[jira] [Commented] (KNOX-970) Add support for proxying NiFi

Sun, 29 Oct 2017 13:17:24 -0700 

    [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16224183#comment-16224183
 ] 

Larry McCay commented on KNOX-970:
----------------------------------

[~jtstorck] - If we want to get this into 0.14.0/1.0.0 then we will need to get 
some tests added in the next day or so. We are closing down in anticipation of 
an RC on the 31st or so.

> Add support for proxying NiFi
> -----------------------------
>
>                 Key: KNOX-970
>                 URL: https://issues.apache.org/jira/browse/KNOX-970
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>             Fix For: 0.14.0
>
>         Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to