Access ADS services via the Knox Gateway

Overview

In ADPS, Knox Gateway, among other things, is used as a reverse proxy — a single point of access to communicate with target services while keeping the internal topology hidden from potential attackers. Knox accepts requests and redirects them to the appropriate backend services.

In Knox, a topology is defined by its provider and descriptor. The example below demonstrates how to set up access to the ADS services in the Knox Admin UI. This guide only covers cURL access and UI proxying. For Groovy and DSL access, refer to the Knox documentation.

Authentication provider

NOTE
If you already have a sufficient authentication provider, you may skip this section.

First, set up an authentication provider:

  1. On the Provider configurations page, click the plus icon to the right of the Provider Configurations list title.

    Figure: Knox provider configurations
  2. Choose a name for a provider (e.g. my-provider) and click Add Provider.

    Figure: Adding a provider
  3. On the screen that opens, select the Authentication option and click Next.

    Figure: Selecting a provider type
  4. Select an authentication type and click Next. In this example, it’s Kerberos.

    Figure: Selecting an authentication type
  5. Fill in the required information and click Ok.

    Figure: Setting authentication parameters
  6. On the final screen, you can configure additional provider settings, such as ACLs.

Descriptor

The next step is to prepare a descriptor. If you want to create a topology for several services within a cluster, follow the steps below. If you want to have separate topologies, you’ll have to repeat the same steps for each service.

  1. On the Descriptors page, click the plus icon to the right of the Descriptors list title.

    Figure: Descriptors list
  2. Choose a name for your descriptor (e.g. ads) and select the necessary provider. Among the presented services, select NIFI — it’s a service for proxying the UI of NiFi Flow. After that, click Ok.

    Figure: Selecting cluster services
  3. Select the created descriptor and click the plus icon to the right of Services. In the field that opens, enter KAFKA.

  4. Below a service name, there are two parameters: Params and URLs. In the URLs field, enter the URLs of the ADS services. Once you’re done, click the save icon.

    Figure: Adding service URLs

    By default, the URLs are:

    • KAFKA — http://<kafka_rest_host>:8082 (make sure that the Kafka REST Proxy service is installed).

    • NIFI — http://<nifi_server_host_1>:9090, http://<nifi_server_host_2>:9090.

NOTE
A read-only topology file is automatically generated based on each descriptor. The name of the topology matches the descriptor name.

Service access

To test whether a service can be accessed through Knox Gateway, run a command of the following format:

$ curl -ik --negotiate -u <principal>:<password> -X GET https://<gateway_host>:8443/gateway/ads/<service>/[<parameters>]

where:

  • <principal> is a Kerberos principal that has access to <gateway_host>.

  • <password> is a password for <principal>.

  • <gateway_host> is a Knox gateway host.

  • <service> is a service that is defined within the my-descriptor topology.

  • <parameters> are optional parameters that specify the requested resource.

KAFKA

$ curl -ik --negotiate -u <principal>:<password> -X GET https://<gateway_host>:8443/gateway/ads/kafka/topics

As a result, you will get a list of topics in Kafka:

["mm-connect-offsets","mm-connect-status","mm-connect-configs","_schemas"]

NIFI

Open your web browser and enter https://<knox_host>:8443/gateway/ads/nifi-app/nifi in the address bar. This will take you to the NiFi Flow interface.
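The checks above can be scripted into a single smoke test for the topology. The script below is an added example, not part of the original page or the Knox project; it assumes the topology is named ads, takes the gateway host from KNOX_GATEWAY_HOST, optionally verifies the gateway certificate with the CA bundle in KNOX_CA_BUNDLE instead of disabling verification with -k, and takes the Kerberos credentials from KNOX_CREDS (default ":" uses the existing ticket cache).

```shell
#!/bin/sh
# Smoke test for ADS services behind a Knox topology (added example, not from the page).
# Assumptions: topology "ads"; optional KNOX_CA_BUNDLE = CA file for the gateway cert;
# optional KNOX_CREDS = <principal>:<password>, default ":" = use the Kerberos ticket cache.
TOPOLOGY="${TOPOLOGY:-ads}"
# Build https://<gateway_host>:8443/gateway/<topology>/<service>[/<path>]
knox_url() {
    _host=$1; _svc=$2; _path=${3#/}   # drop a leading slash so no // appears in the path
    if [ -n "$_path" ]; then
        printf 'https://%s:8443/gateway/%s/%s/%s' "$_host" "$TOPOLOGY" "$_svc" "$_path"
    else
        printf 'https://%s:8443/gateway/%s/%s' "$_host" "$TOPOLOGY" "$_svc"
    fi
}
# Topic names, one per line, from a Kafka REST Proxy answer such as
# ["mm-connect-offsets","_schemas"] (the page's sample format); no jq required.
parse_topics() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*\[//; s/][[:space:]]*$//; s/"//g' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d'
}
# What a gateway HTTP status means for the report.
describe_status() {
    case "$1" in
        200) echo "ok" ;;
        401) echo "authentication rejected: check the Kerberos ticket or principal" ;;
        403) echo "forbidden: check the ACLs configured on the provider" ;;
        404) echo "not found: service missing from the topology or wrong path" ;;
        000) echo "no connection to the gateway" ;;
        *)   echo "unexpected HTTP status $1" ;;
    esac
}
# GET one gateway URL with SPNEGO (curl --negotiate); prints only the HTTP status code.
knox_status() {
    if [ -n "${KNOX_CA_BUNDLE:-}" ]; then
        set -- --cacert "$KNOX_CA_BUNDLE" "$1"   # verify the gateway certificate
    else
        set -- -k "$1"                           # like the page's -ik: verification off
    fi
    curl -s -o /dev/null -w '%{http_code}' --negotiate -u "${KNOX_CREDS:-:}" "$@"
}
main() {
    for pair in "kafka topics" "nifi-app nifi"; do
        set -- $pair
        url=$(knox_url "$KNOX_GATEWAY_HOST" "$1" "$2")
        code=$(knox_status "$url")
        printf '%s -> %s (%s)\n' "$url" "$code" "$(describe_status "$code")"
    done
}
# Run only when a gateway is named, so the functions can also be sourced offline.
if [ -n "${KNOX_GATEWAY_HOST:-}" ]; then main; fi
```

Run it as `KNOX_GATEWAY_HOST=<gateway_host> KNOX_CA_BUNDLE=/path/to/ca.pem sh knox_smoke.sh` after `kinit`; a 401 on every service usually means the ticket, not the topology, is the problem.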
