Member since
07-30-2019
3421
Posts
1628
Kudos Received
1010
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 184 | 01-13-2026 11:14 AM | |
| 327 | 01-09-2026 06:58 AM | |
| 580 | 12-17-2025 05:55 AM | |
| 641 | 12-15-2025 01:29 PM | |
| 583 | 12-15-2025 06:50 AM |
01-07-2026
06:43 AM
@pnac03 1). The keystore configured in NiFi (nifi.properies and in SSL Context Service controller services) and NiFi-Registry (nifi-registry.properties) must contain only 1 PrivateKeyEntry since there is no way to control which is used when multiple exist. The verbose output you shared for your keystore shows it containing only 1 PrivateKeyEntry. 2) TLS will negotiate the highest mutually supported version between client and server in the mTLS exchange. 3) You did not share the verbose output for the keystore used in the SSL Context Service you configured your NiFiFlowRegistry client to use. Would also need to see the nifi-registry.properties file to inspect all the identity mapping properties set to see how the DNs might be manipulated. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
01-06-2026
09:47 AM
@PepeVo Without the nifi-app.log output it would be impossible for us to guess where it is failing in the startup process. The NiFi bootstrap process simply starts the main NiFi process and monitors that child process id to make sure it still exists (NiFI has not died). Apache NiFi should start securely out of the box without needing to make any configuration modifications to the nifi.properties file. All you need to do is make sure Java 21 is the default java version installed on the NiFi server host first. So my guess is issue is with some configuration you have modified from the defualt in your nifi.properties file. Or perhaps an issue with a manual configuration you made in some other nifi configuration file within the conf directory. Thank you, Matt
... View more
01-06-2026
09:19 AM
1 Kudo
@Green_ When you deploy a Dataflow (that has a parameter context assign to it) from NiFi A via NiFi-Registry to another NiFi B, the parameter context will be added to NiFi 2 if a parameter context of the same exact name does NOT already exist in NiFI 2. If the Parameter Context with same name already exists, that local parameter context will be used. Additionally, if the parameter context of the same name present in the original flow from NiFi has a new parameter name not present in same named pre-existing parameter context on NiFi B, that additional name/value will be added to the existing same named parameter context on NiFi B. So NiFi / NIFi-Registry was designed with the intent to handle different parameter values per NiFi deployment. Now the first time you deploy a flow from NiFi A to NiFi B, you end up with the parameter context from NIFi A being added to NiFi B. You'll need to update values as needed in NiFi B before starting the dataflow(s) in that Process group. But new version after that will not be an issue (unless additional new parameter name/value pairs are added. Those would need to be updated or you could add the new params manually in NiFi 2 before updating version. I think above solution is better since you'll have the all the parameter name/value pairs when you import the new dataflow from NiFi-Registry, you'll just need to update some values before starting the new dataflow. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
01-06-2026
05:55 AM
@pnac03 Some clarification: The NiFi Registry Client (NifiRegistryFlowRegistryClient) will use the configured keystore and truststore in the defined SLS ContextService if configured to authenticate with the target NiFi Registry URL. This Client Auth certificate will proxy the request on behalf of the user identity displayed in the upper right corner of the NiFi UI where this NiFi Registry client is being used. If an SSL Context Service is not defined in the Registry client, the Registry client will use the keystore and truststore configured in the NiFi node's nifi.properties files. Now it is common in a Nifi cluster setup that every node has its own unique keystore. As such you would need to make sure that all the clientAuth certificates are properly authorized to proxy user requests in the target NiFi (this applies no matter which NiFi node you are logged into when making the call to NiFi-Registry since the request gets replicated by all nodes.). That brings into question your statement below: I have verified the same even from Registry using tcpdump in my setup and I do see that the incoming CN name from nifi is CN=node-0-nifikop instead of what is referenced in the SSL Context. Can you share the verbose output for your PrivateKeyEntry? Does it contain only 1 PrivateKey Entry or multiple? (Must contain only one since NiFi Registry client does not provide a configuration option to specify a specific certificate by alias name. ----- Public bucket clarification: A public bucket allows any user to import a flow from that bucket to the Canvas of a NiFi. It does not allow any user to write (start version control) of a new dataflow or commit new version of an existing version controlled dataflow to the public bucket. Writing a new flow to a bucket will require proper write permission on the bucket regardless of whether the bucket is public or not. ------- User Identities: The user identities coming from the ssl context services and proxied are case sensitive "User 2" and "user 2" would be treated as to different users in both NiFi and NiFi-Registry. The User identities are evaluated against any identity mappings that may be configured in the nifi-registry.properties file, so you'll want to take a look at these to make sure they are not manipulating the user identity string or clientAuth certificate DN. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
01-06-2026
05:25 AM
@MuruganFinastra Since you are getting a 403 response, the first thing you should do is see what user identity this 403 is being returned for. For this you'll want to be tailing the nifi-user.log while you attempt to make this rest-api call. You will see the denied related log lines in the nifi-user.log. That logging will provide the user identity string and which NiFi authorization policy required for which that user identity did not have the required permissions. Using this output, we can determine the next steps required here. Is the expected user identity being logged? What is the logged authorization policy resulting in the 403 response? Also which user authentication and authorization configuration options are you using in your setup? Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
12-17-2025
05:55 AM
@Bern You just need to follow same steps you used in your original post question. You drag the add process group icon to the canvas.: In the pop-up window select the "browse" icon to far right instead of entering a "Name": Navigate to and select your downloaded flow definition you created in Apache NiFi 1.13 (I would strongly encourage you to be using Apache NiFi 1.28). There have been many changes a fixes and you'll want to make sure your Apache NiFi 1.x dataflows are valid on the latest 1.28 before attempting to move them to Apache NiFi 2.x). Apache NiFi 1.28 will also have deprecation logging that will help make user aware if they are using components that no longer exist in Apache NiFi 2.x. You'll need to make modification to your flows so you are no longer using those components before moving your flow definitions over to NiFi 2.x. Also be aware that NiFi 2.x no longer support NiFi Variables. These were deprecated and removed. The replacement is NiFi Parameters. So if you are using Variables in your NiFi 1 dataflows, you' need to modify your dataflows to use paramters before moving your flow definitons over to NiFi 2. After you have selected your flow definition json file, you have option to change name that is displays from json and click "Add": Remember that Apache NiFi 2.x is a major release change and the expectation is that you are on the latest NiFi 1.28 release before attempting to move to NiFi 2. NOTE: Cloudera Flow Management (CFM) licensed users have access to Cloudera specific automation tools that can auto transform templates into valid flow definitions and automated migration of CFM 2.1.7 SP2 (Apache NiFi 1.x based) flow.json.gz files into CFM 4.1x (Apache NiFi 2.x based) compatible version. This automation handles deprecated components, converting NiFi variables (deprecated) into NiFi parameters (replacement), etc. https://docs.cloudera.com/cfm/4.11.0/cfm-migration-tool/topics/cfm-mt-overview.html#concept_wlv_sl3_... Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
12-17-2025
05:34 AM
@fy-test Apache NiFi is only going to be able to address CVEs found in the NiFi-Registry package lib directory files included with the distribution. Any OS/System-level CVEs would need to be addressed by the owner of the platform on which the NIFi-Registry services is being used. You can find the Apache NiFi Security Reporting here: https://nifi.apache.org/documentation/security/ You'll find CVEs already addressed in NiFi and NiFi-Registry on the above page. You'll also see how to report any new security vulnerabilities you may discover. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
12-15-2025
01:44 PM
@Bern Is your external Zookeeper installed on the same host as your NiFi? If so, the load your NiFi is putting on those nodes may contribute to the performance of your ZK. The last Apache NiFi 1.x major release version if NiFi 1.28. I recommend upgrading to this version. You'll potentially need to make significant changes and updated to your Apache NiFi 1.x versions dataflows before they can be used in Apache NiFi 2.x. Apache NiFi 1.28 is also new enough that it will produce the flow.json.gz format that is also used by Apache NiFi 2.x. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
12-15-2025
01:37 PM
@Bern The single-user-provider authentication login provider and Single-User-Authorizer are extremely basic and only intended for out-of-the-box Apache NiFi product evaluation. Apache NiFi also generates simple self-signed certificates to support the secured connection over HTTPS. For more robust security you should be using a different multi-user authentication provider like ldap-provider and a multi-user authorizer like the managed-authorizer. You should also generate signed certificates. The Self-signed certificates generated by NiFi will eventually expire. Reference: User Authentication Multi-Tenant Authorization Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more
12-15-2025
01:29 PM
@Bern NiFi templates were deprecated in Apache NiFi 1.x and removed completely in Apache NiFi 2.x major release. Around Apache NiFi 1.12 the xml format was deprecated, but remained as a part or NiFi 1.x major release versions. This impacted for both templates and the flow.xml.gz file that held everything you see on the canvas. NiFi introduced Flow Definitions (template replacement which is in json format) and the flow.json.gz to replace the flow.xml.gz for persisting the entire NiFi canvas's dataflows. When you upgrade to a version of NiFi greater then 1.12, NiFi will still load from a flow.xml.gz file and will then convert and write back out the newer flow.json.gz format. Flow Definitions can be created by right clicking in a process group on the NiFi canvas and selecting option to download a flow definition for that specific process group. The screenshot you shared show you attempting to import a flow definition in Apache NiFi 2 but providing a NiFi template instead of a Flow Definition. That is why you encountered the exception about it not being a valid json. Unfortunately, Apache NiFi does not have utility for converting NiFi templates into Flow Definitions. So you will need to have a NiFi 1.13+ version of Apache NiFi where you can still load your templates and then download them as flow definitions )some templates will require manual modification before they can be downloaded as a flow definition. There are numerous breaking changes in Apache NiFi 2.x major release so I suggest reading through the Apache NiFi migration guide to understand what those changes are any the manual actions you may need to make to your NiFi 1.x release flows before they can be used in NiFi 2.x. https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance NOTE: Cloudera Flow Management (CFM) licensed users have access to Cloudera specific automation tools that can auto transform templates into valid flow definitions and automated migration of CFM 2.1.7 SP2 (Apache NiFi 1.x based) flow.json.gz files into CFM 4.1x (Apache NiFi 2.x based) compatible version. This automation handles deprecated components, converting NiFi variables (deprecated) into NiFi parameters (replacement), etc. https://docs.cloudera.com/cfm/4.11.0/cfm-migration-tool/topics/cfm-mt-overview.html#concept_wlv_sl3_5gb Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
... View more