This would absolutely work. The question is how you would expect to have the authenticated identity propagated to the custom service. In hadoop there is a common pattern for components like Knox to be a "trusted proxy". This requires kerberos authentication, the use of a query param called doas to set the username. Config on the REST service side explicitly identifies the servers that can act on behalf of other users.
All you have to do to add a new API to Knox is provide a service definition and rewrite rules for making sure that requests go back through Knox. See: https://cwiki.apache.org/confluence/display/KNOX/2015/12/17/Adding+a+service+to+Apache+Knox On Fri, Oct 21, 2016 at 1:44 PM, Georg Heiler <[email protected]> wrote: > Hi, > I am curious if knox supports authenticating custom rest apis as well. I > would like to use knox as a sort of api gateway for a predictive > api exposed by http://predictionio.incubator.apache.org/index.html > > - does this work? > - what amount of latency is added? > > Kind Regards, > Georg >
