Configuring Proxy with Apache Knox
Also available as:
PDF
loading table of contents...

Configuring the Knox Gateway

This section describes how to configure the Knox Gateway (proxy).

Knox Master Secret Overview

The master secret is required to start the gateway. The secret protects artifacts used by the gateway instance, such as the keystore, trust stores and credential stores.

You configure the gateway to persist the master secret, which is saved in the $gatewaydir/data/security/master file. Ensure that this directory has the appropriate permissions set for your environment.

Note
Note
Ensure that the security directory, $gatewaydir/data/security, and its contents are readable and writable only by the knox user. This is the most important layer of defense for master secret. Do not assume that the encryption is sufficient protection.

You may persist the master secret by supplying the -persist-master switch at startup. This will result in a warning indicating that persisting the secret is less secure than providing it at startup. We do make some provisions in order to protect the persisted password.

It is encrypted with AES 128 bit encryption and where possible the file permissions are set to only be accessible by the user that the gateway is running as.

After persisting the secret, ensure that the file at config/security/master has the appropriate permissions set for your environment. This is probably the most important layer of defense for master secret. Do not assume that the encryption if sufficient protection.

A specific user should be created to run the gateway this user will be the only user with permissions for the persisted master file.

You set the master secret during Knox installation.

Knox-Supported Services with Proxy

Table 1. Knox Supported Components
Component Proxy (API) Proxy (UI)
Ambari
Ambari Metrics/Grafana
Atlas
HBase 1 2
HDFS
Hive (via JDBC)
Hive (via WebHCat)
Livy
Log Search
MapReduce2
Oozie
Ranger 3
SmartSense
Spark 2/SHS
WebHCat/Templeton
WebHDFS
YARN
Zeppelin
Note
Note

APIs, UIs, and SSO in the Apache Knox project that are not listed above are considered Community Features.

Community Features are developed and tested by the Apache Knox community but are not officially supported by Hortonworks. These features are excluded for a variety of reasons, including insufficient reliability or incomplete test case coverage, declaration of non-production readiness by the community at large, and feature deviation from Hortonworks best practices. Do not use these features in your production environments.​

1 Stargate
2 Thrift server
3 Admin Console