Author: lmccay
Date: Sun Mar 22 16:47:32 2015
New Revision: 1668408

URL: http://svn.apache.org/r1668408
Log:
document the concat identity assertion provider

Modified:
    knox/site/books/knox-0-6-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/0.6.0/config_id_assertion.md

Modified: knox/site/books/knox-0-6-0/user-guide.html
URL: 
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/user-guide.html?rev=1668408&r1=1668407&r2=1668408&view=diff
==============================================================================
--- knox/site/books/knox-0-6-0/user-guide.html (original)
+++ knox/site/books/knox-0-6-0/user-guide.html Sun Mar 22 16:47:32 2015
@@ -969,7 +969,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop
   <li>determine whether it matches any principal mapping rules and apply them 
appropriately</li>
   <li>determine whether it matches any group principal mapping rules and apply 
them</li>
   <li>if it is determined that the principal will be impersonating another 
through a principal mapping rule then a Subject.doAS is required in order for 
providers farther downstream can determine the appropriate effective principal 
name and groups for the user</li>
-</ol><p>The following configuration is required for asserting the users 
identity to the Hadoop cluster using Pseudo or Simple 
&ldquo;authentication&rdquo; and for using kerberos/SPNEGO for secure 
clusters.</p>
+</ol><h4><a id="Default+Identity+Assertion+Provider"></a>Default Identity 
Assertion Provider</h4><p>The following configuration is required for asserting 
the users identity to the Hadoop cluster using Pseudo or Simple 
&ldquo;authentication&rdquo; and for using kerberos/SPNEGO for secure 
clusters.</p>
 <pre><code>&lt;provider&gt;
     &lt;role&gt;identity-assertion&lt;/role&gt;
     &lt;name&gt;Default&lt;/name&gt;
@@ -1014,7 +1014,17 @@ ldapRealm.userDnTemplate=uid={0},ou=peop
     &lt;name&gt;group.principal.mapping&lt;/name&gt;
     &lt;value&gt;*=users;hdfs=admin&lt;/value&gt;
 &lt;/param&gt;
-</code></pre><p>this configuration indicates that all (*) authenticated users 
are members of the &ldquo;users&rdquo; group and that user &ldquo;hdfs&rdquo; 
is a member of the admin group. Group principal mapping has been added along 
with the authorization provider described in this document.</p><h3><a 
id="Authorization"></a>Authorization</h3><h4><a 
id="Service+Level+Authorization"></a>Service Level Authorization</h4><p>The 
Knox Gateway has an out-of-the-box authorization provider that allows 
administrators to restrict access to the individual services within a Hadoop 
cluster.</p><p>This provider utilizes a simple and familiar pattern of using 
ACLs to protect Hadoop resources by specifying users, groups and ip addresses 
that are permitted access.</p><p>Note: In the examples below {serviceName} 
represents a real service name (e.g. WEBHDFS) and would be replaced with these 
values in an actual configuration.</p><h5><a 
id="Usecases"></a>Usecases</h5><h6><a id="USECASE-1:+Restrict+access+
 to+specific+Hadoop+services+to+specific+Users"></a>USECASE-1: Restrict access 
to specific Hadoop services to specific Users</h6>
+</code></pre><p>this configuration indicates that all (*) authenticated users 
are members of the &ldquo;users&rdquo; group and that user &ldquo;hdfs&rdquo; 
is a member of the admin group. Group principal mapping has been added along 
with the authorization provider described in this document.</p><h4><a 
id="Concat+Identity+Assertion+Provider"></a>Concat Identity Assertion 
Provider</h4><p>The Concat identity assertion provider allows for composition 
of a new user principal through the concatenation of optionally configured 
prefix and/or suffix provider parameters. This is a useful assertion provider 
for converting an incoming identity into a disambiguated identity within the 
Hadoop cluster based on what topology is used to access Hadoop.</p><p>The 
following configuration would convert the user principal into a value that 
represents a domain specific identity where the identities used inside the 
Hadoop cluster represent this same separation.</p>
+<pre><code>&lt;provider&gt;
+    &lt;role&gt;identity-assertion&lt;/role&gt;
+    &lt;name&gt;Concat&lt;/name&gt;
+    &lt;enabled&gt;true&lt;/enabled&gt;
+    &lt;param&gt;
+      &lt;name&gt;concat.suffix&lt;/name&gt;
+      &lt;value&gt;_domain1&lt;/value&gt;
+    &lt;/param&gt;
+&lt;/provider&gt;
+</code></pre><p>The above configuration will result in all user interactions 
through that topology to have their principal communicated to the Hadoop 
cluster with a domain designator concatenated to the username. Possibly useful 
for multi-tenant deployment scenarios.</p><p>In addition to the concat.suffix 
parameter, the provider supports the setting of a prefix through a 
concat.prefix parameter.</p><h3><a 
id="Authorization"></a>Authorization</h3><h4><a 
id="Service+Level+Authorization"></a>Service Level Authorization</h4><p>The 
Knox Gateway has an out-of-the-box authorization provider that allows 
administrators to restrict access to the individual services within a Hadoop 
cluster.</p><p>This provider utilizes a simple and familiar pattern of using 
ACLs to protect Hadoop resources by specifying users, groups and ip addresses 
that are permitted access.</p><p>Note: In the examples below {serviceName} 
represents a real service name (e.g. WEBHDFS) and would be replaced with these 
values i
 n an actual configuration.</p><h5><a id="Usecases"></a>Usecases</h5><h6><a 
id="USECASE-1:+Restrict+access+to+specific+Hadoop+services+to+specific+Users"></a>USECASE-1:
 Restrict access to specific Hadoop services to specific Users</h6>
 <pre><code>&lt;param&gt;
     &lt;name&gt;{serviceName}.acl&lt;/name&gt;
     &lt;value&gt;guest;*;*&lt;/value&gt;
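Review bot: the added Concat section ends directly above the Service Level Authorization ACL example (`{serviceName}.acl` with `guest;*;*`), but the new text never says whether ACL user entries are matched against the incoming name or the concatenated one, for example `guest` versus `guest_domain1` under the `_domain1` suffix shown. Please state which principal the authorization provider evaluates, because an operator who enables Concat on a topology that already has ACLs needs to know whether those entries still match. Since this file is generated, the sentence belongs in config_id_assertion.md.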

Modified: knox/site/index.html
URL: 
http://svn.apache.org/viewvc/knox/site/index.html?rev=1668408&r1=1668407&r2=1668408&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Sun Mar 22 16:47:32 2015
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
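Review bot: the only change in this hunk is the Doxia "Generated by ... at" date moving from 2015-01-12 to 2015-03-22, and the remaining hunks in index.html, issue-tracking.html, license.html, mail-lists.html, project-info.html and team-list.html are the same date bump in the Date-Revision meta tag and the publishDate span. None of it relates to the concat provider documentation named in the log message. Consider committing regenerated site pages separately, or leaving otherwise unchanged pages out, so the content change in user-guide.html is easier to find in the revision.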
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20150112" />
+    <meta name="Date-Revision-yyyymmdd" content="20150322" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2015-01-12</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2015-03-22</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/issue-tracking.html
URL: 
http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1668408&r1=1668407&r2=1668408&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Sun Mar 22 16:47:32 2015
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20150112" />
+    <meta name="Date-Revision-yyyymmdd" content="20150322" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2015-01-12</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2015-03-22</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/license.html
URL: 
http://svn.apache.org/viewvc/knox/site/license.html?rev=1668408&r1=1668407&r2=1668408&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Sun Mar 22 16:47:32 2015
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20150112" />
+    <meta name="Date-Revision-yyyymmdd" content="20150322" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2015-01-12</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2015-03-22</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/mail-lists.html
URL: 
http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1668408&r1=1668407&r2=1668408&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Sun Mar 22 16:47:32 2015
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20150112" />
+    <meta name="Date-Revision-yyyymmdd" content="20150322" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2015-01-12</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2015-03-22</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/project-info.html
URL: 
http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1668408&r1=1668407&r2=1668408&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Sun Mar 22 16:47:32 2015
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20150112" />
+    <meta name="Date-Revision-yyyymmdd" content="20150322" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2015-01-12</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2015-03-22</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/site/team-list.html
URL: 
http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1668408&r1=1668407&r2=1668408&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Sun Mar 22 16:47:32 2015
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-01-12 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-03-22 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
       @import url("./css/site.css");
     </style>
     <link rel="stylesheet" href="./css/print.css" type="text/css" 
media="print" />
-    <meta name="Date-Revision-yyyymmdd" content="20150112" />
+    <meta name="Date-Revision-yyyymmdd" content="20150322" />
     <meta http-equiv="Content-Language" content="en" />
                                                     
 <script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
                         <a 
href="https://cwiki.apache.org/confluence/display/KNOX/Index"; 
class="externalLink" title="Wiki">Wiki</a>
               
                     
-                &nbsp;| <span id="publishDate">Last Published: 
2015-01-12</span>
+                &nbsp;| <span id="publishDate">Last Published: 
2015-03-22</span>
               &nbsp;| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
             </div>
       <div class="clear">

Modified: knox/trunk/books/0.6.0/config_id_assertion.md
URL: 
http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/config_id_assertion.md?rev=1668408&r1=1668407&r2=1668408&view=diff
==============================================================================
--- knox/trunk/books/0.6.0/config_id_assertion.md (original)
+++ knox/trunk/books/0.6.0/config_id_assertion.md Sun Mar 22 16:47:32 2015
@@ -24,6 +24,7 @@ The general responsibilities of the iden
 2. determine whether it matches any group principal mapping rules and apply 
them
 3. if it is determined that the principal will be impersonating another 
through a principal mapping rule then a Subject.doAS is required in order for 
providers farther downstream can determine the appropriate effective principal 
name and groups for the user
 
+#### Default Identity Assertion Provider ####
 The following configuration is required for asserting the users identity to 
the Hadoop cluster using Pseudo or Simple "authentication" and for using 
kerberos/SPNEGO for secure clusters.
 
     <provider>
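Review bot: the paragraph directly under the new "Default Identity Assertion Provider" heading says "asserting the users identity", which should read "the user's identity", and item 3 just above the heading reads "a Subject.doAS is required in order for providers farther downstream can determine". The Java method is Subject.doAs, and the clause needs "so that providers farther downstream can determine". Since this commit restructures the section, fixing both in the Markdown source would also correct the generated user-guide.html.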
@@ -97,4 +98,23 @@ For instance:
 
 this configuration indicates that all (*) authenticated users are members of 
the "users" group and that user "hdfs" is a member of the admin group. Group 
principal mapping has been added along with the authorization provider 
described in this document.
 
+#### Concat Identity Assertion Provider ####
+The Concat identity assertion provider allows for composition of a new user 
principal through the concatenation of optionally configured prefix and/or 
suffix provider parameters. This is a useful assertion provider for converting 
an incoming identity into a disambiguated identity within the Hadoop cluster 
based on what topology is used to access Hadoop.
+
+The following configuration would convert the user principal into a value that 
represents a domain specific identity where the identities used inside the 
Hadoop cluster represent this same separation.
+
+    <provider>
+        <role>identity-assertion</role>
+        <name>Concat</name>
+        <enabled>true</enabled>
+        <param>
+          <name>concat.suffix</name>
+          <value>_domain1</value>
+        </param>
+    </provider>
+
+The above configuration will result in all user interactions through that 
topology to have their principal communicated to the Hadoop cluster with a 
domain designator concatenated to the username. Possibly useful for 
multi-tenant deployment scenarios.
+
+In addition to the concat.suffix parameter, the provider supports the setting 
of a prefix through a concat.prefix parameter.
+
 
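Review bot: the new Concat section does not say whether the principal mapping and group principal mapping rules described for the Default provider also apply when Concat is selected, or whether the prefix and suffix are added before or after such a mapping. Both affect which name and groups reach the cluster, so a sentence on each is worth adding next to the `concat.suffix` example. The section also shows no `concat.prefix` example and does not say what the provider asserts when neither parameter is set. Finally, "Possibly useful for multi-tenant deployment scenarios." is a sentence fragment and could be folded into the preceding sentence.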

