Member since: 07-30-2019
Posts: 3406
Kudos Received: 1623
Solutions: 1008
03-23-2023
11:43 AM
@srilakshmi Yes, Apache NiFi 1.9.0 was released over 4 years ago on February 19, 2019. Many bugs, improvements, and security fixes have made their way into the product since then. The latest release as of this post is 1.20.

While I can't verify 100% from what exists in this thread that you are experiencing NIFI-9688, the odds are pretty strong.

You can find the release notes for Apache NiFi here:
https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.20.0

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
03-23-2023
11:37 AM
1 Kudo
@apmmahesh Your current issue is unrelated to your original issue. What you have now is a problem with the mutual TLS exchange between your cluster nodes. NiFi does nothing unusual or out of spec with regards to TLS. Specifically, this snippet you shared:

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

points to a trust issue within the exchange. So a few things about your certificates:

1. Is "nifi1" the actual hostname for this server? (Same question for nifi2 and nifi3.)
2. What is inside the truststore.jks you are using on each of your NiFi nodes? The complete TLS trust chain for your NiFi certificates must be in this truststore.jks.

Your truststore.jks should contain one or more trustedCertEntries. Your keystore.jks must contain only one PrivateKeyEntry. Assuming that all your nodes' certificates were generated using the NiFi TLS toolkit, they should all be issued/signed by the same Certificate Authority (Issuer: CN=localhost, OU=NIFI). There must then be a trustedCertEntry present in the truststore.jks used by all your nodes for "CN=localhost, OU=NIFI".

You can use the same

keytool -v -list -keystore truststore.jks

command to verify the contents of your truststore.jks. You can also use the following command to obtain the public cert(s) for your CA from any one of your NiFi servers:

openssl s_client -connect <nifi hostname>:<nifi port> -showcerts

Each public cert will have this structure:

-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAw..............b9Sz/yilrbCgj8=
-----END CERTIFICATE-----

I cut out a portion of the string above, but each certificate includes everything shown. You can copy each one and save it to a "<filename>.crt" file, which you can then import into your truststore.jks files (all nodes should be using a common truststore.jks) if it is missing:

keytool -import -alias <some unique ca name> -file <filename>.crt -keystore truststore.jks -storepass <truststore.jks password>

You'll need to restart your NiFi anytime you modify either the keystore or truststore. NiFi only reads these files on startup.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
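Putting those commands together, here is a minimal end-to-end sketch of the verify-and-import workflow. The hostname/port "nifi1:8443", the alias "nifi-ca", and the password "changeit" are placeholder values, not taken from this thread:

```bash
# 1. Capture the certificate chain presented by the node.
openssl s_client -connect nifi1:8443 -showcerts </dev/null 2>/dev/null \
  | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > chain.crt

# 2. Inspect the subject/issuer of every certificate in the chain.
openssl crl2pkcs7 -nocrl -certfile chain.crt | openssl pkcs7 -print_certs -noout

# 3. Import the CA certificate into the common truststore. Note: keytool
#    only imports the first certificate in the file, so split chain.crt
#    into one file per certificate if the CA cert is not the first entry.
keytool -import -alias nifi-ca -file chain.crt \
  -keystore truststore.jks -storepass changeit

# 4. Confirm the trustedCertEntry is now present.
keytool -v -list -keystore truststore.jks -storepass changeit
```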
03-22-2023
09:47 AM
@srilakshmi Were you able to identify the three FlowFiles that did not produce the expected log output from your LogAttribute processors?

Do you auto-terminate the "success" relationship out of your LogAttribute processors? If so, do you see DROP events in those FlowFiles' provenance lineage? If you look at the event timestamp, does it correlate to a time that falls between when the shutdown was initiated and when you restarted the NiFi instance?

What version of NiFi are you using? Is it older than Apache NiFi 1.16? If so, you may be hitting this bug, addressed as of the NiFi 1.16 release:
https://issues.apache.org/jira/browse/NIFI-9688

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
03-21-2023
11:49 AM
@Techie123 What is observed in the endpoint logs for these transactions? Can you share the complete stack trace from the NiFi logs? Can you share your InvokeHTTP processor configuration? Can you share your NiFi version?

Thanks,
Matt
03-21-2023
11:39 AM
@udayAle @ep_gunner When NiFi is brought down, the current state (stopped, started, enabled, disabled) of all components is retained, and on startup that same state is set on the components. The only time this is not true is when the property nifi.flowcontroller.autoResumeState is set to false in the nifi.properties file; when set to false, a restart of NiFi results in all components being left in a stopped state. In a production environment, this property should be set to true.

Perhaps you can share more details on the maintenance process you are using, as I am not clear on how your maintenance is impacting the last known state of some components.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
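For reference, a minimal nifi.properties sketch of the property discussed above (true is also the default):

```
# nifi.properties
# true  = each component returns to its last known state on startup
# false = all components are left stopped after a restart
nifi.flowcontroller.autoResumeState=true
```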
03-21-2023
11:32 AM
@srilakshmi NiFi only offers HA at the controller level, not at the data/FlowFile level. HA at the controller level is possible due to NiFi's zero-master clustering capability, which relies on a ZooKeeper (ZK) quorum to elect an available NiFi node as the cluster coordinator. If the currently elected cluster coordinator goes down, ZK elects another active node to assume this role. Zero-master clustering allows you to access your NiFi cluster from any one of the active cluster nodes.

Each node in the NiFi cluster has its own identical copy of the flow and its own set of repositories. NiFi nodes cannot share repositories, so any FlowFile queued on a node that goes down will remain on that node until it is brought back online. This is what you are observing, based on the description you provided.

When you execute the command to shut down NiFi, it does initiate a graceful shutdown. The amount of time allowed for this graceful shutdown is controlled by the nifi.flowcontroller.graceful.shutdown.period property in the nifi.properties file; the default is 10 seconds. If any active thread does not complete within that graceful shutdown period, the thread is killed along with the JVM. This will not result in data loss, since a FlowFile is not removed from the inbound connection of a processor unless the thread completed and the FlowFile was successfully transferred to an outbound connection. On startup, the NiFi flow is loaded, FlowFiles are loaded back into their connections, and then components are enabled and started.

I'd be interested in your test dataflow: what logging are you looking for, and from which processor component? Have you checked NiFi's data provenance to search for the lineage of the 3 FlowFiles you were missing logging for?

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
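For reference, the relevant nifi.properties entry with its default value:

```
# nifi.properties
# Time allowed for active threads to finish before the JVM is stopped.
nifi.flowcontroller.graceful.shutdown.period=10 sec
```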
03-21-2023
06:32 AM
@davehkd When your nodes become disconnected, a reason is logged, and the most recent events are also viewable from within the cluster UI via the NiFi interface. So the first question is: what reason is given for the node disconnections? Is it reporting a communication exception with ZooKeeper, or is it reporting disconnection due to lack of heartbeat (more common)?

Within a cluster, once a node has been elected as the cluster coordinator by ZK, the nodes begin sending health and status heartbeats to that cluster coordinator. The default is every 5 seconds. The elected cluster coordinator expects to receive at least one heartbeat every 8x the configured heartbeat interval, so every 40 seconds. This is a pretty aggressive setting for NiFi clusters under heavy load or high heap pressure caused by dataflow design. So first make sure that every node in your cluster has the same configured heartbeat interval value (mixed values will definitely cause lots of node disconnections). If the reported reason for disconnection is lack of heartbeat, adjust the heartbeat interval to 30 seconds. This means a node would only be disconnected after missing heartbeats for a 4-minute window instead of 40 seconds.

As far as GC goes, GC is triggered when Java heap utilization gets to around ~80%. How much memory have you configured your NiFi to use? Setting it really high for no reason would result in longer GC stop-the-world events. Generally, NiFi would be configured with 16 GB to 32 GB for most use cases. If you find yourself needing more than that, you should take a closer look at your dataflow implementations (dataflows). The NiFi heap holds many things, including the following:

- flow.json.gz is unpacked and loaded into heap memory on startup. The flow.json.gz includes everything you have added and configured via the NiFi UI (flows, controller settings, registry clients, templates, etc.). Templates are a deprecated method of creating flow snippets for reuse. They are held in heap because they are part of the flow.json.gz, even though they are not part of any active dataflow. Downloading them for external storage and deleting them from within NiFi will reduce heap usage.
- Users and groups synced from LDAP if you are using the ldap-user-group-provider. Make sure that you have configured filters on this provider so that you limit the number of groups and users to only those that will actually be accessing your NiFi.
- FlowFiles are what you see queued between processor components on the UI. FlowFiles consist of metadata/attributes about the FlowFile. NiFi has built-in swap settings for how many FlowFiles can exist in a given queue before they start swapping to disk (20,000, set via nifi.queue.swap.threshold in nifi.properties). Swap files are always 10,000 FlowFiles. By default, a connection has a backpressure object threshold of 10,000, which means a connection will not likely generate a swap file, because it is unlikely to reach the swap threshold with these defaults (connection queues are soft limits). So if you have lots of connections with queued FlowFiles, you will have more heap usage. Generally speaking, a FlowFile's default metadata attributes amount to very little heap usage, but users can write whatever they want to FlowFile attributes. If you are extracting and writing large amounts of content to FlowFile attributes in your dataflow(s), you'll have high heap usage and should ask yourself why you are doing this.
- NiFi processor components: some processors have resource considerations that users should take into account when using them. The embedded documentation within your NiFi has a resource considerations section under each processor's docs. Look to see whether you are using any with heap/memory considerations. Often heap usage can be reduced through dataflow design modifications.

A sketch of the settings discussed above follows this post. I hope these details help you dig into your heap usage and make adjustments to improve your cluster stability.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
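To make the tuning above concrete, here is a sketch of the relevant settings. The 30-second heartbeat and 16 GB heap are example values drawn from the guidance above, not a universal recommendation:

```
# nifi.properties (must match on every node in the cluster)
# With the 8x disconnection threshold, 30 sec means a node is only
# disconnected after ~4 minutes without a heartbeat.
nifi.cluster.protocol.heartbeat.interval=30 sec
# FlowFiles allowed per connection queue before swapping to disk (default).
nifi.queue.swap.threshold=20000

# bootstrap.conf
# Example 16 GB heap; size to your dataflows rather than defaulting high.
java.arg.2=-Xms16g
java.arg.3=-Xmx16g
```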
03-20-2023
12:58 PM
@apmmahesh You created certificates for each of your NiFi nodes. Based on the exception you shared, it appears that you created DNs for those nodes as follows:

CN=node1, OU=NIFI
CN=node2, OU=NIFI
CN=node3, OU=NIFI

When you have a NiFi cluster, you can manage that cluster via the UI of any one of the connected nodes. So let's say you authenticate via a mutual TLS handshake to node1 using the CN=admin, OU=NIFI certificate you created for yourself and loaded into your browser. What happens next is that node1 wants to show you all the data/details from all three nodes and not just node1, so your request to load the NiFi UI is proxied by node1 to whichever node is the elected cluster coordinator. That cluster coordinator replicates the request on your behalf to all nodes in the cluster. This is how the node1 UI can show you details about connected nodes, queued data on other nodes, etc. This means that node1 needs to be authorized to proxy user requests.

Typically, on first startup a secure NiFi uses the configuration in your authorizers.xml to set up these needed default authorizations, but your configuration is missing your nodes, so this was not done. Inside your file-user-group-provider, you need to also add your NiFi node DNs as users:

<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Initial User Identity 1">CN=admin, OU=NIFI</property>
    <property name="Initial User Identity 2">CN=node1, OU=NIFI</property>
    <property name="Initial User Identity 3">CN=node2, OU=NIFI</property>
    <property name="Initial User Identity 4">CN=node3, OU=NIFI</property>
</userGroupProvider>

Then, in your file-access-policy-provider, you need to add your nodes so that when it generates the authorizations.xml file, the nodes get authorized to the "proxy user requests" policy:

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=admin, OU=NIFI</property>
    <property name="Legacy Authorized Users File"></property>
    <property name="Node Identity 1">CN=node1, OU=NIFI</property>
    <property name="Node Identity 2">CN=node2, OU=NIFI</property>
    <property name="Node Identity 3">CN=node3, OU=NIFI</property>
    <property name="Node Group"></property>
</accessPolicyProvider>

NOTE: NiFi will only create the users.xml and authorizations.xml files from the above two providers if they do NOT already exist. Making changes to these providers will not result in changes to existing files. The expectation is that after access for your initial admin and your proxy nodes is established, all new authorizations are set up via the NiFi UI, which results in updates to these files. So rename your existing users.xml and authorizations.xml before starting your NiFi so that new ones get created.

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
03-17-2023
12:59 PM
@wffger2 A flow definition is a snippet of the components contained within the Process Group (PG) from which the flow definition was exported. The import of a flow definition is handled differently, since a flow definition can be imported over and over into the same NiFi or into different NiFis; on import, the components are assigned new, unique component UUIDs. So when you created/downloaded your flow definition from DEV and then imported it to UAT, the UAT components will have different UUIDs.

What you should be doing is installing a NiFi-Registry [1] that both your DEV and UAT environments can connect to. This allows you to version control a Process Group (PG) in your DEV environment and then load that version-controlled PG into your UAT environment. While the component UUIDs in UAT will still be different from DEV, both PGs will track back to the same version-controlled flow stored in the NiFi-Registry. As you make changes in DEV to components in the version-controlled PG, the DEV PG will report that local changes exist. You can commit those local changes as a new version of the PG, at which time the same PG in your UAT environment will report that a newer version is available, which you can change to. You will also have the ability to see, from within each NiFi, the differences between the most recent version in NiFi-Registry and what is local to that NiFi.

[1] https://nifi.apache.org/registry.html

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.

Thank you,
Matt
03-17-2023
07:30 AM
@anoop89 This is an issue unrelated to this original thread. Please start a new question. Feel free to tag @ckumar and @MattWho in your question so we get notified. This issue is related to authorization of your user.

Thanks,
Matt