Handling file formats missing sensitive property values

When migrating NiFi flows, the handling of sensitive properties depends on the file format being used.

  • flow.json and flow.json.gz files contain all property values, including sensitive ones, in encrypted form.

  • Other formats, such as flow definitions or templates, do not include sensitive property values.

The Migration Tool has limited capabilities when handling sensitive properties. It cannot determine whether sensitive property values were originally set, and therefore cannot guarantee a complete migration of those values.

Example: GetHDFS processor

For the GetHDFS processor, if a controller service is not used to provide Kerberos credentials, credential configuration in NiFi 1 requires defining:
  • Kerberos Principal (not sensitive)
  • Exactly one of Kerberos Keytab (not sensitive) or Kerberos Password (sensitive)

In NiFi 2, these properties are replaced by a controller service that manages Kerberos credentials.

Migration Tool behavior
  • When working with a flow.json file:

    • The Migration Tool identifies which properties are populated and migrates them to the appropriate controller service.

    • It also validates the configuration and generates alerts through Manual Change Requests or Manual Validation Requests if there are any errors or inconsistencies.

      For example, it can detect the misconfiguration and alert you if all three properties are filled or a Kerberos Principal is set without a Kerberos Keytab or Kerberos Password. These issues are listed as Manual Change Requests or Manual Validation Requests in the Activity Log.

  • When working with a flow definition:

    Because the sensitive Kerberos Password value is missing, the Migration Tool cannot determine if Kerberos Password was originally populated or not. In this case, the original configuration is inferred based on the values of the other properties. For example:
    • If both Kerberos Principal and Kerberos Keytab are filled, the Migration Tool assumes that Kerberos Password was empty, and it creates a KerberosKeytabUserService.

    • If only Kerberos Principal is populated, the Migration Tool assumes that Kerberos Password was originally filled, and it creates a KerberosPasswordUserService with an empty Kerberos Password property, as the Migration Tool does not know its actual value.

    • If Kerberos Principal is empty, the Migration Tool assumes that Kerberos Password was not set, because Kerberos Password is not valid without Kerberos Principal. This typically indicates that either a controller service was already used for Kerberos credentials or Kerberos was not involved at all.

Example: GetAzureQueueStorage processor

For the GetAzureQueueStorage processor, if a controller service is not used to provide Kerberos credentials, credential configuration in NiFi requires defining:
  • Storage Account Name (sensitive)
  • Exactly one of Storage Account Key (sensitive) or SAS Token (sensitive)

Since all three properties are sensitive and their values are missing, the Migration Tool cannot determine which properties were populated in the original configuration. In such cases, you must review and finalize these configuration settings manually.

Post-migration requirements

The Migration Tool assumes that the original configuration is valid. If the original configuration contains errors, the tool may make incorrect assumptions and apply unintended changes, and it may not be able to notify you about them. To reduce noise in the Activity Log, the tool provides limited alerts for missing sensitive properties.

After migration, you should:
  • Review and verify all sensitive property configurations, especially for file formats that do not include values.
  • Ensure that all required sensitive values are populated in NiFi after importing the migrated flows.

Sensitive parameters

Even in file types where sensitive property values are not available, parameter references are preserved, although their values may be empty. Similarly, in a complete flow.json, parameter values can also be empty, regardless of whether they are sensitive.

This means that the presence of a parameter does not guarantee that it resolves to a non-empty value. NiFi evaluates a component’s property configuration based solely on the value it resolves to, and not on the presence of a parameter reference.

For example, in the GetAzureQueueStorage processor, it is valid (although somewhat unusual) to configure all three properties (Storage Account Name, Storage Account Key, and SAS Token) using parameter references and have only Storage Account Name and exactly one of Storage Account Key and SAS Token resolve to a non-empty value.

As a result, the Migration Tool generally does not distinguish between property values defined directly or through parameters when making decisions and assumptions about sensitive properties.

The exception is when the Migration Tool cannot make meaningful inferences from the configuration alone and needs to consider the presence or absence of parameter references. For example:
  • If Storage Account Name and Storage Account Key contain parameter references, but SAS Token is empty, the Migration Tool can infer that the referenced parameters have values.

  • If all three properties contain parameter references, or none of them do, the Migration Tool defers the resolution to you.
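
The following pre-migration audit is an added example, not the Migration Tool's own code: it applies the GetHDFS inference cases and the GetAzureQueueStorage parameter-reference rule described above to a flow definition, so you know in advance which processors will need sensitive values re-entered or reviewed. It assumes the flow definition stores processors under flowContents (with nested processGroups), that property keys match the display names used on this page, and that a name plus SAS Token reference pair is treated like name plus key; the outcome labels are hypothetical.

```python
import json
import re

PARAM_REF = re.compile(r"#\{[^}]+\}")  # NiFi parameter reference, e.g. #{azure.key}
AZURE_PROPS = ("Storage Account Name", "Storage Account Key", "SAS Token")

def walk(group):
    # Yield every processor in a process group, descending into child groups.
    yield from group.get("processors", [])
    for child in group.get("processGroups", []):
        yield from walk(child)

def classify_hdfs(props):
    # Flow definitions never carry Kerberos Password, so only these two are visible.
    principal, keytab = props.get("Kerberos Principal"), props.get("Kerberos Keytab")
    if principal and keytab:
        return "keytab-service"          # password assumed empty
    if principal:
        return "password-service-empty"  # password must be re-entered by hand
    return "no-processor-credentials"    # controller service already used, or no Kerberos

def classify_azure(props):
    # All three properties are sensitive, so only parameter references survive.
    refs = {p for p in AZURE_PROPS if PARAM_REF.search(props.get(p) or "")}
    # Assumption: name + SAS Token references are handled like name + key.
    if "Storage Account Name" in refs and len(refs) == 2:
        return "inferred-from-parameters"
    return "manual-review"               # all three, none, or otherwise ambiguous

CLASSIFIERS = {"GetHDFS": classify_hdfs, "GetAzureQueueStorage": classify_azure}

def audit(flow):
    # Map processor name -> expected outcome, for the two processor types above.
    out = {}
    for proc in walk(flow.get("flowContents", {})):
        fn = CLASSIFIERS.get(proc.get("type", "").rsplit(".", 1)[-1])
        if fn:
            out[proc["name"]] = fn(proc.get("properties") or {})
    return out

# Constructed sample flow definition (not from a real deployment).
SAMPLE = json.loads("""{"flowContents": {"processors": [
  {"name": "hdfs-keytab", "type": "org.apache.nifi.processors.hadoop.GetHDFS",
   "properties": {"Kerberos Principal": "nifi@EXAMPLE.COM", "Kerberos Keytab": "/etc/nifi.keytab"}},
  {"name": "hdfs-password", "type": "org.apache.nifi.processors.hadoop.GetHDFS",
   "properties": {"Kerberos Principal": "nifi@EXAMPLE.COM", "Kerberos Keytab": null}}],
 "processGroups": [{"processors": [
  {"name": "azure-refs", "type": "org.apache.nifi.processors.azure.storage.queue.GetAzureQueueStorage",
   "properties": {"Storage Account Name": "#{acct}", "Storage Account Key": "#{key}"}}]}]}}""")
```

Calling audit(SAMPLE) returns one outcome per processor; every "password-service-empty" or "manual-review" result marks a component whose sensitive values need to be populated or checked after import.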