Known issues

Review the list of known issues in Cloudera Flow Management (CFM) 2.1.4.

Special characters in Keystore/Truststore passwords: If there are special characters in the passwords of the truststores/keystores, the normal operation of NiFi and its integration with Cloudera Manager (command and control, monitoring, etc) is affected.; Update the passwords using only [A-Z a-z 0-9] characters or upgrade to CFM 2.1.5. You can also file a support case to get a hotfix from Cloudera Support.

Configuration of java.arg.7: A property has been added for defining java.arg.7 to provide the ability to override the default location of the temporary directory used by JDK. By default this value is empty in Cloudera Manager. If you use this argument for another purpose, change it to a different, unused argument number (or use letters instead: java.arg.mycustomargument). Not changing the argument can impact functionalities after upgrades/migrations.

JDK error: JDK 8 version u252 is supported. Any lower version may result in this error when NiFi starts:
SHA512withRSAandMGF1 Signature not available; When using Java 8, only version u252, and above are supported.

JDK limitation: JDK 8u271, JDK 8u281, and JDK 8u291 may cause socket leak issues in NiFi due to JDK-8245417 and JDK-8256818. Verify the build version of your JDK. Later builds are fixed as described in JDK-8256818.; When using Java 8, only version u252, and above are supported.

KafkaRecordSink puts multiple records in one message: All records are sent as a single Kafka message containing an array of records.
For more information, see NIFI-8326.; There is no workaround for this issue.
Kudu Client: There is an issue in the Kudu client preventing the creation of a new tables using the NiFi processors. The table needs to exist before NiFi tries to push data into it. You may see this error when this issue arises:
Caused by: org.apache.kudu.client.NonRecoverableException: failed to wait for Hive Metastore notification log listener to catch up: failed to retrieve notification log events: failed to open Hive Metastore connection: SASL(-15): mechanism too weak for this user; Verify the necessary table exists in Kudu.
NiFi Node Connection test failures: Cloudera Manager includes a new health check feature. The health check alerts users if a NiFi instance is running but disconnected from the NiFi cluster. For this health check to be successful, you must update a Ranger policy. There is a known issue when the NiFi service is running but the NiFi Node(s) report Bad Health due to the NiFi Node Connection test.; Update the policy:

From the Ranger UI, access the Controller policy for the NiFi service.

Verify the nifi group is set in the policy.

Add the nifi user, to the policy, with READ permissions.
NiFi UI performance considerations: A known issue in Chrome 92.x causes significant slowness in the NiFi UI and may lead to high CPU consumption.
For more information, see the Chrome Known Issues documentation at 1235045.; Use another version of Chrome or a different browser.
SSHJ version change and key negotiation issue with old SSH servers: ListSFTP and PutSFTP processors fail when using the legacy ssh-rsa algorithm for authentication with the following error:
UserAuthException: Exhausted available authentication methods; Set Key Algorithms Allowed property in PutSFTP to ssh-rsa.
Parameter Context inheritance may be lost during NiFi restart: When restarting NiFi, the inheritance between parameter contexts may be lost under specific conditions.
UserAuthException: Exhausted available authentication methods; For more information, see NIFI-10096.; Cloudera recommends to upgrade to the latest version or to request a HOTFIX through the Support Portal.
KeyStoreException: placeholder not found: After an upgrade, NiFi may fail to start, displaying the following error:
WARN org.apache.nifi.web.server.JettyServer: Failed to start web server... shutting down. java.security.KeyStoreException: placeholder not found
The error is caused by missing configuration for the type of the keystore and truststore files.; Go to Cloudera Manager -> NiFi service -> Configuration.

Add the below properties for NiFi Node Advanced Configuration Snippet (Safety Valve) for staging/nifi.properties.xml.
nifi.security.keystoreType=**[value]** nifi.security.truststoreType=**[value]**
Where value must be PKCS12, JKS, or BCFKS. JKS is the preferred type, BCFKS and PKCS12 files are loaded with BouncyCastle provider.

Restart NiFi.

Technical Service Bulletins

TSB 2022-580: NiFi Processors cannot write to content repository

If the content repository disk is filled more than 50% (or any other value that is set in nifi.properties for nifi.content.repository.archive.max.usage.percentage), and if there is no data in the content repository archive, the following warning message can be found in the logs: "Unable to write flowfile content to content repository container default due to archive file size constraints; waiting for archive cleanup". This would block the processors and no more data is processed.

This appears to only happen if there is already data in the content repository on startup that needs to be archived, or if the following message is logged: “Found unknown file XYZ in the File System Repository; archiving file”.

Upstream JIRA

Action required

Upgrade (recommended)

Upgrade to a version containing the fix.
- CFM 2.1.4.1000
Workaround
- Increase the value associated to nifi.content.repository.archive.max.usage.percentage (example: 75%).
  OR
- Reduce disk space usage to get under the configured threshold.

Knowledge article

For the latest update on this issue see the corresponding Knowledge article: TSB 2022-580: NiFi Processors cannot write to content repository

TSB 2022-589: CVE-2022-33140 Apache NiFi ShellUserGroupProvider Vulnerability

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers (UGP) in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies in order to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups in order to execute the command. The resolution removes command formatting based on user-provided arguments.

CVE

Severity:

8.3 High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact

Operating System level command injection could cause security vulnerability in the Apache NiFi environment.

Action required

An option is to use another User Group Provider (such as the LDAP User Group Provider) if it is possible. Otherwise, customers are asked to upgrade to a release containing the fix, or to request a HOTFIX through the support portal.

Knowledge article

For the latest update on this issue see the corresponding Knowledge article: TSB 2022-589: CVE-2022-33140 Apache NiFi ShellUserGroupProvider Vulnerability