StandardHashiCorpVaultClientService 2.0.0
- Bundle: org.apache.nifi | nifi-hashicorp-vault-nar
- Description: A controller service for interacting with HashiCorp Vault.
- Tags: client, hashicorp, vault
- Input Requirement:
- Supports Sensitive Dynamic Properties: true

Additional Details for StandardHashiCorpVaultClientService 2.0.0
StandardHashiCorpVaultClientService
Configuring the Bootstrap HashiCorp Vault Configuration File
The ./conf/bootstrap-hashicorp-vault.conf file that comes with Apache NiFi is a convenient way to configure this controller service in a manner consistent with the HashiCorpVault sensitive property provider. Since this file is already used for configuring the Vault client for protecting sensitive properties in the NiFi configuration files (see the Administrator’s Guide), it’s a natural starting point for configuring the controller service as well.
An example configuration of this properties file is as follows:

    # HTTP or HTTPS URI for HashiCorp Vault is required to enable the Sensitive Properties Provider
    vault.uri=https://127.0.0.1:8200

    # Optional file supports authentication properties described in the Spring Vault Environment Configuration
    # https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration
    #
    # All authentication properties must be included in bootstrap-hashicorp-vault.conf when this property is not specified.
    # Properties in bootstrap-hashicorp-vault.conf take precedence when the same values are defined in both files.
    # Token Authentication is the default when the 'vault.authentication' property is not specified.
    vault.authentication.properties.file=[full/path/to/vault-auth.properties]

    # Optional Timeout properties
    vault.connection.timeout=5 secs
    vault.read.timeout=15 secs

    # Optional TLS properties
    vault.ssl.enabledCipherSuites=
    vault.ssl.enabledProtocols=TLSv1.3
    vault.ssl.key-store=[path/to/keystore.p12]
    vault.ssl.key-store-type=PKCS12
    vault.ssl.key-store-password=[keystore password]
    vault.ssl.trust-store=[path/to/truststore.p12]
    vault.ssl.trust-store-type=PKCS12
    vault.ssl.trust-store-password=[truststore password]

In order to use this file in the StandardHashiCorpVaultClientService, specify the following properties:
- Configuration Strategy - Properties Files
- Vault Properties Files - ./conf/bootstrap-hashicorp-vault.conf
If your bootstrap configuration includes the vault.authentication.properties.file containing additional authentication properties, this file will also need to be added to the Vault Properties Files property as a comma-separated value.
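
A pre-deployment check for the two files described above, as an added example that is not part of the NiFi documentation or code base. It merges the bootstrap file with the file named by vault.authentication.properties.file, lets bootstrap values win as the file's comments state, and flags a non-HTTPS vault.uri, weak TLS protocols and secret-bearing files readable by group or others. The protocol allow-list, the expected 0600 mode and the simplified key=value parser are assumptions of this example.

```python
import os
import stat
import tempfile

SECURE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumption: site policy, not a NiFi default

def load_properties(path):
    """Parse key=value lines (simplified subset of the Java properties format)."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line and line[0] not in "#!" and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props

def audit(bootstrap_path):
    """Return findings for the bootstrap file and the auth file it references."""
    bootstrap = load_properties(bootstrap_path)
    auth_path = bootstrap.get("vault.authentication.properties.file", "")
    merged = load_properties(auth_path) if auth_path else {}
    merged.update(bootstrap)  # bootstrap values take precedence over the auth file
    findings = []
    if not merged.get("vault.uri", "").lower().startswith("https://"):
        findings.append("insecure-uri: vault.uri is not HTTPS")
    protocols = {p.strip() for p in merged.get("vault.ssl.enabledProtocols", "").split(",")}
    weak = sorted(protocols - SECURE_PROTOCOLS - {""})
    if weak:
        findings.append("weak-protocol: " + ",".join(weak))
    for path in filter(None, (bootstrap_path, auth_path)):
        props = load_properties(path)
        secret = any(v and (k == "vault.token" or k.endswith("password")) for k, v in props.items())
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if secret and mode & 0o077:  # any group/other permission bit set
            findings.append(f"loose-permissions: {path} is mode {mode:o}, expected 600")
    return findings

def demo():
    """Audit a constructed pair of files (sample values, not real credentials)."""
    with tempfile.TemporaryDirectory() as tmp:
        auth = os.path.join(tmp, "vault-auth.properties")
        boot = os.path.join(tmp, "bootstrap-hashicorp-vault.conf")
        with open(auth, "w", encoding="utf-8") as fh:
            fh.write("vault.token=constructed-sample-token\nvault.uri=https://127.0.0.1:8200\n")
        with open(boot, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\nvault.uri=http://127.0.0.1:8200\n"
                     "vault.ssl.enabledProtocols=TLSv1.1,TLSv1.3\n"
                     f"vault.authentication.properties.file={auth}\n")
        os.chmod(auth, 0o644)
        return [f.split(":", 1)[0] for f in audit(boot)]

if __name__ == "__main__":
    print(demo())
```

The insecure-uri finding in the sample comes from the bootstrap file overriding the HTTPS value in the auth file, which is the precedence rule worth checking when the same key appears in both.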
Configuring the Client using Direct Properties
However, if you want to specify or override properties directly in the controller service, you may do this by specifying a Configuration Strategy of ‘Direct Properties’. This can be useful if you are reusing an SSLContextService or want to parameterize the Vault configuration properties. Authentication-related properties can also be added as sensitive dynamic properties, as seen in the examples below.
Vault Authentication
Under the hood, the controller service uses Spring Vault, and directly supports the property keys specified in Spring Vault’s documentation. Following are some common examples of authentication with Vault.
Token Authentication
The simplest authentication scheme uses a rotating token, which is enabled by default in Vault. To specify this mechanism, select “TOKEN” from the “Vault Authentication” property (the default). However, since the token should rotate by nature, it is a best practice to use the ‘Properties Files’ Configuration Strategy, and keep the token value in an external properties file, indicating this filename in the ‘Vault Properties Files’ property. Then an external process can rotate the token in the file without updating NiFi configuration. In order to pick up the changed token, the controller service must be disabled and re-enabled.
For testing purposes, however, it may be more convenient to specify the token directly in the controller service. To do so, add a new Sensitive property named ‘vault.token’ and enter the token as the value.
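
One way the external rotation process mentioned above could update the token file, as an added example that is not NiFi or Vault code. It assumes the process runs as the NiFi service account and that the token lives under the vault.token key in a file listed in 'Vault Properties Files'; the file name and token values are constructed. The controller service still has to be disabled and re-enabled afterwards to pick up the new token.

```python
import os
import stat
import tempfile

def rotate_token(properties_path, new_token):
    """Rewrite vault.token in a properties file atomically, keeping every other line."""
    directory = os.path.dirname(os.path.abspath(properties_path))
    kept = []
    if os.path.exists(properties_path):
        with open(properties_path, encoding="utf-8") as fh:
            kept = [ln.rstrip("\n") for ln in fh
                    if not ln.strip().startswith("vault.token=")]
    # mkstemp creates the file with mode 0600, so the token is never group/world readable.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".vault-auth-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(kept + [f"vault.token={new_token}"]) + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        # Same-directory rename: a reader sees the old file or the new one, never a partial write.
        os.replace(tmp_path, properties_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise

def demo():
    """Rotate a constructed token and return the resulting lines and file mode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vault-auth.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\nvault.authentication=TOKEN\nvault.token=old-sample\n")
        rotate_token(path, "new-sample")
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
        return lines, stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    print(demo())
```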
Certificate Authentication
Certificate authentication must be enabled in the Vault server before it can be used from NiFi, but it uses the same TLS settings as the actual client connection, so no additional authentication properties are required. While these TLS settings can be provided in an external properties file, we will demonstrate configuring an SSLContextService instead.
First, create an SSLContextService controller service and configure the Filename, Password, and Type for both the Keystore and Truststore. Enable it, and assign it as the SSL Context Service in the Vault controller service. Then, simply specify “CERT” as the “Vault Authentication” property value.
Other Authentication Methods
To configure the other authentication methods, see the Spring Vault documentation linked above. All relevant properties should be added either to the external properties files referenced in the “Vault Properties Files” property if using the ‘Properties Files’ Configuration Strategy, or added as custom properties with the same name if using the ‘Direct Properties’ Configuration Strategy. For example, for the Azure authentication mechanism, properties will have to be added for ‘vault.azure-msi.azure-path’, ‘vault.azure-msi.role’, and ‘vault.azure-msi.identity-token-service’.

Configuration Strategy
- Display Name: Configuration Strategy
- Description: Specifies the source of the configuration properties.
- API Name: configuration-strategy
- Default Value: direct-properties
- Allowable Values: Direct Properties, Properties Files
- Expression Language Scope: Not Supported
- Sensitive: false
- Required: true

Vault Authentication
- Display Name: Vault Authentication
- Description: Vault authentication method, as described in the Spring Vault Environment Configuration documentation (https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration).
- API Name: vault.authentication
- Default Value: TOKEN
- Allowable Values: TOKEN, APPID, APPROLE, AWS_EC2, AZURE, CERT, CUBBYHOLE, KUBERNETES
- Expression Language Scope: Not Supported
- Sensitive: false
- Required: true
- Dependencies: Configuration Strategy is set to any of [direct-properties]

Connection Timeout
- Display Name: Connection Timeout
- Description: The connection timeout for the HashiCorp Vault client
- API Name: vault.connection.timeout
- Default Value: 5 sec
- Expression Language Scope: Not Supported
- Sensitive: false
- Required: true

Vault Properties Files
- Display Name: Vault Properties Files
- Description: A comma-separated list of files containing HashiCorp Vault configuration properties, as described in the Spring Vault Environment Configuration documentation (https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration). All of the Spring property keys and authentication-specific property keys are supported.
- API Name: vault.properties.files
- Expression Language Scope: Not Supported
- Sensitive: false
- Required: true
- Dependencies: Configuration Strategy is set to any of [properties-files]

Read Timeout
- Display Name: Read Timeout
- Description: The read timeout for the HashiCorp Vault client
- API Name: vault.read.timeout
- Default Value: 15 sec
- Expression Language Scope: Not Supported
- Sensitive: false
- Required: true

SSL Context Service
- Display Name: SSL Context Service
- Description: The SSL Context Service used to provide client certificate information for TLS/SSL connections to the HashiCorp Vault server.
- API Name: vault.ssl.context.service
- Service Interface: org.apache.nifi.ssl.SSLContextService
- Service Implementations:
- Expression Language Scope: Not Supported
- Sensitive: false
- Required: false
- Dependencies: Configuration Strategy is set to any of [direct-properties]

Vault URI
- Display Name: Vault URI
- Description: The URI of the HashiCorp Vault server (e.g., http://localhost:8200). Required if not specified in the Bootstrap HashiCorp Vault Configuration File.
- API Name: vault.uri
- Expression Language Scope: Environment variables defined at JVM level and system properties
- Sensitive: false
- Required: true
- Dependencies: Configuration Strategy is set to any of [direct-properties]

A Spring Vault configuration property name
- Name: A Spring Vault configuration property name
- Description: Allows any Spring Vault property keys to be specified, as described in the Spring Vault Environment Configuration documentation (https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration). See Additional Details for more information.
- Value: The property value
- Expression Language Scope: ENVIRONMENT