@drewski7  Why are you connecting your NiFi to NiFi-Registry via Knox instead of directly[y connecting to the NiFi-registry host? NiFi will authenticate via a mutual TLS exchange using the keystore and truststores configured in nifi.properties and the nifi-registry.properties files. Thanks, Matt ... View more

@Meeran Where are you seeing above exception? System Error The request contained an invalid host header [internal-myappname-13718787520.us-east-1.elb.amazonaws.com:8443] in the request [/]. Check for request manipulation or third-party intercept. In your Load Balancer logs? This host header "internal-myappname-13718787520.us-east-1.elb.amazonaws.com" is in your nifi.web.proxy.host list or in the SAN list within each of your node's certificates? In NiFi, check the nifi-user.log and nifi-app.log for any WARN or ERROR log output being produced when you try to access NiFi via the load balancer URL. ... View more

@davehkd  Sounds like your NiFi-Registry service install went well.  There is not such thing as a NiFi registry tool. I assume you were referring to the NiFi TLS toolkit you used to generate your certificates and keystores? You are dealing with an issue related to your initial admin.   1. When you configured the user-group-provider and file-access-policy provider, you stated that you used your "ec2-user" DN; however, the authorization exception you shared is as follows" AccessDeniedExceptionMapper: identity CN=ec2-user does not have permission to access the requested resource. That is not a the user's full DN in that exception.  To NiFi and NiFi-Registry the user identity string "CN=ec2-user. OU=NiFi" is not the same user as "CN=ec2-user".  What appears to me from your description is the full user DN has been created in the users.xml and authorization for that full DN setup in the authorizations.xml.   So to answer why your "CN=ec2-user, OU=NiFi" DN resulted in NiFi-Registry seeing your user identity as only "CN=ec2-user" comes down to identity mapping properties. So in yoou nifi-registry.properties file you'll want to look for sets of properties like the following: nifi.registry.security.identity.mapping.pattern.<some string>=<some regex pattern with 1 or more capture groups> nifi.registry.security.identity.mapping.value.<some string>=$1 nifi.registry.security.identity.mapping.transform.<some string>=NONE My guess here is you will find some regex pattern that matches on your user's full DN and the corresponding value property is then only returning "CN=ec2-user".   You can remove or modify the matching mapping pattern or change your initial admin to just "CN=ec2-user" instead of using full DN.  Either will work.  Keep in mind if you decide to go with "CN=ec2-user", then you will need edit the authorizers.xml to use "CN=ec2-user" instead of full DN.   You will also need to remove the current users.xml and authorizations.xml files created by the authorizer on first startup so they get recreated with these new identity strings.  The authorizer providers only generate the authorizations.xml and users.xml on startup if they do NOT already exist. 2. the following output you reported from your nifi-registry-app.log is normal and expected: Kerberos service ticket not supported by the NiFi Registry. This is not an ERROR log.  It is simply reporting that the spnego related kerberos properties in the nifi-registry.properties file were not configured and thus kerberos authentication via spnego is not supported.  You can just ignore this notification.   If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more

@wffger2 @cotopaul  The InstanceIdentifier was introduced when NiFi switched from using the flow.xml.gz to the flow.josn.gz for flow persistence.  It is also currently being written to the flows stored in the NiFi-Registry.  I say "currently" because this jira exist and is still open: https://issues.apache.org/jira/browse/NIFI-11321 So as @cotopaul points out, the "instanceIdentifier" will be unique for each instantiation of the flow definition, but the "identifier" will be the same.  Downside here is every time you want to do a comparison, you'll need to download latest flow definition from DEV and UAT environments and compare for difference based on the Identifiers. Thanks, Matt ... View more

@nabilraza456  I am curious about the solution you said worked in HDF? Can you share that with me? I'd like to explore how that capability changed going to CFM. Thanks, Matt ... View more

@cotopaul  Is that complete stack trace from the nifi-app.log? What version of Apache NiFi? What version of Java? Have you tried using ConsumeKafkaRecord processor instead of ConsumeKafka --> MergeContent? Do you have issue only when using the ParquetRecordSetWriter? How large are the FlowFiles coming out of the MergeContent processor? Have you tried reducing the size of the Content being output from MergeContent processor? Thanks, Matt ... View more

@saquibsk  Stop your NiFi service. Try using the following command to reset the single user "username" and "password" to new values: $ ./bin/nifi.sh set-single-user-credentials <username> <password> Then start your NiFi service and see it you can successfully login. If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped. Thank you, Matt ... View more