Larry McCay commented on KNOX-970:
[~jtstorck] - I am going to make the above discussed adjustments and commit.
We will also need to file a JIRA for following up on a couple small details
that will work fine for now but are probably a little more brittle than they
> Add support for proxying NiFi
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
> Attachments: KNOX-970-PR-9-full.patch
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi,
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs
> depending on individual installations/configurations of NiFi through multiple
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the
> context path at which Knox is hosted (for example, /gateway/sandbox) and the
> path at which the NiFi services are proxied (for example, nifi-web). Using
> this header with the extra context path information (from the given examples,
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy,
> Knox also needs to set an additional header required by NiFi,
> X-ProxiedEntitiesChain, which will contain the identity of the user making
> the request to Knox. If the header is present in an incoming request to
> Knox, it must be able to take the DN from the SSL cert of the requesting
> client (two-way SSL) and add it to the value received in the header. The
> requests made from Knox to NiFi must also be made with two-way SSL so that
> NiFi can obtain the Knox server DN from its certificate. The values present
> in the X-ProxiedEntitiesChain will be used to authorize each identity
> specified in the header of the proxied request before the operation will be
> performed by NiFi.
This message was sent by Atlassian JIRA