[
https://issues.apache.org/jira/browse/NIFI-15013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18022492#comment-18022492
]
Matt Gilman commented on NIFI-15013:
------------------------------------
[~turcsanyip] Thanks for the detailed explanation. Why is Knox sending the
"doAs" parameter? As you noted, NiFi does not honor it. Instead NiFi accepts an
X-ProxiedEntitiesChain request header for the same purpose. Knox added custom
support for proxying to NiFi here [1] which should use the
X-ProxiedEntitiesChain header. The simplest solution would be for Knox to not
include this query parameter.

The steps you outline are not the case for every embedded web application. Only
web applications that leverage hash-based routing where the query parameters
must be included in the fragment in order for the custom UI to access them. The
filter you mentioned is referenced and run from each individual custom UI.

[1] https://issues.apache.org/jira/browse/KNOX-970

> Embedded UI pages may fail to open when NiFi runs behind a reverse proxy
> ------------------------------------------------------------------------
>
> Key: NIFI-15013
> URL: https://issues.apache.org/jira/browse/NIFI-15013
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Peter Turcsanyi
> Priority: Major
>
> When a reverse proxy sits between the browser and the NiFi backend, it may
> change the incoming requests and add some extra technical parameters. E.g.
> Apache Knox adds "doAs=username" which is used for passing the authenticated
> user to the backend services.
> NiFi does not use the "doAs" parameter effectively because it relies on the
> X-ProxiedEntitiesChain header instead (also set by the proxy). In most cases,
> "doAs" does not cause any issues in NiFi and it just omits the extra
> parameter but the embedded UI pages (like the Advanced property pages and the
> Content Viewer) cannot handle it properly.
> Switching from the core UI to an embedded UI page involves two steps:
> 1. The client sends an HTTP request with query parameters indicating the
> component id, etc. The backend converts the query string to a URL fragment
> and sends back a redirection with this modified URL.
> 2. The client uses the fragment internally and sends a second request
> (according to the redirection), this time without parameters. The backend
> responds with the HTML content of the page.
> Both requests go through
> [QueryStringToFragmentFilter|https://github.com/apache/nifi/blob/main/nifi-commons/nifi-web-servlet-shared/src/main/java/org/apache/nifi/web/servlet/filter/QueryStringToFragmentFilter.java]
> which decides if it is the first or the second step and sends the
> redirection with the fragment in case of step #1. The decision is simply made
> based on the presence of a query string and this leads to the issue with Knox
> (and potentially with other proxies too) because "doAs" is always present and
> it triggers redirection infinitely.
> A trivial solution would be to filter for "doAs" in
> QueryStringToFragmentFilter and not redirect if this is the only parameter,
> but it would be Knox-specific and definitely not ideal.
> Another option would be to add an extra parameter by the NiFi client that
> explicitly distinguishes whether the request is the first step or the second.
> So QueryStringToFragmentFilter could use it when making the decision to
> redirect or not.
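
The redirect loop described in the issue, and the marker-parameter option proposed at its end, as a small model added here for illustration. It is not NiFi or Knox code: the path `/custom-ui/`, the fragment layout `#/?...`, the marker name `toFragment` and the hop cap are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

MARKER = "toFragment"  # hypothetical marker name, not an actual NiFi parameter
MAX_HOPS = 10          # redirect cap used by this model, like a browser's limit


def proxy(url, user="alice"):
    """Model of the reverse proxy: append doAs=<user> to every forwarded request."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query) + [("doAs", user)]
    return parts._replace(query=urlencode(query)).geturl()


def filter_presence(url):
    """Decision as described in the issue: any query string means step 1."""
    parts = urlsplit(url)
    if parts.query:
        return 302, f"{parts.path}#/?{parts.query}"
    return 200, None


def filter_marker(url):
    """Second option from the issue: redirect only when the client marks step 1."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query)
    if any(key == MARKER for key, _ in params):
        kept = urlencode([(k, v) for k, v in params if k != MARKER])
        return 302, f"{parts.path}#/?{kept}"
    return 200, None


def browse(url, backend_filter, via_proxy=True):
    """Follow redirects like a browser; return (final status, requests sent)."""
    for hop in range(1, MAX_HOPS + 1):
        request = url.split("#", 1)[0]  # the fragment is never sent to the server
        if via_proxy:
            request = proxy(request)
        status, location = backend_filter(request)
        if status == 200:
            return status, hop
        url = location
    return "redirect loop", MAX_HOPS
```

With the presence-based decision the proxied session never reaches the page, because the second request again carries a query string; with the marker, the proxy's extra parameter no longer affects the decision.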