-provider. I suggest you modify your nifi.properties file to use: nifi.security.user.authorizer=managed-authorizer This provider will utilize the the file-access-policy-provider (authorizations.xml file) for user authorizations. With your configuration above it will set admin level authorizations for user: admin@login-domain.com This user would be then allowed to access the NiFi and manage additional user authorizations via the UI. As far as access to the NiFi rest-api, I'd recommend using a certificate instead of your AD. 1. No need to obtain a user token - Include the clientAuth certificate in all your rest-api calls. 2. Will work for as long as the client certificate is valid. Certificate can be configured with long validity dates (often 2 years or more) 3. Token are only valid for the NiFi node on which they were issued. meaning if you accessed a different NiFi node in a NiFi cluster or a different instance of NiFi, you would need to get a new token each time. 4. Using a token requires you then to store that token somewhere for reuse by your individual rest-api calls. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
07-11-2023
05:55 AM
@sarithe That looks pretty health to me. GC Young Gen is a normal activity to see as the JVM will not free up memory until heap memory utilization reaches around the 80% point. Old Gen is full garabage collection and takes a lot longer and is triggered when Young Gen does not clean-up enough heap space. I see that is at 0. Have adjusted the concurrent tasks on the processors where you see a bottleneck or lower then expected throughput, consumption, etc? If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
07-11-2023
05:50 AM
1 Kudo
@hegdemahendra The ConsumeAzureEventHub processor utilizes the AzureSDK library. The AzureSDK manages an internal thread pool for consuming events outside of the control of the NiFi processor. When the processor is started the single concurrent task thread is used to give a handle to the AzureSDK Session Factory. At that point all thread control pertaining to the consumption of events is outside the bounds of the NiFi framework. There are unfortunate side effects caused by using the AzureSDK in this processor. Since thread handling is moved out of the NiFi framework control, backpressure on the outbound connection(s) of this processor are not going to be honored. NiFi Framework handles backpressure as a soft limit and once the threshold on the connection is met or exceeded, the framework stops scheduling the source component. Since the ConsumeAzureEventHub processor on startup only gets "scheduled" once (hands off thread to AzureSDK to handle thread pool and consumption, the processor never needs to be scheduled again (always on). Only stopping the processor will stop the underlying AzureSDK from consuming more events. Risk here is that if a downstream issue happens, the connection(s) outbound from the ConsumeAzureEventHub processor will continue to grow until you run out of disk space on the FlowFile or content repository disks. The following Jira covers this limitation: https://issues.apache.org/jira/browse/NIFI-10353 If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
07-10-2023
01:01 PM
@hegdemahendra There currently are no NiFi processors for ingesting from Delta Lake. There is an existing Apache Jira for creating such list/fetch processors for Delta Lake, but it is still open and does not look to be actively being worked on: https://issues.apache.org/jira/browse/NIFI-7093 I am not aware of any open source 3rd party options here as well. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
07-10-2023
09:47 AM
@MWM The stack trace you provided from the logs indicates and issue with the truststore properties. The truststore properties are not valid You'll want to inspect the keystore and truststore properties in the nifi.properties configuration file. Make sure none are blank or incorrect. I have seen this happen when the keystoreType and/or TruststoreType properties are blank (should be set to JKS or PKCS12 depending on your keystore format). If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more
07-07-2023
06:31 AM
2 Kudos
@SandyClouds What i am saying is that rest-api call response you got via command line is probably not the exact same request made by NiFi. What that response json tells you is that the user that made the request only has READ to all three buckets. You did not share the complete rest-api call you made, so I am guessing you did not pass any user authentication token or clientAuth certificate in yoru rest-api request and this that request was treated as bing made by an anonymous user. Since your bucket(s) have the "make publicly visible" checked, anonymous user will have only READ access to the buckets. In NiFi you are trying to start version control on a Process group. That means that the NiFi node certificate needs to be authorized on all buckets and authorized to proxy the NiFi authenticated user (who also needs to have read, write on the specific bucket to start version control. If the response received back to NiFi during the request is that nodes or user on has READ, then no buckets would be shown in that UI since the action that UI is performing would be a WRITE. You should use the "developer tools" in your web browser to capture the actual full request being made by NiFi when you try to start version control on a process group. Most developer tolls even give you and option to "copy as curl" which you can then just paste in a cmd window and execute manually yourself outside of NiFi to see the same response NiFi is getting. My guess here is that you are having a TLS handshake issue resulting in yoru requests to NiFi-Registry being anonymous requests. The NiFi logs are not going to show you details on what authorization was on the NiFi-Registry side (you'll need to check the nifi-registry-app.log for that). All the NiFi log you shared shows is that your "new_admin" was authorized to execute the NiFi rest-api endpoint. This triggering the connection attempt with NiFi-Registry which also appeared successful (likely as anonymous). If you look at the verbose output for the NiFi keystore, NiFi truststore, NiFi-Registry keystore, and NiFi-Registry truststore, you'll be able to determine if a mutual TLS exchange would even be possible between the two services using the keystore and truststores you have in place. These versbose outputs which you can get using the keytool command will also show you the EKUs and SANs present on your certificates. <path to JDK>/keytool -v -list -keystore <keystore or truststore file> When prompted for password, you can just hit enter without providing password. The screenshots you shared showing the authorizations configured in NiFi-Registry are sufficient. I was simply pointing out that you gave too much authorization to your NiFi node in the global policy section. This is why i am leaning more to a TLS handshake issue resulting in an anonymous user authentication rather then an authorization issue. You'll also want to inspect your nifi-registry-app.log for the authorization request coming from NiFi to see if is authorizing "anonymous" or some other string. Perhaps you have some identity mapping pattern configured on NiFi-Registry side that is trimming out the CN from your certificate DNs? In that case you could also see this behavior because your NiFi-Registry would be looking up authorization on different identity string (instead of "CN=new_admin, OU=Nifi, i maybe looking for just "new_admin"). NiFi and NiFi-Registry authorizations are exact string matches (case sensitive); otherwise, treated as different users. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt
... View more