[ https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16224183#comment-16224183 ]
Larry McCay commented on KNOX-970: ---------------------------------- [~jtstorck] - If we want to get this into 0.14.0/1.0.0 then we will need to get some tests added in the next day or so. We are closing down in anticipation of an RC on the 31st or so. > Add support for proxying NiFi > ----------------------------- > > Key: KNOX-970 > URL: https://issues.apache.org/jira/browse/KNOX-970 > Project: Apache Knox > Issue Type: New Feature > Components: Server > Reporter: Jeff Storck > Assignee: Jeff Storck > Fix For: 0.14.0 > > Attachments: KNOX-970-PR-9-full.patch > > > Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, > /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs > depending on individual installations/configurations of NiFi through multiple > component versions and custom NARs. > Knox needs to be able to proxy to all of the available context paths in NiFi > without being configured for each one individually. > The X-Forwarded-Context header set by Knox when proxying needs to include the > context path at which Knox is hosted (for example, /gateway/sandbox) and the > path at which the NiFi services are proxied (for example, nifi-web). Using > this header with the extra context path information (from the given examples, > /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming > requests to the root context of the web server hosted by NiFi. > When proxying to a secured NiFi instance/cluster set up with multi-tenancy, > Knox also needs to set an additional header required by NiFi, > X-ProxiedEntitiesChain, which will contain the identity of the user making > the request to Knox. If the header is present in an incoming request to > Knox, it must be able to take the DN from the SSL cert of the requesting > client (two-way SSL) and add it to the value received in the header. The > requests made from Knox to NiFi must also be made with two-way SSL so that > NiFi can obtain the Knox server DN from its certificate. The values present > in the X-ProxiedEntitiesChain will be used to authorize each identity > specified in the header of the proxied request before the operation will be > performed by NiFi. -- This message was sent by Atlassian JIRA (v6.4.14#64029)