Apache Knox Gateway
A single point of secure access for Hadoop clusters
Hortonworks Focus for Knox Gateway
The Knox community is focusing its development efforts on extending the reach of Hadoop services to users outside of the cluster, while further enhancing security.
|REST & HTTP services||
|Deeper integration for authentication||
Recent Progress in Knox Gateway
Recent releases of Apache Knox Gateway have focused on securely extending access to Apache Hadoop YARN's rich set of APIs and on improving the developer experience in the Apache Knox API Gateway.
|Apache Knox Version||Progress|
What Knox Does
Knox provides perimeter security for Hadoop clusters, with these advantages:
|Simplified access||Extend Hadoop’s REST/HTTP services by encapsulating Kerberos within the cluster|
|Enhanced security||Expose Hadoop’s REST/HTTP services without revealing network details, with SSL provided out of the box|
|Centralized control||Centrally enforce REST API security and route requests to multiple Hadoop clusters|
|Enterprise integration||Support LDAP, Active Directory, SSO, SAML and other authentication systems|
How Knox Works
A fully secure Hadoop cluster needs Kerberos. Kerberos requires a client-side library and complex client-side configuration. By encapsulating Kerberos, Knox eliminates the need for client software or client configuration and thus simplifies the access model. In this way, Knox aggregates REST/HTTP calls to various components within the Hadoop ecosystem.
Knox is a stateless reverse proxy framework and can be deployed as a cluster of Knox instances that route requests to Hadoop’s REST APIs. Because Knox is stateless, it scales linearly by adding more Knox nodes as the load increases. A load balancer can route requests to multiple Knox instances.
Knox also intercepts REST/HTTP calls and provides authentication, authorization, audit, URL rewriting, web vulnerability removal and other security services through a series of extensible interceptor pipelines.
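The interceptor-pipeline idea described above, as a small added sketch that is not Knox's own code: each request passes through authentication, routing (inbound URL rewrite), authorization and audit, and the response's `Location` header is rewritten so no internal host reaches the client. All hosts, users and function names are constructed, and the `backend` callable stands in for the gateway's own authenticated call into the cluster.

```python
# Toy gateway pipeline; hosts, users and names are constructed, not Knox code.
import base64
import hmac

GATEWAY = "https://gw.example.com:8443/gateway/sandbox"      # public address
BACKENDS = {"webhdfs": "http://nn1.internal:50070/webhdfs"}   # hidden from clients
USERS = {"alice": "s3cret", "bob": "hunter2"}                 # stand-in for LDAP/AD
ACL = {"webhdfs": {"alice"}}                                  # service -> allowed users
AUDIT = []                                                    # (user, url, status)

class Reject(Exception):
    """Raised by a pipeline step; args[0] is the HTTP status to return."""

def authenticate(req):
    scheme, _, blob = req["headers"].get("Authorization", "").partition(" ")
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:
        raise Reject(401)
    known = USERS.get(user)
    if scheme != "Basic" or known is None or not hmac.compare_digest(pw.encode(), known.encode()):
        raise Reject(401)
    req["user"] = user

def route(req):
    # Inbound rewrite: map the public gateway path onto the internal service URL.
    service, _, tail = req["url"][len(GATEWAY) + 1:].partition("/")
    if not req["url"].startswith(GATEWAY + "/") or service not in BACKENDS:
        raise Reject(404)
    req["service"], req["backend_url"] = service, BACKENDS[service] + "/" + tail

def authorize(req):
    if req["user"] not in ACL.get(req["service"], ()):
        raise Reject(403)

def rewrite_out(service, headers):
    loc, base = headers.pop("Location", None), BACKENDS[service]
    if loc and loc.startswith(base + "/"):
        headers["Location"] = GATEWAY + "/" + service + loc[len(base):]
    return headers  # any other Location is dropped so no internal host leaks

def handle(req, backend):
    try:
        for step in (authenticate, route, authorize):
            step(req)
        status, headers = backend(req["backend_url"], req["user"])
    except Reject as r:
        status, headers = r.args[0], {}
    AUDIT.append((req.get("user"), req["url"], status))  # every outcome is audited
    return status, (rewrite_out(req["service"], headers) if headers else headers)
```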