[ 
https://issues.apache.org/jira/browse/NIFI-15013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18022823#comment-18022823
 ] 

David Handermann commented on NIFI-15013:
-----------------------------------------

The QueryStringToFragmentFilter should not be changed to accommodate specific 
reverse proxy implementations, so any potential changes should be evaluated in 
the context of general patterns.

If a reverse proxy, such as Apache Knox, adds its own query parameter, it is 
the responsibility of that proxy server to maintain that parameter without 
changes to NiFi.

In this scenario, it sounds like Apache Knox would need to evaluate the HTTP 
Location header returned from NiFi and append the query parameter, if that is 
required.

As Matt described, passing authenticated user information is supported through 
the X-ProxiedEntitiesChain request header, so any reverse proxy should not 
depend on the ability to pass an authenticated user through a query parameter.

> Embedded UI pages may fail to open when NiFi runs behind a reverse proxy
> ------------------------------------------------------------------------
>
>                 Key: NIFI-15013
>                 URL: https://issues.apache.org/jira/browse/NIFI-15013
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Peter Turcsanyi
>            Priority: Major
>
> When a reverse proxy sits between the browser and the NiFi backend, it may 
> change the incoming requests and add some extra technical parameters. E.g. 
> Apache Knox adds "doAs=username" which is used for passing the authenticated 
> user to the backend services.
> NiFi does not use the "doAs" parameter effectively because it relies on the 
> X-ProxiedEntitiesChain header instead (also set by the proxy). In most cases, 
> "doAs" does not cause any issues in NiFi and it just omits the extra 
> parameter but the embedded UI pages (like the Advanced property pages and the 
> Content Viewer) cannot handle it properly.
> Switching from the core UI to an embedded UI page involves two steps:
>  # The client sends an HTTP request with query parameters indicating the 
> component id, etc. The backend converts the query string to a URL fragment 
> and sends back a redirection with this modified URL.
>  # The client uses the fragment internally and sends a second request 
> (according to the redirection), this time without parameters. The backend 
> responds with the HTML content of the page.
> Both requests go through 
> [QueryStringToFragmentFilter|https://github.com/apache/nifi/blob/main/nifi-commons/nifi-web-servlet-shared/src/main/java/org/apache/nifi/web/servlet/filter/QueryStringToFragmentFilter.java]
>  which decides if it is the first or the second step and sends the 
> redirection with the fragment in case of step #1. The decision is simply made 
> based on the presence of a query string and this leads to the issue with Knox 
> (and potentially with other proxies too) because "doAs" is always present and 
> it triggers redirection infinitely.
> A trivial solution would be to filter for "doAs" in 
> QueryStringToFragmentFilter and not redirect if this is the only parameter 
> but it would be Knox specific and definitely not ideal.
> Another option would be to add an extra parameter by the NiFi client that 
> explicitly distinguishes whether the request is the first step or the second. 
> So QueryStringToFragmentFilter could use it when making the decision to 
> redirect or not.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
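
The two-step exchange from the issue description, modelled as an added example (not NiFi or Knox code, and not part of the original message). `filter_decision` implements only the rule the issue states, "redirect whenever a query string is present"; the host name, path, user, redirect limit and header value are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

MAX_REQUESTS = 10  # assumed client-side redirect limit
URL = "https://nifi.example.test/ui/advanced?id=abc"  # constructed sample URL


def filter_decision(url):
    """Rule described in the issue: any query string triggers a redirect
    that moves the query into the fragment; otherwise the page is served."""
    parts = urlsplit(url)
    if parts.query:
        return 302, parts._replace(query="", fragment=parts.query).geturl()
    return 200, None


def query_param_proxy(url, user):
    """Proxy that appends doAs=<user> to every forwarded request."""
    parts = urlsplit(url)
    query = urlencode(parse_qsl(parts.query) + [("doAs", user)])
    # Header name is from the page; the value is a constructed sample.
    return parts._replace(query=query).geturl(), {"X-ProxiedEntitiesChain": f"<{user}>"}


def header_only_proxy(url, user):
    """Proxy that conveys the user in the request header only."""
    return url, {"X-ProxiedEntitiesChain": f"<{user}>"}


def open_embedded_page(url, proxy=None, user="alice"):
    """Follow redirects like a browser; return (last status, requests sent)."""
    for count in range(1, MAX_REQUESTS + 1):
        # A browser never sends the fragment to the server.
        sent = urlsplit(url)._replace(fragment="").geturl()
        if proxy:
            sent, _headers = proxy(sent, user)
        status, location = filter_decision(sent)
        if status == 200:
            return status, count
        url = location
    return status, MAX_REQUESTS


if __name__ == "__main__":
    print("direct:      ", open_embedded_page(URL))
    print("doAs proxy:  ", open_embedded_page(URL, query_param_proxy))
    print("header proxy:", open_embedded_page(URL, header_only_proxy))
```
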
