Thanks @SAMSAL  for recommending @MattWho  ... View more

@I_Mesh01 Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.  Thanks. ... View more

@MattWho  Its very clear now, thank you so much ! ... View more

@shamika  NiFi based authorization is case sensitive. 2023-07-12 10:46:40,800 INFO [NiFi Web Server-19] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[myuser], groups[bigG, bigdGer] does not have permission to access the requested resource. No applicable policies could be found. Returning Forbidden response the nifi-user.log is telling you that your successfully authenticated user "myuser" is known by NiFi to belong to groups "bigG" and "bigdGer".  In Ranger you'll need to make sure that yoru user "myuser" or one of these groups "bigG" and/or "bigdGer" has been authorized for "READ" on the "/flow" NiFi resource Identifier.  If Ranger has the group as "bigg" or "BIGG", "bigDGER", etc it will not work because NiFi is case sensitive. You could also share your authorizers.xml if you'd like use to verify your configuration there. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more

@MWM  Your description is not super clear to me. FlowFile Attributes are in format of <attribute name>=<attribute value> example key=value FlowFile attributes: Attribute name = Attribute value name=toyota type=car Here is how I interpret what you have provided: - You have a FlowFile that has a custom FlowFile "Attribute Name" on it "name". - That "name" Attribute has no value associated to it. (name = ) The UpdateAttribute processor allows you to add new key=value (attribute name = attribute value) attribute pairs to an existing FlowFile or modify the value of an existing FlowFile Attribute Name. You can NOT create a new attribute and then modify or use that new attribute within the same processor in which it was created. Lets say you have a FlowFile with the example FlowFile attributes and values I shared above. Then you use the UpdateAttribute processor to change the value on the Attribute "name" to all uppercase. The NiFi Expression Language (NEL) statement you created: ${name:toUpper()} will take the subject "name" and return it's value "toyota".  That returned value is passed to the toUpper() NEL function which converts the it to Uppercase "TOYOTA".  The resulting value is then written to the FlowFile attribute defined in the UpdateAttribute processor. Assuming an UpdateAttribute processor configured as below: The NEL expression resulting a new value of "TOYOTA" would be written to the FlowFile Attribute "name" since "name" already exists as an attribute on the FlowFile, its current attribute value of "toyota" would be replaced with new value "TOYOTA". Hope this helps clarify how NiFi FlowFile Attributes and the UpdateAttribute processor is used. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more

@mbraunerde  When you authenticate to NiFi, a client token is issued for your user. That token is then presented by your browser with all subsequent requests since every action performed in NiFi must be both authenticated and authorized.   When the token expires, a new one must be obtained. While you have configured the OIDC properties to support authentication via an external AD, you are still using the Single-user-authorizer which allows full access to only the user created by the Single-user-provider.   I suggest you modify your nifi.properties file to use: nifi.security.user.authorizer=managed-authorizer This provider will utilize the the file-access-policy-provider (authorizations.xml file) for user authorizations. With your configuration above it will set admin level authorizations for user: admin@login-domain.com This user would be then allowed to access the NiFi and manage additional user authorizations via the UI. As far as access to the NiFi rest-api, I'd recommend using a certificate instead of your AD. 1. No need to obtain a user token - Include the clientAuth certificate in all your rest-api calls. 2. Will work for as long as the client certificate is valid.  Certificate can be configured with long validity dates (often 2 years or more) 3. Token are only valid for the NiFi node on which they were issued.  meaning if you accessed a different NiFi node in a NiFi cluster or a different instance of NiFi, you would need to get a new token each time. 4. Using a token requires you then to store that token somewhere for reuse by your individual rest-api calls. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more

@MattWho Thank you so much for this awesome detailed solution ! It worked. ... View more