Add and configure the NiFi service

Provides the steps for how to add and configure your NiFi service.

  • You have installed a CDP Private Cloud Base cluster and prepared it for the CFM deployment. For more information, see the Deployment Guide.

  • You have equivalence between source and target clusters. For example, if your source NiFi cluster has 3 nodes, the CFM 2.1.4 NiFi cluster must have at least 3 nodes as well.

  • You have reviewed the information about preserving your source cluster files and directories and made the necessary backups.
  1. From Cloudera Manager, add the CFM 2.1.4 NiFi service.
  2. Set some initial configurations.
    Generally, you can accept default values during the initial installation. However, there are some settings that you should configure before proceeding:
    Property Description

    Master Key Password

    nifi.master.key.password

    This password is used when you generate the master key for sensitive properties encryption in the NiFi properties file when it is written to disk. It must contain at least 12 characters.

    Sensitive Properties Key

    nifi.sensitive.props.key

    This is the password used when you encrypt any sensitive property values that are configured in NiFi components. It must contain at least 12 characters.

    If you change the Sensitive Properties Key from what was used in your source cluster, you must also update the encrypted sensitive property values in the flow.xml.gz. Refer to the section “Migrating a Flow with Sensitive Properties” below.

  3. Stop the NiFi service.
  4. Update the NiFi configuration.

    In your CFM 2.1.4 NiFi, use Cloudera Manager to walk through all the configuration values and match the values from your source cluster that are not cluster specific. Examples of cluster specific values include keystore, truststore, ZooKeeper hostnames, and similar.

    Reference the source NiFi configuration files collected earlier as needed. Double check all entries for typos.

Sample configuration changes

Update the Login Identity Provider properties.

The Template for login-identity-providers.xml from Ambari is now composed of individual properties in Cloudera Manager.

As an example, if using LDAP for authentication, the following login-identity-providers.xml:

<loginIdentityProviders>
    <provider>
            <identifier>ldap-provider</identifier>
            <class>org.apache.nifi.ldap.LdapProvider</class>
            <property name="Authentication Strategy">SIMPLE</property>
            <property name="Manager DN">uid=admin,ou=people,dc=hadoop,dc=apache,dc=org</property>
            <property name="Manager Password">admin-password</property>
            <property name="Referral Strategy">FOLLOW</property>
            <property name="Connect Timeout">10 secs</property>
            <property name="Read Timeout">10 secs</property>
            <property name="Url">ldap://ctr-e144-1587379642025-3931-01-000003.hwx.site:33389</property>
            <property name="User Search Base">ou=people,dc=hadoop,dc=apache,dc=org</property>
            <property name="User Search Filter">uid={0}</property>
            <property name="Identity Strategy">USE_USERNAME</property>
            <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>

You would use Cloudera Manager to set the following NiFi service properties instead.

  • LDAP Enabled is checked

  • Login Identity Provider: Default LDAP Provider Class set to org.apache.nifi.ldap.LdapProvider

  • LDAP Authentication Strategy set to SIMPLE

  • LDAP Manager DN set to uid=admin,ou=people,dc=hadoop,dc=apache,dc=org

  • LDAP Manager Password set to admin-password

  • LDAP Referral Strategy set to FOLLOW

  • LDAP Connect Timeout set to 10 secs

  • LDAP Read Timeout set to 10 secs

  • LDAP Url set to ldap://ctr-e144-1587379642025-3931-01-000003.hwx.site:33389

  • LDAP User Search Base set to ou=people,dc=hadoop,dc=apache,dc=org

  • Login Identity Provider: Default LDAP User Search Filter set to uid={0}

  • Login Identity Provider: Default LDAP Identity Strategy set to USE_USERNAME

  • Login Identity Provider: Default LDAP Authentication Expiration set to 12 hours

There are several additional LDAP configuration requirements:

  • Enable TLS/SSL for NiFi Node is checked

  • Initial Admin Identity set to admin

  • Login Identity Provider ID set to ldap-provider

  • Authorizers: LDAP User Search Filter set to (uid=*)

  • Authorizers: LDAP User Identity Attribute set to uid

When you have completed the steps for adding and configuring the NiFi Service, you may proceed with adding and configuring the NiFi Registry service.