Announcing Apache Knox Gateway 0.4.0 for Hadoop Security
The Apache Knox Gateway team is pleased to announce Knox’s first release as an Apache top-level project: Apache Knox Gateway 0.4.0. The team resolved approximately 100 JIRAs for this release and Knox Gateway is now better positioned to provide complete security for REST API access to a Hadoop cluster.
The new features in Knox Gateway 0.4.0 are the features that enterprise security officers expect in a gateway solution:
- Perimeter security for a Hadoop cluster
- Support for enterprise group lookup
- Audit log of all gateway activity
- Command line tooling for CMF provisioning
- Protection for web application vulnerabilities
- Pre-authentication via SSO token
- And many more…
As a top-level project, Apache Knox Gateway is fully endorsed by the Apache Software Foundation, and this improves coordination between development of Knox and the other core Hadoop projects with which it interacts.
Here is more detail on some of the specific features in Knox 0.4.0.
Perimeter Security and Group Lookup Through Apache Shiro
We extended the Apache Shiro provider to pull group memberships from the LDAP directory. It also provides support for dynamic groups.
Group memberships, coupled with an ACL-based authorization provider, form a powerful solution for service-level authorization and perimeter security that can be elegantly integrated with the enterprise directory server.
Audit Log of all Gateway Activity
All interactions that pass through the gateway are recorded in an audit log. This includes the IP and principal of the caller and other relevant attributes of the user, service and resource.
Pluggability within the audit mechanism allows for the use of custom audit stores.
Command Line Tooling for Keys and Passwords
The KnoxCLI utility facilitates creation and management of security artifacts. This allows the user to:
- Create the master secret,
- Create and manage password/credential aliases and
- Generate a self-signed certificate for use as the gateway identity certificate.
The KnoxCLI also provides commands for general gateway management services.
Protection for Web Application Vulnerabilities
This release introduces a Web App Security provider. Cross-site request forgery (CSRF) is the first web application vulnerability addressed for REST APIs, but the provider is designed to be extended with protections against further vulnerabilities.
Pre-authentication Via an SSO Token
This feature allows the identity and groups from an external authentication to be propagated and trusted by the Knox Gateway server. It targets integrations with SSO solutions such as CA SiteMinder where HTTP Headers are used to assert the authenticated identity.
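The two gateway-side checks described above (rejecting cross-site requests to REST APIs, and trusting SSO identity headers only from the SSO proxy) as one added illustration in Python; this is not Knox code, and the header names X-XSRF-Header, SM_USER and SM_GROUPS, the trusted proxy network and the status codes are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed request model standing in for the servlet request a gateway filter sees.
@dataclass
class Request:
    method: str
    remote_addr: str
    headers: dict = field(default_factory=dict)

# Assumed header names: the custom header a REST client must send, and
# SiteMinder-style headers carrying the pre-authenticated user and groups.
CSRF_HEADER = "X-XSRF-Header"
USER_HEADER = "SM_USER"
GROUPS_HEADER = "SM_GROUPS"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Constructed value: only requests from the SSO proxy may assert identity via headers.
TRUSTED_SSO_PROXIES = [ip_network("10.0.0.0/24")]

def _header(req, name):
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None

def csrf_check(req):
    """Reject state-changing requests that lack the custom header. A browser cannot
    attach a custom header to a cross-site request without a CORS preflight, so its
    presence shows the caller built the request deliberately."""
    if req.method.upper() in SAFE_METHODS:
        return True
    return _header(req, CSRF_HEADER) is not None

def preauth_identity(req):
    """Return (principal, groups) asserted by the SSO headers, or None when they must
    not be trusted: anyone can set a header, so it is honoured only from the proxy."""
    if not any(ip_address(req.remote_addr) in net for net in TRUSTED_SSO_PROXIES):
        return None
    user = _header(req, USER_HEADER)
    if not user:
        return None
    raw = _header(req, GROUPS_HEADER) or ""
    return user, [g.strip() for g in raw.split(",") if g.strip()]

def handle(req):
    """Run both filters in order; returns (status, identity the backing service sees)."""
    if not csrf_check(req):
        return 400, None
    ident = preauth_identity(req)
    if ident is None:
        return 401, None
    return 200, ident
```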
The Apache Knox Gateway community is already looking forward to the next release—to improve existing features and to add new protections for Hadoop clusters.
The Knox Gateway project is always looking for more security-savvy developers to contribute to our top-level project within the Apache Software Foundation and to develop the Hadoop ecosystem!