April 23, 2014

Announcing Apache Knox Gateway 0.4.0 for Hadoop Security

The Apache Knox Gateway team is pleased to announce Knox’s first release as an Apache top-level project: Apache Knox Gateway 0.4.0. The team resolved approximately 100 JIRAs for this release and Knox Gateway is now better positioned to provide complete security for REST API access to a Hadoop cluster.

The new features in Knox Gateway 0.4.0 are the features that enterprise security officers expect in a gateway solution:

  • Perimeter security for a Hadoop cluster
  • Support for enterprise group lookup
  • Audit log of all gateway activity
  • Command line tooling for CMF provisioning
  • Protection for web application vulnerabilities
  • Pre-authentication via SSO token
  • And many more…

As a top-level project, Apache Knox Gateway is fully endorsed by the Apache Software Foundation, and this improves coordination between development of Knox and the other core Hadoop projects with which it interacts.

You can take Apache Knox for a test-drive with this tutorial for HDP Sandbox.

Here is more detail on some of the specific features in Knox 0.4.0.

Perimeter Security and Group Lookup Through Apache Shiro

We extended the Apache Shiro provider to pull group memberships from the LDAP directory. It also provides support for dynamic groups.

Group memberships, coupled with an ACL-based authorization provider, form a powerful solution for service-level authorization and perimeter security that can be elegantly integrated with the enterprise directory server.

Audit Log of all Gateway Activity

All interactions that pass through the gateway are recorded in an audit log. This includes the IP and principal of the caller and other relevant attributes of the user, service and resource.

Pluggability within the audit mechanism allows for the use of custom audit stores.

Command Line Tooling for Keys and Passwords

The KnoxCLI utility facilitates creation and management of security artifacts. This allows the user to:

  • Create the master secret,
  • Create and manage password/credential aliases and
  • Generate a self-signed certificate for use as the gateway identity certificate.

The KnoxCLI also provides commands for general gateway management services.

Protection for Web Application Vulnerabilities

This release introduces a Web App Security provider. Cross-site request forgery (CSRF) is the first web app vulnerability addressed for REST APIs, but the Web App Security provider is designed to be extended to protect against other vulnerabilities in the future.

Pre-authentication Via an SSO Token

This feature allows the identity and groups from an external authentication to be propagated and trusted by the Knox Gateway server. It targets integrations with SSO solutions such as CA SiteMinder where HTTP Headers are used to assert the authenticated identity.
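Because the asserted identity arrives in plain HTTP headers, the gateway has to establish that the request really came from the SSO proxy before trusting them. The sketch below is an added example, not Knox code: the header names `SM_USER` and `SM_GROUP`, the proxy address and the function `preauth_identity` are assumptions chosen for illustration.

```python
import ipaddress

# Assumed SiteMinder-style header names; not taken from the article.
USER_HEADER = "sm_user"
GROUP_HEADER = "sm_group"

# Constructed allowlist: only the SSO proxy may assert identity headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.10/32")]


class PreAuthError(Exception):
    """Raised when asserted identity headers must not be trusted."""


def preauth_identity(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return (principal, groups) asserted by a trusted SSO proxy.

    peer_ip is the TCP peer address of the connection, never a value read
    from a client-controlled header such as X-Forwarded-For.
    headers is a list of (name, value) pairs as received on the wire.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in trusted):
        raise PreAuthError("identity headers from untrusted peer %s" % peer_ip)

    seen = {}
    for name, value in headers:
        key = name.strip().lower()  # header names are case-insensitive
        if key in (USER_HEADER, GROUP_HEADER):
            # Two copies of an identity header mean something upstream
            # appended instead of overwriting: refuse rather than guess.
            if key in seen:
                raise PreAuthError("duplicate identity header %s" % name)
            seen[key] = value.strip()

    principal = seen.get(USER_HEADER, "")
    if not principal:
        raise PreAuthError("missing principal header")
    groups = [g.strip() for g in seen.get(GROUP_HEADER, "").split(",") if g.strip()]
    return principal, groups


if __name__ == "__main__":
    # Constructed request as forwarded by the trusted proxy.
    print(preauth_identity("10.0.5.10",
                           [("SM_USER", "alice"), ("SM_GROUP", "analysts, admin")]))
```

The same check only holds if the gateway is unreachable except through the SSO proxy, or if the proxy strips these headers from inbound client requests before setting its own.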

The Apache Knox Gateway community is already looking forward to the next release—to improve existing features and to add new protections for Hadoop clusters.

The Knox Gateway project is always looking for more security-savvy developers to contribute to our top-level project within the Apache Software Foundation and to develop the Hadoop ecosystem!




AppValley iOS says:

Very informative article, thanks a lot for writing.

Test Dpc Android says:

Thank you so much for releasing the 0.4.0 version. I liked it a lot.

Tweakbox iOS says:

Thank you so much for the update. When is the final version of Apache Knox Gateway releasing?
