The identity mappings in NiFi use regular expressions with capture groups, so you could do: nifi.security.identity.mapping.pattern.kerb=^(.*?)@(.*?)$ nifi.security.identity.mapping.value.kerb=$1 That pattern should match hadoopadmin@FIELD.HORTONWORKS.COM where group 1 would be hadoopadmin and group 2 would be FIELD.HORTONWORKS.COM. Then the value property says use group 1 as the actual identity. The NiFi admin guide has a description: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#identity-mapping-properties ... View more

Any jars directly in the NiFI lib directory are available on the system classpath, and are thus available to all NARs, and the class loading is done parent first, so if foo.jar is in lib and foo.jar is also bundled in a NAR, it will find the one from lib first. Generally it is not recommended to put additional JARs into the NiFi lib directory since it can impact every NAR, and the point of the NARs is for each of them to have isolated class loading. However, in your case if the JAR is just an additional logback JAR to reference classes in logback.xml then you should be ok to put in the lib directory, just be aware that it is now on the classpath for all NARs as well. ... View more

There is a JIRA to improve AttributesToJson to support types besides strings: https://issues.apache.org/jira/browse/NIFI-2359 Currently all flow file attributes are stored as strings so there needs to be a way for the user to indicate the type for each attribute. For example, if attribute "foo" has a value of "true" we don't really know if the user wants true as a boolean or true as a string. A convention could be created where each attribute could have a corresponding type attribute so something like: attr1 = true attr1.type = boolean attr2 = true attr2.type = string ... View more

The value in your Node Identity is just a hostname, it needs to be the full DN like "CN=xxx.field.hortonworks.com, OU=NIFI", it is also case and white-space sensitive so needs to be exactly how the DN would be listed from your cert. If you update the node identities you need to blow away users.xml and authorizations.xml again. ... View more

There is no such thing as "roles" in Apache NiFi 1.x, I would expect that to fail start-up with those role elements. When you receive the insufficient privileges message, what is shown in nifi-user.log? There should be a message with a user identity that was denied and we need to compare that identity to what you entered as your initial admin. ... View more