[ https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16190540#comment-16190540 ]

Jeff Storck commented on KNOX-970:
----------------------------------

[~moresandeep] I agree with your first point, I need to add unit tests before 
this can be merged to master.
I removed the commented configuration sections in sandbox.xml as you 
recommended in your second point, and updated the NIFI service by default to 
proxy to an unsecured NiFi instance on port 9090, to bring it in line with 
other service definitions in the topology.
I updated the method-scoped variable "twoWaySslAlias" as you recommended in 
your third point, good catch!
In response to your fourth point, the coercion of "anonymous" to "<>" in the 
X-ProxiedEntitiesChain shouldn't affect logging of Knox.  It's just how the 
anonymous user must be represented in the X-ProxiedEntitiesChain so that NiFi 
knows the user being proxied was not authenticated by the proxy.  In the edge 
case that there is a user named "anonymous", NiFi recognizes "<>" in the 
entities chain as an unauthenticated user.
Regarding your fifth point, the dispatch does not currently have access to the 
configuration to know what the SSO cookie name should be, and [~lmccay] said 
I could hardcode it for now.
I will update the patch regarding points 2-5 tonight.

> Add support for proxying NiFi
> -----------------------------
>
>                 Key: KNOX-970
>                 URL: https://issues.apache.org/jira/browse/KNOX-970
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Jeff Storck
>             Fix For: 0.14.0
>
>         Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc.) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.
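As an added illustration of the header handling described in the issue above (not code from the Knox patch or from NiFi), the following Python shows how an X-ProxiedEntitiesChain value is composed on the proxy side, including the "<>" encoding of an unauthenticated user, and how the receiving side splits it back into the identities it must authorize. The backslash escaping of "<" and ">" inside a DN and the position at which NiFi appends the proxy's own certificate DN are assumptions.

```python
import re

def format_identity(identity, authenticated=True):
    """Encode one identity as an X-ProxiedEntitiesChain element.
    An unauthenticated request becomes the empty element "<>", which NiFi reads
    as anonymous; an authenticated user literally named "anonymous" keeps its
    name, so the two cases stay distinguishable."""
    if not authenticated or identity is None:
        return "<>"
    # Assumption: '<' and '>' inside a DN are backslash-escaped so they cannot
    # terminate an element early or inject a second identity.
    return "<" + identity.replace("<", r"\<").replace(">", r"\>") + ">"

def build_outgoing_chain(incoming_chain, client_cert_dn, knox_user, knox_authenticated):
    """Chain value the proxy (Knox) sends to NiFi for one request.
    If the caller already supplied a chain, the DN from the caller's two-way-SSL
    client certificate is appended to it; otherwise the chain starts with the
    identity the proxy itself authenticated (or "<>" when it did not)."""
    if incoming_chain is not None:
        if not client_cert_dn:
            # A forwarded chain with no client certificate cannot be attributed:
            # accepting it would let any caller name arbitrary upstream identities.
            raise ValueError("X-ProxiedEntitiesChain requires a two-way-SSL client DN")
        return incoming_chain + format_identity(client_cert_dn)
    return format_identity(knox_user, knox_authenticated)

# One <...> element; an escaped '<' or '>' is consumed as part of the identity.
_ELEMENT = re.compile(r"<((?:\\[<>]|[^<>])*)>")

def parse_chain(chain):
    """Split a chain into identities in order; '' marks an anonymous element.
    Anything that is not a plain sequence of well-formed elements is rejected."""
    identities, pos = [], 0
    while pos < len(chain):
        m = _ELEMENT.match(chain, pos)
        if m is None:
            raise ValueError(f"malformed X-ProxiedEntitiesChain at offset {pos}")
        identities.append(m.group(1).replace(r"\<", "<").replace(r"\>", ">"))
        pos = m.end()
    return identities

def identities_to_authorize(header_value, proxy_cert_dn):
    """What the receiving NiFi ends up checking: every identity carried in the
    header plus the DN it takes from the proxy's certificate on the two-way-SSL
    connection (assumption: appended as the last entry). Each one is authorized
    before the proxied operation is performed."""
    return parse_chain(header_value) + [proxy_cert_dn]
```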



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)