Member since 05-13-2025
7 Posts
0 Kudos Received
0 Solutions

07-23-2025 05:48 AM
Hello Cloudera Support,

We are running an environment based on Apache Ambari, where Apache Log4j 1.x is in use. The identified security vulnerabilities are:

- CVE-2019-17571 – Insecure deserialization via SocketServer
- CVE-2020-9488 – TLS certificate hostname validation issue in SMTPAppender
- CVE-2022-23302 – Unprotected JNDI usage in JMSSink

Since Log4j 1.x has reached End of Life (EOL), no security updates are available. Additionally, in our Ambari environment, upgrading to Log4j 2 is not supported by Cloudera, and therefore a version upgrade is not an option.

Questions

1. Is there a supported workaround for Log4j 1.x similar to the official solution (cloudera-scripts-for-log4j) you provided for Log4j 2.x vulnerabilities?
2. Would manually removing the vulnerable classes (e.g., SocketServer.class, JMSSink.class, JMSAppender.class, SMTPAppender.class) from the Log4j 1.x JAR files cause any service interruptions or functional issues in Ambari or Hadoop components (HDFS, YARN, HBase, Hive, Kafka, etc.)?
3. Are these classes actively used by default in an Ambari environment, or can they be safely removed?
4. Do you have a supported approach to temporarily mitigate these vulnerabilities in an Ambari environment?

Current Situation

For Log4j 2.x vulnerabilities, the official Cloudera scripts were used to remove the affected classes. However, since Log4j 1.x is used in the Ambari environment, we are looking for a similar workaround. Could you please share the official and supported best approach for this case?

I would appreciate your assistance on this matter.
Labels: Apache Ambari
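As an added example (not one of the Cloudera scripts the post refers to, and not Ambari or Cloudera code), a Python inventory over the jars on a host: it recognises Log4j 1.x jars by their class entries rather than by file name, so shaded or renamed copies are found too, lists which of the four classes named in the post are present, and can write a stripped copy of a jar to a separate path. The class paths are the upstream Log4j 1.x locations; using org/apache/log4j/Logger.class as the marker for a 1.x jar is my assumption.

```python
"""Inventory jars for the Log4j 1.x classes named in CVE-2019-17571 (SocketServer),
CVE-2020-9488 (SMTPAppender) and CVE-2022-23302 (JMSSink), and write a stripped copy."""
import os
import zipfile

# Entry paths inside the jar for the classes listed in the post (upstream Log4j 1.x layout).
VULNERABLE_ENTRIES = {
    "org/apache/log4j/net/SocketServer.class",  # CVE-2019-17571
    "org/apache/log4j/net/SMTPAppender.class",  # CVE-2020-9488
    "org/apache/log4j/net/JMSSink.class",       # CVE-2022-23302
    "org/apache/log4j/net/JMSAppender.class",
}
# Assumption: this entry marks a jar carrying the Log4j 1.x API (Log4j 2 lives under
# org/apache/logging/log4j). The log4j-1.2-api bridge matches too but has none of the above.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"


def vulnerable_entries(jar_path):
    """Vulnerable entries present in jar_path, sorted; [] if it is not a Log4j 1.x jar."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
    except zipfile.BadZipFile:
        return []
    if LOG4J1_MARKER not in names:
        return []
    return sorted(names & VULNERABLE_ENTRIES)


def scan_tree(root):
    """Map every affected archive under root to its vulnerable entries."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith((".jar", ".war", ".zip")):
                path = os.path.join(dirpath, name)
                hits = vulnerable_entries(path)
                if hits:
                    findings[path] = hits
    return findings


def strip_entries(src_jar, dst_jar):
    """Copy src_jar to dst_jar without the vulnerable entries; src_jar is not modified."""
    removed = []
    with zipfile.ZipFile(src_jar) as zin, zipfile.ZipFile(dst_jar, "w") as zout:
        for info in zin.infolist():
            if info.filename in VULNERABLE_ENTRIES:
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))  # keeps per-entry metadata
    return sorted(removed)
```

Run scan_tree over the stack's install root first and keep the report; only swap in a stripped jar for a service that the report shows actually ships the entries, after the original has been backed up.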
06-19-2025 03:08 AM
Hello,

I have set up a 4-node NiFi 2.4.0 cluster. When I attempt to clear the queue from the NiFi UI, I encounter the following error:

Node x.x.x.x:8443 is unable to fulfill this request due to: Unable to modify the data for Processor with ID d3a802c6-0196-1000-ffff-ffff90fdc7b8. Contact the system administrator.

My user has admin privileges with both operate and modify permissions granted.

As a workaround, I disconnected each node from the cluster one by one, cleared the queues locally on each node, and then reconnected them back to the cluster. While this temporarily resolved the issue, it is not a practical or sustainable solution. I am looking for a permanent fix to this issue.

I would appreciate your assistance on this matter.
Labels: Apache NiFi
05-21-2025 03:40 AM
Hello,

I have a 3-node NiFi cluster, and I want to manage it using NiFi Registry. I configured both NiFi and NiFi Registry with a single certificate using the TLS Toolkit. I also set up LDAP integration. I can successfully connect to both NiFi and NiFi Registry individually using my LDAP users. However, the LDAP user that I added and authorized in the Registry does not appear in NiFi. With the certificate user, I can view the bucket in NiFi Registry from NiFi and perform flow version control. But I cannot do this with my LDAP user.

NOTE: Even if I generate separate certificates for NiFi and NiFi Registry and trust each certificate independently, the certificate user does not have permission to view the bucket. This is because the certificate user from the Registry is also not created in NiFi. For this reason, I generated both from the same certificate.

Nifi / Nifi Registry version: 1.28.1

Nifi Registry nifi-registry.properties

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# web properties #
nifi.registry.web.war.directory=./lib
nifi.registry.web.http.host=
nifi.registry.web.http.port=
nifi.registry.web.https.host=vtmnosqlnifip04.yyy.com
nifi.registry.web.https.port=18084
nifi.registry.web.https.application.protocols=http/1.1
nifi.registry.web.jetty.working.directory=./work/jetty
nifi.registry.web.jetty.threads=200
nifi.registry.web.should.send.server.version=true

# security properties #
nifi.registry.security.keystore=/data/certs/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=PBSckF3zHJj8h7iAsZqes2zJhXyzjXVanE0F8Cy4NEA
nifi.registry.security.keyPasswd=PBSckF3zHJj8h7iAsZqes2zJhXyzjXVanE0F8Cy4NEA
nifi.registry.security.truststore=/data/certs/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=rFXj+NsPyiH1tf43/sD6NCYW9mdXI9hZs+T/8DHs8b4
nifi.registry.security.needClientAuth=false
nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-identity-provider

# sensitive property protection properties #
# nifi.registry.sensitive.props.additional.keys=

# providers properties #
nifi.registry.providers.configuration.file=./conf/providers.xml

# registry alias properties #
nifi.registry.registry.alias.configuration.file=./conf/registry-aliases.xml

# extensions working dir #
nifi.registry.extensions.working.directory=./work/extensions

# legacy database properties, used to migrate data from original DB to new DB below
# NOTE: Users upgrading from 0.1.0 should leave these populated, but new installs after 0.1.0 should leave these empty
nifi.registry.db.directory=
nifi.registry.db.url.append=

# database properties
nifi.registry.db.url=jdbc:h2:./database/nifi-registry-primary;AUTOCOMMIT=OFF;DB_CLOSE_ON_EXIT=FALSE;LOCK_MODE=3;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.registry.db.driver.class=org.h2.Driver
nifi.registry.db.driver.directory=
nifi.registry.db.username=nifireg
nifi.registry.db.password=nifireg
nifi.registry.db.maxConnections=5
nifi.registry.db.sql.debug=false

# extension directories #
#
# Each property beginning with "nifi.registry.extension.dir." will be treated as location for an extension,
# and a class loader will be created for each location, with the system class loader as the parent
#
#nifi.registry.extension.dir.1=/path/to/extension1
#nifi.registry.extension.dir.2=/path/to/extension2
nifi.registry.extension.dir.aws=./ext/aws/lib

# Identity Mapping Properties #
#
# These properties allow normalizing user identities such that identities coming from different identity providers
# (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
# DNs from certificates and principals from Kerberos into a common identity string:
#
# nifi.registry.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
# nifi.registry.security.identity.mapping.value.dn=$1@$2
# nifi.registry.security.identity.mapping.transform.dn=NONE
# nifi.registry.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.registry.security.identity.mapping.value.kerb=$1@$2
# nifi.registry.security.identity.mapping.transform.kerb=UPPER

# Group Mapping Properties #
#
# These properties allow normalizing group names coming from external sources like LDAP. The following example
# lowercases any group name.
#
# nifi.registry.security.group.mapping.pattern.anygroup=^(.*)$
# nifi.registry.security.group.mapping.value.anygroup=$1
# nifi.registry.security.group.mapping.transform.anygroup=LOWER

# kerberos properties #
#nifi.registry.kerberos.krb5.file=
#nifi.registry.kerberos.spnego.principal=
#nifi.registry.kerberos.spnego.keytab.location=
#nifi.registry.kerberos.spnego.authentication.expiration=12 hours

# OIDC #
#nifi.registry.security.user.oidc.discovery.url=
#nifi.registry.security.user.oidc.connect.timeout=
#nifi.registry.security.user.oidc.read.timeout=
#nifi.registry.security.user.oidc.client.id=
#nifi.registry.security.user.oidc.client.secret=
#nifi.registry.security.user.oidc.preferred.jwsalgorithm=

# revision management #
# This feature should remain disabled until a future NiFi release that supports the revision API changes
nifi.registry.revisions.enabled=false

Nifi Registry authorizers.xml

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial User Identity 1">CN=nifi_amadeus_admin</property>
        <property name="Initial User Identity 2">CN=vtmnosqlnifip04.yyy.com, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=vtmnosqlnifip03.yyy.com, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=vtmnosqlnifip02.yyy.com, OU=NIFI</property>
        <property name="Initial User Identity 5">CN=vtmnosqlnifip01.yyy.com, OU=NIFI</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=nifi_amadeus_admin</property>
        <property name="Node Identity 1">CN=vtmnosqlnifip04.yyy.com, OU=NIFI</property>
        <property name="NiFi Group Name"></property>
        <property name="NiFi Identity 1">CN=vtmnosqlnifip01.yyy.com, OU=NIFI</property>
        <property name="NiFi Identity 2">CN=vtmnosqlnifip02.yyy.com, OU=NIFI</property>
        <property name="NiFi Identity 3">CN=vtmnosqlnifip03.yyy.com, OU=NIFI</property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.registry.security.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

Nifi Registry identity-providers.xml

<identityProviders>
    <provider>
        <identifier>ldap-identity-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">CN=service_user,CN=Users,DC=xxx,DC=yyy,DC=com</property>
        <property name="Manager Password">OPGwqvD8YrHi</property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="TLS - Keystore">/data/certs/keystore.jks</property>
        <property name="TLS - Keystore Password">PBSckF3zHJj8h7iAsZqes2zJhXyzjXVanE0F8Cy4NEA</property>
        <property name="TLS - Keystore Type">JKS</property>
        <property name="TLS - Truststore">/data/certs/truststore.jks</property>
        <property name="TLS - Truststore Password">rFXj+NsPyiH1tf43/sD6NCYW9mdXI9hZs+T/8DHs8b4</property>
        <property name="TLS - Truststore Type">JKS</property>
        <property name="TLS - Client Auth">NONE</property>
        <property name="TLS - Protocol">TLS</property>
        <property name="TLS - Shutdown Gracefully">true</property>
        <property name="Url">ldaps://ldap.xxx.yyy.com:636</property>
        <property name="User Search Base">CN=Users,DC=xxx,DC=yyy,DC=com</property>
        <property name="User Search Filter">(&(objectClass=user)(sAMAccountName={0}))</property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</identityProviders>

I would appreciate your assistance on this matter.
Labels: Apache NiFi
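An added consistency check for the situation in this post (my code, not part of NiFi or NiFi Registry): both products' FileUserGroupProvider persist users as <tenants><users><user identity="..."/></users></tenants>, and a user is only authorized across the NiFi to Registry hop when the identical identity string exists on both sides, so the script diffs the two users.xml files and also surfaces pairs that differ only in case. The file contents are passed in as strings; the sample documents in the test are constructed.

```python
"""Diff the user identities held by a NiFi users.xml and a NiFi Registry users.xml.
An LDAP user created only in the Registry is unknown to NiFi and therefore cannot be
granted bucket access from NiFi, which is the symptom described in the post."""
import xml.etree.ElementTree as ET


def load_identities(users_xml):
    """Set of identity strings of every <user> element in a users.xml document."""
    root = ET.fromstring(users_xml)
    return {u.get("identity") for u in root.iter("user") if u.get("identity")}


def compare_identities(nifi_users_xml, registry_users_xml):
    """Report identities missing on either side and pairs that differ only in case."""
    nifi = load_identities(nifi_users_xml)
    registry = load_identities(registry_users_xml)
    # Case-insensitive index: 'JDoe' and 'jdoe' are two different users to NiFi unless an
    # identity mapping transform (for example LOWER) normalizes them on both sides.
    nifi_ci = {i.lower(): i for i in nifi}
    registry_ci = {i.lower(): i for i in registry}
    case_only = sorted(
        (nifi_ci[k], registry_ci[k])
        for k in nifi_ci.keys() & registry_ci.keys()
        if nifi_ci[k] != registry_ci[k]
    )
    nifi_near = {a for a, _ in case_only}
    registry_near = {b for _, b in case_only}
    return {
        "only_in_nifi": sorted(nifi - registry - nifi_near),
        "only_in_registry": sorted(registry - nifi - registry_near),
        "case_only_difference": case_only,
    }
```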
05-13-2025 03:37 AM
I set up a 4-node NiFi cluster and generated certificates. When I try to log in using my certificate user nifi_admin, I get the error: "An unexpected error has occurred. Please check the logs for additional details."

When I checked the logs, I saw that the nodes in the cluster were encountering the following errors when trying to connect to the coordinator node.

The node I connect to the interface: https://vtmrt3anifit01.x.com:8443/nifi/

The error received in the nifi-user.log file on this machine is as follows:

ERROR [NiFi Web Server-221] o.a.nifi.web.api.config.ThrowableMapper An unexpected error has occurred: java.io.UncheckedIOException: Read Current User Entity failed. Returning Internal Server Error response.
java.io.UncheckedIOException: Read Current User Entity failed
    at org.apache.nifi.web.api.FlowResource.readReplicatedCurrentUserEntity(FlowResource.java:446)
    at org.apache.nifi.web.api.FlowResource.getCurrentUser(FlowResource.java:421)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
    .
    .
Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Authentication': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 16]
    at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:2584)
    at com.fasterxml.jackson.core.JsonParser._constructReadException(JsonParser.java:2610)

The error received in the nifi-user.log file of other nodes in the cluster is as follows:

WARN [NiFi Web Server-37] o.a.n.w.s.NiFiAuthenticationFilter Authentication Failed 10.84.2.184 GET https://vtmrt3anifit01.x.com:8443/nifi-api/flow/current-user [Untrusted proxy CN=vtmrt3anifit04.x.com, OU=NIFI]

nifi.properties

.
nifi.sensitive.props.key=6y3hk3TWqOV0E2B1AHHikAqKH8lbqo84
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=/data/cert/keystore.jks
nifi.security.keystoreType=jks
nifi.security.keystorePasswd=UuW0OHTYY+e9OAM9Gs4MTjbR9KF7BWZ7yPZ09FB5lC0
nifi.security.keyPasswd=UuW0OHTYY+e9OAM9Gs4MTjbR9KF7BWZ7yPZ09FB5lC0
nifi.security.truststore=/data/cert/truststore.jks
nifi.security.truststoreType=jks
nifi.security.truststorePasswd=1rAfyXpFQvaPys8DCj0+YSH9n4hKSHT4Do0yErt/5ZM
.
.
nifi.web.https.host=vtmrt3anifit01.x.com
nifi.web.https.port=8443
nifi.web.proxy.host=vtmrt3anifit01.x.com:8443,vtmrt3anifit02.x.com:8443,vtmrt3anifit03.x.com:8443,vtmrt3anifit04.x.com:8443

authorizers.xml: (It is arranged in the same way for all nodes.)

<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">/data/nifi-2.2.0/conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 0">CN=nifi_admin</property>
        <property name="Initial User Identity 1">CN=vtmrt3anifit01.x.com, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=vtmrt3anifit02.x.com, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=vtmrt3anifit03.x.com, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=vtmrt3anifit04.x.com, OU=NIFI</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">/data/nifi-2.2.0/conf/authorizations.xml</property>
        <property name="Initial Admin Identity">CN=nifi_admin</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1">CN=vtmrt3anifit01.x.com, OU=NIFI</property>
        <property name="Initial User Identity 2">CN=vtmrt3anifit02.x.com, OU=NIFI</property>
        <property name="Initial User Identity 3">CN=vtmrt3anifit03.x.com, OU=NIFI</property>
        <property name="Initial User Identity 4">CN=vtmrt3anifit04.x.com, OU=NIFI</property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
</authorizers>

nifi_admin.p12
vtmrt3anifit01.x.com keystore.jks

I would appreciate your assistance on this matter.
Labels: Apache NiFi
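An added check for the "Untrusted proxy" warning above (my code, not NiFi's own tooling): in NiFi's FileAccessPolicyProvider the properties that grant a cluster node the proxy-user-requests policy are named Node Identity N, and the authorizers.xml in the post lists the node DNs under the accessPolicyProvider as Initial User Identity entries instead, a name that provider does not read. The script takes the file content and the certificate DNs of all nodes (as obtained from each node's keystore) and reports which nodes have a user but no Node Identity entry; the sample document in the test is constructed.

```python
"""Cross-check a NiFi authorizers.xml against the cluster's node certificate DNs.
FileUserGroupProvider creates users from 'Initial User Identity N'; FileAccessPolicyProvider
grants the proxy policy only to the DNs listed as 'Node Identity N'. A node that is a user
but not a Node Identity is rejected as an untrusted proxy when it forwards a request."""
import xml.etree.ElementTree as ET


def _property_values(provider, name_prefix):
    """Non-empty values of <property name="<prefix>..."> children of provider."""
    return {
        p.text.strip()
        for p in provider.findall("property")
        if p.get("name", "").startswith(name_prefix) and p.text and p.text.strip()
    }


def check_node_identities(authorizers_xml, node_dns):
    """node_dns: certificate subject DNs of every cluster node, exactly as NiFi renders them."""
    root = ET.fromstring(authorizers_xml)
    user_provider = root.find("userGroupProvider")
    policy_provider = root.find("accessPolicyProvider")
    initial_users = _property_values(user_provider, "Initial User Identity")
    node_identities = _property_values(policy_provider, "Node Identity")
    nodes = set(node_dns)
    return {
        # the node is not a user at all, so it cannot even be identified
        "missing_from_user_group_provider": sorted(nodes - initial_users),
        # the node is a user but receives no proxy policy: 'Untrusted proxy' on replicated requests
        "missing_node_identity": sorted(nodes - node_identities),
        # a policy would be granted to a DN that is not a user: a typo in one of the two lists
        "node_identity_unknown_user": sorted(node_identities - initial_users),
    }
```

The Initial and Node Identity properties are only consumed when users.xml and authorizations.xml do not exist yet, so after correcting authorizers.xml those generated files have to be removed (or the node identities added to them directly) on every node before the change takes effect.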