Hortonworks から最新情報をメールで受け取る






Sandbox をダウンロード


Apache プロジェクト
Apache Knox Gateway

Apache Knox Gateway



Secure entry point for Hadoop clusters

The Apache Knox Gateway (“Knox”) provides perimeter security so that the enterprise can confidently extend Hadoop access to more of those new users while also maintaining compliance with enterprise security policies.

What Knox Does

With YARN as its architectural center, Apache Hadoop continues to attract new engines to run within the data platform, as organizations want to efficiently store their data in a single repository and interact with it for batch, interactive and real-time streaming use cases. More and more independent software vendors (ISVs) are developing applications to run in Hadoop via YARN. This increases the number of users and processing engines that operate simultaneously across a Hadoop cluster, on the same data, at the same time.

The Apache Knox Gateway (“Knox”) provides perimeter security so that the enterprise can confidently extend Hadoop access to more of those new users while also maintaining compliance with enterprise security policies. Knox also simplifies Hadoop security for users who access the cluster data and execute jobs. It integrates with prevalent identity management and SSO systems and allows identities from those enterprise systems to be used for seamless, secure access to Hadoop clusters.

Knox provides perimeter security for Hadoop clusters, with these advantages:

Advantage 説明
Single Point of Access
  • Kerberos Encapsulation
  • Single Hadoop access point
  • REST API hierarchy
  • Consolidated API calls
  • Multi-cluster support
Centralized and Consistent Secure API
  • Eliminates SSH “edge node”
  • Central API management
  • Central audit control
  • Service level authorization
Integrated with Existing IdM Systems
  • SSO – SAMLv2 (Okta), CA Single Sign On
  • LDAP and AD integration
  • SSO for Hadoop UIs (Ranger, Ambari and Atlas)


How Knox Works

A fully secure Hadoop cluster needs Kerberos. Kerberos requires a client side library and complex client side configuration. By encapsulating Kerberos, Knox eliminates the need for client software or client configuration and thus simplifies the access model. In this way, Knox aggregates REST/HTTP calls to various components within the Hadoop ecosystem.

Knox is a stateless reverse proxy framework and can be deployed as a cluster of Knox instances that route requests to Hadoop’s REST APIs. Because Knox is stateless, it scales linearly by adding more Knox nodes as the load increases. A load balancer can route requests to multiple Knox instances.

Knox also intercepts REST/HTTP calls and provides authentication, authorization, audit, URL rewriting, web vulnerability removal and other security services through a series of extensible interceptor pipelines.

Hortonworks Focus for Knox Gateway

The Knox community is working on development efforts to focus on extending the reach of Hadoop services to users outside of the cluster, while further enhancing security.

Focus Planned Enhancements
REST & HTTP services
  • Provide security to all of Hadoop’s REST & HTTP services
  • Support for REST APIs for Apache Ambari, Apache Falcon and Apache Ranger
Enterprise readiness
  • Deeper integration with Apache Ambari to simplify configuration management

Recent Progress in Knox Gateway

Recent releases of Apache Knox Gateway has focused on securely extending access to Apache Hadoop YARNs rich set of APIs and on improving the developer experience in the Apache Knox API Gateway.

Apache Knox Version Progress
Knox 0.9.0*
  • Extends the number of supported services and component UIs that can be proxied through the Gateway
Knox 0.8.0
  • Support for SAML, CAS and other providers for KnoxSSO
Knox 0.7.0
  • Knox CLI diagnostics and testing commands
  • Regex based identity assertion provider
  • JWT/SSO cookie based federation provider
  • CORS support
Knox 0.6.0
  • Configuration-driven facility to add new components  – Knox Stacks
  • Optimized LDAP authentication through caching
  • Support for 2 way SSL queries
Knox 0.5.0
  • HDFS の HA をサポート
  • Installation and configuration with Apache Ambari
  • Apache Ranger によるサービスレベルの権限付与
  • YARN REST API access
Knox 0.4.0
  • Support for ODBC/JDBC calls via Knox to Apache Hive
  • Support for SSL
  • Full support for Kerberized Hadoop Cluster
  • Filter for removing web app vulnerabilities
Knox 0.3.0
  • Support for Apache Hive, HBase, Hive, Oozie and HDFS REST APIs
  • Initial support for Kerberized Hadoop Cluster*Part of HDP 2.5

*Knox 0.9.0 is part of of HDP 2.5


Knox Tutorials

Knox in the Press