[
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16192440#comment-16192440
]
Larry McCay commented on KNOX-970:
----------------------------------
[~jtstorck] - this patch looks pretty good.
One thing that bothers me a bit is the service param name being use-two-way-ssl
with dashes. I would have rather have seen it be with dots but there is already
a precedent set in the file ServiceDefinitionDeploymentContributor for
camelCase. I think the attribute name in the service definition itself is fine
with the dashes.
Beyond that, I am having trouble actually building and running tests on master
and need to get to the bottom of that but if you are so inclined a revision to
address the above would be appreciated.
Thanks for this contribution, the 2-way ssl support in dispatch is a great
improvement that I can already see other uses for!
> Add support for proxying NiFi
> -----------------------------
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi,
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs
> depending on individual installations/configurations of NiFi through multiple
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the
> context path at which Knox is hosted (for example, /gateway/sandbox) and the
> path at which the NiFi services are proxied (for example, nifi-web). Using
> this header with the extra context path information (from the given examples,
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy,
> Knox also needs to set an additional header required by NiFi,
> X-ProxiedEntitiesChain, which will contain the identity of the user making
> the request to Knox. If the header is present in an incoming request to
> Knox, it must be able to take the DN from the SSL cert of the requesting
> client (two-way SSL) and add it to the value received in the header. The
> requests made from Knox to NiFi must also be made with two-way SSL so that
> NiFi can obtain the Knox server DN from its certificate. The values present
> in the X-ProxiedEntitiesChain will be used to authorize each identity
> specified in the header of the proxied request before the operation will be
> performed by NiFi.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
