Larry, You are absolutely correct. We should not be able to see the protected Zookeeper instance in the first place.
What I am trying to solve is the problem of which Knox Gateway instance is available to our external client app. We hope to have several for load balancing and high availability purposes. Another hardware option is the use of a F5 with DNS load balancing against Knox. Thanks for bringing this up. Rick -----Original Message----- From: larry mccay [mailto:[email protected]] Sent: Wednesday, June 14, 2017 3:18 PM To: [email protected] Subject: Re: Knox Gateway Registration within Zookeeper Hi Rick - It's an interesting thought. My follow up question would be... How often does the REST client that is having access to services gated by Knox have line of sight of ZK? My personal expectation is that most clients of Knox do not and ZK should actually be hidden from them. ZK is rather cumbersome to secure and there are lots of sensitive network topology and state information in there. While I do dream of the day that Knox will be able to discover all the URLs of the services in a topology from the ZK based register, I don't think that I can see the value in having Knox be discoverable through it. Can you more fully articulate the usecase? thanks! --larry On Wed, Jun 14, 2017 at 3:11 PM, Rick Kellogg <[email protected]> wrote: > Greetings, > > > > What are your thoughts about optional registering of live Knox Gateway > instances in Zookeeper? Then as a client, I could query Zookeeper to > find a valid host. > > > > No idea of complexity involved but it seems to be a good idea to me. > > > > Thoughts? > > Rick > >
