Author: lmccay Date: Sun Mar 22 16:47:32 2015 New Revision: 1668408 URL: http://svn.apache.org/r1668408 Log: document the concat identity assertion provider
Modified: knox/site/books/knox-0-6-0/user-guide.html knox/site/index.html knox/site/issue-tracking.html knox/site/license.html knox/site/mail-lists.html knox/site/project-info.html knox/site/team-list.html knox/trunk/books/0.6.0/config_id_assertion.md Modified: knox/site/books/knox-0-6-0/user-guide.html URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/user-guide.html?rev=1668408&r1=1668407&r2=1668408&view=diff ============================================================================== --- knox/site/books/knox-0-6-0/user-guide.html (original) +++ knox/site/books/knox-0-6-0/user-guide.html Sun Mar 22 16:47:32 2015 @@ -969,7 +969,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop <li>determine whether it matches any principal mapping rules and apply them appropriately</li> <li>determine whether it matches any group principal mapping rules and apply them</li> <li>if it is determined that the principal will be impersonating another through a principal mapping rule then a Subject.doAS is required in order for providers farther downstream can determine the appropriate effective principal name and groups for the user</li> -</ol><p>The following configuration is required for asserting the users identity to the Hadoop cluster using Pseudo or Simple “authentication” and for using kerberos/SPNEGO for secure clusters.</p> +</ol><h4><a id="Default+Identity+Assertion+Provider"></a>Default Identity Assertion Provider</h4><p>The following configuration is required for asserting the users identity to the Hadoop cluster using Pseudo or Simple “authentication” and for using kerberos/SPNEGO for secure clusters.</p> <pre><code><provider> <role>identity-assertion</role> <name>Default</name> 
@@ -1014,7 +1014,17 @@ ldapRealm.userDnTemplate=uid={0},ou=peop <name>group.principal.mapping</name> <value>*=users;hdfs=admin</value> </param> -</code></pre><p>this configuration indicates that all (*) authenticated users are members of the “users” group and that user “hdfs” is a member of the admin group. Group principal mapping has been added along with the authorization provider described in this document.</p><h3><a id="Authorization"></a>Authorization</h3><h4><a id="Service+Level+Authorization"></a>Service Level Authorization</h4><p>The Knox Gateway has an out-of-the-box authorization provider that allows administrators to restrict access to the individual services within a Hadoop cluster.</p><p>This provider utilizes a simple and familiar pattern of using ACLs to protect Hadoop resources by specifying users, groups and ip addresses that are permitted access.</p><p>Note: In the examples below {serviceName} represents a real service name (e.g. WEBHDFS) and would be replaced with these values in an actual configuration.</p><h5><a id="Usecases"></a>Usecases</h5><h6><a id="USECASE-1:+Restrict+access+ to+specific+Hadoop+services+to+specific+Users"></a>USECASE-1: Restrict access to specific Hadoop services to specific Users</h6> +</code></pre><p>this configuration indicates that all (*) authenticated users are members of the “users” group and that user “hdfs” is a member of the admin group. Group principal mapping has been added along with the authorization provider described in this document.</p><h4><a id="Concat+Identity+Assertion+Provider"></a>Concat Identity Assertion Provider</h4><p>The Concat identity assertion provider allows for composition of a new user principal through the concatenation of optionally configured prefix and/or suffix provider parameters. 
This is a useful assertion provider for converting an incoming identity into a disambiguated identity within the Hadoop cluster based on what topology is used to access Hadoop.</p><p>The following configuration would convert the user principal into a value that represents a domain specific identity where the identities used inside the Hadoop cluster represent this same separation.</p> +<pre><code><provider> + <role>identity-assertion</role> + <name>Concat</name> + <enabled>true</enabled> + <param> + <name>concat.suffix</name> + <value>_domain1</value> + </param> +</provider> +</code></pre><p>The above configuration will result in all user interactions through that topology to have their principal communicated to the Hadoop cluster with a domain designator concatenated to the username. Possibly useful for multi-tenant deployment scenarios.</p><p>In addition to the concat.suffix parameter, the provider supports the setting of a prefix through a concat.prefix parameter.</p><h3><a id="Authorization"></a>Authorization</h3><h4><a id="Service+Level+Authorization"></a>Service Level Authorization</h4><p>The Knox Gateway has an out-of-the-box authorization provider that allows administrators to restrict access to the individual services within a Hadoop cluster.</p><p>This provider utilizes a simple and familiar pattern of using ACLs to protect Hadoop resources by specifying users, groups and ip addresses that are permitted access.</p><p>Note: In the examples below {serviceName} represents a real service name (e.g. 
WEBHDFS) and would be replaced with these values i n an actual configuration.</p><h5><a id="Usecases"></a>Usecases</h5><h6><a id="USECASE-1:+Restrict+access+to+specific+Hadoop+services+to+specific+Users"></a>USECASE-1: Restrict access to specific Hadoop services to specific Users</h6> <pre><code><param> <name>{serviceName}.acl</name> <value>guest;*;*</value> Modified: knox/site/index.html URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1668408&r1=1668407&r2=1668408&view=diff ============================================================================== --- knox/site/index.html (original) +++ knox/site/index.html Sun Mar 22 16:47:32 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150112" /> + <meta name="Date-Revision-yyyymmdd" content="20150322" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-01-12</span> + | <span id="publishDate">Last Published: 2015-03-22</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/issue-tracking.html URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1668408&r1=1668407&r2=1668408&view=diff ============================================================================== --- knox/site/issue-tracking.html (original) +++ knox/site/issue-tracking.html Sun Mar 22 16:47:32 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150112" /> + <meta name="Date-Revision-yyyymmdd" content="20150322" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-01-12</span> + | <span id="publishDate">Last Published: 2015-03-22</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/license.html URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1668408&r1=1668407&r2=1668408&view=diff ============================================================================== --- knox/site/license.html (original) +++ knox/site/license.html Sun Mar 22 16:47:32 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150112" /> + <meta name="Date-Revision-yyyymmdd" content="20150322" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-01-12</span> + | <span id="publishDate">Last Published: 2015-03-22</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/mail-lists.html URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1668408&r1=1668407&r2=1668408&view=diff ============================================================================== --- knox/site/mail-lists.html (original) +++ knox/site/mail-lists.html Sun Mar 22 16:47:32 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150112" /> + <meta name="Date-Revision-yyyymmdd" content="20150322" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-01-12</span> + | <span id="publishDate">Last Published: 2015-03-22</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/project-info.html URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1668408&r1=1668407&r2=1668408&view=diff ============================================================================== --- knox/site/project-info.html (original) +++ knox/site/project-info.html Sun Mar 22 16:47:32 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150112" /> + <meta name="Date-Revision-yyyymmdd" content="20150322" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-01-12</span> + | <span id="publishDate">Last Published: 2015-03-22</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/team-list.html URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1668408&r1=1668407&r2=1668408&view=diff ============================================================================== --- knox/site/team-list.html (original) +++ knox/site/team-list.html Sun Mar 22 16:47:32 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150112" /> + <meta name="Date-Revision-yyyymmdd" content="20150322" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-01-12</span> + | <span id="publishDate">Last Published: 2015-03-22</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/trunk/books/0.6.0/config_id_assertion.md URL: http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/config_id_assertion.md?rev=1668408&r1=1668407&r2=1668408&view=diff ============================================================================== --- knox/trunk/books/0.6.0/config_id_assertion.md (original) +++ knox/trunk/books/0.6.0/config_id_assertion.md Sun Mar 22 16:47:32 2015 @@ -24,6 +24,7 @@ The general responsibilities of the iden 2. determine whether it matches any group principal mapping rules and apply them 3. if it is determined that the principal will be impersonating another through a principal mapping rule then a Subject.doAS is required in order for providers farther downstream can determine the appropriate effective principal name and groups for the user +#### Default Identity Assertion Provider #### The following configuration is required for asserting the users identity to the Hadoop cluster using Pseudo or Simple "authentication" and for using kerberos/SPNEGO for secure clusters. <provider> 
@@ -97,4 +98,23 @@ For instance: this configuration indicates that all (*) authenticated users are members of the "users" group and that user "hdfs" is a member of the admin group. Group principal mapping has been added along with the authorization provider described in this document. +#### Concat Identity Assertion Provider #### +The Concat identity assertion provider allows for composition of a new user principal through the concatenation of optionally configured prefix and/or suffix provider parameters. This is a useful assertion provider for converting an incoming identity into a disambiguated identity within the Hadoop cluster based on what topology is used to access Hadoop. + +The following configuration would convert the user principal into a value that represents a domain specific identity where the identities used inside the Hadoop cluster represent this same separation. + + <provider> + <role>identity-assertion</role> + <name>Concat</name> + <enabled>true</enabled> + <param> + <name>concat.suffix</name> + <value>_domain1</value> + </param> + </provider> + +The above configuration will result in all user interactions through that topology to have their principal communicated to the Hadoop cluster with a domain designator concatenated to the username. Possibly useful for multi-tenant deployment scenarios. + +In addition to the concat.suffix parameter, the provider supports the setting of a prefix through a concat.prefix parameter. +
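Review bot: in the config_id_assertion.md hunk at @@ -24,6 +24,7 @@ the added line `+#### Default Identity Assertion Provider ####` follows list item 3 with no blank line in between (the hunk grows the file by exactly one line), and some Markdown renderers fold a heading that directly follows a list item into that list. Add an empty line before the heading so it renders as a standalone section heading like the `#### Concat Identity Assertion Provider ####` heading later in the same file.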
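Review bot: in the config_id_assertion.md hunk at @@ -97,4 +98,23 @@ the new Concat section names `concat.prefix` as supported but shows neither its form nor what the asserted principal looks like after the rewrite, and it does not say whether downstream ACLs such as `{serviceName}.acl` are evaluated against the original or the concatenated name. Suggest stating the resulting value explicitly (for the shown config, a user authenticating as `guest` would be communicated to the cluster as `guest_domain1`), showing a `concat.prefix` param alongside `concat.suffix`, and saying which principal form the authorization provider described later in the document compares against, since an ACL written for the pre-concatenation name will otherwise silently stop matching.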
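Review bot: in the user-guide.html hunk at @@ -1014,7 +1014,17 @@ the regenerated `+` paragraph reads "would be replaced with these values i n an actual configuration" where the removed `-` line had "in", and the `USECASE-1` anchor id differs from the removed line by whitespace. If these differences are in the generated HTML rather than artifacts of the diff view, check the source Markdown before the next site regeneration so the split word and the changed anchor id do not ship in the published user guide.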
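Review bot: the hunks for index.html, issue-tracking.html, license.html, mail-lists.html, project-info.html and team-list.html change only the Doxia generation timestamp comment, the `Date-Revision-yyyymmdd` meta and the "Last Published" span from 2015-01-12 to 2015-03-22, and all still carry `Version: 0.0.0-SNAPSHOT`. Suggest leaving regenerated pages with date-only changes out of a documentation commit so the reviewable diff is limited to user-guide.html and config_id_assertion.md, and publishing the site from a build that sets the real project version rather than the SNAPSHOT placeholder.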