Handling file formats missing sensitive property values

When migrating NiFi flows, the handling of sensitive properties depends on the file format being used.

  • flow.json and flow.json.gz files contain all property values, including sensitive ones, in encrypted form.

  • Other formats, such as flow definitions or templates, do not include sensitive property values.

As a result, the Migration Tool has limited capabilities when handling sensitive properties. It cannot determine whether sensitive property values were originally set, and therefore cannot guarantee a complete migration of those values.

Example: GetHDFS processor

For the GetHDFS processor, if a controller service is not used for Kerberos credentials, configuration in NiFi 1 requires:
  • Kerberos Principal (not sensitive)
  • Exactly one of Kerberos Keytab (not sensitive) or Kerberos Password (sensitive)

Kerberos Password is classified as a sensitive property. In NiFi 2, these properties are replaced by a controller service that manages Kerberos credentials.

Migration Tool behavior
  • When working with flow.json:

    • The Migration Tool identifies which properties are populated and migrates them to the appropriate controller service.

    • It also validates the configuration and generates alerts through Manual Change Requests or Manual Validation Requests if inconsistencies exist.

    • For example, it can detect misconfigurations and alert you if all three properties are filled, or if Kerberos Principal is set without either Kerberos Keytab or Kerberos Password. These issues are listed as Manual Change Requests or Manual Validation Requests in the Activity Log.

  • When working with flow definitions:

    Because the sensitive Kerberos Password value is missing, the Migration Tool cannot determine if Kerberos Password was originally populated or not. In this case, the original configuration is inferred based on the values of the other properties.

    • If both Kerberos Principal and Kerberos Keytab are filled, Kerberos Password is assumed empty, and the Migration Tool creates a KerberosKeytabUserService.

    • If only Kerberos Principal is populated, Kerberos Password is assumed originally filled, and the Migration Tool creates a KerberosPasswordUserService with an empty Kerberos Password property.

    • If Kerberos Principal is empty, the Migration Tool assumes that Kerberos Password was not set. This typically indicates that either a controller service was already used for Kerberos credentials or Kerberos was not involved at all.

Example: GetAzureQueueStorage processor

For the GetAzureQueueStorage processor, credential configuration requires:
  • Storage Account Name (sensitive)
  • Exactly one of Storage Account Key or SAS Token (both sensitive)

Since all three properties are sensitive and the sensitive values are missing, the Migration Tool cannot reliably determine which property was populated in the original configuration. In such cases, final configuration decisions must be performed manually.

The Migration Tool relies on the original configuration being valid. If it is not, the tool may make incorrect assumptions, apply unintended changes, and may not be able to alert you about them. The Migration Tool provides minimal alerting when handling missing sensitive properties to prevent excessive noise in the Activity Log.

Post-migration requirements

  • Verify all sensitive property configurations for file formats that do not include values.

  • Ensure that all required sensitive values are populated in NiFi following import.

Sensitive parameters

Even in file types where sensitive property values are not available, parameter references are maintained, although their actual values may be empty. Similarly, in a complete flow.json, it is valid for parameter values to be empty (whether they are sensitive or not).

This means that the presence of a parameter does not guarantee that it resolves to a non-empty value. NiFi evaluates a component’s property configuration based on the value it resolves to, not merely the presence of a parameter reference.

For example, in the GetAzureQueueStorage processor, it is valid (although somewhat unusual) to configure all three properties (Storage Account Name, Storage Account Key, and SAS Token) with parameter references, even if only Storage Account Name and exactly one of Storage Account Key and SAS Token resolve to a non-empty value.

As a result, the Migration Tool generally does not distinguish between property values defined directly or through parameters when making decisions and assumptions about sensitive properties.

The exception occurs when the Migration Tool cannot make meaningful inferences from the configuration alone. In such cases, it can attempt to infer values based on the presence or absence of parameter references. For example:
  • If the GetAzureQueueStorage processor contains parameter references for Storage Account Name and Storage Account Key, but SAS Token is empty, the Migration Tool can infer that the referenced parameters have values.

  • If all three properties contain parameter references, or none of them do, the Migration Tool defers the resolution to you.
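
The following sketch is an added example, not the Migration Tool's own code. It models the flow-definition inference rules for GetHDFS and the parameter-reference rules for GetAzureQueueStorage described above, and produces a post-migration checklist. The function names, the simplified input layout, and the handling of combinations the page does not list are assumptions.

```python
import re

# NiFi parameter reference syntax, e.g. #{azure.account.key}
PARAM_REF = re.compile(r"#\{[^}]+\}")

def filled(props, name):
    """Populated directly or through a parameter reference; both count alike."""
    return bool((props.get(name) or "").strip())

def referenced(props, name):
    return bool(PARAM_REF.search(props.get(name) or ""))

def infer_gethdfs(props):
    """Flow-definition case: Kerberos Password is absent from the file."""
    if filled(props, "Kerberos Principal") and filled(props, "Kerberos Keytab"):
        return "KerberosKeytabUserService", None
    if filled(props, "Kerberos Principal"):
        return "KerberosPasswordUserService", "populate Kerberos Password after import"
    return None, None

def infer_azure_queue(props):
    """All three properties are sensitive, so parameter references are the only evidence."""
    name = referenced(props, "Storage Account Name")
    key = referenced(props, "Storage Account Key")
    sas = referenced(props, "SAS Token")
    if name and key != sas:  # exactly one credential is referenced
        # The SAS Token branch mirrors the page's Storage Account Key example (assumption).
        return ("Storage Account Key" if key else "SAS Token"), None
    # All, none, or any combination the page does not list: manual decision (assumption).
    return None, "decide Storage Account Key vs SAS Token manually"

RULES = {"GetHDFS": infer_gethdfs, "GetAzureQueueStorage": infer_azure_queue}

def checklist(processors):
    """Return (processor name, inferred choice, manual follow-up) per known processor."""
    return [(p["name"], *RULES[p["type"]](p["properties"]))
            for p in processors if p["type"] in RULES]

# Constructed sample; a simplified stand-in, not the real flow definition schema.
SAMPLE = [
    {"name": "hdfs-keytab", "type": "GetHDFS", "properties": {
        "Kerberos Principal": "nifi@EXAMPLE.COM", "Kerberos Keytab": "/etc/nifi.keytab"}},
    {"name": "hdfs-password", "type": "GetHDFS", "properties": {
        "Kerberos Principal": "nifi@EXAMPLE.COM"}},
    {"name": "queue-key", "type": "GetAzureQueueStorage", "properties": {
        "Storage Account Name": "#{acct}", "Storage Account Key": "#{key}"}},
    {"name": "queue-all", "type": "GetAzureQueueStorage", "properties": {
        "Storage Account Name": "#{a}", "Storage Account Key": "#{k}", "SAS Token": "#{s}"}},
]
```

Calling checklist(SAMPLE) returns one row per processor; rows with a non-empty third field are the ones that need manual attention after import.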