Posted to user@knox.apache.org by Georg Heiler <ge...@gmail.com> on 2016/10/21 17:44:28 UTC

authenticate custom REST API

Hi,
I am curious if Knox supports authenticating custom REST APIs as well. I
would like to use Knox as a sort of API gateway for a predictive
API exposed by http://predictionio.incubator.apache.org/index.html

   - does this work?
   - what amount of latency is added?

Kind Regards,
Georg

Re: authenticate custom REST API

Posted by larry mccay <lm...@apache.org>.
Anytime, Georg.
Please do keep us in the loop!

On Fri, Oct 21, 2016 at 4:03 PM, Georg Heiler <ge...@gmail.com>
wrote:

> Impressive. Thanks a lot.
> larry mccay <lm...@apache.org> wrote on Fri, Oct 21, 2016 at 20:00:
>
>> This would absolutely work.
>>
>> The question is how you would expect to have the authenticated identity
>> propagated to the custom service.
>> In Hadoop there is a common pattern for components like Knox to be a
>> "trusted proxy".
>> This requires Kerberos authentication and the use of a query param called
>> doas to set the username.
>> Config on the REST service side explicitly identifies the servers that
>> can act on behalf of other users.
>>
>> All you have to do to add a new API to Knox is provide a service
>> definition and rewrite rules for making sure that requests go back through
>> Knox.
>> See:
>> https://cwiki.apache.org/confluence/display/KNOX/2015/12/17/Adding+a+service+to+Apache+Knox
>>
>> On Fri, Oct 21, 2016 at 1:44 PM, Georg Heiler <ge...@gmail.com>
>> wrote:
>>
>> Hi,
>> I am curious if Knox supports authenticating custom REST APIs as well. I
>> would like to use Knox as a sort of API gateway for a predictive
>> API exposed by http://predictionio.incubator.apache.org/index.html
>>
>>    - does this work?
>>    - what amount of latency is added?
>>
>> Kind Regards,
>> Georg
>>
>>
>>

Re: authenticate custom REST API

Posted by Georg Heiler <ge...@gmail.com>.
Impressive. Thanks a lot.
larry mccay <lm...@apache.org> wrote on Fri, Oct 21, 2016 at 20:00:

> This would absolutely work.
>
> The question is how you would expect to have the authenticated identity
> propagated to the custom service.
> In Hadoop there is a common pattern for components like Knox to be a
> "trusted proxy".
> This requires Kerberos authentication and the use of a query param called
> doas to set the username.
> Config on the REST service side explicitly identifies the servers that can
> act on behalf of other users.
>
> All you have to do to add a new API to Knox is provide a service
> definition and rewrite rules for making sure that requests go back through
> Knox.
> See:
> https://cwiki.apache.org/confluence/display/KNOX/2015/12/17/Adding+a+service+to+Apache+Knox
>
>
> On Fri, Oct 21, 2016 at 1:44 PM, Georg Heiler <ge...@gmail.com>
> wrote:
>
> Hi,
> I am curious if Knox supports authenticating custom REST APIs as well. I
> would like to use Knox as a sort of API gateway for a predictive
> API exposed by http://predictionio.incubator.apache.org/index.html
>
>    - does this work?
>    - what amount of latency is added?
>
> Kind Regards,
> Georg
>
>
>

Re: authenticate custom REST API

Posted by larry mccay <lm...@apache.org>.
This would absolutely work.

The question is how you would expect to have the authenticated identity
propagated to the custom service.
In Hadoop there is a common pattern for components like Knox to be a
"trusted proxy".
This requires Kerberos authentication and the use of a query param called doas
to set the username.
Config on the REST service side explicitly identifies the servers that can
act on behalf of other users.

All you have to do to add a new API to Knox is provide a service definition
and rewrite rules for making sure that requests go back through Knox.
See:
https://cwiki.apache.org/confluence/display/KNOX/2015/12/17/Adding+a+service+to+Apache+Knox


On Fri, Oct 21, 2016 at 1:44 PM, Georg Heiler <ge...@gmail.com>
wrote:

> Hi,
> I am curious if Knox supports authenticating custom REST APIs as well. I
> would like to use Knox as a sort of API gateway for a predictive
> API exposed by http://predictionio.incubator.apache.org/index.html
>
>    - does this work?
>    - what amount of latency is added?
>
> Kind Regards,
> Georg
>
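
Added example, not part of the original thread and not Knox or Hadoop code: a sketch of the service-side half of the "trusted proxy" pattern described above, where the custom REST service honours doas only when the already-authenticated caller is an explicitly listed proxy. The policy table, the effective_user and is_denied helpers, the /predict path, and all names and addresses are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit

# Hypothetical service-side policy (constructed values): which authenticated
# callers may act for other users, from which networks, and for whom.
TRUSTED_PROXIES = {
    "knox": {
        "networks": [ip_network("10.0.5.0/24")],
        "may_impersonate": {"alice", "bob"},
    },
}


class Forbidden(Exception):
    """The request asked for impersonation the policy does not allow."""


def effective_user(caller, remote_addr, url):
    """Return the user a request runs as.

    caller is the short name of the principal the service has already
    authenticated (for example via Kerberos); it is never taken from the URL.
    """
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # Match the parameter name case-insensitively so "doAs" cannot slip past.
    doas = [value for key, value in query if key.lower() == "doas"]
    if not doas:
        return caller  # no impersonation requested
    if len(doas) != 1 or not doas[0]:
        raise Forbidden("doas must appear exactly once with a value")
    rule = TRUSTED_PROXIES.get(caller)
    if rule is None:
        raise Forbidden(f"{caller} is not a trusted proxy")
    if not any(ip_address(remote_addr) in net for net in rule["networks"]):
        raise Forbidden(f"{caller} may not proxy from {remote_addr}")
    if doas[0] not in rule["may_impersonate"]:
        raise Forbidden(f"{caller} may not act as {doas[0]}")
    return doas[0]


def is_denied(caller, remote_addr, url):
    """Convenience wrapper: True when the policy rejects the request."""
    try:
        effective_user(caller, remote_addr, url)
    except Forbidden:
        return True
    return False
```

A request that carries doas from a caller that is not a listed proxy is rejected rather than silently run as the caller, so a misrouted or forged impersonation attempt shows up as an error in the service's logs.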