Larry McCay commented on KNOX-970:

[~jtstorck] - I am going to make the above discussed adjustments and commit.
We will also need to file a JIRA for following up on a couple small details 
that will work fine for now but are probably a little more brittle than they 
can be.

> Add support for proxying NiFi
> -----------------------------
>                 Key: KNOX-970
>                 URL: https://issues.apache.org/jira/browse/KNOX-970
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>             Fix For: 0.14.0
>         Attachments: KNOX-970-PR-9-full.patch
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.

This message was sent by Atlassian JIRA

Reply via email to