Jeff Storck created KNOX-970:
--------------------------------
Summary: Add support for proxying NiFi
Key: KNOX-970
URL: https://issues.apache.org/jira/browse/KNOX-970
Project: Apache Knox
Issue Type: New Feature
Components: Server
Reporter: Jeff Storck
Apache NiFi hosts several known UIs/APIs at various context paths (/nifi,
/nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs
depending on individual installations/configurations of NiFi through multiple
component versions and custom NARs.
Knox needs to be able to proxy to all of the available context paths in NiFi
without being configured for each one individually.
The X-Forwarded-Context header set by Knox when proxying needs to include the
context path at which Knox is hosted (for example, /gateway/sandbox) and the
path at which the NiFi services are proxied (for example, nifi-web). Using
this header with the extra context path information (from the given examples,
/gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming
requests to the root context of the web server hosted by NiFi.
When proxying to a secured NiFi instance/cluster set up with multi-tenancy,
Knox also needs to set an additional header required by NiFi,
X-ProxiedEntitiesChain, which will contain the identity of the user making the
request to Knox. If the header is present in an incoming request to Knox, it
must be able to take the DN from the SSL cert of the requesting client (two-way
SSL) and add it to the value received in the header. The requests made from
Knox to NiFi must also be made with two-way SSL so that NiFi can obtain the
Knox server DN from its certificate. The values present in the
X-ProxiedEntitiesChain will be used to authorize each identity specified in the
header of the proxied request before the operation will be performed by NiFi.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
