Cloudera Community
MattWho
user rank
user rank
Master Mentor

Re: Api Rest JWT return 401 with multiple nodes

by Master Mentor Master Mentor in Support Questions
‎05-14-2025 11:54 AM
‎05-14-2025 11:54 AM
@alan18080  The Single-User-Provider for authentication was not intended for production use. It is a very basic username and password based authenticator that support only a single user identity.  When you access the UI of a NiFi node, you are authenticating with only that node.  The provider generates a client token which your browser holds and a corresponding server side token/key held only by the node you authenticated with.    This is why you need to use sticky sessions (Session Affinity) in your load-balancer so that all subsequent request go to same NiFi server.  There is no option in NiFi that would allow that client JWT token to be accepted by all nodes in a NiFi cluster because of the uniqueness of the JWT generated token to a specific node. Related: NIFI-7246 Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more

Re: NiFi — ye olde "destination does not accept fl...

by Contributor in Support Questions
‎05-13-2025 09:47 AM
‎05-13-2025 09:47 AM
This is on an isolated system, so screenshots are, well, not impossible, but very difficult. PostHTTP (if not listed, it has "No value set"): URL = our url/contentListener Max Batch Size = 100 MB SSL Context Service = StandardRestrictedSSLContextService Send a FlowFile = true Compression Level = 0 Connection Timeout = 360 sec Data Timeout = 360 sec User Agent = Apache-HttpClient/4.5.5 (Java/1.8.0_262) Content-Type = ${mime.type} Disable Connection Reuse = true ListenHTTP: Base Path = contentListener Listening Port = 9443 SSL Context Service = StandardRestrictedSSLContextService HTTP Protocols = h2 http/1.1 Client Authentication = WANT Authorized Subject DN Pattern = .* Authorized Issuer DN Pattern = .* Max Unconfirmed Flowfile Time = 300 secs HTTP Headers to receive as Attributes (Regex) = .* Return Code = 200 Multipart Request Max Size = 15GB Multipart Read Buffer Size = 1MB Maximum Threadpool Size = 400 Request Time Out = 30 secs This particular ListenHTTP receives from both PostHTTP processors in the same instance, in other instances we own, and from many external sources. Yes, it gets hammered all day long. Under normal circumstances, there is no back pressure on the ListenHTTP processor. It only occurs if there is some bottleneck downstream because of some condition not handled gracefully that might cause queues to back up, but that has occurred very rarely. Thanks for your input! ... View more

Re: Apache Nifi 2.2.0 version Untrusted proxy erro...

by Master Mentor Master Mentor in Support Questions
‎05-13-2025 07:01 AM
‎05-13-2025 07:01 AM
@melek6199  When you setup an Apache NiFi cluster versus a standalone NiFi instance, the cluster coordinator and zookeeper become part of the setup.  Since a NiFi cluster is a zero master cluster, the UI can be access from any cluster connected node.  So your user authenticates to the specific node you are accessing and then that node proxies the user request (initially that would "access the flow") on behalf of that user to the cluster coordinator that replicates request to all connected nodes.    The exception means that node with node identity derived from certificate DN "CN=vtmrt3anifit04.x.com, OU=NIFI" was not properly authorized to "proxy user requests". All your NiFi node identities must be authorized to "proxy user requests". While it appears that your NiFi authorizers.xml is setup correctly with your 4 node's identities (case sensitivity also correct), I suspect it was only setup correctly after NiFi having already being started before it was configured correctly. The "file-access-policy-provider" will only generate the authorizations.xml during NiFi startup if it does NOT already exist.  It also will not modify an already existing authorizations.xml file. The "file-user-group-provider" will only generate the users.xml during NiFi startup if it does not already exist.  It also will NOT modify an already existing users.xml file. So I would inspect the users.xml to make sure it contains all 4 node identities (case sensitive correctly) and then verify the authorizations.xml has those node's properly authorized. So I would start here to make sure above is correct on all 4 nodes. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more

Re: Nifi 2.1 Nifi node continued processing flow f...

by Master Mentor Master Mentor in Support Questions
‎05-02-2025 07:25 AM
‎05-02-2025 07:25 AM
@shiva239  There are numerous things happening when a node is disconnected. A disconnected node is different then a dropped node.  A cluster node must be disconnected before it can be dropped.   A node can become disconnected in two ways: Manually disconnected - User manually disconnects a node via the NiFi Cluster UI.  A manually disconnected node will not attempt to auto-rejoin cluster. A user can manually reconnect the node from another node in the cluster via the same Cluster UI. A node becomes disconnected due to some issue.   A node that is disconnected is still part of the cluster until it is dropped.  Once dropped the cluster no longer considers it part of the cluster.  This distinction matter when it comes to load balanced connections that use a load balance strategy other then Round Robin. Load balance connections use NiFi Site-To-Site protocol to move FlowFiles between nodes.  Only Connected nodes are eligible to have FlowFiles sent over Site-To-Site. Even a disconnected node is still able to load-balance FlowFiles to other nodes still connected in the cluster.   (so when you had 1 node disconnect from cluster, if you went to that nodes UI directly the load balanced connection would appear to processing all FlowFiles normally.  This is because the two nodes where it sends some FlowFiles by attribute are still connected and thus it is allowed to send to them.  The other FlowFiles by attribute destined for disconnected node never leave the node and get processed locally.  Over on the still cluster connected nodes the story is different.  They can only send to connected nodes and any FlowFiles destined for that disconnected node will begin to queue.  Even if you stopped the dataflows on the disconnected node the FlowFiles would continue to queue for that node.  So stopping the dataflow on a node that disconnects would still present same issue. A disconnected node is still aware of what node are part of the cluster and can still communicate with ZK to know which node is the elected cluster coordinator.  Lets say a second node disconnects.  The disconnected node would stop attempting to send to that now disconnected node and queue FlowFiles destined for that node. Only the round robin strategy will attempt to redistribute FlowFile to remaining connected nodes when a node becomes disconnected.  The Partition by attribute and Single Node strategies are used when it is important that "like" FlowFiles end up on the same node for downstream processing (So once a like FlowFile, which in your case are FlowFiles with same value in the orderid FlowFile attribute, is marked for node 3, all FlowFiles with that same orderId will queue for node 3 as long as node three is still a member of the cluster.  A disconnected node is still part of the cluster and will have some "like" FlowFiles already on it, so we would not want NiFi to start sending "Like" data to some other node all of a sudden.  Now if manual user action was taken to drop the disconnected node, then the load-balanced connections would start using a different node for the FlowFiles original being allocated to the disconnected node.  NiFi also offers an off-loading feature. This allows a user with proper authorization to off-load a disconnected node (IMPORTANT: only a reachable and running node can be offloaded successfully. Attempting Offloading of a down or unreachable node will not work).  Once a node is disconnected a user can choose to offload the node this is typical if say a user want to decommission a node in the cluster.  Initiating off-load will send a request to that disconnected node to stop, terminate all running components and then off load the queued FlowFiles to other nodes connected to the cluster.   If cluster nodes where allowed to continue to load-balance to disconnected node(s), this capability would fail as you would end-up with a constant loop of FlowFiles back to disconnected node.  Once offloading completes that disconnected node could be dropped and the FlowFiles that were offload would get load balanced to remaining nodes still members of the cluster. I think I covered all the basic behind the scenes functionality of load-balanced connection with regards to disconnected node behaviors. In your scenario, your node, the node became disconnected due to some issue when changing the version of a version controlled process group.  I would recommend a new community question if you need help with that issue as it has no direct relationship with how load-balance connection function or disconnected nodes still running discussed here. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more

Re: Nifi Unzip files

by Explorer in Support Questions
‎04-28-2025 10:40 PM
‎04-28-2025 10:40 PM
@joseomjr  your code could not work at my end.  ChatGPT help me with below code and it is working at my end. import java.util.zip.ZipInputStream import java.util.zip.ZipEntry import java.io.ByteArrayOutputStream def flowFile = session.get() if (!flowFile) return try { session.read(flowFile, { inputStream -> ZipInputStream zipIn = new ZipInputStream(inputStream) ZipEntry entry = zipIn.nextEntry while (entry != null) { if (!entry.isDirectory()) { ByteArrayOutputStream baos = new ByteArrayOutputStream() byte[] buffer = new byte[8192] int len while ((len = zipIn.read(buffer)) > 0) { baos.write(buffer, 0, len) } def contentBytes = baos.toByteArray() def newFlowFile = session.create(flowFile) newFlowFile = session.write(newFlowFile, { outStream -> outStream.write(contentBytes) } as OutputStreamCallback) newFlowFile = session.putAttribute(newFlowFile, 'filename', entry.getName()) session.transfer(newFlowFile, REL_SUCCESS) } zipIn.closeEntry() entry = zipIn.nextEntry } } as InputStreamCallback) session.remove(flowFile) } catch (Exception e) { log.error("Failed to unzip FlowFile due to: ${e.message}", e) session.transfer(flowFile, REL_FAILURE) } I hope there is no security concern with this code! ... View more

Re: Best Practice to Design Data Flows

by Explorer in Support Questions
‎04-28-2025 12:33 AM
‎04-28-2025 12:33 AM
Thank you for this insightful and practical advice. ... View more

Re: Variable registry update is behaving stuck at ...

by Master Collaborator in Support Questions
‎04-27-2025 11:40 PM
‎04-27-2025 11:40 PM
@MattWho  I see below logs in dumps, apart from these I dont see anything like waiting etc   "Variable Registry Update Thread" Id=70591 WAITING on java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject@7f1aa08e at java.base@11.0.22/jdk.internal.misc.Unsafe.park(Native Method) at java.base@11.0.22/java.util.concurrent.locks.LockSupport.park(Unknown Source) at java.base@11.0.22/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(Unknown Source) at java.base@11.0.22/java.util.concurrent.ArrayBlockingQueue.take(Unknown Source) at java.base@11.0.22/java.util.concurrent.ThreadPoolExecutor.getTask(Unknown Source) at java.base@11.0.22/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.base@11.0.22/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.base@11.0.22/java.lang.Thread.run(Unknown Source)   ------------- "Timer-Driven Process Thread-102" Id=1030 BLOCKED on org.apache.nifi.controller.scheduling.LifecycleState@3ed4243f at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:147) at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110) at java.base@11.0.22/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.base@11.0.22/java.util.concurrent.FutureTask.runAndReset(Unknown Source) at java.base@11.0.22/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source) at java.base@11.0.22/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.base@11.0.22/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.base@11.0.22/java.lang.Thread.run(Unknown Source) Number of Locked Synchronizers: 1 - java.util.concurrent.ThreadPoolExecutor$Worker@2843111c Thanks mahendra ... View more

Re: UI nifi 1-16-3 not enable with processor. Erro...

by Explorer in Support Questions
‎04-25-2025 02:50 PM
‎04-25-2025 02:50 PM
Ok, to put it in context, we're currently using version 1.11.4, which has worked fairly well for us, but sometimes the nodes become desynchronized and won't reconnect. I restarted the cluster to fix this issue. However, now we're forced to change the version because we're uploading to BigQuery. When we run and activate the extraction processors "ExecuteSQL -> avroToJson" to release the queues, the BQ batch processor gives us this error, "Exceeded rated limit big query: too many table update operations for this table." This is because this NIFI is operating with the old version of the API, which is deprecated. GCP recommended we switch to the new API, and I understand that it's already using it since 1.16.3. Yesterday I tried it this way: OS: Cluster: 3 nodes on EC2 AWS instances, the instances are: Operating System: Amazon Linux 2 CPE OS Name: cpe:2.3:o:amazon:amazon_linux:2 Kernel: Linux 4.14.322-246.539.amzn2.x86_64 Architecture: x86-64 Nifi Productive 1. Current Nifi Version 1.11.4, with Java 1.8.0.382.b05 1.amzn2.0.1.x86_64, Apache-Zookeeper-3.6.3-bin Nifi Tested: 2. First Nifi Tested Version 1.16.3, with Java 1.8.0.382.b05 1.amzn2.0.1.x86_64, Apache-Zookeeper-3.6.3-bin 3. Second Nifi Version 1.28.1, with Java 11 Version java-11-amazon-corretto-headless, apache-zookeeper-3.6.3-bin For points 2 and 3, I created this thread. Now I'm at point 3 and I have the same problem. I inferred that it could be the Java version, but it isn't. However, I had to rollback and go back to 1.11.4, since we don't have a test environment, only a production one, and I couldn't stop the operation. It works without problems. I copied the configurations from my nodes to the others. I tried to solve but the logs did not tell me much, I only cut the most visible org.apache.nifi.web.server.jettyserver loading war ver-nar-1.16.3.nar-unpacked / nar-inf / bundled-dependencies / nifi-web-error-1.16.3.war, I checked the app, the user and the boopstrap, I did a search for error specifically for each log and nothing appeared, yesterday I checked the cluster was running with its 3 nodes and the status of nifi and they were running, also communication of the nodes was seen. To resume the subject I would have to wait for a problem to occur with the nodes to try again:   nifi.properties, nodo 1:   # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Core Properties # nifi.flow.configuration.file=./conf/flow.xml.gz nifi.flow.configuration.json.file=./conf/flow.json.gz nifi.flow.configuration.archive.enabled=true nifi.flow.configuration.archive.dir=./conf/archive/ nifi.flow.configuration.archive.max.time=5 days nifi.flow.configuration.archive.max.storage=500 MB nifi.flow.configuration.archive.max.count= nifi.flowcontroller.autoResumeState=true nifi.flowcontroller.graceful.shutdown.period=10 sec nifi.flowservice.writedelay.interval=500 ms nifi.administrative.yield.duration=60 sec # If a component has no work to do (is "bored"), how long should we wait before checking again for work? nifi.bored.yield.duration=10 millis nifi.queue.backpressure.count=10000 nifi.queue.backpressure.size=1 GB nifi.authorizer.configuration.file=./conf/authorizers.xml nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml nifi.templates.directory=./conf/templates nifi.ui.banner.text= nifi.ui.autorefresh.interval=30 sec nifi.nar.library.directory=./lib nifi.nar.library.autoload.directory=./extensions nifi.nar.working.directory=./work/nar/ nifi.documentation.working.directory=./work/docs/components nifi.nar.unpack.uber.jar=false #################### # State Management # #################### nifi.state.management.configuration.file=./conf/state-management.xml # The ID of the local state provider nifi.state.management.provider.local=local-provider # The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster. nifi.state.management.provider.cluster=zk-provider # Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server nifi.state.management.embedded.zookeeper.start=false # Properties file that provides the ZooKeeper properties to use if <nifi.state.management.embedded.zookeeper.start> is set to true nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties # Database Settings #nifi.database.directory=./database_repository nifi.database.directory=/data/database_repository # Repository Encryption properties override individual repository implementation properties nifi.repository.encryption.protocol.version= nifi.repository.encryption.key.id= nifi.repository.encryption.key.provider= nifi.repository.encryption.key.provider.keystore.location= nifi.repository.encryption.key.provider.keystore.password= # FlowFile Repository nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository nifi.flowfile.repository.wal.implementation=org.apache.nifi.wali.SequentialAccessWriteAheadLog # nifi.flowfile.repository.directory=./flowfile_repository nifi.flowfile.repository.directory=/data/flowfile_repository nifi.flowfile.repository.checkpoint.interval=2 mins nifi.flowfile.repository.always.sync=false nifi.flowfile.repository.retain.orphaned.flowfiles=true nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager nifi.queue.swap.threshold=20000 # Content Repository nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository nifi.content.claim.max.appendable.size=1 MB #nifi.content.repository.directory.default=./content_repository nifi.content.repository.directory.default=/data/content_repository nifi.content.repository.archive.max.retention.period=12 hours nifi.content.repository.archive.max.usage.percentage=50% nifi.content.repository.archive.enabled=true nifi.content.repository.always.sync=false nifi.content.viewer.url=../nifi-content-viewer/ # Provenance Repository Properties nifi.provenance.repository.implementation=org.apache.nifi.provenance.WriteAheadProvenanceRepository # Persistent Provenance Repository Properties #nifi.provenance.repository.directory.default=./provenance_repository nifi.provenance.repository.directory.default=/data/provenance_repository nifi.provenance.repository.max.storage.time=12 hours nifi.provenance.repository.max.storage.size=50 GB nifi.provenance.repository.rollover.time=10 mins nifi.provenance.repository.rollover.size=100 MB nifi.provenance.repository.query.threads=2 nifi.provenance.repository.index.threads=2 nifi.provenance.repository.compress.on.rollover=true nifi.provenance.repository.always.sync=false # Comma-separated list of fields. Fields that are not indexed will not be searchable. Valid fields are: # EventType, FlowFileUUID, Filename, TransitURI, ProcessorID, AlternateIdentifierURI, Relationship, Details nifi.provenance.repository.indexed.fields=EventType, FlowFileUUID, Filename, ProcessorID, Relationship # FlowFile Attributes that should be indexed and made searchable. Some examples to consider are filename, uuid, mime.type nifi.provenance.repository.indexed.attributes= # Large values for the shard size will result in more Java heap usage when searching the Provenance Repository # but should provide better performance nifi.provenance.repository.index.shard.size=500 MB # Indicates the maximum length that a FlowFile attribute can be when retrieving a Provenance Event from # the repository. If the length of any attribute exceeds this value, it will be truncated when the event is retrieved. nifi.provenance.repository.max.attribute.length=65536 nifi.provenance.repository.concurrent.merge.threads=2 # Volatile Provenance Respository Properties nifi.provenance.repository.buffer.size=100000 # Component and Node Status History Repository nifi.components.status.repository.implementation=org.apache.nifi.controller.status.history.VolatileComponentStatusRepository # Volatile Status History Repository Properties #nifi.components.status.repository.buffer.size=1440 nifi.components.status.repository.buffer.size=2880 nifi.components.status.snapshot.frequency=5 min # QuestDB Status History Repository Properties nifi.status.repository.questdb.persist.node.days=7 nifi.status.repository.questdb.persist.component.days=1 nifi.status.repository.questdb.persist.location=/data/status_repository # Site to Site properties nifi.remote.input.host=node-1 nifi.remote.input.secure=false nifi.remote.input.socket.port=10000 nifi.remote.input.http.enabled=true nifi.remote.input.http.transaction.ttl=30 sec nifi.remote.contents.cache.expiration=30 secs # web properties # ############################################# # For security, NiFi will present the UI on 127.0.0.1 and only be accessible through this loopback interface. # Be aware that changing these properties may affect how your instance can be accessed without any restriction. # We recommend configuring HTTPS instead. The administrators guide provides instructions on how to do this. nifi.web.http.host=node-1 nifi.web.http.port=8080 nifi.web.http.network.interface.default= ############################################# nifi.web.https.host= nifi.web.https.port= nifi.web.https.network.interface.default= nifi.web.https.application.protocols=http/1.1 nifi.web.jetty.working.directory=./work/jetty nifi.web.jetty.threads=200 nifi.web.max.header.size=16 KB nifi.web.proxy.context.path= nifi.web.proxy.host= nifi.web.max.content.size= nifi.web.max.requests.per.second=30000 nifi.web.max.access.token.requests.per.second=25 nifi.web.request.timeout=60 secs nifi.web.request.ip.whitelist= nifi.web.should.send.server.version=true nifi.web.request.log.format=%{client}a - %u %t "%r" %s %O "%{Referer}i" "%{User-Agent}i" # Filter JMX MBeans available through the System Diagnostics REST API nifi.web.jmx.metrics.allowed.filter.pattern= # Include or Exclude TLS Cipher Suites for HTTPS nifi.web.https.ciphersuites.include= nifi.web.https.ciphersuites.exclude= # security properties # nifi.sensitive.props.key=1234567890ab nifi.sensitive.props.key.protected= nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256 nifi.sensitive.props.additional.keys= nifi.security.autoreload.enabled=false nifi.security.autoreload.interval=10 secs nifi.security.keystore= nifi.security.keystoreType= nifi.security.keystorePasswd= nifi.security.keyPasswd= nifi.security.truststore= nifi.security.truststoreType= nifi.security.truststorePasswd= nifi.security.user.authorizer=single-user-authorizer nifi.security.allow.anonymous.authentication=false nifi.security.user.login.identity.provider=single-user-provider nifi.security.user.jws.key.rotation.period=PT1H nifi.security.ocsp.responder.url= nifi.security.ocsp.responder.certificate= # OpenId Connect SSO Properties # nifi.security.user.oidc.discovery.url= nifi.security.user.oidc.connect.timeout=5 secs nifi.security.user.oidc.read.timeout=5 secs nifi.security.user.oidc.client.id= nifi.security.user.oidc.client.secret= nifi.security.user.oidc.preferred.jwsalgorithm= nifi.security.user.oidc.additional.scopes= nifi.security.user.oidc.claim.identifying.user= nifi.security.user.oidc.fallback.claims.identifying.user= nifi.security.user.oidc.claim.groups=groups nifi.security.user.oidc.truststore.strategy=JDK nifi.security.user.oidc.token.refresh.window=60 secs # Apache Knox SSO Properties # nifi.security.user.knox.url= nifi.security.user.knox.publicKey= nifi.security.user.knox.cookieName=hadoop-jwt nifi.security.user.knox.audiences= # SAML Properties # nifi.security.user.saml.idp.metadata.url= nifi.security.user.saml.sp.entity.id= nifi.security.user.saml.identity.attribute.name= nifi.security.user.saml.group.attribute.name= nifi.security.user.saml.request.signing.enabled=false nifi.security.user.saml.want.assertions.signed=true nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 nifi.security.user.saml.authentication.expiration=12 hours nifi.security.user.saml.single.logout.enabled=false nifi.security.user.saml.http.client.truststore.strategy=JDK nifi.security.user.saml.http.client.connect.timeout=30 secs nifi.security.user.saml.http.client.read.timeout=30 secs # Identity Mapping Properties # # These properties allow normalizing user identities such that identities coming from different identity providers # (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing # DNs from certificates and principals from Kerberos into a common identity string: # # nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$ # nifi.security.identity.mapping.value.dn=$1@$2 # nifi.security.identity.mapping.transform.dn=NONE # nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$ # nifi.security.identity.mapping.value.kerb=$1@$2 # nifi.security.identity.mapping.transform.kerb=UPPER # Group Mapping Properties # # These properties allow normalizing group names coming from external sources like LDAP. The following example # lowercases any group name. # # nifi.security.group.mapping.pattern.anygroup=^(.*)$ # nifi.security.group.mapping.value.anygroup=$1 # nifi.security.group.mapping.transform.anygroup=LOWER # Listener Bootstrap properties # # This property defines the port used to listen for communications from NiFi Bootstrap. If this property # is missing, empty, or 0, a random ephemeral port is used. nifi.listener.bootstrap.port=0 # cluster common properties (all nodes must have same values) # nifi.cluster.protocol.heartbeat.interval=20 sec nifi.cluster.protocol.heartbeat.missable.max=8 nifi.cluster.protocol.is.secure=false # cluster node properties (only configure for cluster nodes) # nifi.cluster.is.node=true nifi.cluster.node.address=node-1 nifi.cluster.node.protocol.port=9089 nifi.cluster.node.protocol.max.threads=150 nifi.cluster.node.event.history.size=25 nifi.cluster.node.connection.timeout=90 sec nifi.cluster.node.read.timeout=90 sec nifi.cluster.node.max.concurrent.requests=100 nifi.cluster.firewall.file= nifi.cluster.flow.election.max.wait.time=5 mins nifi.cluster.flow.election.max.candidates= # cluster load balancing properties # nifi.cluster.load.balance.host=node-1 nifi.cluster.load.balance.port=6342 nifi.cluster.load.balance.connections.per.node=4 nifi.cluster.load.balance.max.thread.count=8 nifi.cluster.load.balance.comms.timeout=30 sec # zookeeper properties, used for cluster management # nifi.zookeeper.connect.string=node-1:2181,node-2:2181,node-3:2181 nifi.zookeeper.connect.timeout=60 secs nifi.zookeeper.session.timeout=60 secs nifi.zookeeper.root.node=/nifi nifi.zookeeper.client.secure=false nifi.zookeeper.security.keystore= nifi.zookeeper.security.keystoreType= nifi.zookeeper.security.keystorePasswd= nifi.zookeeper.security.truststore= nifi.zookeeper.security.truststoreType= nifi.zookeeper.security.truststorePasswd= nifi.zookeeper.jute.maxbuffer= # Zookeeper properties for the authentication scheme used when creating acls on znodes used for cluster management # Values supported for nifi.zookeeper.auth.type are "default", which will apply world/anyone rights on znodes # and "sasl" which will give rights to the sasl/kerberos identity used to authenticate the nifi node # The identity is determined using the value in nifi.kerberos.service.principal and the removeHostFromPrincipal # and removeRealmFromPrincipal values (which should align with the kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal # values configured on the zookeeper server). nifi.zookeeper.auth.type= nifi.zookeeper.kerberos.removeHostFromPrincipal= nifi.zookeeper.kerberos.removeRealmFromPrincipal= # kerberos # nifi.kerberos.krb5.file= # kerberos service principal # nifi.kerberos.service.principal= nifi.kerberos.service.keytab.location= # kerberos spnego principal # nifi.kerberos.spnego.principal= nifi.kerberos.spnego.keytab.location= nifi.kerberos.spnego.authentication.expiration=12 hours # external properties files for variable registry # supports a comma delimited list of file locations nifi.variable.registry.properties= # analytics properties # nifi.analytics.predict.enabled=false nifi.analytics.predict.interval=3 mins nifi.analytics.query.interval=5 mins nifi.analytics.connection.model.implementation=org.apache.nifi.controller.status.analytics.models.OrdinaryLeastSquares nifi.analytics.connection.model.score.name=rSquared nifi.analytics.connection.model.score.threshold=.90 # runtime monitoring properties nifi.monitor.long.running.task.schedule= nifi.monitor.long.running.task.threshold= # Enable automatic diagnostic at shutdown. nifi.diagnostics.on.shutdown.enabled=false # Include verbose diagnostic information. nifi.diagnostics.on.shutdown.verbose=false # The location of the diagnostics folder. nifi.diagnostics.on.shutdown.directory=./diagnostics # The maximum number of files permitted in the directory. If the limit is exceeded, the oldest files are deleted. nifi.diagnostics.on.shutdown.max.filecount=10 # The diagnostics folder's maximum permitted size in bytes. If the limit is exceeded, the oldest files are deleted. nifi.diagnostics.on.shutdown.max.directory.size=10 MB # Performance tracking properties ## Specifies what percentage of the time we should track the amount of time processors are using CPU, reading from/writing to content repo, etc. ## This can be useful to understand which components are the most expensive and to understand where system bottlenecks may be occurring. ## The value must be in the range of 0 (inclusive) to 100 (inclusive). A larger value will produce more accurate results, while a smaller value may be ## less expensive to compute. ## Results can be obtained by running "nifi.sh diagnostics <filename>" and then inspecting the produced file. nifi.performance.tracking.percentage=0 # NAR Provider Properties # # These properties allow configuring one or more NAR providers. A NAR provider retrieves NARs from an external source # and copies them to the directory specified by nifi.nar.library.autoload.directory. # # Each NAR provider property follows the format: # nifi.nar.library.provider.<identifier>.<property-name> # # Each NAR provider must have at least one property named "implementation". # # Example HDFS NAR Provider: # nifi.nar.library.provider.hdfs.implementation=org.apache.nifi.flow.resource.hadoop.HDFSExternalResourceProvider # nifi.nar.library.provider.hdfs.resources=/path/to/core-site.xml,/path/to/hdfs-site.xml # nifi.nar.library.provider.hdfs.storage.location=hdfs://hdfs-location # nifi.nar.library.provider.hdfs.source.directory=/nars # nifi.nar.library.provider.hdfs.kerberos.principal=nifi@NIFI.COM # nifi.nar.library.provider.hdfs.kerberos.keytab=/path/to/nifi.keytab # nifi.nar.library.provider.hdfs.kerberos.password= # # Example NiFi Registry NAR Provider: # nifi.nar.library.provider.nifi-registry.implementation=org.apache.nifi.registry.extension.NiFiRegistryNarProvider # nifi.nar.library.provider.nifi-registry.url=http://localhost:18080 ... View more

Re: how to use StandardOauth2AccessTokenProvider 2...

by Master Mentor Master Mentor in Support Questions
‎04-25-2025 06:47 AM
‎04-25-2025 06:47 AM
@Shrink  So I see you are trying to start a Process Group (which starts all the NiFi components within that process group).   You are not setup with a production ready certificate nor production ready authentication and authorization configuration which makes setting up the necessary authorizations not possible.  You would need to switch to using the managed authorizer which allow you to use the file-user-group-provider.  This provider will allow you to define your NiFi node certificate DN as a user which you can then authorize as needed to make the rest-api call you want to make. Have you looked at using FlowFile Concurrency and Outbound Policy options available within the process group configuration to control the input and output of FlowFiles in and out of each process group?  These settings would allow you to control the movement of FlowFiles from one PG to another and achieve I believe what you are trying to do with needing to programmatically start and stop Process groups via rest-api calls.  Configuring a Process Group FlowFile Concurrency OutBound Policy Using rest-api calls first requires you to constantly check to make sure one PG is done processing all FlowFiles before you start the next.  Not efficient design.  You should try to design your dataflows so they are always running. Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped. Thank you, Matt ... View more

Re: nifi toolkit merge-param-context help

by Explorer in Support Questions
‎04-25-2025 06:45 AM
‎04-25-2025 06:45 AM
Thanks for the reminder regarding the semantic of merge-param-context. I overlooked the contents of the help and my initial posting. Regards ... View more
Contact Me
Online
Offline
Last Visited
‎06-20-2025 06:23 AM
Community Statistics
Member Since ‎07-30-2019 10:41 AM
Last Visited ‎06-20-2025 06:23 AM
Posts 3,283
Kudos received 1596