[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16241115#comment-16241115
 ] 

Larry McCay edited comment on KNOX-970 at 11/6/17 10:43 PM:
------------------------------------------------------------

[~jtstorck] - I am going to make the above discussed adjustments and commit.
We will also need to file a JIRA for following up on a couple small details 
that will work fine for now but are probably a little more brittle than they 
need to be.



was (Author: lmccay):
[~jtstorck] - I am going to make the above discussed adjustments and commit.
We will also need to file a JIRA for following up on a couple small details 
that will work fine for now but are probably a little more brittle than they 
can be.


> Add support for proxying NiFi
> -----------------------------
>
>                 Key: KNOX-970
>                 URL: https://issues.apache.org/jira/browse/KNOX-970
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>             Fix For: 0.14.0
>
>         Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to