Repository: knox Updated Branches: refs/heads/master e1ef89a7b -> 148c6adbe
KNOX-702 - Templates for AD and Application Hosting Topologies Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/56615528 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/56615528 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/56615528 Branch: refs/heads/master Commit: 566155285031dbd8b01527072a586a9ddcb65142 Parents: e1ef89a Author: Larry McCay <lmc...@hortonworks.com> Authored: Sat Apr 2 12:45:10 2016 -0400 Committer: Larry McCay <lmc...@hortonworks.com> Committed: Sat Apr 2 12:45:10 2016 -0400 ---------------------------------------------------------------------- .../home/conf/topologies/knoxsso.xml | 23 ++--- gateway-release/home/templates/ad.xml | 65 +++++--------- gateway-release/home/templates/sandbox-apps.xml | 89 ++++++++++++++++++++ 3 files changed, 118 insertions(+), 59 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/56615528/gateway-release/home/conf/topologies/knoxsso.xml ---------------------------------------------------------------------- diff --git a/gateway-release/home/conf/topologies/knoxsso.xml b/gateway-release/home/conf/topologies/knoxsso.xml index 56700dd..7e962cf 100644 --- a/gateway-release/home/conf/topologies/knoxsso.xml +++ b/gateway-release/home/conf/topologies/knoxsso.xml @@ -16,8 +16,13 @@ limitations under the License. --> <topology> - <gateway> + <provider> + <role>webappsec</role> + <name>WebAppSec</name> + <enabled>true</enabled> + <param><name>xframe.options.enabled</name><value>true</value></param> + </provider> <provider> <role>authentication</role> 
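Review bot: The removed `-  <gateway>` start tag is not added back anywhere in this hunk, yet the authentication `<provider>` that follows is kept as context, so the providers become direct children of `<topology>` and the `</gateway>` that presumably still closes the section later in the file (outside this hunk) would be left unmatched. As far as I can tell Knox reads providers from under the gateway element, so even if the file still parses, the new WebAppSec provider and its `xframe.options.enabled` setting may be silently ignored instead of applied. I would keep `  <gateway>` as the line before the new `    <provider>` so the webappsec provider sits inside it alongside the authentication provider. The new sandbox-apps.xml template in the last hunk places its webappsec provider outside `<gateway>` in the same way.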
@@ -76,22 +81,6 @@ <enabled>true</enabled> </provider> - <!-- - Defines rules for mapping host names internal to a Hadoop cluster to externally accessible host names. - For example, a hadoop service running in AWS may return a response that includes URLs containing the - some AWS internal host name. If the client needs to make a subsequent request to the host identified - in those URLs they need to be mapped to external host names that the client Knox can use to connect. - - If the external hostname and internal host names are same turn of this provider by setting the value of - enabled parameter as false. - - The name parameter specifies the external host names in a comma separated list. - The value parameter specifies corresponding internal host names in a comma separated list. - - Note that when you are using Sandbox, the external hostname needs to be localhost, as seen in out - of box sandbox.xml. This is because Sandbox uses port mapping to allow clients to connect to the - Hadoop services using localhost. In real clusters, external host names would almost never be localhost. - --> <provider> <role>hostmap</role> <name>static</name> http://git-wip-us.apache.org/repos/asf/knox/blob/56615528/gateway-release/home/templates/ad.xml ---------------------------------------------------------------------- diff --git a/gateway-release/home/templates/ad.xml b/gateway-release/home/templates/ad.xml index 8586a61..3398f13 100644 --- a/gateway-release/home/templates/ad.xml +++ b/gateway-release/home/templates/ad.xml 
@@ -18,52 +18,33 @@ <topology> <gateway> - <provider> <role>authentication</role> <name>ShiroProvider</name> <enabled>true</enabled> - <param> - <!-- - session timeout in minutes, this is really idle timeout, - defaults to 30mins, if the property value is not defined,, - current client authentication would expire if client idles contiuosly for more than this value - --> - <name>sessionTimeout</name> - <value>30</value> - </param> - <param> - <name>main.ldapRealm</name> - <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value> - </param> - <param> - <name>main.ldapContextFactory</name> - <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value> - </param> - <param> - <name>main.ldapRealm.contextFactory</name> - <value>$ldapContextFactory</value> - </param> - <param> - <name>main.ldapRealm.userDnTemplate</name> - <!-- If your AD is configured to authenticate based on just the cn and password and does not require user DN, - you do not have to specify value for main.ldapRealm.userDnTemplate. 
--> - <!-- ADJUST template for your AD DIT model --> - <value>cn={0},cn=users,dc=sample,dc=example,dc=com</value> - </param> - <param> - <name>main.ldapRealm.contextFactory.url</name> - <!-- ADJUST host, port for your AD setup--> - <value>ldap://ad.example.com:389</value> - </param> - <param> - <name>main.ldapRealm.contextFactory.authenticationMechanism</name> - <value>simple</value> - </param> - <param> - <name>urls./**</name> - <value>authcBasic</value> - </param> + <param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/> + <param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"/> + <param name="main.ldapRealm.contextFactory" value="$ldapContextFactory"/> + + <param name="main.ldapRealm.contextFactory.url" value="ldap://ad.qa.your-domain.com:389"/> + <param name="main.ldapRealm.contextFactory.systemUsername" value="CN=sam,CN=Users,DC=hwqe,DC=hortonworks,DC=com"/> + <param name="main.ldapRealm.contextFactory.systemPassword" value="********"/> + + <param name="main.ldapRealm.userSearchBase" value="CN=Users,DC=hwqe,DC=hortonworks,DC=com"/> + <param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/> + <param name="main.ldapRealm.userObjectClass" value="person"/> + + <param name="main.ldapRealm.authorizationEnabled" value="true"/> + <param name="main.ldapRealm.groupSearchBase" value="OU=groups,DC=hwqe,DC=hortonworks,DC=com"/> + <param name="main.ldapRealm.groupObjectClass" value="group"/> + <param name="main.ldapRealm.groupIdAttribute" value="sAMAccountName"/> + <param name="main.ldapRealm.memberAttribute" value="member"/> + + <param name="main.cacheManager" value="org.apache.shiro.cache.ehcache.EhCacheManager"/> + <param name="main.securityManager.cacheManager" value="$cacheManager"/> + <param name="main.ldapRealm.authenticationCachingEnabled" value="true"/> + + <param name="urls./**" value="authcBasic"/> </provider> <provider> 
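Review bot: The new `main.ldapRealm.contextFactory.systemPassword` param ships a cleartext value (`********`), and the bind DN and search bases name a specific internal directory (`DC=hwqe,DC=hortonworks,DC=com`) while the URL uses `ad.qa.your-domain.com`, so the placeholders are inconsistent and a copied template carries the bind password in plain text in the topology file. Since templates are copied as-is into deployments, the password should be referenced from the credential store rather than written inline, e.g. `<param name="main.ldapRealm.contextFactory.systemPassword" value="${ALIAS=ldcSystemPassword}"/>` if this release supports topology alias references, and the DN values should use neutral placeholders such as `DC=your-domain,DC=com`. The hunk also drops the old `<!-- ADJUST host, port for your AD setup-->` comments; one `<!-- ADJUST url, system user DN/password, search bases and group attributes for your AD -->` above the first URL param would restore that guidance. The enclosing `<gateway>` and `<topology>` elements continue outside this hunk.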
http://git-wip-us.apache.org/repos/asf/knox/blob/56615528/gateway-release/home/templates/sandbox-apps.xml ----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/sandbox-apps.xml b/gateway-release/home/templates/sandbox-apps.xml
new file mode 100644
index 0000000..bed6470
--- /dev/null
+++ b/gateway-release/home/templates/sandbox-apps.xml
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+ <provider>
+ <role>webappsec</role>
+ <name>WebAppSec</name>
+ <enabled>true</enabled>
+ <param><name>xframe.options.enabled</name><value>true</value></param>
+ <param><name>csrf.enabled</name><value>true</value></param>
+ </provider>
+
+ <gateway>
+ <provider>
+ <role>federation</role>
+ <name>SSOCookieProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <name>sso.authentication.provider.url</name>
+ <value>https://www.local.com:8443/gateway/knoxsso/knoxauth/login.html</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Default</name>
+ <enabled>true</enabled>
+ </provider>
+ </gateway>
+
+ <!--application>
+ <name>knoxplorer</name>
+ </application-->
+
+ <service>
+ <role>NAMENODE</role>
+ <url>hdfs://localhost:8020</url>
+ </service>
+
+ <service>
+ <role>JOBTRACKER</role>
+ <url>rpc://localhost:8050</url>
+ </service>
+
+ <service>
+ <role>WEBHDFS</role>
+ <url>http://localhost:50070/webhdfs</url>
+ </service>
+
+ <service>
+ <role>WEBHCAT</role>
+ <url>http://localhost:50111/templeton</url>
+ </service>
+
+ <service>
+ <role>OOZIE</role>
+ <url>http://localhost:11000/oozie</url>
+ </service>
+
+ <service>
+ <role>WEBHBASE</role>
+ <url>http://localhost:60080</url>
+ </service>
+
+ <service>
+ <role>HIVE</role>
+ <url>http://localhost:10001/cliservice</url>
+ </service>
+
+ <service>
+ <role>RESOURCEMANAGER</role>
+ <url>http://localhost:8088/ws</url>
+ </service>
+
+</topology>
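Review bot: The federation provider's `sso.authentication.provider.url` points at `https://www.local.com:8443/gateway/knoxsso/knoxauth/login.html`, a registrable public domain name rather than `localhost` like every `<service>` URL in the file, so a deployment that uses the template unchanged would send browsers to a host the operator does not control for login. I would use `https://localhost:8443/gateway/knoxsso/knoxauth/login.html` to match the service entries, or at least add `<!-- ADJUST to the host name of your KnoxSSO gateway -->` above the param so the value is not mistaken for a working default. The webappsec provider sitting outside `<gateway>` is raised on the knoxsso.xml hunk above.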