Cloudera Community
spiker
user rank
Explorer
My Accepted Solutions
Show All

Re: Untrusted proxy error Authentication Failed o....

by Explorer in Support Questions
‎01-06-2025 08:15 AM
‎01-06-2025 08:15 AM
@Shelton / @MattWho , My NIFI is behind corporate proxy, because of that In production, NIFI is not able to hit the azure OIDC discovery url. could you please help me on it ? Thanks, spiker ... View more

Re: Untrusted proxy error Authentication Failed o....

by Explorer in Support Questions
‎01-06-2025 08:06 AM
‎01-06-2025 08:06 AM
After extensive research on OIDC with NIFI and Azure, I have successfully implemented the solution. I hope this guide can help anyone facing similar challenges. This guide assumes that you already have the nifi_keystore.p12 and nifi_truststore.p12 files generated. First, enable NiFi with the SSL certificate and start NiFi in Cluster mode. you need to make NiFi aware of the each Node Identity. Hear is a step-by-step guide on how to obtain the identity of a particular node. step 1:-       cat /path/to/nifi.properties | grep nifi.security.keystorePasswd       output -      nifi.security.keystorePasswd=065ad6b41cf772b6a47f96cff82698f6   step2:-     keytool -list -v -keystore /path/to/nifi_keystore.p12 -storepass <storepassword>     output:     Keystore type: PKCS12 Keystore provider: SUN Your keystore contains 1 entry Alias name: nifi Creation date: Jan 6, 2025 Entry type: PrivateKeyEntry Certificate chain length: 2 Certificate[1]: Owner: CN=172.18.0.3, OU=NIFI, O=NIFI, L=HYD, ST=Some-State, C=IN Issuer: CN=abc, O=Internet Widgits Pty Ltd, ST=Some-State, C=IN Serial number: 18333f71cd8846ca98c118c6347784a2275bc72a Valid from: Mon Jan 06 17:53:52 IST 2025 until: Thu May 21 17:53:52 IST 2026 Certificate fingerprints: SHA1: 9F:49:45:B5:B7:22:7E:FB:0C:E0:83:C2:B3:C3:CD:72:72:0A:6E:F9 SHA256: 65:B6:BE:2B:7D:A9:79:12:E1:02:05:F3:52:04:08:14:79:76:13:96:C0:27:9E:33:C1:2D:6D:91:5F:2A:DD:70 Signature algorithm name: SHA256withRSA Subject Public Key Algorithm: 2048-bit RSA key     check the owner of the above output.  you node identity is :- CN=172.18.0.3, OU=NIFI, O=NIFI, L=HYD, ST=Some-State, C=IN It should be exactly same as the above. Know It's time to configure authorizers.xml. In the authorizers.xml file, we will configure node identity awareness within the userGroupProvider and accessPolicyProvider.     <authorizers> <userGroupProvider> <identifier>file-user-group-provider</identifier> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> <property name="Users File">./conf/users.xml</property> <property name="Legacy Authorized Users File"></property> <property name="Initial User Identity 1">CN=172.18.0.3, OU=NIFI, O=NIFI, L=HYD, ST=Some-State, C=IN</property> </userGroupProvider> <userGroupProvider> <identifier>aad-user-group-provider</identifier> <class>org.apache.nifi.authorization.azure.AzureGraphUserGroupProvider</class> <property name="Refresh Delay">5 mins</property> <property name="Authority Endpoint">${MICROSOFT_LOGIN_IDENTITY_PROVIDER_URL}</property> <property name="Directory ID">${MICROSOFT_TENENT_ID}</property> <property name="Application ID">${MICROSOFT_APP_REGISTRATION_OBJECT_ID}</property> <property name="Client Secret">${MICROSOFT_APP_CLIENT_SECRET}</property> <property name="Group Filter Prefix">${MICROSOFT_GROUP_FILTER}</property> <property name="Page Size">100</property> </userGroupProvider> <userGroupProvider> <identifier>composite-configurable-user-group-provider</identifier> <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class> <property name="Configurable User Group Provider">file-user-group-provider</property> <property name="User Group Provider 1">aad-user-group-provider</property> </userGroupProvider> <accessPolicyProvider> <identifier>file-access-policy-provider</identifier> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> <property name="User Group Provider">composite-configurable-user-group-provider</property> <property name="Authorizations File">./conf/authorizations.xml</property> <property name="Initial Admin Identity">${INITIAL_ADMIN_IDENTITY_EMAIL}</property> <property name="Legacy Authorized Users File"></property> <property name="Node Identity 1">CN=172.18.0.3, OU=NIFI, O=NIFI, L=HYD, ST=Some-State, C=IN</property> </accessPolicyProvider> <authorizer> <identifier>managed-authorizer</identifier> <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class> <property name="Access Policy Provider">file-access-policy-provider</property> </authorizer> </authorizers>     userGroupProvider:- Add you Node Identity in  the property  "Initial User Identity 1 ". similarly , you can add multiple Node Identity by adding "Initial User Identity 2", "Initial User Identity 3" ...     <userGroupProvider> <identifier>file-user-group-provider</identifier> <class>org.apache.nifi.authorization.FileUserGroupProvider</class> <property name="Users File">./conf/users.xml</property> <property name="Legacy Authorized Users File"></property> <property name="Initial User Identity 1">CN=172.18.0.3, OU=NIFI, O=NIFI, L=HYD, ST=Some-State, C=IN</property> </userGroupProvider>     accessPolicyProvider:- Similar to the above we are going to fill the same details in the property "Node Identity 1", "Node Identity 2", "Node Identity 3" ...     <accessPolicyProvider> <identifier>file-access-policy-provider</identifier> <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class> <property name="User Group Provider">composite-configurable-user-group-provider</property> <property name="Authorizations File">./conf/authorizations.xml</property> <property name="Initial Admin Identity">${INITIAL_ADMIN_IDENTITY_EMAIL}</property> <property name="Legacy Authorized Users File"></property> <property name="Node Identity 1">CN=172.18.0.3, OU=NIFI, O=NIFI, L=HYD, ST=Some-State, C=IN</property> </accessPolicyProvider>     state-management.xml     <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <stateManagement> <local-provider> <id>local-provider</id> <class>org.apache.nifi.controller.state.providers.local.WriteAheadLocalStateProvider</class> <property name="Directory">./state/local</property> <property name="Always Sync">false</property> <property name="Partitions">16</property> <property name="Checkpoint Interval">2 mins</property> </local-provider> <cluster-provider> <id>zk-provider</id> <class>org.apache.nifi.controller.state.providers.zookeeper.ZooKeeperStateProvider</class> <property name="Connect String">${ZOOKEEPER_CONNECTION_STRING}</property> <property name="Root Node">/nifi</property> <property name="Session Timeout">${ZOOKEEPER_SESSION_TIMEOUT}</property> <property name="Access Control">Open</property> </cluster-provider> <cluster-provider> <id>kubernetes-provider</id> <class>org.apache.nifi.kubernetes.state.provider.KubernetesConfigMapStateProvider</class> <property name="ConfigMap Name Prefix"></property> </cluster-provider> </stateManagement>     nifi.properties :- Important Properties that need to set in the nifi.properties file ( OIDC ) :-     nifi.security.keystore=/path-to/nifi_keystore.p12 nifi.security.keystoreType=PKCS12 nifi.security.keystorePasswd=<keystore-password> nifi.security.keyPasswd=<keystore-password> nifi.security.truststore=/path-to/nifi_truststore.p12 nifi.security.truststoreType=PKCS12 nifi.security.truststorePasswd=<truststore-password> nifi.security.user.authorizer=managed-authorizer nifi.security.allow.anonymous.authentication=false nifi.security.user.login.identity.provider=oidc-provider nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration nifi.security.user.oidc.connect.timeout=10 secs nifi.security.user.oidc.read.timeout=10 secs nifi.security.user.oidc.client.id=<client-id> nifi.security.user.oidc.client.secret=<client-secret> nifi.security.user.oidc.preferred.jwsalgorithm= nifi.security.user.oidc.additional.scopes=profile nifi.security.user.oidc.claim.identifying.user=email nifi.security.user.oidc.fallback.claims.identifying.user=upn nifi.security.user.oidc.claim.groups=groups nifi.security.user.oidc.truststore.strategy=JDK nifi.security.user.oidc.token.refresh.window=60 secs nifi.security.identity.mapping.pattern.dn=<node-identity-pattern-regx> # example nifi.security.identity.mapping.pattern.dn=CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$ nifi.security.identity.mapping.value.dn=$1     At the end, I would like to thank @Shelton  and @MattWho  for helping me resolve this issue. cheers! spiker ... View more

Re: Untrusted proxy error Authentication Failed o....

by Explorer in Support Questions
‎01-05-2025 08:21 PM
‎01-05-2025 08:21 PM
@Shelton, The solution you are proposed is not working. Their is no error in the nifi-app.log, but the same error  I posted previously is appearing in the nifi-user.log. However, I started the NiFi in standalone mode, the OIDC authentication works perfectly fine. The problem arises when I start NiFi in cluster mode by connecting to zookeeper and modifying different properties in the nifi.properties file. The nifi-user.log error :-   2025-01-03 20:30:36,418 INFO [NiFi Web Server-164] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 172.24.0.3 [<oncloudtemuser@sossourabh7687gmail.onmicrosoft.com><CN=172.24.0.3, OU=NIFI, O=NIFI, L=HYDRABAD, ST=TELANGANA, C=IN>] GET https://172.24.0.3:8443/nifi-api/flow/current-user 2025-01-03 20:30:36,419 WARN [NiFi Web Server-164] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 172.24.0.3 GET https://172.24.0.3:8443/nifi-api/flow/current-user [Untrusted proxy CN=172.24.0.3, OU=NIFI, O=NIFI, L=HYDRABAD, ST=TELANGANA, C=IN] 2025-01-03 20:30:36,423 ERROR [NiFi Web Server-51] o.a.nifi.web.api.config.ThrowableMapper An unexpected error has occurred: java.io.UncheckedIOException: Read Current User Entity failed. Returning Internal Server Error response. java.io.UncheckedIOException: Read Current User Entity failed at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:453) at org.apache.nifi.web.api.FlowResource.getCurrentUser(FlowResource.java:428) at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) at java.base/java.lang.reflect.Method.invoke(Method.java:565) at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189) at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93) at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81) at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:274) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) at org.glassfish.jersey.internal.Errors.process(Errors.java:292) at org.glassfish.jersey.internal.Errors.process(Errors.java:274) at org.glassfish.jersey.internal.Errors.process(Errors.java:244) at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266) at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253) at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696) at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397) at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205) at org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379) at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736) at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1619) at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365) at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:101) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.log.AuthenticationUserFilter.doFilterInternal(AuthenticationUserFilter.java:57) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.oidc.client.web.OidcBearerTokenRefreshFilter.doFilterInternal(OidcBearerTokenRefreshFilter.java:135) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:198) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter.doFilterInternal(OAuth2AuthorizationCodeGrantFilter.java:183) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:145) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94) at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.csrf.CsrfCookieFilter.doFilterInternal(CsrfCookieFilter.java:43) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.logout.StandardLogoutFilter.doFilterInternal(StandardLogoutFilter.java:64) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:44) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilterChain(DoSFilter.java:462) at org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51) at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:317) at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:282) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1552) at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:819) at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:436) at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:469) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575) at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717) at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1060) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181) at org.eclipse.jetty.server.Server.handle(Server.java:182) at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662) at org.eclipse.jetty.util.thread.Invocable$ReadyTask.run(Invocable.java:175) at org.eclipse.jetty.http2.server.internal.HttpStreamOverHTTP2$1.run(HttpStreamOverHTTP2.java:135) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.produce(AdaptiveExecutionStrategy.java:195) at org.eclipse.jetty.http2.HTTP2Connection.produce(HTTP2Connection.java:209) at org.eclipse.jetty.http2.HTTP2Connection.onFillable(HTTP2Connection.java:156) at org.eclipse.jetty.http2.HTTP2Connection$FillableCallback.succeeded(HTTP2Connection.java:442) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99) at org.eclipse.jetty.io.ssl.SslConnection$SslEndPoint.onFillable(SslConnection.java:575) at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:390) at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:150) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99) at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:201) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:311) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164) at java.base/java.lang.Thread.run(Thread.java:1447) Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Authentication': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 16] at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2584) at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2610) at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2618) at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:825) at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3662) at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2749) at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:867) at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:753) at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:5004) at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4910) at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3921) at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:451) ... 132 common frames omitted   nifi.properties file:- # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Core Properties # nifi.flow.configuration.file=./conf/flow.json.gz nifi.flow.configuration.archive.enabled=true nifi.flow.configuration.archive.dir=./conf/archive/ nifi.flow.configuration.archive.max.time=10 days nifi.flow.configuration.archive.max.storage=500 MB nifi.flow.configuration.archive.max.count= nifi.flowcontroller.autoResumeState=true nifi.flowcontroller.graceful.shutdown.period=20 secs nifi.flowservice.writedelay.interval=500 ms nifi.administrative.yield.duration=30 sec # If a component has no work to do (is "bored"), how long should we wait before checking again for work? nifi.bored.yield.duration=10 millis nifi.queue.backpressure.count=10000 nifi.queue.backpressure.size=1 GB nifi.authorizer.configuration.file=./conf/authorizers.xml nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml nifi.ui.banner.text= nifi.nar.library.directory=./lib nifi.nar.library.autoload.directory=./extensions nifi.nar.working.directory=./work/nar/ nifi.nar.unpack.uber.jar=false nifi.upload.working.directory=./work/uploads ##################### # Python Extensions # ##################### # Uncomment in order to enable Python Extensions. #nifi.python.command=python3 nifi.python.framework.source.directory=./python/framework nifi.python.extensions.source.directory.default=./python/extensions nifi.python.working.directory=./work/python nifi.python.max.processes=100 nifi.python.max.processes.per.extension.type=10 #################### # State Management # #################### nifi.state.management.configuration.file=./conf/state-management.xml # The ID of the local state provider nifi.state.management.provider.local=local-provider # The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster. nifi.state.management.provider.cluster=zk-provider # The Previous Cluster State Provider from which the framework will load Cluster State when the current Cluster Provider has no entries nifi.state.management.provider.cluster.previous= # Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server nifi.state.management.embedded.zookeeper.start=false # Properties file that provides the ZooKeeper properties to use if <nifi.state.management.embedded.zookeeper.start> is set to true nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties # Database Settings nifi.database.directory=./database_repository # FlowFile Repository nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository nifi.flowfile.repository.wal.implementation=org.apache.nifi.wali.SequentialAccessWriteAheadLog nifi.flowfile.repository.directory=./flowfile_repository nifi.flowfile.repository.checkpoint.interval=20 secs nifi.flowfile.repository.always.sync=false nifi.flowfile.repository.retain.orphaned.flowfiles=false nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager nifi.queue.swap.threshold=20000 # Content Repository nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository nifi.content.claim.max.appendable.size=50 KB nifi.content.repository.directory.default=./content_repository nifi.content.repository.archive.max.retention.period=1 hours nifi.content.repository.archive.max.usage.percentage=70% nifi.content.repository.archive.enabled=true nifi.content.repository.always.sync=false # Provenance Repository Properties nifi.provenance.repository.implementation=org.apache.nifi.provenance.VolatileProvenanceRepository # Persistent Provenance Repository Properties nifi.provenance.repository.directory.default=./provenance_repository nifi.provenance.repository.max.storage.time=30 days nifi.provenance.repository.max.storage.size=100 MB nifi.provenance.repository.rollover.time=30 secs nifi.provenance.repository.rollover.size=100 MB nifi.provenance.repository.query.threads=2 nifi.provenance.repository.index.threads=2 nifi.provenance.repository.compress.on.rollover=true nifi.provenance.repository.always.sync=false # Comma-separated list of fields. Fields that are not indexed will not be searchable. Valid fields are: # EventType, FlowFileUUID, Filename, TransitURI, ProcessorID, AlternateIdentifierURI, Relationship, Details nifi.provenance.repository.indexed.fields=EventType, FlowFileUUID, Filename, ProcessorID, Relationship # FlowFile Attributes that should be indexed and made searchable. Some examples to consider are filename, uuid, mime.type nifi.provenance.repository.indexed.attributes= # Large values for the shard size will result in more Java heap usage when searching the Provenance Repository # but should provide better performance nifi.provenance.repository.index.shard.size=500 MB # Indicates the maximum length that a FlowFile attribute can be when retrieving a Provenance Event from # the repository. If the length of any attribute exceeds this value, it will be truncated when the event is retrieved. nifi.provenance.repository.max.attribute.length=65536 nifi.provenance.repository.concurrent.merge.threads=2 # Volatile Provenance Respository Properties nifi.provenance.repository.buffer.size=100000 # Component and Node Status History Repository nifi.components.status.repository.implementation=org.apache.nifi.controller.status.history.VolatileComponentStatusRepository # Volatile Status History Repository Properties nifi.components.status.repository.buffer.size=1440 nifi.components.status.snapshot.frequency=1 min # QuestDB Status History Repository Properties nifi.status.repository.questdb.persist.node.days=14 nifi.status.repository.questdb.persist.component.days=3 nifi.status.repository.questdb.persist.location=./status_repository # NAR Persistence Properties nifi.nar.persistence.provider.implementation=org.apache.nifi.nar.StandardNarPersistenceProvider nifi.nar.persistence.provider.properties.directory=./nar_repository # Asset Management nifi.asset.manager.implementation=org.apache.nifi.asset.StandardAssetManager nifi.asset.manager.properties.directory=./assets # Site to Site properties nifi.remote.input.host=172.24.0.3 nifi.remote.input.secure=true nifi.remote.input.socket.port=10000 nifi.remote.input.http.enabled=false nifi.remote.input.http.transaction.ttl=30 sec nifi.remote.contents.cache.expiration=30 secs nifi.web.http.host= nifi.web.http.port= nifi.web.http.network.interface.default= ############################################# nifi.web.https.host=172.24.0.3 nifi.web.https.port=8443 nifi.web.https.network.interface.default= nifi.web.https.application.protocols=h2 http/1.1 nifi.web.jetty.working.directory=./work/jetty nifi.web.jetty.threads=200 nifi.web.max.header.size=16 KB nifi.web.proxy.context.path= nifi.web.proxy.host= nifi.web.max.content.size= nifi.web.max.requests.per.second=30000 nifi.web.max.access.token.requests.per.second=25 nifi.web.request.timeout=60 secs nifi.web.request.ip.whitelist= nifi.web.should.send.server.version=true nifi.web.request.log.format=%{client}a - %u %t "%r" %s %O "%{Referer}i" "%{User-Agent}i" # Filter JMX MBeans available through the System Diagnostics REST API nifi.web.jmx.metrics.allowed.filter.pattern= # Include or Exclude TLS Cipher Suites for HTTPS nifi.web.https.ciphersuites.include= nifi.web.https.ciphersuites.exclude= # security properties # nifi.sensitive.props.key=/02b3ljnw7Lh/Yq5NMrChoib6xdgv1Y1 nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256 nifi.security.autoreload.enabled=false nifi.security.autoreload.interval=10 secs nifi.security.keystore=/opt/nifi-2.1.0/certs/nifi_keystore.p12 nifi.security.keystore.certificate= nifi.security.keystore.privateKey= nifi.security.keystoreType=PKCS12 nifi.security.keystorePasswd=065ad6b41cf772b6a47f96cff82698f6 nifi.security.keyPasswd=065ad6b41cf772b6a47f96cff82698f6 nifi.security.truststore=/opt/nifi-2.1.0/certs/nifi_truststore.p12 nifi.security.truststore.certificate= nifi.security.truststoreType=PKCS12 nifi.security.truststorePasswd=61cac7c7fff3ab70e3fe4365192cd966 nifi.security.user.authorizer=managed-authorizer nifi.security.allow.anonymous.authentication=false nifi.security.user.login.identity.provider=oidc-provider nifi.security.user.jws.key.rotation.period=PT1H nifi.security.ocsp.responder.url= nifi.security.ocsp.responder.certificate= # OpenId Connect SSO Properties # nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXX/v2.0/.well-known/openid-configuration nifi.security.user.oidc.connect.timeout=10 secs nifi.security.user.oidc.read.timeout=10 secs nifi.security.user.oidc.client.id=XXXXXXXXXXXXXXXX nifi.security.user.oidc.client.secret=XXXXXXXXXXXXXXXXXXXXX nifi.security.user.oidc.preferred.jwsalgorithm= nifi.security.user.oidc.additional.scopes=profile nifi.security.user.oidc.claim.identifying.user=email nifi.security.user.oidc.fallback.claims.identifying.user=upn nifi.security.user.oidc.claim.groups=groups nifi.security.user.oidc.truststore.strategy=JDK nifi.security.user.oidc.token.refresh.window=60 secs # SAML Properties # nifi.security.user.saml.idp.metadata.url= nifi.security.user.saml.sp.entity.id= nifi.security.user.saml.identity.attribute.name= nifi.security.user.saml.group.attribute.name= nifi.security.user.saml.request.signing.enabled=false nifi.security.user.saml.want.assertions.signed=true nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 nifi.security.user.saml.authentication.expiration=12 hours nifi.security.user.saml.single.logout.enabled=false nifi.security.user.saml.http.client.truststore.strategy=JDK nifi.security.user.saml.http.client.connect.timeout=30 secs nifi.security.user.saml.http.client.read.timeout=30 secs nifi.cluster.protocol.heartbeat.interval=5 sec nifi.cluster.protocol.heartbeat.missable.max=8 nifi.cluster.protocol.is.secure=true # cluster node properties (only configure for cluster nodes) # nifi.cluster.is.node=true nifi.cluster.leader.election.implementation=CuratorLeaderElectionManager nifi.cluster.node.address=172.24.0.3 nifi.cluster.node.protocol.port=8082 nifi.cluster.node.protocol.max.threads=50 nifi.cluster.node.event.history.size=25 nifi.cluster.node.connection.timeout=60 secs nifi.cluster.node.read.timeout=60 secs nifi.cluster.node.max.concurrent.requests=100 nifi.cluster.firewall.file= nifi.cluster.flow.election.max.wait.time=1 mins nifi.cluster.flow.election.max.candidates=1 # cluster load balancing properties # nifi.cluster.load.balance.host=172.24.0.3 nifi.cluster.load.balance.port=6342 nifi.cluster.load.balance.connections.per.node=1 nifi.cluster.load.balance.max.thread.count=8 nifi.cluster.load.balance.comms.timeout=30 sec # zookeeper properties, used for cluster management # nifi.zookeeper.connect.string=zookeeper:2181 nifi.zookeeper.connect.timeout=30 secs nifi.zookeeper.session.timeout=30 secs nifi.zookeeper.root.node=/nifi nifi.zookeeper.client.secure=false nifi.zookeeper.security.keystore= nifi.zookeeper.security.keystoreType= nifi.zookeeper.security.keystorePasswd= nifi.zookeeper.security.truststore= nifi.zookeeper.security.truststoreType= nifi.zookeeper.security.truststorePasswd= nifi.zookeeper.jute.maxbuffer= nifi.zookeeper.auth.type= nifi.zookeeper.kerberos.removeHostFromPrincipal= nifi.zookeeper.kerberos.removeRealmFromPrincipal= # kerberos # nifi.kerberos.krb5.file=/etc/krb5.conf # kerberos service principal # nifi.kerberos.service.principal= nifi.kerberos.service.keytab.location= # analytics properties # nifi.analytics.predict.enabled=false nifi.analytics.predict.interval=3 mins nifi.analytics.query.interval=5 mins nifi.analytics.connection.model.implementation=org.apache.nifi.controller.status.analytics.models.OrdinaryLeastSquares nifi.analytics.connection.model.score.name=rSquared nifi.analytics.connection.model.score.threshold=.90 # kubernetes # nifi.cluster.leader.election.kubernetes.lease.prefix= # flow analysis properties nifi.registry.check.for.rule.violations.before.commit= # runtime monitoring properties nifi.monitor.long.running.task.schedule= nifi.monitor.long.running.task.threshold= # Enable automatic diagnostic at shutdown. nifi.diagnostics.on.shutdown.enabled=false # Include verbose diagnostic information. nifi.diagnostics.on.shutdown.verbose=false # The location of the diagnostics folder. nifi.diagnostics.on.shutdown.directory=./diagnostics # The maximum number of files permitted in the directory. If the limit is exceeded, the oldest files are deleted. nifi.diagnostics.on.shutdown.max.filecount=10 # The diagnostics folder's maximum permitted size in bytes. If the limit is exceeded, the oldest files are deleted. nifi.diagnostics.on.shutdown.max.directory.size=10 MB nifi.performance.tracking.percentage=0     ... View more

Re: Untrusted proxy error Authentication Failed o....

by Explorer in Support Questions
‎01-03-2025 07:46 AM
1 Kudo
‎01-03-2025 07:46 AM
1 Kudo
hi @MattWho , The nifi version I am using is nifi-2.1.0. currently I am using 2 Node cluster. authorizations.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <authorizations> <policies> <policy identifier="f99bccd1-a30e-3e4a-98a2-dbc708edc67f" resource="/flow" action="R"> <user identifier="9cc0191f-def9-4d5d-a553-74052a8bb43a"/> </policy> <policy identifier="b8775bd4-704a-34c6-987b-84f2daf7a515" resource="/restricted-components" action="W"> <user identifier="9cc0191f-def9-4d5d-a553-74052a8bb43a"/> </policy> <policy identifier="627410be-1717-35b4-a06f-e9362b89e0b7" resource="/tenants" action="R"> <user identifier="9cc0191f-def9-4d5d-a553-74052a8bb43a"/> </policy> <policy identifier="15e4e0bd-cb28-34fd-8587-f8d15162cba5" resource="/tenants" action="W"> <user identifier="9cc0191f-def9-4d5d-a553-74052a8bb43a"/> </policy> <policy identifier="ff96062a-fa99-36dc-9942-0f6442ae7212" resource="/policies" action="R"> <user identifier="9cc0191f-def9-4d5d-a553-74052a8bb43a"/> </policy> <policy identifier="ad99ea98-3af6-3561-ae27-5bf09e1d969d" resource="/policies" action="W"> <user identifier="9cc0191f-def9-4d5d-a553-74052a8bb43a"/> </policy> <policy identifier="2e1015cb-0fed-3005-8e0d-722311f21a03" resource="/controller" action="R"> <user identifier="9cc0191f-def9-4d5d-a553-74052a8bb43a"/> </policy> <policy identifier="c6322e6c-4cc1-3bcc-91b3-2ed2111674cf" resource="/controller" action="W"> <user identifier="9cc0191f-def9-4d5d-a553-74052a8bb43a"/> </policy> </policies> </authorizations> users.xml <tenants> <groups/> <users> <user identifier="42fb9315-4643-3735-9283-fb2720a523d7" identity="CN=172.24.0.3, OU=NIFI, O=NIFI, L=HYDRABAD, ST=TELANGANA, C=IN"/> </users> </tenants> ... View more

Re: Untrusted proxy error Authentication Failed o....

by Explorer in Support Questions
‎01-03-2025 07:25 AM
‎01-03-2025 07:25 AM
Hi @Shelton / @MattWho , The log message are :- 2025-01-03 20:30:36,418 INFO [NiFi Web Server-164] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 172.24.0.3 [<oncloudtemuser@sossourabh7687gmail.onmicrosoft.com><CN=172.24.0.3, OU=NIFI, O=NIFI, L=HYDRABAD, ST=TELANGANA, C=IN>] GET https://172.24.0.3:8443/nifi-api/flow/current-user 2025-01-03 20:30:36,419 WARN [NiFi Web Server-164] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 172.24.0.3 GET https://172.24.0.3:8443/nifi-api/flow/current-user [Untrusted proxy CN=172.24.0.3, OU=NIFI, O=NIFI, L=HYDRABAD, ST=TELANGANA, C=IN] 2025-01-03 20:30:36,423 ERROR [NiFi Web Server-51] o.a.nifi.web.api.config.ThrowableMapper An unexpected error has occurred: java.io.UncheckedIOException: Read Current User Entity failed. Returning Internal Server Error response. java.io.UncheckedIOException: Read Current User Entity failed at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:453) at org.apache.nifi.web.api.FlowResource.getCurrentUser(FlowResource.java:428) at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) at java.base/java.lang.reflect.Method.invoke(Method.java:565) at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189) at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176) at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93) at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400) at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81) at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:274) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) at org.glassfish.jersey.internal.Errors.process(Errors.java:292) at org.glassfish.jersey.internal.Errors.process(Errors.java:274) at org.glassfish.jersey.internal.Errors.process(Errors.java:244) at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266) at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253) at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696) at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397) at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312) at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205) at org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379) at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736) at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1619) at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365) at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:101) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.log.AuthenticationUserFilter.doFilterInternal(AuthenticationUserFilter.java:57) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.oidc.client.web.OidcBearerTokenRefreshFilter.doFilterInternal(OidcBearerTokenRefreshFilter.java:135) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:198) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter.doFilterInternal(OAuth2AuthorizationCodeGrantFilter.java:183) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:145) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.NiFiAuthenticationFilter.authenticate(NiFiAuthenticationFilter.java:94) at org.apache.nifi.web.security.NiFiAuthenticationFilter.doFilter(NiFiAuthenticationFilter.java:56) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.csrf.CsrfCookieFilter.doFilterInternal(CsrfCookieFilter.java:43) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.logout.StandardLogoutFilter.doFilterInternal(StandardLogoutFilter.java:64) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.apache.nifi.web.security.csrf.SkipReplicatedCsrfFilter.doFilterInternal(SkipReplicatedCsrfFilter.java:59) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:44) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilterChain(DoSFilter.java:462) at org.apache.nifi.web.server.filter.DataTransferExcludedDoSFilter.doFilterChain(DataTransferExcludedDoSFilter.java:51) at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:317) at org.eclipse.jetty.ee10.servlets.DoSFilter.doFilter(DoSFilter.java:282) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.apache.nifi.web.server.log.RequestAuthenticationFilter.doFilterInternal(RequestAuthenticationFilter.java:59) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205) at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1591) at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1552) at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:819) at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:436) at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:469) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575) at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717) at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1060) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181) at org.eclipse.jetty.server.Server.handle(Server.java:182) at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662) at org.eclipse.jetty.util.thread.Invocable$ReadyTask.run(Invocable.java:175) at org.eclipse.jetty.http2.server.internal.HttpStreamOverHTTP2$1.run(HttpStreamOverHTTP2.java:135) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.produce(AdaptiveExecutionStrategy.java:195) at org.eclipse.jetty.http2.HTTP2Connection.produce(HTTP2Connection.java:209) at org.eclipse.jetty.http2.HTTP2Connection.onFillable(HTTP2Connection.java:156) at org.eclipse.jetty.http2.HTTP2Connection$FillableCallback.succeeded(HTTP2Connection.java:442) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99) at org.eclipse.jetty.io.ssl.SslConnection$SslEndPoint.onFillable(SslConnection.java:575) at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:390) at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:150) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99) at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:201) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:311) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164) at java.base/java.lang.Thread.run(Thread.java:1447) Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Authentication': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 16] at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2584) at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2610) at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2618) at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:825) at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._reportInvalidToken(UTF8StreamJsonParser.java:3662) at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._handleUnexpectedValue(UTF8StreamJsonParser.java:2749) at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject(UTF8StreamJsonParser.java:867) at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:753) at com.fasterxml.jackson.databind.ObjectMapper._initForReading(ObjectMapper.java:5004) at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4910) at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3921) at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:451) ... 132 common frames omitted ... View more

Re: Untrusted proxy error Authentication Failed o....

by Explorer in Support Questions
‎01-03-2025 07:09 AM
‎01-03-2025 07:09 AM
Hi @MattWho / @Shelton , None of the solutions you provided are working. I am still encountering the same error mentioned earlier, along with the message in the UI. Is there any possible solution for this? Any help would be appreciated. Thanks, spiker ... View more

Re: Untrusted proxy error Authentication Failed o....

by Explorer in Support Questions
‎01-03-2025 12:00 AM
1 Kudo
‎01-03-2025 12:00 AM
1 Kudo
Hi @MattWho, Could you please help me resolve the issue I mentioned above? I would be very grateful if you could take a moment to look at my question and provide some guidance or insights. ... View more

Untrusted proxy error Authentication Failed o.a.n....

by Explorer in Support Questions
‎01-02-2025 08:02 PM
‎01-02-2025 08:02 PM
I'm currently facing an issue with implementing OpenID Connect (OIDC) authentication in Apache NiFi. And I am putting my NIFI in the kubernets. so, I am with the NIFI containers. Error Overview: I receive the following error in the NiFi logs: 2025-01-02 10:29:05,167 INFO [NiFi Web Server-52] o.a.n.w.s.NiFiAuthenticationFilter Authentication Started 172.24.0.3 [<oncloudtemuser@sossourabh7687gmail.onmicrosoft.com><CN=172.24.0.3, OU=NIFI, O=NIFI, L=HYDRABAD, ST=TELANGANA, C=IN>] GET https://172.24.0.3:8443/nifi-api/flow/current-user 2025-01-02 10:29:05,173 WARN [NiFi Web Server-52] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 172.24.0.3 GET https://172.24.0.3:8443/nifi-api/flow/current-user [Untrusted proxy CN=172.24.0.3, OU=NIFI, O=NIFI, L=HYDRABAD, ST=TELANGANA, C=IN] 2025-01-02 10:29:05,207 ERROR [NiFi Web Server-190] o.a.nifi.web.api.config.ThrowableMapper An unexpected error has occurred: java.io.UncheckedIOException: Read Current User Entity failed. Returning Internal Server Error response. Error Details: The logs indicate a JsonParseException when trying to read the current user entity, and the Untrusted proxy warning appears to be a potential cause: Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Authentication': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 16] This seems to be a token parsing issue where an unexpected token (Authentication) is encountered, possibly due to a misconfigured authentication header or an issue with the proxy setup.  nifi.properties file # Core Properties # nifi.flow.configuration.file=./conf/flow.json.gz nifi.flow.configuration.archive.enabled=true nifi.flow.configuration.archive.dir=./conf/archive/ nifi.flow.configuration.archive.max.time=10 days nifi.flow.configuration.archive.max.storage=500 MB nifi.flow.configuration.archive.max.count= nifi.flowcontroller.autoResumeState=true nifi.flowcontroller.graceful.shutdown.period=20 secs nifi.flowservice.writedelay.interval=500 ms nifi.administrative.yield.duration=30 sec # If a component has no work to do (is "bored"), how long should we wait before checking again for work? nifi.bored.yield.duration=10 millis nifi.queue.backpressure.count=10000 nifi.queue.backpressure.size=1 GB nifi.authorizer.configuration.file=./conf/authorizers.xml nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml nifi.ui.banner.text=nifi-dev nifi.nar.library.directory=./lib nifi.nar.library.autoload.directory=./extensions nifi.nar.working.directory=./work/nar/ nifi.nar.unpack.uber.jar=false nifi.upload.working.directory=./work/uploads ##################### # Python Extensions # ##################### # Uncomment in order to enable Python Extensions. #nifi.python.command=python3 nifi.python.framework.source.directory=./python/framework nifi.python.extensions.source.directory.default=./python/extensions nifi.python.working.directory=./work/python nifi.python.max.processes=100 nifi.python.max.processes.per.extension.type=10 #################### # State Management # #################### nifi.state.management.configuration.file=./conf/state-management.xml # The ID of the local state provider nifi.state.management.provider.local=local-provider # The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster. nifi.state.management.provider.cluster=zk-provider # The Previous Cluster State Provider from which the framework will load Cluster State when the current Cluster Provider has no entries nifi.state.management.provider.cluster.previous= # Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server nifi.state.management.embedded.zookeeper.start=false # Properties file that provides the ZooKeeper properties to use if <nifi.state.management.embedded.zookeeper.start> is set to true nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties # Database Settings nifi.database.directory=./database_repository # FlowFile Repository nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository nifi.flowfile.repository.wal.implementation=org.apache.nifi.wali.SequentialAccessWriteAheadLog nifi.flowfile.repository.directory=./flowfile_repository nifi.flowfile.repository.checkpoint.interval=20 secs nifi.flowfile.repository.always.sync=false nifi.flowfile.repository.retain.orphaned.flowfiles=false nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager nifi.queue.swap.threshold=20000 # Content Repository nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository nifi.content.claim.max.appendable.size=50 KB nifi.content.repository.directory.default=./content_repository nifi.content.repository.archive.max.retention.period=1 hours nifi.content.repository.archive.max.usage.percentage=70% nifi.content.repository.archive.enabled=true nifi.content.repository.always.sync=false # Provenance Repository Properties nifi.provenance.repository.implementation=org.apache.nifi.provenance.VolatileProvenanceRepository # Persistent Provenance Repository Properties nifi.provenance.repository.directory.default=./provenance_repository nifi.provenance.repository.max.storage.time=30 days nifi.provenance.repository.max.storage.size=100 MB nifi.provenance.repository.rollover.time=30 secs nifi.provenance.repository.rollover.size=100 MB nifi.provenance.repository.query.threads=2 nifi.provenance.repository.index.threads=2 nifi.provenance.repository.compress.on.rollover=true nifi.provenance.repository.always.sync=false # Comma-separated list of fields. Fields that are not indexed will not be searchable. Valid fields are: # EventType, FlowFileUUID, Filename, TransitURI, ProcessorID, AlternateIdentifierURI, Relationship, Details nifi.provenance.repository.indexed.fields=EventType, FlowFileUUID, Filename, ProcessorID, Relationship # FlowFile Attributes that should be indexed and made searchable.  Some examples to consider are filename, uuid, mime.type nifi.provenance.repository.indexed.attributes= # Large values for the shard size will result in more Java heap usage when searching the Provenance Repository # but should provide better performance nifi.provenance.repository.index.shard.size=500 MB # Indicates the maximum length that a FlowFile attribute can be when retrieving a Provenance Event from # the repository. If the length of any attribute exceeds this value, it will be truncated when the event is retrieved. nifi.provenance.repository.max.attribute.length=65536 nifi.provenance.repository.concurrent.merge.threads=2 # Volatile Provenance Respository Properties nifi.provenance.repository.buffer.size=100000 # Component and Node Status History Repository nifi.components.status.repository.implementation=org.apache.nifi.controller.status.history.VolatileComponentStatusRepository # Volatile Status History Repository Properties nifi.components.status.repository.buffer.size=1440 nifi.components.status.snapshot.frequency=1 min # QuestDB Status History Repository Properties nifi.status.repository.questdb.persist.node.days=14 nifi.status.repository.questdb.persist.component.days=3 nifi.status.repository.questdb.persist.location=./status_repository # NAR Persistence Properties nifi.nar.persistence.provider.implementation=org.apache.nifi.nar.StandardNarPersistenceProvider nifi.nar.persistence.provider.properties.directory=./nar_repository # Asset Management nifi.asset.manager.implementation=org.apache.nifi.asset.StandardAssetManager nifi.asset.manager.properties.directory=./assets # Site to Site properties nifi.remote.input.host=172.24.0.3 nifi.remote.input.secure=true nifi.remote.input.socket.port=10000 nifi.remote.input.http.enabled=false nifi.remote.input.http.transaction.ttl=30 sec nifi.remote.contents.cache.expiration=30 secs # web properties # ############################################# # For security, NiFi will present the UI on 127.0.0.1 and only be accessible through this loopback interface. # Be aware that changing these properties may affect how your instance can be accessed without any restriction. # We recommend configuring HTTPS instead. The administrators guide provides instructions on how to do this. nifi.web.http.host= nifi.web.http.port= nifi.web.http.network.interface.default= ############################################# nifi.web.https.host=172.24.0.3 nifi.web.https.port=8443 nifi.web.https.network.interface.default= nifi.web.https.application.protocols=h2 http/1.1 nifi.web.jetty.working.directory=./work/jetty nifi.web.jetty.threads=200 nifi.web.max.header.size=16 KB nifi.web.proxy.context.path= nifi.web.proxy.host= nifi.web.max.content.size= nifi.web.max.requests.per.second=30000 nifi.web.max.access.token.requests.per.second=25 nifi.web.request.timeout=60 secs nifi.web.request.ip.whitelist= nifi.web.should.send.server.version=true nifi.web.request.log.format=%{client}a - %u %t "%r" %s %O "%{Referer}i" "%{User-Agent}i" # Filter JMX MBeans available through the System Diagnostics REST API nifi.web.jmx.metrics.allowed.filter.pattern= # Include or Exclude TLS Cipher Suites for HTTPS nifi.web.https.ciphersuites.include= nifi.web.https.ciphersuites.exclude= # security properties # nifi.sensitive.props.key=/02b3ljnw7Lh/Yq5NMrChoib6xdgv1Y1 nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256 nifi.security.autoreload.enabled=false nifi.security.autoreload.interval=10 secs nifi.security.keystore=/opt/nifi-2.1.0/certs/nifi_keystore.p12 nifi.security.keystore.certificate=/opt/nifi-2.1.0/certs/nifi.crt nifi.security.keystore.privateKey=/opt/nifi-2.1.0/certs/nifi.key nifi.security.keystoreType=PKCS12 nifi.security.keystorePasswd=065ad6b41cf772b6a47f96cff82698f6 nifi.security.keyPasswd=065ad6b41cf772b6a47f96cff82698f6 nifi.security.truststore=/opt/nifi-2.1.0/certs/nifi_truststore.p12 nifi.security.truststore.certificate=/opt/nifi-2.1.0/certs/rootCA.pem nifi.security.truststoreType=PKCS12 nifi.security.truststorePasswd=61cac7c7fff3ab70e3fe4365192cd966 nifi.security.user.authorizer=managed-authorizer nifi.security.allow.anonymous.authentication=false nifi.security.user.login.identity.provider= nifi.security.user.jws.key.rotation.period=PT1H nifi.security.ocsp.responder.url= nifi.security.ocsp.responder.certificate= # OpenId Connect SSO Properties # nifi.security.user.oidc.discovery.url=https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXXXXXX/v2.0/.well-known/openid-configuration nifi.security.user.oidc.connect.timeout=10 secs nifi.security.user.oidc.read.timeout=10 secs nifi.security.user.oidc.client.id=XXXXXXXXXXXXXXXX nifi.security.user.oidc.client.secret=XXXXXXXXXXXXXXXXXXXXX nifi.security.user.oidc.preferred.jwsalgorithm= nifi.security.user.oidc.additional.scopes=profile nifi.security.user.oidc.claim.identifying.user=email nifi.security.user.oidc.fallback.claims.identifying.user=upn nifi.security.user.oidc.claim.groups=groups nifi.security.user.oidc.truststore.strategy=JDK nifi.security.user.oidc.token.refresh.window=60 secs # SAML Properties # nifi.security.user.saml.idp.metadata.url= nifi.security.user.saml.sp.entity.id= nifi.security.user.saml.identity.attribute.name= nifi.security.user.saml.group.attribute.name= nifi.security.user.saml.request.signing.enabled=false nifi.security.user.saml.want.assertions.signed=true nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 nifi.security.user.saml.authentication.expiration=12 hours nifi.security.user.saml.single.logout.enabled=false nifi.security.user.saml.http.client.truststore.strategy=JDK nifi.security.user.saml.http.client.connect.timeout=30 secs nifi.security.user.saml.http.client.read.timeout=30 secs # Identity Mapping Properties # # These properties allow normalizing user identities such that identities coming from different identity providers # (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing # DNs from certificates and principals from Kerberos into a common identity string: # # nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$ # nifi.security.identity.mapping.value.dn=$1@$2 # nifi.security.identity.mapping.transform.dn=NONE # nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$ # nifi.security.identity.mapping.value.kerb=$1@$2 # nifi.security.identity.mapping.transform.kerb=UPPER # Group Mapping Properties # # These properties allow normalizing group names coming from external sources like LDAP. The following example # lowercases any group name. # # nifi.security.group.mapping.pattern.anygroup=^(.*)$ # nifi.security.group.mapping.value.anygroup=$1 # nifi.security.group.mapping.transform.anygroup=LOWER # cluster common properties (all nodes must have same values) # nifi.cluster.protocol.heartbeat.interval=5 sec nifi.cluster.protocol.heartbeat.missable.max=8 nifi.cluster.protocol.is.secure=true # cluster node properties (only configure for cluster nodes) # nifi.cluster.is.node=true nifi.cluster.leader.election.implementation=CuratorLeaderElectionManager nifi.cluster.node.address=172.24.0.3 nifi.cluster.node.protocol.port=8082 nifi.cluster.node.protocol.max.threads=50 nifi.cluster.node.event.history.size=25 nifi.cluster.node.connection.timeout=60 secs nifi.cluster.node.read.timeout=60 secs nifi.cluster.node.max.concurrent.requests=100 nifi.cluster.firewall.file= nifi.cluster.flow.election.max.wait.time=1 mins nifi.cluster.flow.election.max.candidates=1 # cluster load balancing properties # nifi.cluster.load.balance.host=172.24.0.3 nifi.cluster.load.balance.port=6342 nifi.cluster.load.balance.connections.per.node=1 nifi.cluster.load.balance.max.thread.count=8 nifi.cluster.load.balance.comms.timeout=30 sec # zookeeper properties, used for cluster management # nifi.zookeeper.connect.string=zookeeper:2181 nifi.zookeeper.connect.timeout=30 secs nifi.zookeeper.session.timeout=30 secs nifi.zookeeper.root.node=/nifi nifi.zookeeper.client.secure=false nifi.zookeeper.security.keystore= nifi.zookeeper.security.keystoreType= nifi.zookeeper.security.keystorePasswd= nifi.zookeeper.security.truststore= nifi.zookeeper.security.truststoreType= nifi.zookeeper.security.truststorePasswd= nifi.zookeeper.jute.maxbuffer= # Zookeeper properties for the authentication scheme used when creating acls on znodes used for cluster management # Values supported for nifi.zookeeper.auth.type are "default", which will apply world/anyone rights on znodes # and "sasl" which will give rights to the sasl/kerberos identity used to authenticate the nifi node # The identity is determined using the value in nifi.kerberos.service.principal and the removeHostFromPrincipal # and removeRealmFromPrincipal values (which should align with the kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal # values configured on the zookeeper server). nifi.zookeeper.auth.type= nifi.zookeeper.kerberos.removeHostFromPrincipal= nifi.zookeeper.kerberos.removeRealmFromPrincipal= # kerberos # nifi.kerberos.krb5.file=/etc/krb5.conf # kerberos service principal # nifi.kerberos.service.principal= nifi.kerberos.service.keytab.location= # analytics properties # nifi.analytics.predict.enabled=false nifi.analytics.predict.interval=3 mins nifi.analytics.query.interval=5 mins nifi.analytics.connection.model.implementation=org.apache.nifi.controller.status.analytics.models.OrdinaryLeastSquares nifi.analytics.connection.model.score.name=rSquared nifi.analytics.connection.model.score.threshold=.90 # kubernetes # nifi.cluster.leader.election.kubernetes.lease.prefix= # flow analysis properties nifi.registry.check.for.rule.violations.before.commit= # runtime monitoring properties nifi.monitor.long.running.task.schedule= nifi.monitor.long.running.task.threshold= # Enable automatic diagnostic at shutdown. nifi.diagnostics.on.shutdown.enabled=false # Include verbose diagnostic information. nifi.diagnostics.on.shutdown.verbose=false # The location of the diagnostics folder. nifi.diagnostics.on.shutdown.directory=./diagnostics # The maximum number of files permitted in the directory. If the limit is exceeded, the oldest files are deleted. nifi.diagnostics.on.shutdown.max.filecount=10 # The diagnostics folder's maximum permitted size in bytes. If the limit is exceeded, the oldest files are deleted. nifi.diagnostics.on.shutdown.max.directory.size=10 MB # Performance tracking properties ## Specifies what percentage of the time we should track the amount of time processors are using CPU, reading from/writing to content repo, etc. ## This can be useful to understand which components are the most expensive and to understand where system bottlenecks may be occurring. ## The value must be in the range of 0 (inclusive) to 100 (inclusive). A larger value will produce more accurate results, while a smaller value may be ## less expensive to compute. ## Results can be obtained by running "nifi.sh diagnostics <filename>" and then inspecting the produced file. nifi.performance.tracking.percentage=0 # NAR Provider Properties # # These properties allow configuring one or more NAR providers. A NAR provider retrieves NARs from an external source # and copies them to the directory specified by nifi.nar.library.autoload.directory. # # Each NAR provider property follows the format: #  nifi.nar.library.provider.<identifier>.<property-name> # # Each NAR provider must have at least one property named "implementation". # # Example HDFS NAR Provider: #   nifi.nar.library.provider.hdfs.implementation=org.apache.nifi.flow.resource.hadoop.HDFSExternalResourceProvider #   nifi.nar.library.provider.hdfs.resources=/path/to/core-site.xml,/path/to/hdfs-site.xml #   nifi.nar.library.provider.hdfs.storage.location=hdfs://hdfs-location #   nifi.nar.library.provider.hdfs.source.directory=/nars #   nifi.nar.library.provider.hdfs.kerberos.principal=nifi@NIFI.COM #   nifi.nar.library.provider.hdfs.kerberos.keytab=/path/to/nifi.keytab #   nifi.nar.library.provider.hdfs.kerberos.password= # # Example NiFi Registry NAR Provider: #   nifi.nar.library.provider.nifi-registry.implementation=org.apache.nifi.registry.extension.NiFiRegistryExternalResourceProvider #   nifi.nar.library.provider.nifi-registry.url=http://localhost:18080 authorizers.xml file <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <authorizers>     <userGroupProvider>         <identifier>file-user-group-provider</identifier>         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>         <property name="Users File">./conf/users.xml</property>         <property name="Legacy Authorized Users File"></property>     </userGroupProvider>     <userGroupProvider>         <identifier>aad-user-group-provider</identifier>         <class>org.apache.nifi.authorization.azure.AzureGraphUserGroupProvider</class>         <property name="Refresh Delay">5 mins</property>         <property name="Authority Endpoint">https://login.microsoftonline.com</property>         <property name="Directory ID">XXXXXXXXXXXXXXXXX</property>         <property name="Application ID">XXXXXXXXXXXXXXXXX</property>         <property name="Client Secret">XXXXXXXXXXXXXXXXX</property>         <property name="Group Filter Prefix">Nifi-AAD</property>         <property name="Page Size">100</property>     </userGroupProvider>     <userGroupProvider>         <identifier>composite-configurable-user-group-provider</identifier>         <class>org.apache.nifi.authorization.CompositeConfigurableUserGroupProvider</class>         <property name="Configurable User Group Provider">file-user-group-provider</property>         <property name="User Group Provider 1">aad-user-group-provider</property>     </userGroupProvider>     <accessPolicyProvider>         <identifier>file-access-policy-provider</identifier>         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>         <property name="User Group Provider">composite-configurable-user-group-provider</property>         <property name="Authorizations File">./conf/authorizations.xml</property>         <property name="Initial Admin Identity">oncloudtemuser@sossourabh7687gmail.onmicrosoft.com</property>         <property name="Legacy Authorized Users File"></property>         <property name="Node Identity 1"></property>     </accessPolicyProvider>     <authorizer>         <identifier>managed-authorizer</identifier>         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>         <property name="Access Policy Provider">file-access-policy-provider</property>     </authorizer> </authorizers> Thank you for your help! ... View more
Labels:
Contact Me
Online
Online
Last Visited
‎01-07-2025 02:36 AM
Community Statistics
Member Since ‎01-02-2025 04:51 AM
Last Visited ‎01-07-2025 02:36 AM
Posts 8
Kudos received 2