Date: Thu, 5 Oct 2017 14:16:03 +0000 (UTC)
From: "Jeff Storck (JIRA)"
To: dev@knox.incubator.apache.org
Subject: [jira] [Updated] (KNOX-970) Add support for proxying NiFi

     [ https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Storck updated KNOX-970:
-----------------------------
    Attachment:     (was: KNOX-970-PR-9-full.patch)

> Add support for proxying NiFi
> -----------------------------
>
>                 Key: KNOX-970
>                 URL: https://issues.apache.org/jira/browse/KNOX-970
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>             Fix For: 0.14.0
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs depending on individual installations/configurations of NiFi through multiple component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the context path at which Knox is hosted (for example, /gateway/sandbox) and the path at which the NiFi services are proxied (for example, nifi-web). Using this header with the extra context path information (from the given examples, /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, Knox also needs to set an additional header required by NiFi, X-ProxiedEntitiesChain, which will contain the identity of the user making the request to Knox. If the header is present in an incoming request to Knox, it must be able to take the DN from the SSL cert of the requesting client (two-way SSL) and add it to the value received in the header. The requests made from Knox to NiFi must also be made with two-way SSL so that NiFi can obtain the Knox server DN from its certificate. The values present in the X-ProxiedEntitiesChain will be used to authorize each identity specified in the header of the proxied request before the operation will be performed by NiFi.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
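
The header handling described in the issue above, sketched as an added Java example; it is not code from Apache Knox or Apache NiFi. The class and method names are hypothetical, the angle-bracket chain format and the refusal of a chain that arrives without a verified client certificate are assumptions of this example, and the sample identities are constructed.

```java
import java.util.Optional;

// Added illustration; class and method names are hypothetical, not Knox or NiFi code.
public class NiFiProxyHeaders {

    // Assumption: each identity in the chain is wrapped in angle brackets, e.g. <alice><CN=proxy>.
    static String wrap(String identity) {
        if (identity == null || identity.isEmpty() || identity.matches("(?s).*[<>\\r\\n].*")) {
            throw new IllegalArgumentException("identity cannot be placed in the chain");
        }
        return "<" + identity + ">";
    }

    // incomingChain: X-ProxiedEntitiesChain received by Knox, if any.
    // clientCertDn: subject DN of the client certificate verified by two-way SSL, if any.
    // authenticatedUser: identity of the user making the request to Knox.
    static String proxiedEntitiesChain(Optional<String> incomingChain,
                                       Optional<String> clientCertDn,
                                       String authenticatedUser) {
        if (!incomingChain.isPresent()) {
            return wrap(authenticatedUser);
        }
        String chain = incomingChain.get();
        if (!chain.matches("(<[^<>\\r\\n]+>)+")) {
            throw new IllegalArgumentException("malformed incoming chain");
        }
        // Assumption of this example: a chain sent without a verified client certificate is refused.
        String dn = clientCertDn.orElseThrow(
                () -> new SecurityException("chain supplied without a client certificate"));
        return chain + wrap(dn);
    }

    // X-Forwarded-Context: path where Knox is hosted plus the path where NiFi is proxied.
    static String forwardedContext(String gatewayPath, String servicePath) {
        return gatewayPath.replaceAll("/+$", "") + "/" + servicePath.replaceAll("^/+", "");
    }

    public static void main(String[] args) {
        // Constructed sample identities; the paths are the examples given in the issue.
        String proxyDn = "CN=edge-proxy, OU=Example";
        System.out.println(forwardedContext("/gateway/sandbox", "nifi-web"));
        System.out.println(proxiedEntitiesChain(Optional.empty(), Optional.empty(), "alice"));
        System.out.println(proxiedEntitiesChain(
                Optional.of("<alice>"), Optional.of(proxyDn), proxyDn));
    }
}
```

The Knox server DN is not appended here: per the issue, NiFi obtains it from the certificate Knox presents on the two-way SSL connection.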