knox-dev mailing list archives

From "Larry McCay (JIRA)" <>
Subject [jira] [Commented] (KNOX-970) Add support for proxying NiFi
Date Thu, 05 Oct 2017 04:09:02 GMT


Larry McCay commented on KNOX-970:

[~jtstorck] - this patch looks pretty good.
One thing that bothers me a bit is the service param name being use-two-way-ssl with dashes.
I would rather have seen it be with dots but there is already a precedent set in the
file ServiceDefinitionDeploymentContributor for camelCase. I think the attribute name in the
service definition itself is fine with the dashes.

Beyond that, I am having trouble actually building and running tests on master and need to
get to the bottom of that, but if you are so inclined, a revision to address the above would
be appreciated.

Thanks for this contribution, the 2-way ssl support in dispatch is a great improvement that
I can already see other uses for!

> Add support for proxying NiFi
> -----------------------------
>                 Key: KNOX-970
>                 URL:
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>             Fix For: 0.14.0
>         Attachments: KNOX-970-PR-9-full.patch
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, /nifi-api,
> /nifi-docs, etc.) and several dynamically discovered UIs/APIs depending on individual
> installations/configurations of NiFi through multiple component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi without
> being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the context
> path at which Knox is hosted (for example, /gateway/sandbox) and the path at which the NiFi
> services are proxied (for example, nifi-web).  Using this header with the extra context path
> information (from the given examples, /gateway/sandbox/nifi-web), Knox needs to be able to
> rewrite URLs of incoming requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, Knox also
> needs to set an additional header required by NiFi, X-ProxiedEntitiesChain, which will contain
> the identity of the user making the request to Knox.  If the header is present in an incoming
> request to Knox, it must be able to take the DN from the SSL cert of the requesting client
> (two-way SSL) and add it to the value received in the header.  The requests made from Knox
> to NiFi must also be made with two-way SSL so that NiFi can obtain the Knox server DN from
> its certificate.  The values present in the X-ProxiedEntitiesChain will be used to authorize
> each identity specified in the header of the proxied request before the operation will be
> performed by NiFi.
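
The header handling described in the issue above, sketched as an added example (not code from the KNOX-970 patch or from Knox). The function names are hypothetical, and the `<identity><identity>` wire format with the user first and each proxy appended after it is an assumption about NiFi's chain format that the issue text does not spell out.

```python
import re

# Assumed wire format: every identity wrapped in angle brackets, the end
# user first, then each proxy in the order it handled the request.
_ENTRY = re.compile(r"<([^<>]*)>")


def parse_chain(header):
    """Split a chain header into identities; ValueError if malformed."""
    if not header:
        return []
    entries = _ENTRY.findall(header)
    # Re-serialising must reproduce the input, otherwise stray text or
    # unbalanced brackets were present and the header is rejected.
    if "".join(f"<{e}>" for e in entries) != header:
        raise ValueError("malformed X-ProxiedEntitiesChain")
    return entries


def outbound_headers(incoming_chain, client_cert_dn, user,
                     gateway_path, service_path):
    """Headers the proxy sends to NiFi (hypothetical helper).

    incoming_chain: X-ProxiedEntitiesChain of the inbound request, or None
    client_cert_dn: subject DN of the verified client certificate, or None
    user:           identity authenticated at the proxy
    """
    if incoming_chain:
        # An inbound chain is only honoured when the caller proved its
        # own identity with a client certificate (two-way SSL); that DN
        # is added to the chain so NiFi can authorize it as well.
        if not client_cert_dn:
            raise PermissionError("chain supplied without client certificate")
        chain = parse_chain(incoming_chain) + [client_cert_dn]
    else:
        chain = [user]
    for identity in chain:
        if "<" in identity or ">" in identity:
            raise ValueError("identity contains a chain delimiter")
    # The proxy's own DN is not written into the header: NiFi reads it
    # from the certificate presented on the proxy-to-NiFi connection.
    return {
        "X-ProxiedEntitiesChain": "".join(f"<{i}>" for i in chain),
        "X-Forwarded-Context":
            gateway_path.rstrip("/") + "/" + service_path.strip("/"),
    }
```

Refusing an inbound chain that arrives without a verified client certificate matters because every identity in the header is authorized by NiFi, so an unauthenticated caller must not be able to supply one.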
