Ambari views and Knox

[Eric Yang <ey...@apache.org>]

Hi all,

Ambari web offers Ambari views feature to proxy third party UI in 2014,
then Knox was introduced as a security REST gateway.  It seems there are
some duplicate functions of reverse proxy from two different view points.
Ambari was original design to be a multi-cluster deployment system for
system administrators.  The exposure of Ambari Server is mostly to
operational folks who may want to restrict Ambari Server access to private
management network only.  Can Ambari views be exposed to outside and not
expose Ambari-Server UI?

Is Knox designed as a gateway in front of Ambari views?  If Knox is a
gateway in front of Ambari views, shouldn't reverse proxy feature being
inside of Knox project instead of Ambari views?

If Knox is behind Ambari views, what mechanism will be to secure Ambari
views?

Take Hue as a possible candidate for assimilation.  For someone to
integrate Hue into the stack of software.

Option 1: Someone needs to modify the login mechanism for Hue to accept
Knox authentication, and define Ambari views quick link to Hue UI, if Knox
is in front of Ambari views.  Ambari views is the landing page for all end
user facing UI.  The only issue is, can Ambari views and Ambari Server
deploy to two different networks?  Hue is a data scientist UI that end
users facing network.  Ambari Web is ops oriented, and deployed on ops only
network.

Option 2: It is also possible only reverse proxy via Knox only, which makes
Ambari views proxy irrelevant to end user facing UI.

Option 3: If Ambari views are in front of Knox, Hue authentication remains
standalone, and Ambari views will do the proxy.  This may breach security
model offer by Knox.

It would be great to discuss this to ensure there is no duplication between
projects.  Thanks

regards,
Eric