[jira] [Assigned] (KNOX-1109) DefaultDispatch should have extension points for customizing requests

2019-03-22 Thread Jeff Storck (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck reassigned KNOX-1109:
-

Assignee: (was: Jeff Storck)

> DefaultDispatch should have extension points for customizing requests
> -
>
> Key: KNOX-1109
> URL: https://issues.apache.org/jira/browse/KNOX-1109
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Jeff Storck
>Priority: Minor
>
> To customize requests, a developer must override default implementation 
> methods and possibly duplicate code.  The default implementations should have 
> some extension points/methods that extending classes can implement without 
> having to override default functionality.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Assigned] (KNOX-1170) Add unit tests for NiFiDispatch

2019-03-22 Thread Jeff Storck (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck reassigned KNOX-1170:
-

Assignee: (was: Jeff Storck)

> Add unit tests for NiFiDispatch
> ---
>
> Key: KNOX-1170
> URL: https://issues.apache.org/jira/browse/KNOX-1170
> Project: Apache Knox
>  Issue Type: Test
>  Components: Server
>Affects Versions: 0.14.0
>Reporter: Jeff Storck
>Priority: Minor
>






[jira] [Commented] (KNOX-1080) Custom dispatch for NiFi should be moved to its own package

2018-10-05 Thread Jeff Storck (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16640077#comment-16640077
 ] 

Jeff Storck commented on KNOX-1080:
---

[~risdenk] Thanks for the reminder.  Yes, I can create a patch for this.

> Custom dispatch for NiFi should be moved to its own package
> ---
>
> Key: KNOX-1080
> URL: https://issues.apache.org/jira/browse/KNOX-1080
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 0.14.0
>Reporter: Jeff Storck
>Priority: Minor
> Fix For: 1.2.0
>
>
> The custom NiFi dispatch code should be moved from the 
> org.apache.knox.gateway.dispatch package to org.apache.knox.gateway.nifi 
> package. In addition, the default service.xml for the NiFi dispatch should be 
> updated to use the new package name.





[jira] [Commented] (KNOX-1080) Custom dispatch for NiFi should be moved to its own package

2018-05-10 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-1080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16471499#comment-16471499
 ] 

Jeff Storck commented on KNOX-1080:
---

Yes, I can submit a patch, might not be until Monday though.

> Custom dispatch for NiFi should be moved to its own package
> ---
>
> Key: KNOX-1080
> URL: https://issues.apache.org/jira/browse/KNOX-1080
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 0.14.0
>Reporter: Jeff Storck
>Priority: Minor
> Fix For: 1.2.0
>
>
> The custom NiFi dispatch code should be moved from the 
> org.apache.knox.gateway.dispatch package to org.apache.knox.gateway.nifi 
> package. In addition, the default service.xml for the NiFi dispatch should be 
> updated to use the new package name.





[jira] [Commented] (KNOX-1080) Custom dispatch for NiFi should be moved to its own package

2018-05-04 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-1080?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16464114#comment-16464114
 ] 

Jeff Storck commented on KNOX-1080:
---

[~pzampino] No requirement, unless adhering to the convention of packaging in 
the other dispatch modules counts as a requirement.

> Custom dispatch for NiFi should be moved to its own package
> ---
>
> Key: KNOX-1080
> URL: https://issues.apache.org/jira/browse/KNOX-1080
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 0.14.0
>Reporter: Jeff Storck
>Priority: Minor
> Fix For: 1.1.0
>
>
> The custom NiFi dispatch code should be moved from the 
> org.apache.knox.gateway.dispatch package to org.apache.knox.gateway.nifi 
> package. In addition, the default service.xml for the NiFi dispatch should be 
> updated to use the new package name.





[jira] [Created] (KNOX-1210) SSOCookieProvider should detect expired SSO token

2018-03-15 Thread Jeff Storck (JIRA)
Jeff Storck created KNOX-1210:
-

 Summary: SSOCookieProvider should detect expired SSO token
 Key: KNOX-1210
 URL: https://issues.apache.org/jira/browse/KNOX-1210
 Project: Apache Knox
  Issue Type: Bug
  Components: KnoxSSO
Affects Versions: 0.14.0
Reporter: Jeff Storck


While proxying a UI that makes XHR (XMLHttpRequest) calls through Knox, if the 
SSO token expires, that request through Knox will be redirected to the KnoxSSO 
login page, which will be the response to the request itself.  The UI that 
receives this response will attempt to parse it and fail, since it is not the 
expected response; it is the KnoxSSO login page itself.

When a request is made with a {code}X-Requested-With{code} header set to
{code}XMLHttpRequest{code} the SSOCookieProvider should check for SSO token 
expiry.  If the token has not expired, the request should continue through to 
the proxied resource.  If the token has expired, rather than redirecting to the 
KnoxSSO login page, a
{code}401 Unauthorized{code} response should be returned.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
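
The behaviour requested in KNOX-1210 above, as an added Java sketch that is not Knox's SSOCookieProvider code: it decides between continuing, redirecting to the login page, and answering 401 for an XHR call whose token has expired. The class and method names, the constructed tokens, treating a token without a readable `exp` claim as expired, and leaving signature verification to an earlier step are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added sketch, not Knox code: models only the decision KNOX-1210 asks for.
// Assumption: the token signature was already verified before decide() is called.
public class SsoExpiryDecision {

    enum Action { CONTINUE, REDIRECT_TO_LOGIN, UNAUTHORIZED_401 }

    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Reads the "exp" claim (seconds since epoch) from a JWT payload; null if absent or malformed. */
    static Long expirySeconds(String jwt) {
        if (jwt == null) {
            return null;
        }
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            return null;
        }
        try {
            String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
            Matcher m = EXP_CLAIM.matcher(payload);
            return m.find() ? Long.valueOf(m.group(1)) : null;
        } catch (IllegalArgumentException e) {
            // Covers bad base64 and an out-of-range number (NumberFormatException is a subclass).
            return null;
        }
    }

    /** Header names are case-insensitive, so look them up that way. */
    static String header(Map<String, String> headers, String name) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name)) {
                return e.getValue();
            }
        }
        return null;
    }

    /**
     * X-Requested-With is supplied by the client, so it never decides whether the
     * token is accepted. It only selects the form of the rejection: a 401 the
     * calling script can handle, or the redirect a browser navigation expects.
     */
    static Action decide(Map<String, String> headers, String ssoCookie, Instant now) {
        Long exp = expirySeconds(ssoCookie);
        // Assumption of this sketch: no readable exp claim is treated as expired.
        boolean live = exp != null && now.getEpochSecond() < exp;
        if (live) {
            return Action.CONTINUE;
        }
        boolean xhr = "XMLHttpRequest".equalsIgnoreCase(header(headers, "X-Requested-With"));
        return xhr ? Action.UNAUTHORIZED_401 : Action.REDIRECT_TO_LOGIN;
    }

    /** Builds a constructed, unsigned sample token carrying only the claims this sketch reads. */
    static String constructedToken(long exp) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String head = enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(
                ("{\"sub\":\"sample-user\",\"exp\":" + exp + "}").getBytes(StandardCharsets.UTF_8));
        return head + "." + body + ".constructed-signature";
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2018-03-15T12:00:00Z");
        String live = constructedToken(now.getEpochSecond() + 300);
        String expired = constructedToken(now.getEpochSecond() - 300);

        Map<String, String> xhr = Map.of("x-requested-with", "XMLHttpRequest");
        Map<String, String> navigation = Map.of("Accept", "text/html");

        System.out.println("XHR, live token:           " + decide(xhr, live, now));
        System.out.println("XHR, expired token:        " + decide(xhr, expired, now));
        System.out.println("navigation, expired token: " + decide(navigation, expired, now));
        System.out.println("XHR, malformed cookie:     " + decide(xhr, "not-a-jwt", now));
    }
}
```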


[jira] [Created] (KNOX-1170) Add unit tests for NiFiDispatch

2018-02-02 Thread Jeff Storck (JIRA)
Jeff Storck created KNOX-1170:
-

 Summary: Add unit tests for NiFiDispatch
 Key: KNOX-1170
 URL: https://issues.apache.org/jira/browse/KNOX-1170
 Project: Apache Knox
  Issue Type: Test
  Components: Server
Affects Versions: 0.14.0
Reporter: Jeff Storck
Assignee: Jeff Storck








[jira] [Updated] (KNOX-1108) NiFiHaDispatch not failing over

2017-12-11 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-1108:
--
Status: Patch Available  (was: Open)

> NiFiHaDispatch not failing over
> ---
>
> Key: KNOX-1108
> URL: https://issues.apache.org/jira/browse/KNOX-1108
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 0.14.0
>Reporter: Jeff Storck
>Assignee: Jeff Storck
> Fix For: 0.15.0
>
> Attachments: KNOX-1108-full-patch-PR-13.patch
>
>
> In NiFiHaDispatch, executeRequest is overridden and does not have the 
> try/catch block in DefaultHaDispatch's executeRequest method which is used to 
> catch exceptions and begin the failover process.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Updated] (KNOX-1108) NiFiHaDispatch not failing over

2017-12-11 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-1108:
--
Attachment: KNOX-1108-full-patch-PR-13.patch

[^KNOX-1108-full-patch-PR-13.patch] provided to fix no failover processing in 
NiFiHaDispatch.

> NiFiHaDispatch not failing over
> ---
>
> Key: KNOX-1108
> URL: https://issues.apache.org/jira/browse/KNOX-1108
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 0.14.0
>Reporter: Jeff Storck
>Assignee: Jeff Storck
> Fix For: 0.15.0
>
> Attachments: KNOX-1108-full-patch-PR-13.patch
>
>
> In NiFiHaDispatch, executeRequest is overridden and does not have the 
> try/catch block in DefaultHaDispatch's executeRequest method which is used to 
> catch exceptions and begin the failover process.





[jira] [Commented] (KNOX-1111) 2-way SSL Truststore and Keystore Improvements

2017-11-08 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16244186#comment-16244186
 ] 

Jeff Storck commented on KNOX-:
---

Agreed on these improvements.  Should be very similar to the addition and 
management of the useTwoWaySsl filter param.  Low level of effort, easy to test.

> 2-way SSL Truststore and Keystore Improvements
> --
>
> Key: KNOX-
> URL: https://issues.apache.org/jira/browse/KNOX-
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Larry McCay
>Assignee: Jeff Storck
> Fix For: 0.15.0
>
>
> Currently, the DefaultHttpClientFactory is setting the 2-way SSL for 
> dispatches truststore as gateway.jks. This should be driven by configuration 
> and probably default to cacerts rather than gateway.jks.
> The client cert alias inside the keystore should be configurable as well so 
> that we can possibly have different certs representing different topologies.
> In addition, the keystore to host the client certs should be configurable.





[jira] [Assigned] (KNOX-1109) DefaultDispatch should have extension points for customizing requests

2017-11-06 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-1109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck reassigned KNOX-1109:
-

Assignee: Jeff Storck

> DefaultDispatch should have extension points for customizing requests
> -
>
> Key: KNOX-1109
> URL: https://issues.apache.org/jira/browse/KNOX-1109
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Jeff Storck
>Assignee: Jeff Storck
>Priority: Minor
>
> To customize requests, a developer must override default implementation 
> methods and possibly duplicate code.  The default implementations should have 
> some extension points/methods that extending classes can implement without 
> having to override default functionality.





[jira] [Created] (KNOX-1109) DefaultDispatch should have extension points for customizing requests

2017-11-06 Thread Jeff Storck (JIRA)
Jeff Storck created KNOX-1109:
-

 Summary: DefaultDispatch should have extension points for 
customizing requests
 Key: KNOX-1109
 URL: https://issues.apache.org/jira/browse/KNOX-1109
 Project: Apache Knox
  Issue Type: Improvement
  Components: Server
Reporter: Jeff Storck
Priority: Minor


To customize requests, a developer must override default implementation methods 
and possibly duplicate code.  The default implementations should have some 
extension points/methods that extending classes can implement without having to 
override default functionality.





[jira] [Created] (KNOX-1108) NiFiHaDispatch not failing over

2017-11-06 Thread Jeff Storck (JIRA)
Jeff Storck created KNOX-1108:
-

 Summary: NiFiHaDispatch not failing over
 Key: KNOX-1108
 URL: https://issues.apache.org/jira/browse/KNOX-1108
 Project: Apache Knox
  Issue Type: Bug
  Components: Server
Affects Versions: 0.14.0
Reporter: Jeff Storck
Assignee: Jeff Storck


In NiFiHaDispatch, executeRequest is overridden and does not have the try/catch 
block in DefaultHaDispatch's executeRequest method which is used to catch 
exceptions and begin the failover process.





[jira] [Commented] (KNOX-970) Add support for proxying NiFi

2017-11-06 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16240494#comment-16240494
 ] 

Jeff Storck commented on KNOX-970:
--

[~lmccay] Regarding the removal of the use-two-way-ssl attribute from the 
dispatch tag, it would bring NiFi's service.xml in line with the rest of the 
services, in terms of config.  It's certainly not a critical change, but it 
would bring it back to the convention used in the other service.xml 
definitions; keeping it simple, and not explicitly setting default values.

For docs, I should have something to contribute today.

I'll contribute the unit tests as soon as they're ready, in a patch on a 
separate JIRA.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
>Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
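
The two headers described in the KNOX-970 issue text quoted above, as an added Java sketch that is not Knox or NiFi code: it composes X-Forwarded-Context from the gateway and service paths and extends X-ProxiedEntitiesChain with the client certificate DN. The `<identity>` wire format with backslash-escaped angle brackets, the rejection of a received chain that arrives without a client certificate, the sample DNs, and all class and method names are assumptions of this example.

```java
import java.util.regex.Pattern;

// Added sketch, not Knox or NiFi code.
public class NiFiProxyHeaders {

    // Assumed wire format: one or more <identity> entries; '<' and '>' inside an
    // identity are escaped with a backslash.
    private static final Pattern CHAIN = Pattern.compile("(<(?:[^<>\\\\]|\\\\.)*>)+");

    /** Joins the Knox context path and the proxied service path with single slashes. */
    static String forwardedContext(String gatewayContext, String servicePath) {
        String left = gatewayContext.replaceAll("/+$", "");
        String right = servicePath.replaceAll("^/+|/+$", "");
        return (left.startsWith("/") ? left : "/" + left) + "/" + right;
    }

    /** Rejects values that are empty or would let CR, LF or other control characters into a header. */
    static String requirePrintable(String value) {
        if (value == null || value.isEmpty() || value.chars().anyMatch(Character::isISOControl)) {
            throw new IllegalArgumentException("value is empty or contains control characters");
        }
        return value;
    }

    /** Wraps one identity in angle brackets, escaping brackets that occur inside it. */
    static String wrap(String identity) {
        requirePrintable(identity);
        if (identity.endsWith("\\")) {
            // A trailing backslash would escape the closing bracket of the entry.
            throw new IllegalArgumentException("identity must not end with a backslash");
        }
        return "<" + identity.replace("<", "\\<").replace(">", "\\>") + ">";
    }

    /**
     * No header received: the chain starts with the user authenticated by the gateway.
     * Header received: the DN from the caller's two-way SSL certificate is appended,
     * so every hop in the chain is vouched for by the hop after it.
     */
    static String proxiedEntitiesChain(String incomingChain, String clientCertDn, String authenticatedUser) {
        if (incomingChain == null || incomingChain.isEmpty()) {
            return wrap(authenticatedUser);
        }
        if (clientCertDn == null) {
            // Assumption of this sketch: a chain nobody authenticated for is refused.
            throw new IllegalArgumentException("chain received without a two-way SSL client certificate");
        }
        if (!CHAIN.matcher(requirePrintable(incomingChain)).matches()) {
            throw new IllegalArgumentException("malformed X-ProxiedEntitiesChain value");
        }
        return incomingChain + wrap(clientCertDn);
    }

    public static void main(String[] args) {
        // All DNs and paths below are constructed sample values.
        System.out.println("X-Forwarded-Context: " + forwardedContext("/gateway/sandbox", "nifi-web"));

        System.out.println("X-ProxiedEntitiesChain: "
                + proxiedEntitiesChain(null, null, "CN=alice, OU=NIFI"));

        System.out.println("X-ProxiedEntitiesChain: "
                + proxiedEntitiesChain("<CN=alice, OU=NIFI>", "CN=upstream-proxy, OU=NIFI", null));

        // Brackets inside an identity are escaped so they cannot start a new entry.
        System.out.println("X-ProxiedEntitiesChain: "
                + proxiedEntitiesChain(null, null, "CN=build <ci> agent"));

        try {
            proxiedEntitiesChain("<CN=alice, OU=NIFI>", null, null);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```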


[jira] [Commented] (KNOX-970) Add support for proxying NiFi

2017-11-02 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16236715#comment-16236715
 ] 

Jeff Storck commented on KNOX-970:
--

[~lmccay] In my patch, there are a few things I need to address:
* ServiceDefinitionDeploymentContributor.addDispatchFilterForClass(), for the 
method that takes the useTwoWaySsl param, sets the "useTwoWaySsl" param with 
the value read from service.xml after the for loop that adds all params.  I 
need to move the line that sets the "default" value of "useTwoWaySsl" to before 
the for loop to prevent overwriting of the "useTwoWaySsl" param if one was 
defined for a service in the topology.
* In NiFi's service.xml, I'd like to add 
{{ha-classname=org.apache.hadoop.gateway.dispatch.NiFiHaDispatch}} to the 
dispatch element.
* In NiFi's service.xml, since useTwoWaySsl defaults to false (in 
CustomDispatch) and is explicitly being set to "false", the "use-two-way-ssl" 
attribute can (and should?) probably be removed from NiFi's service.xml... 
Thoughts on that?
* Unit tests for the NiFi dispatch are still in the works.  I've been swamped 
with some other tasks, but should be able to contribute those in the next 
couple days.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
>Assignee: Jeff Storck
>Priority: Major
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.





[jira] [Commented] (KNOX-970) Add support for proxying NiFi

2017-10-30 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16225422#comment-16225422
 ] 

Jeff Storck commented on KNOX-970:
--

[~lmccay] I will try to update my patch with tests tomorrow, 10/31.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
>Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.





[jira] [Created] (KNOX-1080) Custom dispatch for NiFi should be moved to its own package

2017-10-12 Thread Jeff Storck (JIRA)
Jeff Storck created KNOX-1080:
-

 Summary: Custom dispatch for NiFi should be moved to its own 
package
 Key: KNOX-1080
 URL: https://issues.apache.org/jira/browse/KNOX-1080
 Project: Apache Knox
  Issue Type: Improvement
  Components: Server
Affects Versions: 0.14.0
Reporter: Jeff Storck
Priority: Minor
 Fix For: 0.14.0


The custom NiFi dispatch code should be moved from the 
org.apache.hadoop.gateway.dispatch package to org.apache.hadoop.gateway.nifi 
package.  In addition, the default service.xml for the NiFi dispatch should be 
updated to use the new package name.





[jira] [Issue Comment Deleted] (KNOX-970) Add support for proxying NiFi

2017-10-05 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Comment: was deleted

(was: [^KNOX-970-PR-9-full.patch] Updated patch based on review comments.)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
>Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.





[jira] [Commented] (KNOX-970) Add support for proxying NiFi

2017-10-05 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16192934#comment-16192934
 ] 

Jeff Storck commented on KNOX-970:
--

[^KNOX-970-PR-9-full.patch] New patch based on comments from [~lmccay].  Some 
cleanup, defaulting to unsecure (http) for NiFi to match the example service 
definition in sandbox.xml, and updated NiFi dispatch filter param 
"use-two-way-ssl" to "useTwoWaySsl".

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
>Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.





[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-10-05 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Attachment: KNOX-970-PR-9-full.patch

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
>Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.





[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-10-05 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Status: Open  (was: Patch Available)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
>Assignee: Jeff Storck
> Fix For: 0.14.0
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.





[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-10-05 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Attachment: (was: KNOX-970-PR-9-full.patch)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
>Assignee: Jeff Storck
> Fix For: 0.14.0
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.





[jira] [Issue Comment Deleted] (KNOX-970) Add support for proxying NiFi

2017-10-03 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Comment: was deleted

(was: Newest complete patch (includes removing the hadoop-jwt token from the 
request between Knox and NiFi) ready for review: [^KNOX-970-PR-9-full.patch])

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-10-03 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Status: Patch Available  (was: Open)

[^KNOX-970-PR-9-full.patch] Updated patch based on review comments.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-10-03 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Attachment: KNOX-970-PR-9-full.patch

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Comment Edited] (KNOX-970) Add support for proxying NiFi

2017-10-03 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16190663#comment-16190663
 ] 

Jeff Storck edited comment on KNOX-970 at 10/4/17 2:04 AM:
---

[~lmccay] I will update the NiFi dispatch to remove the "Cookie" header(s).


was (Author: jtstorck):
[~lmccay] I will update the NiFi dispatch to remove the "Cookie" header.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-10-03 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Status: Open  (was: Patch Available)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-10-03 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Attachment: (was: KNOX-970-PR-9-full.patch)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
>
>


[jira] [Comment Edited] (KNOX-970) Add support for proxying NiFi

2017-10-03 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16190663#comment-16190663
 ] 

Jeff Storck edited comment on KNOX-970 at 10/4/17 1:47 AM:
---

[~lmccay] I will update the NiFi dispatch to remove the "Cookie" header.


was (Author: jtstorck):
[~lmccay] I will update the NiFi dispatch to remove all "Cookie" headers.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Commented] (KNOX-970) Add support for proxying NiFi

2017-10-03 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16190663#comment-16190663
 ] 

Jeff Storck commented on KNOX-970:
--

[~lmccay] I will update the NiFi dispatch to remove all "Cookie" headers.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Assignee: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Commented] (KNOX-970) Add support for proxying NiFi

2017-10-03 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16190540#comment-16190540
 ] 

Jeff Storck commented on KNOX-970:
--

[~moresandeep] I agree with your first point, I need to add unit tests before 
this can be merged to master.
I removed the commented configuration sections in sandbox.xml as you 
recommended in your second point, and updated the NIFI service by default to 
proxy to an unsecured NiFi instance on port 9090, to bring it in line with 
other service definitions in the topology.
I updated the method-scoped variable "twoWaySslAlias" as you recommended in 
your third point, good catch!
In response to your fourth point, the coercion of "anonymous" to "<>" in the 
X-ProxiedEntitiesChain shouldn't affect logging of Knox.  It's just how the 
anonymous user must be represented in the X-ProxiedEntitiesChain so that NiFi 
knows the user being proxied was not authenticated by the proxy.  In the edge 
case that there is a user named "anonymous", NiFi recognizes "<>" in the 
entities chain as an unauthenticated user.
Regarding your fifth point, the dispatch does not currently have access to the 
configuration to know what the SSO cookie name should be, and [~lmccay] said 
I could hardcode it for now.
I will update the patch regarding points 2-5 tonight.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
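
The header handling described in the issue and in the comment above (identity chain, "<>" for the anonymous user, no Cookie headers sent on to NiFi), as an added Python sketch; it is not code from Knox or from the KNOX-970 patch. The function names, the backslash escaping of angle brackets, the refusal of a chain that arrives without a client certificate, appending the client DN at the end of the chain, and all sample values are assumptions of this example.

```python
import re

CHAIN_HEADER = "X-ProxiedEntitiesChain"
CONTEXT_HEADER = "X-Forwarded-Context"
ANONYMOUS = "anonymous"   # name of the unauthenticated user, per the comment above
# One chain entry: "<", then escaped pairs or ordinary characters, then ">".
_ENTRY = re.compile(r"<((?:\\.|[^<>\\])*)>")


def format_entity(identity):
    """Wrap one identity as <identity>; None or '' becomes the empty entry <>."""
    if not identity:
        return "<>"
    if "\r" in identity or "\n" in identity:
        raise ValueError("identity contains CR/LF (header injection attempt?)")
    # Assumption of this sketch: '\', '<' and '>' inside an identity are escaped.
    escaped = identity.replace("\\", "\\\\").replace("<", "\\<").replace(">", "\\>")
    return "<" + escaped + ">"


def parse_chain(value):
    """Split a chain into identities ('' means unauthenticated); reject junk."""
    identities, pos = [], 0
    while pos < len(value):
        match = _ENTRY.match(value, pos)
        if match is None:
            raise ValueError("malformed chain at offset %d" % pos)
        identities.append(re.sub(r"\\(.)", r"\1", match.group(1)))
        pos = match.end()
    return identities


def build_chain(incoming_value, client_cert_dn, user):
    """Return the chain value the gateway sends to the backend."""
    if incoming_value:
        # An upstream proxy supplied a chain. Accept it only when that proxy
        # presented a client certificate (two-way SSL), then add its DN.
        if not client_cert_dn:
            raise PermissionError("chain received without a client certificate")
        upstream = parse_chain(incoming_value)   # validates and normalises
        return "".join(format_entity(i) for i in upstream) + format_entity(client_cert_dn)
    # No chain received: the chain is just the user the gateway authenticated.
    return format_entity(None if user == ANONYMOUS else user)


def outbound_headers(incoming, client_cert_dn, user, forwarded_context):
    """incoming: list of (name, value) pairs received by the gateway."""
    forwarded, chain_in = [], None
    for name, value in incoming:
        lowered = name.lower()
        if lowered == "cookie":                  # SSO cookie must not reach the backend
            continue
        if lowered == CONTEXT_HEADER.lower():    # the gateway sets its own value
            continue
        if lowered == CHAIN_HEADER.lower():
            if chain_in is not None:
                raise ValueError("more than one chain header received")
            chain_in = value
            continue
        forwarded.append((name, value))
    forwarded.append((CHAIN_HEADER, build_chain(chain_in, client_cert_dn, user)))
    forwarded.append((CONTEXT_HEADER, forwarded_context))
    return forwarded


if __name__ == "__main__":
    # Constructed sample request; the context path is the example from the issue.
    sample = [("Accept", "*/*"), ("Cookie", "hadoop-jwt=constructed-value")]
    for header in outbound_headers(sample, None, "alice", "/gateway/sandbox/nifi-web"):
        print("%s: %s" % header)
```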


[jira] [Comment Edited] (KNOX-970) Add support for proxying NiFi

2017-09-27 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16183173#comment-16183173
 ] 

Jeff Storck edited comment on KNOX-970 at 9/27/17 8:03 PM:
---

Newest complete patch (includes removing the hadoop-jwt token from the request 
between Knox and NiFi) ready for review: [^KNOX-970-PR-9-full.patch]


was (Author: jtstorck):
Newest complete patch (includes removing the hadoop-jwt token from the request 
between Knox and NiFi) ready for review: [^KNOX-970-PR-9-full.patch]

Please disregard [^KNOX-970-PR-9.patch] and 
[^KNOX-970-PR-9-updated-full.patch], they are outdated.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Issue Comment Deleted] (KNOX-970) Add support for proxying NiFi

2017-09-27 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Comment: was deleted

(was: [^KNOX-970-PR-9.patch])

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-09-27 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Attachment: (was: KNOX-970-PR-9.patch)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Issue Comment Deleted] (KNOX-970) Add support for proxying NiFi

2017-09-27 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Comment: was deleted

(was: [^KNOX-970-PR-9-updated-full.patch] is the updated patch with full 
two-way SSL and KnoxSSO support.)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
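The header handling described in the quoted KNOX-970 issue text, as an added example that is not taken from the Knox patch. The class and method names are hypothetical, the DNs are constructed, and the angle-bracket chain format (`<user><proxy>`) is assumed from NiFi's convention rather than stated in the issue. Refusing a client-supplied chain when no client certificate is present is this example's own choice.

```java
import java.util.ArrayList;
import java.util.List;

public class NiFiProxyHeadersExample {

    // Wrap one identity for the chain; reject characters that would let a
    // caller forge extra chain entries or inject header lines.
    static String wrap(String identity) {
        if (identity == null || identity.trim().isEmpty()) {
            throw new IllegalArgumentException("empty identity");
        }
        for (char c : new char[] {'<', '>', '\r', '\n'}) {
            if (identity.indexOf(c) >= 0) {
                throw new IllegalArgumentException("illegal character in identity");
            }
        }
        return "<" + identity + ">";
    }

    // Parse "<a><b>" into [a, b]; throws if the value is not well formed.
    static List<String> parseChain(String chain) {
        List<String> identities = new ArrayList<>();
        String s = chain.trim();
        int pos = 0;
        while (pos < s.length()) {
            int close = s.indexOf('>', pos);
            if (s.charAt(pos) != '<' || close < 0) {
                throw new IllegalArgumentException("malformed chain");
            }
            String identity = s.substring(pos + 1, close);
            wrap(identity); // validates the entry
            identities.add(identity);
            pos = close + 1;
        }
        return identities;
    }

    // Value of X-ProxiedEntitiesChain for the outgoing request to NiFi.
    // incomingChain: header value received by the gateway, or null.
    // clientCertDn:  DN from the requesting client's certificate (two-way SSL), or null.
    // authenticatedUser: identity of the user making the request to the gateway.
    static String buildChain(String incomingChain, String clientCertDn, String authenticatedUser) {
        boolean hasIncoming = incomingChain != null && !incomingChain.trim().isEmpty();
        if (!hasIncoming) {
            return wrap(authenticatedUser);
        }
        if (clientCertDn == null) {
            // Without a client certificate nothing vouches for the supplied chain.
            throw new SecurityException("chain supplied without a client certificate");
        }
        parseChain(incomingChain);
        return incomingChain.trim() + wrap(clientCertDn);
    }

    // Value of X-Forwarded-Context: gateway context path plus the proxied service path.
    static String forwardedContext(String gatewayContextPath, String servicePath) {
        String base = gatewayContextPath.replaceAll("/+$", "");
        String service = servicePath.replaceAll("^/+", "").replaceAll("/+$", "");
        return base + "/" + service;
    }

    public static void main(String[] args) {
        // Paths are the examples given in the issue text.
        System.out.println(forwardedContext("/gateway/sandbox", "nifi-web"));

        // Constructed identities for illustration.
        System.out.println(buildChain(null, null, "alice"));
        System.out.println(buildChain("<alice>", "CN=upstream-proxy, OU=NIFI", "ignored"));

        try {
            buildChain("<admin>", null, "mallory");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

NiFi obtains the gateway's own DN from the two-way SSL connection, so the gateway never writes its own identity into the header.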


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-09-27 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Status: Patch Available  (was: Open)

Newest complete patch (includes removing the hadoop-jwt token from the request 
between Knox and NiFi) ready for review: [^KNOX-970-PR-9-full.patch]

Please disregard [^KNOX-970-PR-9.patch] and 
[^KNOX-970-PR-9-updated-full.patch], they are outdated.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-09-27 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Attachment: (was: KNOX-970-PR-9-updated-full.patch)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-09-27 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Status: Open  (was: Patch Available)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9.patch, KNOX-970-PR-9-updated-full.patch
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-09-27 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Attachment: KNOX-970-PR-9-full.patch

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9-full.patch, KNOX-970-PR-9.patch, 
> KNOX-970-PR-9-updated-full.patch
>
>


[jira] [Created] (KNOX-1069) KnoxSSO token audience config should trim values

2017-09-27 Thread Jeff Storck (JIRA)
Jeff Storck created KNOX-1069:
-

 Summary: KnoxSSO token audience config should trim values
 Key: KNOX-1069
 URL: https://issues.apache.org/jira/browse/KNOX-1069
 Project: Apache Knox
  Issue Type: Improvement
  Components: KnoxSSO
Affects Versions: 0.13.0
Reporter: Jeff Storck
Priority: Minor


knoxsso.token.audiences can be set to a comma-separated list of values.  Those 
values can end up containing spaces, depending on how the list is configured.  
For example:

{code:xml}
<param>
   <name>knoxsso.token.audiences</name>
   <value>foo,bar, baz</value>
</param>
{code}

With that config, the token seen by the receiving service will see three 
audiences, "foo", "bar", and " baz". Notice the space in front of baz.

If the list is parsed and the values are trimmed, it might avoid confusion for 
services that need to parse that list and match values.  Other areas within 
Knox (such as federation filters) should also trim the values in the list for 
matching purposes.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
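The mismatch described in KNOX-1069, as an added example that is not Knox code. The class and method names are hypothetical, and the service-side expected-audience values are constructed. It shows the untrimmed list failing an exact-match audience check on both the issuing side and the validating side, and the trimmed parse fixing both.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AudienceTrimExample {

    // Split on commas only: whitespace around a value becomes part of the audience.
    static List<String> parseUntrimmed(String configured) {
        return Arrays.asList(configured.split(","));
    }

    // Split, trim each value, and drop entries that are empty after trimming.
    static List<String> parseTrimmed(String configured) {
        List<String> audiences = new ArrayList<>();
        if (configured == null) {
            return audiences;
        }
        for (String value : configured.split(",")) {
            String trimmed = value.trim();
            if (!trimmed.isEmpty()) {
                audiences.add(trimmed);
            }
        }
        return audiences;
    }

    // Receiving side: accept a token when one of its audiences is expected.
    // An empty expected list rejects everything in this example.
    static boolean accepts(List<String> expected, List<String> tokenAudiences) {
        for (String audience : tokenAudiences) {
            if (expected.contains(audience)) {
                return true;
            }
        }
        return false;
    }

    // Render a list with quotes so stray spaces are visible.
    static String quoted(List<String> values) {
        List<String> out = new ArrayList<>();
        for (String value : values) {
            out.add("\"" + value + "\"");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String issuerConfig = "foo,bar, baz";              // value from the issue
        List<String> serviceExpects = parseTrimmed("baz"); // constructed

        List<String> untrimmed = parseUntrimmed(issuerConfig);
        List<String> trimmed = parseTrimmed(issuerConfig);
        System.out.println(quoted(untrimmed) + " accepted: " + accepts(serviceExpects, untrimmed));
        System.out.println(quoted(trimmed) + " accepted: " + accepts(serviceExpects, trimmed));

        // The same problem on the validating side (for example a federation
        // filter's expected-audience list); the config value is constructed.
        String filterConfig = "qux, baz";
        List<String> tokenAudiences = Arrays.asList("baz");
        System.out.println("filter untrimmed accepted: "
                + accepts(parseUntrimmed(filterConfig), tokenAudiences));
        System.out.println("filter trimmed accepted: "
                + accepts(parseTrimmed(filterConfig), tokenAudiences));
    }
}
```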


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-09-26 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Status: Patch Available  (was: Open)

[^KNOX-970-PR-9-updated-full.patch] is the updated patch with full two-way SSL 
and KnoxSSO support.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9.patch, KNOX-970-PR-9-updated-full.patch
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-09-26 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Status: Open  (was: Patch Available)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9.patch, KNOX-970-PR-9-updated-full.patch
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-09-26 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Attachment: KNOX-970-PR-9-updated-full.patch

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9.patch, KNOX-970-PR-9-updated-full.patch
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-08-31 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Attachment: KNOX-970-PR-9.patch

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
> Attachments: KNOX-970-PR-9.patch
>
>


[jira] [Commented] (KNOX-970) Add support for proxying NiFi

2017-08-30 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16148282#comment-16148282
 ] 

Jeff Storck commented on KNOX-970:
--

Submitted PR: https://github.com/apache/knox/pull/9

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
>


[jira] [Updated] (KNOX-970) Add support for proxying NiFi

2017-08-30 Thread Jeff Storck (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeff Storck updated KNOX-970:
-
Status: Patch Available  (was: Open)

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.14.0
>
>


[jira] [Created] (KNOX-991) Extend support of OAuth by adding generation of Discovery Document

2017-08-07 Thread Jeff Storck (JIRA)
Jeff Storck created KNOX-991:


 Summary: Extend support of OAuth by adding generation of Discovery 
Document
 Key: KNOX-991
 URL: https://issues.apache.org/jira/browse/KNOX-991
 Project: Apache Knox
  Issue Type: Improvement
  Components: Server
Reporter: Jeff Storck


To make it easier for clients to use Knox as an IdP, OAuth support can be 
extended to provide a Discovery Document, similar to what is documented here: 
https://openid.net/specs/openid-connect-discovery-1_0.html

Google's Discovery Document example: 
https://developers.google.com/identity/protocols/OpenIDConnect#discovery





[jira] [Commented] (KNOX-970) Add support for proxying NiFi

2017-06-22 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16059693#comment-16059693
 ] 

Jeff Storck commented on KNOX-970:
--

NiFi will have the support added for X-Forwarded-* headers in the 1.4.0 
release.  I'm expecting Knox 0.13.0 to be released before NiFi 1.4.0; most 
likely, this contribution will be in 0.14.0.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
> Fix For: 0.13.0
>
>


[jira] [Comment Edited] (KNOX-970) Add support for proxying NiFi

2017-06-15 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16051350#comment-16051350
 ] 

Jeff Storck edited comment on KNOX-970 at 6/16/17 4:20 AM:
---

I have begun work on this JIRA, and created a new Maven module with a custom 
NiFi dispatch.  I will be implementing the two-way SSL connections and the 
creation and setting of the X-ProxiedEntitiesChain.

I will also contribute example service.xml and rewrite.xml configurations to 
enable Knox to proxy to the root context of the web server hosted by NiFi.

I should have a PR for this contribution hopefully early next week.


was (Author: jtstorck):
I have begun work on this JIRA, and have created a new Maven module with a 
custom NiFi dispatch.  I will be implementing the two-way SSL connections and 
the creation and setting of the X-ProxiedEntitiesChain.

I will also contribute example service.xml and rewrite.xml configurations to 
enable Knox to proxy to the root context of the web server hosted by NiFi.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Jeff Storck
>


[jira] [Commented] (KNOX-970) Add support for proxying NiFi

2017-06-15 Thread Jeff Storck (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16051350#comment-16051350
 ] 

Jeff Storck commented on KNOX-970:
--

I have begun work on this JIRA, and have created a new Maven module with a 
custom NiFi dispatch.  I will be implementing the two-way SSL connections and 
the creation and setting of the X-ProxiedEntitiesChain.

I will also contribute example service.xml and rewrite.xml configurations to 
enable Knox to proxy to the root context of the web server hosted by NiFi.

> Add support for proxying NiFi
> -
>
> Key: KNOX-970
> URL: https://issues.apache.org/jira/browse/KNOX-970
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Jeff Storck
>
> Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
> /nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
> depending on individual installations/configurations of NiFi through multiple 
> component versions and custom NARs.
> Knox needs to be able to proxy to all of the available context paths in NiFi 
> without being configured for each one individually.
> The X-Forwarded-Context header set by Knox when proxying needs to include the 
> context path at which Knox is hosted (for example, /gateway/sandbox) and the 
> path at which the NiFi services are proxied (for example, nifi-web).  Using 
> this header with the extra context path information (from the given examples, 
> /gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
> requests to the root context of the web server hosted by NiFi.
> When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
> Knox also needs to set an additional header required by NiFi, 
> X-ProxiedEntitiesChain, which will contain the identity of the user making 
> the request to Knox.  If the header is present in an incoming request to 
> Knox, it must be able to take the DN from the SSL cert of the requesting 
> client (two-way SSL) and add it to the value received in the header.  The 
> requests made from Knox to NiFi must also be made with two-way SSL so that 
> NiFi can obtain the Knox server DN from its certificate.  The values present 
> in the X-ProxiedEntitiesChain will be used to authorize each identity 
> specified in the header of the proxied request before the operation will be 
> performed by NiFi.





[jira] [Created] (KNOX-970) Add support for proxying NiFi

2017-06-15 Thread Jeff Storck (JIRA)
Jeff Storck created KNOX-970:


Summary: Add support for proxying NiFi
Key: KNOX-970
URL: https://issues.apache.org/jira/browse/KNOX-970
Project: Apache Knox
Issue Type: New Feature
Components: Server
Reporter: Jeff Storck


Apache NiFi hosts several known UIs/APIs at various context paths (/nifi, 
/nifi-api, /nifi-docs, etc) and several dynamically discovered UIs/APIs 
depending on individual installations/configurations of NiFi through multiple 
component versions and custom NARs.

Knox needs to be able to proxy to all of the available context paths in NiFi 
without being configured for each one individually.

The X-Forwarded-Context header set by Knox when proxying needs to include the 
context path at which Knox is hosted (for example, /gateway/sandbox) and the 
path at which the NiFi services are proxied (for example, nifi-web).  Using 
this header with the extra context path information (from the given examples, 
/gateway/sandbox/nifi-web), Knox needs to be able to rewrite URLs of incoming 
requests to the root context of the web server hosted by NiFi.

When proxying to a secured NiFi instance/cluster set up with multi-tenancy, 
Knox also needs to set an additional header required by NiFi, 
X-ProxiedEntitiesChain, which will contain the identity of the user making the 
request to Knox.  If the header is present in an incoming request to Knox, it 
must be able to take the DN from the SSL cert of the requesting client (two-way 
SSL) and add it to the value received in the header.  The requests made from 
Knox to NiFi must also be made with two-way SSL so that NiFi can obtain the 
Knox server DN from its certificate.  The values present in the 
X-ProxiedEntitiesChain will be used to authorize each identity specified in the 
header of the proxied request before the operation will be performed by NiFi.



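The X-ProxiedEntitiesChain handling described in the issue above, as an added example that is not code from Knox, NiFi or the reporter. It assumes the header carries identities as `<identity1><identity2>` with angle brackets inside an identity escaped by a backslash (the page does not state the wire format); the class and method names are hypothetical, and rejecting an incoming chain that arrives without a client certificate is this example's own choice.

```java
import java.util.ArrayList;
import java.util.List;

public class ProxiedEntitiesChainExample {
    // Wrap one identity as <identity>; escaping brackets stops a crafted DN
    // from closing its own entry and injecting another identity.
    static String formatEntry(String identity) {
        return "<" + identity.replace("<", "\\<").replace(">", "\\>") + ">";
    }

    // Split a chain into identities; anything outside <...> entries is rejected.
    static List<String> parseChain(String chain) {
        List<String> ids = new ArrayList<>();
        StringBuilder cur = null; // null while between entries
        for (int i = 0; i < chain.length(); i++) {
            char c = chain.charAt(i);
            char next = i + 1 < chain.length() ? chain.charAt(i + 1) : 0;
            if (cur == null) {
                if (c != '<') throw new IllegalArgumentException("malformed chain at " + i);
                cur = new StringBuilder();
            } else if (c == '\\' && (next == '<' || next == '>')) {
                cur.append(next); i++; // escaped bracket is literal
            } else if (c == '>') {
                ids.add(cur.toString()); cur = null;
            } else if (c == '<') {
                throw new IllegalArgumentException("unescaped '<' at " + i);
            } else {
                cur.append(c);
            }
        }
        if (cur != null) throw new IllegalArgumentException("unterminated entry");
        return ids;
    }

    // Header value the proxy sends upstream. The proxy's own DN is not appended:
    // the upstream server reads it from the proxy's client certificate.
    static String buildChain(String incoming, String user, String clientCertDn) {
        if (incoming == null || incoming.trim().isEmpty()) return formatEntry(user);
        if (clientCertDn == null)
            throw new SecurityException("chain received without a client certificate");
        parseChain(incoming.trim()); // refuse to forward a malformed chain
        return incoming.trim() + formatEntry(clientCertDn);
    }

    public static void main(String[] args) { // constructed sample identities
        System.out.println(buildChain(null, "alice", null));
        System.out.println(parseChain(buildChain("<alice>", null, "CN=edge, OU=Example")));
        System.out.println(parseChain(formatEntry("bob><admin")));
    }
}
```

The last call in `main` shows why the escaping matters: an identity containing `><` still parses back as a single entry, so the upstream authorization check sees one identity rather than two.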