12-17-2024
04:48 PM
1 Kudo
@Shelton Thank you for your advice. As I use the latest version of NiFi and it requires Java 21, I added the following line in bootstrap.conf and confirmed the warning messages disappeared.

```
java.arg.EnableNativeAccess=--enable-native-access=ALL-UNNAMED
```

I appreciate your help. Thank you,
12-13-2024
08:41 AM
1 Kudo
@Zifo1 When using Site-to-Site via Remote Process Groups (RPG) and Remote Input or Output ports between NiFi clusters, it is most efficient to push rather than pull data (FlowFiles). The NiFi RPG always acts as the client side of the connection. It will either send FlowFiles to a Remote Input Port or fetch FlowFiles from a Remote Output port. I would avoid fetching from Remote Output ports. You get better FlowFile distribution across the destination cluster when you send FlowFiles from the RPG. If the FlowFiles traverse both directions, you would simply set up an RPG on both NiFi clusters to push FlowFiles to the Remote Input Ports on opposite clusters.

Details about Site-To-Site can be found here: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#site-to-site

As far as the RPG goes, I recommend using the "RAW" transport protocol over HTTP. RAW requires that the dedicated RAW port is configured in the server side NiFi's nifi.properties file. RAW establishes a raw socket connection on the dedicated configured port. HTTP utilizes the same HTTPS port that all other NiFi interactions use. You'll need to make sure the network connectivity exists between both your NiFi clusters on both the HTTP(S) and RAW ports. HTTP is always used to fetch Site-to-Site details.

Setting up the client side (Remote Process Group) documentation is here: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#configure-site-to-site-client-nifi-instance

Setting up the server side (NiFi with Remote Input or Remote Output ports) documentation can be found here: https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#configure-site-to-site-server-nifi-instance

Even with Site-To-Site, the communication between the two NiFi clusters requires both authentication and authorization. Authentication is established via a mutual TLS handshake initiated by the RPG. For Site-to-Site, the keystore and truststore set up in each NiFi's nifi.properties file are used in the mutual TLS exchange.

NOTE: The NiFi out-of-box auto generated keystores and truststores are not suitable for negotiating a successful mutual TLS handshake.

There are numerous authorization policies that must be set up on the server side (remote ports NiFi) so that the client side (NiFi with RPG) is able to successfully send FlowFiles over Site-to-Site:

1. Retrieve Site-to-Site Details - This policy authorizes the client NiFi nodes (so all nodes in the client side NiFi cluster must be authorized) to retrieve site-to-site details from the server side NiFi. This includes details like number of nodes, load on those nodes, authorized remote ports, site-to-site raw port, https port, etc.
2. Receive data via Site-To-Site - This policy is set up on Remote Input ports to authorize the client side NiFi nodes to send FlowFiles to this specific port.
3. Send data via Site-to-Site - This policy is set up on the Remote Output Ports and allows authorized client nodes to fetch FlowFiles from the Remote Output port.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
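The server-side prerequisites named in the post above (a dedicated RAW port, the HTTPS port used to fetch Site-to-Site details, and the keystore and truststore used for mutual TLS) can be checked before troubleshooting a failing RPG. This is an added example, not part of the original post or of NiFi itself; the sample property values and host name are constructed.

```python
# Added example: check a server-side nifi.properties for Site-to-Site RAW prerequisites.
# Property names are the standard NiFi ones; all sample values below are constructed.
CHECKS = {
    "nifi.remote.input.socket.port": "RAW transport has no dedicated port to listen on",
    "nifi.web.https.port": "Site-to-Site details cannot be fetched over HTTPS",
    "nifi.security.keystore": "no keystore for the mutual TLS handshake",
    "nifi.security.truststore": "no truststore for the mutual TLS handshake",
}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_s2s_raw(props):
    """Return a list of findings; an empty list means the prerequisites are present."""
    findings = [f"{key} is empty: {why}" for key, why in CHECKS.items() if not props.get(key)]
    for key in ("nifi.remote.input.socket.port", "nifi.web.https.port"):
        value = props.get(key, "")
        if value and not (value.isdigit() and 0 < int(value) < 65536):
            findings.append(f"{key}={value} is not a valid TCP port")
    if props.get("nifi.remote.input.secure", "").lower() != "true":
        findings.append("nifi.remote.input.secure is not true: Site-to-Site is not secured with TLS")
    return findings

# Constructed sample: RAW port, HTTPS port and both stores are configured.
GOOD = """nifi.remote.input.host=nifi-a1.example.internal
nifi.remote.input.secure=true
nifi.remote.input.socket.port=10443
nifi.web.https.port=8443
nifi.security.keystore=./conf/keystore.p12
nifi.security.truststore=./conf/truststore.p12
"""
# Constructed sample: RAW port and truststore missing, Site-to-Site not secured.
BAD = """nifi.remote.input.secure=false
nifi.remote.input.socket.port=
nifi.web.https.port=8443
nifi.security.keystore=./conf/keystore.p12
nifi.security.truststore=
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, check_s2s_raw(parse_properties(text)) or "ok")
```

The check only confirms that the settings exist; it does not verify that the certificates in the stores are trusted by the peer cluster or that the authorization policies are in place.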
12-10-2024
06:09 AM
@sha257 Did you restart your NiFi after modifying the logback.xml? NiFi executes the ldap-user-group-provider during startup, so you should see DEBUG output in the nifi-app.log at that time and each time the sync interval happens. As far as ldap sample, I would need to see a ldap search group output that contains "member" entries for users you expect to see. Thanks, Matt
12-06-2024
12:25 AM
1 Kudo
@SAMSAL Hi, sorry that I was not clear enough in my question, was doing my best 😞 @MattWho This works, thank you very much. I have set a maximum back-off time of 1 minute as this process is quite time-sensitive and set the queue before RouteOnAttribute as well as the looped relationship to prioritize the oldest FlowFile. Thank you both for the help!
12-03-2024
02:39 AM
1 Kudo
It works fine @archie! Thanks! This is my docker-compose snippet:

```yaml
nifi-registry:
  image: apache/nifi-registry:1.23.2
  container_name: nifi-registry
  hostname: nifi-registry
  restart: "no"
  ports:
    - 18443:18443
  volumes:
    - ./nifi/certs/localhost:/opt/certs
  environment:
    TZ: America/Sao_Paulo
    NIFI_REGISTRY_WEB_HTTPS_PORT: 18443
    AUTH: oidc
    KEYSTORE_PATH: /opt/certs/keystore.jks
    KEYSTORE_TYPE: JKS
    KEYSTORE_PASSWORD: changeit
    TRUSTSTORE_PATH: /opt/certs/truststore.jks
    TRUSTSTORE_PASSWORD: changeit
    TRUSTSTORE_TYPE: JKS
    INITIAL_ADMIN_IDENTITY: test@test.com
    NIFI_REGISTRY_SECURITY_USER_OIDC_DISCOVERY_URL: http://<LOCAL_KEYCLOAK_IP>:8080/realms/TEST/.well-known/openid-configuration
    NIFI_REGISTRY_SECURITY_USER_OIDC_CONNECT_TIMEOUT: 10000
    NIFI_REGISTRY_SECURITY_USER_OIDC_READ_TIMEOUT: 10000
    NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_ID: nifi
    NIFI_REGISTRY_SECURITY_USER_OIDC_CLIENT_SECRET: <CLIENT_SECRET>
    NIFI_REGISTRY_SECURITY_USER_OIDC_PREFERRED_JWSALGORITHM: RS256
    NIFI_REGISTRY_SECURITY_USER_OIDC_ADDITIONAL_SCOPES: openid,email,profile
    NIFI_REGISTRY_SECURITY_USER_OIDC_CLAIM_IDENTIFYING_USER: preferred_username
  networks:
    - test-net
```
11-29-2024
06:18 AM
@pankajgaikwad As this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post. Thanks.
11-27-2024
09:58 PM
Thank you @MattWho. Yes, initially I had designed the partial failure. Now I have changed the design to capture the failure flow files and send the alert on that. Thank you.
11-27-2024
11:22 AM
Running the restart shell script inside container did it for me! Thanks for the help @MattWho!
11-22-2024
05:25 AM
1 Kudo
@Armel316 Since you only have two user group providers (ldap and file), that means that both are returning user "xxx". If the ldap-user-group-provider is returning user "xxx", you don't want to define that same user through the file-user-group-provider. What this means is that the users.xml file that the file-user-group-provider is loading users from on startup contains user "xxx".

The file-user-group-provider will ONLY generate a users.xml file if one does not already exist. If one already exists, the file-user-group-provider will NOT make any modifications to an existing users.xml if you modify the provider configuration. Once a users.xml file exists, the expectation is that all future user/group modifications happen via the UI.

NOTE: The users.xml does not contain any users or groups being loaded by other providers into NiFi memory.

So you have two options here:

- Rename the current users.xml file so a new one is created on startup with only the 3 defined node-identities. (this is the preferred method)
- Manually modify the users.xml to remove all users that are being synced by the ldap-user-group-provider.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt
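For the second option in the post above, the entries to remove can be listed before editing the file by hand. This is an added example, not part of the original post: a read-only Python check that reports which users.xml entries carry an identity the ldap-user-group-provider also returns, plus the file-based groups that reference them. The sample users.xml, the identifiers and the LDAP identity list are constructed.

```python
# Added example: find users.xml entries that collide with LDAP-synced identities.
# The XML below is a constructed sample in the users.xml layout; nothing is written back.
import xml.etree.ElementTree as ET

USERS_XML = """<tenants>
    <groups>
        <group identifier="g-1" name="admins">
            <user identifier="u-2"/>
        </group>
    </groups>
    <users>
        <user identifier="u-1" identity="CN=node1.example.internal, OU=NIFI"/>
        <user identifier="u-2" identity="xxx"/>
    </users>
</tenants>"""

# Constructed stand-in for the identities the ldap-user-group-provider syncs.
LDAP_IDENTITIES = ["xxx", "yyy"]

def duplicate_users(users_xml, ldap_identities):
    """Return (dupes, groups): colliding users by identifier, and groups that reference them."""
    root = ET.fromstring(users_xml)
    ldap = set(ldap_identities)  # exact, case-sensitive comparison
    dupes = {
        user.get("identifier"): user.get("identity")
        for user in root.iterfind("./users/user")
        if user.get("identity") in ldap
    }
    groups = {}
    for group in root.iterfind("./groups/group"):
        hits = [m.get("identifier") for m in group.iterfind("user") if m.get("identifier") in dupes]
        if hits:
            groups[group.get("name")] = hits
    return dupes, groups

if __name__ == "__main__":
    dupes, groups = duplicate_users(USERS_XML, LDAP_IDENTITIES)
    for ident, identity in dupes.items():
        print(f"defined by both providers: {identity!r} (identifier {ident})")
    for name, members in groups.items():
        print(f"group {name!r} references: {', '.join(members)}")
```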
11-21-2024
08:40 AM
For remote access to the login page, just add your server IP and hostname to c:/windows/system32/drivers/etc/hosts; same on Linux, /etc/hosts.