Announcing Apache Knox Gateway 0.4.0 for Hadoop Security

First Release as an Apache Top-Level Project!

The Apache Knox Gateway team is pleased to announce Knox’s first release as an Apache top-level project: Apache Knox Gateway 0.4.0. The team resolved approximately 100 JIRAs for this release and Knox Gateway is now better positioned to provide complete security for REST API access to a Hadoop cluster.

The new features in Knox Gateway 0.4.0 are the features that enterprise security officers expect in a gateway solution:

  • Perimeter security for a Hadoop cluster
  • Support for enterprise group lookup
  • Audit log of all gateway activity
  • Command line tooling for CMF provisioning
  • Protection for web application vulnerabilities
  • Pre-authentication via SSO token
  • And many more…

As a top-level project, Apache Knox Gateway is fully endorsed by the Apache Software Foundation, and this improves coordination between development of Knox and the other core Hadoop projects with which it interacts.

You can take Apache Knox for a test-drive with this tutorial for HDP Sandbox.

Here is more detail on some of the specific features in Knox 0.4.0.

Perimeter Security and Group Lookup Through Apache Shiro

We extended the Apache Shiro provider to pull group memberships from the LDAP directory. It also provides support for dynamic groups.

Group memberships, coupled with an ACL-based authorization provider, form a powerful solution for service-level authorization and perimeter security that can be elegantly integrated with the enterprise directory server.

Audit Log of all Gateway Activity

All interactions that pass through the gateway are recorded in an audit log. This includes the IP and principal of the caller and other relevant attributes of the user, service and resource.

Pluggability within the audit mechanism allows for the use of custom audit stores.

Command Line Tooling for Keys and Passwords

The KnoxCLI utility facilitates creation and management of security artifacts. This allows the user to:

  • Create the master secret,
  • Create and manage password/credential aliases and
  • Generate a self-signed certificate for use as the gateway identity certificate.

The KnoxCLI also provides commands for general gateway management services.

Protection for Web Application Vulnerabilities

This release introduces a Web App Security provider. Cross-site request forgery (CSRF) is the first web app vulnerability addressed for REST APIs, but the web app security provider is designed for extension to protect against other future vulnerabilities.

Pre-authentication Via an SSO Token

This feature allows the identity and groups from an external authentication to be propagated and trusted by the Knox Gateway server. It targets integrations with SSO solutions such as CA SiteMinder where HTTP Headers are used to assert the authenticated identity.

The Apache Knox Gateway community is already looking forward to the next release—to improve existing features and to add new protections for Hadoop clusters.

The Knox Gateway project is always looking for more security-savvy developers to contribute to our top-level project within the Apache Software Foundation and to develop the Hadoop ecosystem!
