08-16-2023
06:00 AM
@edim2525 It would be very difficult to tell you exactly what is wrong without seeing your AD entries. The User Search Base should be set to whatever base level is needed to be able to search on all user DNs that are members of your nifi-admins group. This may require you to change the "User Search Scope" to "SUBTREE", but again I can't say for sure for your AD. I see you set up an "or" in your "User Search Filter" even though you only have one filter, but that should not be an issue.

Are you also trying to return only that one group "nifi-admins"? If so, you could also add the following "Group Search Filter" to limit your returned groups to just one.

```
(cn=nifi-admins)
```

The ldap-user-group-provider also does not require that you set up both "user" sync and "group" sync, as it is often possible to make user to group associations with only setting up one or the other. For example:

```xml
<property name="User Search Base"></property>
<property name="User Object Class"></property>
<property name="User Search Scope">ONE_LEVEL</property>
<property name="User Search Filter"></property>
<property name="User Identity Attribute">sAMAccountName</property>
<property name="User Group Name Attribute"></property>
<property name="User Group Name Attribute - Referenced Group Attribute"></property>
<property name="Group Search Base">XXX</property>
<property name="Group Object Class">group</property>
<property name="Group Search Scope">ONE_LEVEL</property>
<property name="Group Search Filter">(|(cn=nifi-admins)(cn=nifi-team1))</property>
<property name="Group Name Attribute">cn</property>
<property name="Group Member Attribute">member</property>
<property name="Group Member Attribute - Referenced User Attribute"></property>
```

What the above config will do is initiate a group sync only execution returning the member user DNs from the "member" attributes found on the groups "nifi-admins" and "nifi-team1". For each of those returned member DNs, the provider will search those users in AD to retrieve the user identity string from the sAMAccountName attribute of each user's AD entry. Those sAMAccountName user strings then get associated with the appropriate group.

There are many ways to set this up, but they all depend on an individual's LDAP/AD entries, so all I can make are suggestions and examples based on commonly seen structures.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
08-15-2023
06:59 AM
2 Kudos
@learner-loading The Site-To-Site functionality in NiFi has not evolved a whole lot since it was first introduced. You have an initial client server connection over HTTP(S) followed by FlowFile transfer via either the same HTTP(S) connection or via a dedicated RAW socket connection, depending on the configuration on the server side of the connection.

To use a mutual TLS HTTPS connection for the initial connection, the following property must be set to true:

```
nifi.remote.input.secure=true
```

In order to set this to true, NiFi must be configured with a keystore and truststore in the nifi.properties file as well.

To support HTTP(S) FlowFile transfer, the following property must be set to "true":

```
nifi.remote.input.http.enabled=true
```

To support RAW socket connection for FlowFile transfer, the following property must be configured with a port not in use by all nodes in your NiFi cluster:

```
nifi.remote.input.socket.port=10443
```

The Remote Process Group is always the "client" in the site-to-site connection. The Remote Input and Remote Output ports are then the "server" side of the connection.

So when the Remote Process Group (RPG) has been configured with a URL(s) (if the target NiFi is a cluster setup, you can optionally provide a comma separated list of URLs for the hosts in the same target cluster to offer some redundancy in case one of the target nodes is down), the RPG will start automatically connecting to the first URL to try to fetch Site-To-Site (S2S) details about the server side of this connection. Those server details include if the server side is configured secure or unsecured, if it supports HTTP, RAW, or both, the URLs for all connected nodes in the target cluster, the NiFi HTTP port for all connected nodes, the RAW port for all connected nodes, the total amount of queued FlowFiles on each connected node, and the available Remote Input and Output ports on the target NiFi cluster.

With an HTTPS enabled Site-To-Site, the keystore and truststore files configured on both the source/client NiFi and the target/server NiFi will be used in the mutual TLS handshake connection made (the client certificate DN is used as the client identity passed to the server that needs to be properly authorized on the target Remote Input and Output ports). If authorization is successful and the RPG has "enabled transmission", FlowFiles will be able to transfer from the RPG to a Remote Input Port or from a Remote Output Port to the RPG. Better load-balancing is achieved with the RPG pushing to Remote Input Ports.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
08-15-2023
06:23 AM
@Tenda Since you are saying you can freely navigate the NiFi UI when in this "stuck" state, NiFi is not stuck as both the UI and processor components all operate within the same JVM. What you circled indicates that at the exact moment (last time browser refreshed) there were 24 active threads out of the 32 configured in the Max Timer Driven Thread pool settings. Milliseconds later that could still be 24 active threads but consumed by different components.

The NiFi processors will all show a small number in the upper right corner if they have active threads, so step one is determining which processors are holding these 24 threads for a long time. Then looking at those processors and the thread dumps to figure out why those threads are long running. Typically we would see this when external service connections are made which are unstable, network issues, local NiFi repo I/O, NiFi CPU utilization, or long or very frequent GC pauses, or even OOMs. So you have ruled out a few of these so far it sounds.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
08-15-2023
06:10 AM
1 Kudo
@edim2525 You have a configuration issue in your ldap-user-group-provider within the authorizers.xml. The following filter will not work in this provider.

```xml
<property name="User Search Filter">(sAMAccountName={0})</property>
```

"{0}" can only be used in the ldap-provider within the login-identity-providers.xml configuration file. That string gets replaced with the username entered at the NiFi login window. The ldap-user-group-provider executes independent of any input every 30 mins to sync current users and groups. So here it is literally looking for a user with that sAMAccountName which does not exist, so no users are synced. All you are getting back is groups.

A more common User Search Filter would be an "or" of select groups that you will be using to authorize various levels of access to your NiFi. Leaving it blank would sync all users at ONE_LEVEL of your configured User Search Base.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
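The misconfiguration described in the post above can be caught by linting authorizers.xml before NiFi is restarted. This is an added example, not part of the original post or of NiFi; the sample XML, search bases and function name are constructed for illustration, and the second check only reports when neither sync direction has a search base set.

```python
import re
import xml.etree.ElementTree as ET

# Constructed authorizers.xml fragment (illustration only).
SAMPLE_AUTHORIZERS = """<authorizers>
  <userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="User Search Base">OU=Users,DC=example,DC=com</property>
    <property name="User Search Scope">ONE_LEVEL</property>
    <property name="User Search Filter">(sAMAccountName={0})</property>
    <property name="Group Search Base">OU=Groups,DC=example,DC=com</property>
    <property name="Group Search Filter">(|(cn=nifi-admins)(cn=nifi-team1))</property>
  </userGroupProvider>
</authorizers>"""

# "{0}" is only substituted by the login provider, never by the sync provider.
PLACEHOLDER = re.compile(r"\{\d+\}")
FILTER_PROPS = ("User Search Filter", "Group Search Filter")

def lint_user_group_providers(xml_text):
    """Return (provider id, property, message) findings for LDAP sync providers."""
    findings = []
    root = ET.fromstring(xml_text)
    for provider in root.iter("userGroupProvider"):
        cls = (provider.findtext("class") or "").strip()
        if not cls.endswith("LdapUserGroupProvider"):
            continue  # file-based and composite providers have no LDAP filters
        ident = (provider.findtext("identifier") or "").strip()
        props = {p.get("name"): (p.text or "").strip()
                 for p in provider.findall("property")}
        for name in FILTER_PROPS:
            value = props.get(name, "")
            if PLACEHOLDER.search(value):
                findings.append(
                    (ident, name, "login placeholder in sync filter: " + value))
        if not props.get("User Search Base") and not props.get("Group Search Base"):
            findings.append(
                (ident, "Search Base", "neither user nor group sync is configured"))
    return findings

if __name__ == "__main__":
    for ident, prop, message in lint_user_group_providers(SAMPLE_AUTHORIZERS):
        print(ident, "|", prop, "|", message)
```
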
08-14-2023
08:10 AM
@tej_s @jakese There are some recently discovered issues seen as more individuals start using the encrypted repository capability that have been addressed in Apache NiFi 1.23. I encourage you to see if you can reproduce your issue with release 1.23 or newer.

Some specific related fixes that are part of 1.23:

https://issues.apache.org/jira/browse/NIFI-10235
https://issues.apache.org/jira/browse/NIFI-11670

11670 fixed some offset tracking issues and content handling issues that could very likely be causing your issue.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
08-14-2023
07:25 AM
1 Kudo
@Tenda What processor becomes unresponsive? You mean that the processor indicates that it is currently executing a thread (small number shown in upper right corner); however, all the stats on the processor for in, out, tasks show 0 for last 5 minutes? If tasks show numbers updating, then tasks/threads are executing and completing.

If tasks is showing 0 for last 5 minutes or very low for last 5 minutes and you see an active thread number in upper right corner of processor, it may be caused by a few reasons:

- Your CPU load average is high due to CPU intensive processors executing at same time. (Would expect lag in UI if CPU was saturated.)
- You have processors configured with too many concurrent tasks leading to other processors not getting allocated a thread often enough. (If core load average is consistently low, you could increase the size of your max timer driven thread pool higher than 32.)
- Java heap garbage collection (GC). GC happens when your JVM heap usage reaches ~80% utilization. If your heap is too small, you could be experiencing lots of back to back GC. All GC, whether partial or full GC, are stop-the-world events, meaning the JVM will do nothing while GC is happening. If your heap is set too large, the GC stop-the-world may take much longer to complete.
- You have processors that have long running tasks or hung threads consuming threads from your available max timer driven thread pool, thus limiting available threads for other components. Only the examination of a series of multiple NiFi JVM thread dumps collected minutes apart will tell you if you have a long running task (thread dump shows change to thread indicating slow progress being made) or potentially hung thread (thread dumps all show same consistent output for thread).

When you have a processor that is in this state and "terminate" the thread on the processor, does the terminated thread (shown as small number with parenthesis "(1)") ever go away? If not, that terminated thread never completed. While "terminate" releases the FlowFile associated to that thread back to the inbound connection queue and gives the user back full control of the processor, the only way to "kill" a truly hung thread is by restarting the entire NiFi JVM. Which you said you do once in a while.

Hope you find this information helps you drill deeper into your issue and identify what is impacting you.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
08-11-2023
08:27 AM
@tej_s I recommend against switching to encrypted repositories while you still have content in your flowfile_repository, content_repository, and provenance_repository.

What version of Apache NiFi are you using? If you stop NiFi and delete the contents of these encrypted repositories and start up clean, do you encounter any issues like above with all new data being processed through your dataflows?

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
08-11-2023
08:18 AM
1 Kudo
@Madhav_VD Apache NiFi contains no native processors that utilize Apache Tika other than IdentifyMimeType (this processor does not do any extraction), but you can find others in the Apache that have created custom processors that utilize Apache Tika.

Adding custom nars to Apache NiFi is as easy as adding the custom nar to the auto-load directory:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#autoloading-processors

While I have no experience with any of these custom nars, you can give them a try to see if they meet your needs. If not they may provide you with a stepping stone for creating your own custom variant.

https://github.com/tspannhw/nifi-extracttext-processor/releases/tag/html
https://community.cloudera.com/t5/Community-Articles/ExtractText-NiFi-Custom-Processor-Powered-by-Apache-Tika/ta-p/249392
https://community.cloudera.com/t5/Community-Articles/Creating-HTML-from-PDF-Excel-and-Word-Documents-using-Apache/ta-p/247968
https://github.com/tspannhw/nifi-extracttext-processor

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
08-10-2023
12:28 PM
@ravi_tadepally The NiFi CLI toolkit currently only supports authentication with client certificate, client certificate with proxied user identity or basic auth (via basic auth token). There is no option to obtain a token via OIDC authentication method.

Using token based authentication to perform other NiFi Toolkit CLI commands is probably not the best approach. Tokens have limited life and are only valid for use interacting with the specific NiFi instance from which they were issued. The better approach would be to create a cli-nifi.properties file with a proxied entity (this would be your OIDC user identity):

```
baseUrl=https://<nifi-hostname>:<NiFi-port>
keystore=/path/to/<nifi-keystore.jks>
keystoreType=JKS
keystorePasswd=<nifi-keystore-password>
keyPasswd=<nifi-key-password>
truststore=/path/to/truststore.jks
truststoreType=JKS
truststorePasswd=<nifi-truststore-password>
proxiedEntity=<OIDC username>
```

In a NiFi cluster, the NiFi keystore certificate should already be authorized to "proxy user requests". The "-p cli-nifi.properties" option in the NiFi CLI toolkit will utilize the config file above to authenticate via the NiFi node certificate and then make authorized requests on behalf of the proxied entity. So, no need to directly authenticate and obtain a token for that proxied entity.

Example:

```
./cli.sh nifi cluster-summary -p cli-nifi.properties
```

would return the following, provided the proxied entity is authorized for that endpoint data:

```
Total node count: 3
Connected node count: 3
Clustered: true
Connected to cluster: true
```

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
08-10-2023
11:12 AM
1 Kudo
@Fredi NiFi's remote input ports are designed to receive NiFi FlowFiles transmitted to the remote input port by a NiFi Remote Process Group (RPG) using NiFi's Site-to-Site (S2S) protocol. They are not intended to be used for pushing arbitrary files into a NiFi dataflow.

For moving files into NiFi, you should be using a NiFi processor for that. There are a variety of different processors available to include but not limited to ListFile+FetchFile, ListSMB+FetchSMB, ListSFTP+FetchSFTP, GetFile, HandleHTTPRequest+HandleHTTPResponse, ListenHTTP, etc.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt