Author: lmccay
Date: Sun Apr 24 16:33:46 2016
New Revision: 1740710

URL: http://svn.apache.org/viewvc?rev=1740710&view=rev
Log:
Updating site for 0.9.0 release

Modified: knox/site/books/knox-0-4-0/deployment-overview.png knox/site/books/knox-0-4-0/deployment-provider.png knox/site/books/knox-0-4-0/deployment-service.png knox/site/books/knox-0-4-0/runtime-overview.png knox/site/books/knox-0-4-0/runtime-request-processing.png knox/site/books/knox-0-5-0/deployment-overview.png knox/site/books/knox-0-5-0/deployment-provider.png knox/site/books/knox-0-5-0/deployment-service.png knox/site/books/knox-0-5-0/runtime-overview.png knox/site/books/knox-0-5-0/runtime-request-processing.png knox/site/books/knox-0-6-0/deployment-overview.png knox/site/books/knox-0-6-0/deployment-provider.png knox/site/books/knox-0-6-0/deployment-service.png knox/site/books/knox-0-6-0/runtime-overview.png knox/site/books/knox-0-6-0/runtime-request-processing.png knox/site/books/knox-0-7-0/deployment-overview.png knox/site/books/knox-0-7-0/deployment-provider.png knox/site/books/knox-0-7-0/deployment-service.png knox/site/books/knox-0-7-0/general_saml_flow.png knox/site/books/knox-0-7-0/runtime-overview.png knox/site/books/knox-0-7-0/runtime-request-processing.png knox/site/books/knox-0-8-0/deployment-overview.png knox/site/books/knox-0-8-0/deployment-provider.png knox/site/books/knox-0-8-0/deployment-service.png knox/site/books/knox-0-8-0/general_saml_flow.png knox/site/books/knox-0-8-0/runtime-overview.png knox/site/books/knox-0-8-0/runtime-request-processing.png knox/site/books/knox-0-9-0/deployment-overview.png knox/site/books/knox-0-9-0/deployment-provider.png knox/site/books/knox-0-9-0/deployment-service.png knox/site/books/knox-0-9-0/general_saml_flow.png knox/site/books/knox-0-9-0/runtime-overview.png knox/site/books/knox-0-9-0/runtime-request-processing.png knox/site/books/knox-0-9-0/user-guide.html knox/site/index.html knox/site/issue-tracking.html knox/site/license.html knox/site/mail-lists.html knox/site/project-info.html knox/site/team-list.html knox/trunk/books/0.9.0/book.md knox/trunk/books/0.9.0/config_webappsec_provider.md 
knox/trunk/books/pom.xml knox/trunk/pom.xml knox/trunk/src/site/markdown/index.md knox/trunk/src/site/site.xml Modified: knox/site/books/knox-0-4-0/deployment-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-4-0/deployment-provider.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-provider.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-4-0/deployment-service.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-service.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-4-0/runtime-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-4-0/runtime-request-processing.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-request-processing.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-5-0/deployment-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. 
Modified: knox/site/books/knox-0-5-0/deployment-provider.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-provider.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-5-0/deployment-service.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-service.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-5-0/runtime-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-5-0/runtime-request-processing.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-request-processing.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-6-0/deployment-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-6-0/deployment-provider.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-provider.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. 
Modified: knox/site/books/knox-0-6-0/deployment-service.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-service.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-6-0/runtime-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-6-0/runtime-request-processing.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-request-processing.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-7-0/deployment-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-7-0/deployment-provider.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-provider.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-7-0/deployment-service.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-service.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. 
Modified: knox/site/books/knox-0-7-0/general_saml_flow.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/general_saml_flow.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-7-0/runtime-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-7-0/runtime-request-processing.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-request-processing.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-8-0/deployment-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/deployment-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-8-0/deployment-provider.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/deployment-provider.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-8-0/deployment-service.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/deployment-service.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. 
Modified: knox/site/books/knox-0-8-0/general_saml_flow.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/general_saml_flow.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-8-0/runtime-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/runtime-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-8-0/runtime-request-processing.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/runtime-request-processing.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-9-0/deployment-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/deployment-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-9-0/deployment-provider.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/deployment-provider.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-9-0/deployment-service.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/deployment-service.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. 
Modified: knox/site/books/knox-0-9-0/general_saml_flow.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/general_saml_flow.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-9-0/runtime-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/runtime-overview.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-9-0/runtime-request-processing.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/runtime-request-processing.png?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-9-0/user-guide.html URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/user-guide.html?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/site/books/knox-0-9-0/user-guide.html (original) +++ knox/site/books/knox-0-9-0/user-guide.html Sun Apr 24 16:33:46 2016 
@@ -13,7 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ---><p><link href="book.css" rel="stylesheet"/></p><p><img src="knox-logo.gif" alt="Knox"/> <!-- <img src="apache-logo.gif" alt="Apache"/> --> <img src="apache-logo.gif" align="right" alt="Apache"/></p><h1><a id="Apache+Knox+Gateway+0.8.x+User's+Guide">Apache Knox Gateway 0.8.x User’s Guide</a> <a href="#Apache+Knox+Gateway+0.8.x+User's+Guide"><img src="markbook-section-link.png"/></a></h1><h2><a id="Table+Of+Contents">Table Of Contents</a> <a href="#Table+Of+Contents"><img src="markbook-section-link.png"/></a></h2> +--><p><link href="book.css" rel="stylesheet"/></p><p><img src="knox-logo.gif" alt="Knox"/> <!-- <img src="apache-logo.gif" alt="Apache"/> --> <img src="apache-logo.gif" align="right" alt="Apache"/></p><h1><a id="Apache+Knox+Gateway+0.9.x+User's+Guide">Apache Knox Gateway 0.9.x User’s Guide</a> <a href="#Apache+Knox+Gateway+0.9.x+User's+Guide"><img src="markbook-section-link.png"/></a></h1><h2><a id="Table+Of+Contents">Table Of Contents</a> <a href="#Table+Of+Contents"><img src="markbook-section-link.png"/></a></h2> <ul> <li><a href="#Introduction">Introduction</a></li> <li><a href="#Quick+Start">Quick Start</a></li> 
@@ -38,7 +38,12 @@ <li><a href="#Authorization">Authorization</a></li> <li><a href="#Secure+Clusters">Secure Clusters</a></li> <li><a href="#High+Availability">High Availability</a></li> - <li><a href="#Web+App+Security+Provider">Web App Security Provider</a></li> + <li><a href="#Web+App+Security+Provider">Web App Security Provider</a> + <ul> + <li><a href="#CSRF">CSRF</a></li> + <li><a href="#CORS">CORS</a></li> + <li><a href="#X-Frame-Options">X-Frame-Options</a></li> + </ul></li> <li><a href="#Preauthenticated+SSO+Provider">Preauthenticated SSO Provider</a></li> <li><a href="#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect">Pac4j Provider - CAS / OAuth / SAML / OpenID Connect</a></li> <li><a href="#KnoxSSO+Setup+and+Configuration">KnoxSSO Setup and Configuration</a></li> @@ -2056,6 +2061,7 @@ APACHE_HOME/bin/apachectl -k stop <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param> <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param> <param><name>cors.enabled</name><value>true</value></param> + <param><name>xframe-options.enabled</name><value>true</value></param> </provider> </code></pre><h4><a id="Descriptions">Descriptions</a> <a href="#Descriptions"><img src="markbook-section-link.png"/></a></h4><p>The following tables describes the configuration options for the web app security provider:</p><h5><a id="CSRF">CSRF</a> <a href="#CSRF"><img src="markbook-section-link.png"/></a></h5><h6><a id="Config">Config</a> <a href="#Config"><img src="markbook-section-link.png"/></a></h6> <table> 
@@ -2146,6 +2152,27 @@ APACHE_HOME/bin/apachectl -k stop <td>false</td> </tr> </tbody> +</table><h5><a id="X-Frame-Options">X-Frame-Options</a> <a href="#X-Frame-Options"><img src="markbook-section-link.png"/></a></h5><p>Cross Frame Scripting and Clickjacking are attackes that can be prevented by controlling the ability for a third-party to embed an application or resource within a Frame, IFrame or Object html element. This can be done adding the X-Frame-Options HTTP header to responses.</p><h6><a id="Config">Config</a> <a href="#Config"><img src="markbook-section-link.png"/></a></h6> +<table> + <thead> + <tr> + <th>Name </th> + <th>Description </th> + <th>Default</th> + </tr> + </thead> + <tbody> + <tr> + <td>xframe-options.enabled </td> + <td>This param enables the X-Frame-Options capabilities</td> + <td>false</td> + </tr> + <tr> + <td>xframe-options.value </td> + <td>This param specifies a particular value for the X-Frame-Options header. Most often the default value of DENY will be most appropriate. You can also use SAMEORIGIN or ALLOW-FROM uri</td> + <td>DENY</td> + </tr> + </tbody> </table><h3><a id="Preauthenticated+SSO+Provider">Preauthenticated SSO Provider</a> <a href="#Preauthenticated+SSO+Provider"><img src="markbook-section-link.png"/></a></h3><p>A number of SSO solutions provide mechanisms for federating an authenticated identity across applications. These mechanisms are at times simple HTTP Header type tokens that can be used to propagate the identity across process boundaries.</p><p>Knox Gateway needs a pluggable mechanism for consuming these tokens and federating the asserted identity through an interaction with the Hadoop cluster. </p><p><strong>CAUTION: The use of this provider requires that proper network security and identity provider configuration and deployment does not allow requests directly to the Knox gateway. 
Otherwise, this provider will leave the gateway exposed to identity spoofing.</strong></p><h4><a id="Configuration">Configuration</a> <a href="#Configuration"><img src="markbook-section-link.png"/></a></h4><h5><a id="Overview">Overvi ew</a> <a href="#Overview"><img src="markbook-section-link.png"/></a></h5><p>This provider was designed for use with identity solutions such as those provided by CA’s SiteMinder and IBM’s Tivoli Access Manager. While direct testing with these products has not been done, there has been extensive unit and functional testing that ensure that it should work with such providers.</p><p>The HeaderPreAuth provider is configured within the topology file and has a minimal configuration that assumes SM_USER for CA SiteMinder. The following example is the bare minimum configuration for SiteMinder (with no IP address validation).</p> <pre><code><provider> <role>federation</role> Modified: knox/site/index.html URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/site/index.html (original) +++ knox/site/index.html Sun Apr 24 16:33:46 2016 @@ -1,13 +1,13 @@ <!DOCTYPE html> <!-- - | Generated by Apache Maven Doxia at 2016-03-24 + | Generated by Apache Maven Doxia at 2016-04-24 | Rendered using Apache Maven Fluido Skin 1.3.0 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> - <meta name="Date-Revision-yyyymmdd" content="20160324" /> + <meta name="Date-Revision-yyyymmdd" content="20160424" /> <meta http-equiv="Content-Language" content="en" /> <title>Knox Gateway – REST API Gateway for the Hadoop Ecosystem</title> <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" /> 
@@ -54,11 +54,11 @@ <ul class="breadcrumb"> - <li id="projectVersion">Version: 0.8.0</li> + <li id="projectVersion">Version: 0.9.0</li> - <li id="publishDate" class="pull-right">Last Published: 2016-03-24</li> + <li id="publishDate" class="pull-right">Last Published: 2016-04-24</li> </ul> </div> @@ -94,21 +94,21 @@ <li> - <a href="books/knox-0-8-0/user-guide.html" title="User's Guide"> + <a href="books/knox-0-9-0/user-guide.html" title="User's Guide"> <i class="none"></i> User's Guide</a> </li> <li> - <a href="books/knox-0-8-0/dev-guide.html" title="Developer's Guide"> + <a href="books/knox-0-9-0/dev-guide.html" title="Developer's Guide"> <i class="none"></i> Developer's Guide</a> </li> <li> - <a href="books/knox-0-8-0/user-guide.html#Quick+Start" title="Quick Start"> + <a href="books/knox-0-9-0/user-guide.html#Quick+Start" title="Quick Start"> <i class="none"></i> Quick Start</a> </li> @@ -130,6 +130,13 @@ <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.9.0" class="externalLink" title="0.9.0"> + <i class="none"></i> + 0.9.0</a> + </li> + + <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.8.0" class="externalLink" title="0.8.0"> <i class="none"></i> 0.8.0</a> 
@@ -355,7 +362,12 @@ limitations under the License. --><div c <div class="section"> <h2><a name="Supported_Hadoop_Services"></a>Supported Hadoop Services</h2> <p>The following Hadoop services have integrations with the Knox Gateway:</p> -<p>WebHDFS (HDFS)<br /> Templeton (HCatalog)<br /> Stargate (HBase)<br /> Oozie<br /> Hive/JDBC<br /> Yarn RM<br /> Storm<br /></p> +<p>Ambari<br /> WebHDFS (HDFS)<br /> Templeton (HCatalog)<br /> Stargate (HBase)<br /> Oozie<br /> Hive/JDBC<br /> Yarn RM<br /> Storm<br /></p></div> +<div class="section"> +<h2><a name="Supported_Hadoop_UIs"></a>Supported Hadoop UIs</h2> +<p>Name Node UI<br /> Job History UI<br /> Oozie UI<br /> HBase UI<br /> Yarn UI<br /> Spark UI<br /> Ambari UI<br /> Ranger Admin Console<br /></p></div> +<div class="section"> +<h2><a name="Configuring_Support_for_new_services_and_UIs"></a>Configuring Support for new services and UIs</h2> <p>Apache Knox provides a configuration driven method of adding new routing services.<br /> This enables for new Hadoop REST APIs to come on board very quickly and easily. It also enables<br /> users and developers to add support for custom REST APIs to the Knox gateway as well.<br /> This capability was added in release 0.6.0 and furthers the Knox commitment to extensibility and integration.</p></div> <div class="section"> <h2><a name="Authentication"></a>Authentication</h2> 
@@ -363,7 +375,20 @@ limitations under the License. --><div c <p>Out of the box, the Knox Gateway provides the Shiro authentication provider. This is a provider that leverages<br /> the Apache Shiro project for authenticating BASIC credentials against an LDAP user store. There is support for<br /> OpenLDAP, ApacheDS and Microsoft Active Directory.</p></div> <div class="section"> <h2><a name="FederationSSO"></a>Federation/SSO</h2> -<p>For customers that require credentials to be presented to a limited set of trusted entities within the enterprise,<br /> the Knox Gateway may be configured to federate the authenticated identity from an external authentication event.<br /> This is done through providers with the role of federation. The out of the box federation provider is a simple<br /> mechanism for propagating the identity through HTTP Headers that specify the username and group for the authenticated<br /> user. This has been built with vendor usecases such as SiteMinder and IBM Tivoli Access Manager.</p></div> +<p>For customers that require credentials to be presented to a limited set of trusted entities within the enterprise,<br /> the Knox Gateway may be configured to federate the authenticated identity from an external authentication event.<br /> This is done through providers with the role of federation. 
The set of out-of-the-box federation providers include:<br /></p> +<div class="section"> +<div class="section"> +<h4><a name="KnoxSSO_Default_Form-based_IDP_-"></a>KnoxSSO Default Form-based IDP -</h4> +<p>The default configuration of KnoxSSO provides a form-based authentication mechanism that leverages the Shiro authentication<br /> to authenticate against LDAP/AD with credentials collected from a form-based challenge.</p></div> +<div class="section"> +<h4><a name="Pac4J_-"></a>Pac4J -</h4> +<p>The pac4j provider adds numerous authentication and federation capabilities including: SAML, CAS, OpenID Connect, Google,<br /> Twitter, etc.</p></div> +<div class="section"> +<h4><a name="HeaderPreAuth_-"></a>HeaderPreAuth -</h4> +<p>A simple mechanism for propagating the identity through HTTP Headers that specify the username and group for the<br /> authenticated user. This has been built with vendor usecases such as SiteMinder and IBM Tivoli Access Manager.</p></div></div></div> +<div class="section"> +<h2><a name="KnoxSSO"></a>KnoxSSO</h2> +<p>The KnoxSSO service is an integration service that provides a normalized SSO token for representing the authenticated user.<br /> This token is generally used for WebSSO capabilities for participating UIs and their consumption of the Hadoop REST APIs.<br /> KnoxSSO abstracts the actual identity provider integration away from participating applications so that they only need to<br /> be aware of the KnoxSSO cookie. The token is presented by the browser as a cookie and applications that are participating in<br /> the KnoxSSO integration are able to cryptographically validate the presented token and remain agnostic to the underlying<br /> SSO integration.</p></div> <div class="section"> <h2><a name="Authorization"></a>Authorization</h2> <p>The authorization role is used by providers that make access decisions for the requested resources based on the<br /> effective user identity context. 
This identity context is determined by the authentication provider and the identity<br /> assertion provider mapping rules. Evaluation of the identity context’s user and group principals against a set of<br /> access policies is done by the authorization provider in order to determine whether access should be granted to<br /> the effective user for the requested resource.</p> @@ -395,7 +420,7 @@ limitations under the License. --><div c </div> <?xml version="1.0" encoding="UTF-8"?> <div align="right" class="row span12"> - <img vertical-align="middle" alt="Generic placeholder image" src="images/apache-logo.gif"/> + <img src="images/apache-logo.gif" vertical-align="middle" alt="Generic placeholder image"/> </div> Modified: knox/site/issue-tracking.html URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/site/issue-tracking.html (original) +++ knox/site/issue-tracking.html Sun Apr 24 16:33:46 2016 @@ -1,13 +1,13 @@ <!DOCTYPE html> <!-- - | Generated by Apache Maven Doxia at 2016-03-24 + | Generated by Apache Maven Doxia at 2016-04-24 | Rendered using Apache Maven Fluido Skin 1.3.0 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> - <meta name="Date-Revision-yyyymmdd" content="20160324" /> + <meta name="Date-Revision-yyyymmdd" content="20160424" /> <meta http-equiv="Content-Language" content="en" /> <title>Knox Gateway – Issue Tracking</title> <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" /> 
@@ -54,11 +54,11 @@ <ul class="breadcrumb"> - <li id="projectVersion">Version: 0.8.0</li> + <li id="projectVersion">Version: 0.9.0</li> - <li id="publishDate" class="pull-right">Last Published: 2016-03-24</li> + <li id="publishDate" class="pull-right">Last Published: 2016-04-24</li> </ul> </div> @@ -96,21 +96,21 @@ <li> - <a href="books/knox-0-8-0/user-guide.html" title="User's Guide"> + <a href="books/knox-0-9-0/user-guide.html" title="User's Guide"> <i class="none"></i> User's Guide</a> </li> <li> - <a href="books/knox-0-8-0/dev-guide.html" title="Developer's Guide"> + <a href="books/knox-0-9-0/dev-guide.html" title="Developer's Guide"> <i class="none"></i> Developer's Guide</a> </li> <li> - <a href="books/knox-0-8-0/user-guide.html#Quick+Start" title="Quick Start"> + <a href="books/knox-0-9-0/user-guide.html#Quick+Start" title="Quick Start"> <i class="none"></i> Quick Start</a> </li> @@ -132,6 +132,13 @@ <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.9.0" class="externalLink" title="0.9.0"> + <i class="none"></i> + 0.9.0</a> + </li> + + <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.8.0" class="externalLink" title="0.8.0"> <i class="none"></i> 0.8.0</a> @@ -336,7 +343,7 @@ </div> <?xml version="1.0" encoding="UTF-8"?> <div align="right" class="row span12"> - <img vertical-align="middle" alt="Generic placeholder image" src="images/apache-logo.gif"/> + <img src="images/apache-logo.gif" vertical-align="middle" alt="Generic placeholder image"/> </div> Modified: knox/site/license.html URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/site/license.html (original) +++ knox/site/license.html Sun Apr 24 16:33:46 2016 
@@ -1,13 +1,13 @@ <!DOCTYPE html> <!-- - | Generated by Apache Maven Doxia at 2016-03-24 + | Generated by Apache Maven Doxia at 2016-04-24 | Rendered using Apache Maven Fluido Skin 1.3.0 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> - <meta name="Date-Revision-yyyymmdd" content="20160324" /> + <meta name="Date-Revision-yyyymmdd" content="20160424" /> <meta http-equiv="Content-Language" content="en" /> <title>Knox Gateway – Project License</title> <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" /> @@ -54,11 +54,11 @@ <ul class="breadcrumb"> - <li id="projectVersion">Version: 0.8.0</li> + <li id="projectVersion">Version: 0.9.0</li> - <li id="publishDate" class="pull-right">Last Published: 2016-03-24</li> + <li id="publishDate" class="pull-right">Last Published: 2016-04-24</li> </ul> </div> @@ -94,21 +94,21 @@ <li> - <a href="books/knox-0-8-0/user-guide.html" title="User's Guide"> + <a href="books/knox-0-9-0/user-guide.html" title="User's Guide"> <i class="none"></i> User's Guide</a> </li> <li> - <a href="books/knox-0-8-0/dev-guide.html" title="Developer's Guide"> + <a href="books/knox-0-9-0/dev-guide.html" title="Developer's Guide"> <i class="none"></i> Developer's Guide</a> </li> <li> - <a href="books/knox-0-8-0/user-guide.html#Quick+Start" title="Quick Start"> + <a href="books/knox-0-9-0/user-guide.html#Quick+Start" title="Quick Start"> <i class="none"></i> Quick Start</a> </li> @@ -130,6 +130,13 @@ <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.9.0" class="externalLink" title="0.9.0"> + <i class="none"></i> + 0.9.0</a> + </li> + + <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.8.0" class="externalLink" title="0.8.0"> <i class="none"></i> 0.8.0</a> 
@@ -538,7 +545,7 @@ </div> <?xml version="1.0" encoding="UTF-8"?> <div align="right" class="row span12"> - <img vertical-align="middle" alt="Generic placeholder image" src="images/apache-logo.gif"/> + <img src="images/apache-logo.gif" vertical-align="middle" alt="Generic placeholder image"/> </div> Modified: knox/site/mail-lists.html URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/site/mail-lists.html (original) +++ knox/site/mail-lists.html Sun Apr 24 16:33:46 2016 @@ -1,13 +1,13 @@ <!DOCTYPE html> <!-- - | Generated by Apache Maven Doxia at 2016-03-24 + | Generated by Apache Maven Doxia at 2016-04-24 | Rendered using Apache Maven Fluido Skin 1.3.0 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> - <meta name="Date-Revision-yyyymmdd" content="20160324" /> + <meta name="Date-Revision-yyyymmdd" content="20160424" /> <meta http-equiv="Content-Language" content="en" /> <title>Knox Gateway – Project Mailing Lists</title> <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" /> @@ -54,11 +54,11 @@ <ul class="breadcrumb"> - <li id="projectVersion">Version: 0.8.0</li> + <li id="projectVersion">Version: 0.9.0</li> - <li id="publishDate" class="pull-right">Last Published: 2016-03-24</li> + <li id="publishDate" class="pull-right">Last Published: 2016-04-24</li> </ul> </div> 
@@ -96,21 +96,21 @@ <li> - <a href="books/knox-0-8-0/user-guide.html" title="User's Guide"> + <a href="books/knox-0-9-0/user-guide.html" title="User's Guide"> <i class="none"></i> User's Guide</a> </li> <li> - <a href="books/knox-0-8-0/dev-guide.html" title="Developer's Guide"> + <a href="books/knox-0-9-0/dev-guide.html" title="Developer's Guide"> <i class="none"></i> Developer's Guide</a> </li> <li> - <a href="books/knox-0-8-0/user-guide.html#Quick+Start" title="Quick Start"> + <a href="books/knox-0-9-0/user-guide.html#Quick+Start" title="Quick Start"> <i class="none"></i> Quick Start</a> </li> @@ -132,6 +132,13 @@ <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.9.0" class="externalLink" title="0.9.0"> + <i class="none"></i> + 0.9.0</a> + </li> + + <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.8.0" class="externalLink" title="0.8.0"> <i class="none"></i> 0.8.0</a> @@ -356,7 +363,7 @@ </div> <?xml version="1.0" encoding="UTF-8"?> <div align="right" class="row span12"> - <img vertical-align="middle" alt="Generic placeholder image" src="images/apache-logo.gif"/> + <img src="images/apache-logo.gif" vertical-align="middle" alt="Generic placeholder image"/> </div> Modified: knox/site/project-info.html URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/site/project-info.html (original) +++ knox/site/project-info.html Sun Apr 24 16:33:46 2016 
@@ -1,13 +1,13 @@ <!DOCTYPE html> <!-- - | Generated by Apache Maven Doxia at 2016-03-24 + | Generated by Apache Maven Doxia at 2016-04-24 | Rendered using Apache Maven Fluido Skin 1.3.0 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> - <meta name="Date-Revision-yyyymmdd" content="20160324" /> + <meta name="Date-Revision-yyyymmdd" content="20160424" /> <meta http-equiv="Content-Language" content="en" /> <title>Knox Gateway – Project Information</title> <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" /> @@ -54,11 +54,11 @@ <ul class="breadcrumb"> - <li id="projectVersion">Version: 0.8.0</li> + <li id="projectVersion">Version: 0.9.0</li> - <li id="publishDate" class="pull-right">Last Published: 2016-03-24</li> + <li id="publishDate" class="pull-right">Last Published: 2016-04-24</li> </ul> </div> @@ -96,21 +96,21 @@ <li> - <a href="books/knox-0-8-0/user-guide.html" title="User's Guide"> + <a href="books/knox-0-9-0/user-guide.html" title="User's Guide"> <i class="none"></i> User's Guide</a> </li> <li> - <a href="books/knox-0-8-0/dev-guide.html" title="Developer's Guide"> + <a href="books/knox-0-9-0/dev-guide.html" title="Developer's Guide"> <i class="none"></i> Developer's Guide</a> </li> <li> - <a href="books/knox-0-8-0/user-guide.html#Quick+Start" title="Quick Start"> + <a href="books/knox-0-9-0/user-guide.html#Quick+Start" title="Quick Start"> <i class="none"></i> Quick Start</a> </li> @@ -132,6 +132,13 @@ <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.9.0" class="externalLink" title="0.9.0"> + <i class="none"></i> + 0.9.0</a> + </li> + + <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.8.0" class="externalLink" title="0.8.0"> <i class="none"></i> 0.8.0</a> 
@@ -354,7 +361,7 @@ </div> <?xml version="1.0" encoding="UTF-8"?> <div align="right" class="row span12"> - <img vertical-align="middle" alt="Generic placeholder image" src="images/apache-logo.gif"/> + <img src="images/apache-logo.gif" vertical-align="middle" alt="Generic placeholder image"/> </div> Modified: knox/site/team-list.html URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/site/team-list.html (original) +++ knox/site/team-list.html Sun Apr 24 16:33:46 2016 @@ -1,13 +1,13 @@ <!DOCTYPE html> <!-- - | Generated by Apache Maven Doxia at 2016-03-24 + | Generated by Apache Maven Doxia at 2016-04-24 | Rendered using Apache Maven Fluido Skin 1.3.0 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> - <meta name="Date-Revision-yyyymmdd" content="20160324" /> + <meta name="Date-Revision-yyyymmdd" content="20160424" /> <meta http-equiv="Content-Language" content="en" /> <title>Knox Gateway – Team list</title> <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" /> @@ -54,11 +54,11 @@ <ul class="breadcrumb"> - <li id="projectVersion">Version: 0.8.0</li> + <li id="projectVersion">Version: 0.9.0</li> - <li id="publishDate" class="pull-right">Last Published: 2016-03-24</li> + <li id="publishDate" class="pull-right">Last Published: 2016-04-24</li> </ul> </div> 
@@ -96,21 +96,21 @@ <li> - <a href="books/knox-0-8-0/user-guide.html" title="User's Guide"> + <a href="books/knox-0-9-0/user-guide.html" title="User's Guide"> <i class="none"></i> User's Guide</a> </li> <li> - <a href="books/knox-0-8-0/dev-guide.html" title="Developer's Guide"> + <a href="books/knox-0-9-0/dev-guide.html" title="Developer's Guide"> <i class="none"></i> Developer's Guide</a> </li> <li> - <a href="books/knox-0-8-0/user-guide.html#Quick+Start" title="Quick Start"> + <a href="books/knox-0-9-0/user-guide.html#Quick+Start" title="Quick Start"> <i class="none"></i> Quick Start</a> </li> @@ -132,6 +132,13 @@ <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.9.0" class="externalLink" title="0.9.0"> + <i class="none"></i> + 0.9.0</a> + </li> + + <li> + <a href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.8.0" class="externalLink" title="0.8.0"> <i class="none"></i> 0.8.0</a> @@ -553,7 +560,7 @@ window.onLoad = init(); </div> <?xml version="1.0" encoding="UTF-8"?> <div align="right" class="row span12"> - <img vertical-align="middle" alt="Generic placeholder image" src="images/apache-logo.gif"/> + <img src="images/apache-logo.gif" vertical-align="middle" alt="Generic placeholder image"/> </div> Modified: knox/trunk/books/0.9.0/book.md URL: http://svn.apache.org/viewvc/knox/trunk/books/0.9.0/book.md?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/trunk/books/0.9.0/book.md (original) +++ knox/trunk/books/0.9.0/book.md Sun Apr 24 16:33:46 2016 @@ -21,7 +21,7 @@ <!-- <img src="apache-logo.gif" alt="Apache"/> --> <img src="apache-logo.gif" align="right" alt="Apache"/> -# Apache Knox Gateway 0.8.x User's Guide # +# Apache Knox Gateway 0.9.x User's Guide # ## Table Of Contents ## 
@@ -46,6 +46,9 @@ * #[Secure Clusters] * #[High Availability] * #[Web App Security Provider] + * #[CSRF] + * #[CORS] + * #[X-Frame-Options] * #[Preauthenticated SSO Provider] * #[Pac4j Provider - CAS / OAuth / SAML / OpenID Connect] * #[KnoxSSO Setup and Configuration] Modified: knox/trunk/books/0.9.0/config_webappsec_provider.md URL: http://svn.apache.org/viewvc/knox/trunk/books/0.9.0/config_webappsec_provider.md?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/trunk/books/0.9.0/config_webappsec_provider.md (original) +++ knox/trunk/books/0.9.0/config_webappsec_provider.md Sun Apr 24 16:33:46 2016 @@ -51,6 +51,7 @@ Because of this one-to-many provider/fil <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param> <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param> <param><name>cors.enabled</name><value>true</value></param> + <param><name>xframe-options.enabled</name><value>true</value></param> </provider> #### Descriptions #### 
@@ -92,3 +93,14 @@ cors.supportsCredentials | {true\|fa cors.maxAge | {int} defaults to -1 (unspecified). Indicates how long the results of a preflight request can be cached by the web browser, in seconds. If -1 unspecified. This information is passed to the browser via the Access-Control-Max-Age header.| -1 cors.tagRequests | {true\|false} defaults to false (no tagging). Enables HTTP servlet request tagging to provide CORS information to downstream handlers (filters and/or servlets).| false +##### X-Frame-Options + +Cross Frame Scripting and Clickjacking are attackes that can be prevented by controlling the ability for a third-party to embed an application or resource within a Frame, IFrame or Object html element. This can be done adding the X-Frame-Options HTTP header to responses. + +###### Config + +Name | Description | Default +-----------------------------|-------------|--------- +xframe-options.enabled | This param enables the X-Frame-Options capabilities|false +xframe-options.value | This param specifies a particular value for the X-Frame-Options header. Most often the default value of DENY will be most appropriate. You can also use SAMEORIGIN or ALLOW-FROM uri|DENY + Modified: knox/trunk/books/pom.xml URL: http://svn.apache.org/viewvc/knox/trunk/books/pom.xml?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/trunk/books/pom.xml (original) +++ knox/trunk/books/pom.xml Sun Apr 24 16:33:46 2016 @@ -5,7 +5,7 @@ <parent> <artifactId>gateway-site-books</artifactId> <groupId>org.apache.hadoop</groupId> - <version>0.8.0</version> + <version>0.9.0</version> </parent> <modelVersion>4.0.0</modelVersion> Modified: knox/trunk/pom.xml URL: http://svn.apache.org/viewvc/knox/trunk/pom.xml?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/trunk/pom.xml (original) +++ knox/trunk/pom.xml Sun Apr 24 16:33:46 2016 
@@ -25,7 +25,7 @@ <groupId>org.apache.hadoop.gateway</groupId> <artifactId>gateway-site</artifactId> <packaging>pom</packaging> - <version>0.8.0</version> + <version>0.9.0</version> <modules> <module>markbook</module> Modified: knox/trunk/src/site/markdown/index.md URL: http://svn.apache.org/viewvc/knox/trunk/src/site/markdown/index.md?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/trunk/src/site/markdown/index.md (original) +++ knox/trunk/src/site/markdown/index.md Sun Apr 24 16:33:46 2016 @@ -66,6 +66,7 @@ context path is made available for use b ## Supported Hadoop Services The following Hadoop services have integrations with the Knox Gateway: +Ambari<br/> WebHDFS (HDFS)<br/> Templeton (HCatalog)<br/> Stargate (HBase)<br/> @@ -74,6 +75,17 @@ Hive/JDBC<br/> Yarn RM<br/> Storm<br/> +## Supported Hadoop UIs +Name Node UI<br/> +Job History UI<br/> +Oozie UI<br/> +HBase UI<br/> +Yarn UI<br/> +Spark UI<br/> +Ambari UI<br/> +Ranger Admin Console<br/> + +## Configuring Support for new services and UIs Apache Knox provides a configuration driven method of adding new routing services.<br/> This enables for new Hadoop REST APIs to come on board very quickly and easily. It also enables<br/> users and developers to add support for custom REST APIs to the Knox gateway as well.<br/> 
@@ -91,9 +103,27 @@ OpenLDAP, ApacheDS and Microsoft Active ## Federation/SSO For customers that require credentials to be presented to a limited set of trusted entities within the enterprise,<br/> the Knox Gateway may be configured to federate the authenticated identity from an external authentication event.<br/> -This is done through providers with the role of federation. The out of the box federation provider is a simple<br/> -mechanism for propagating the identity through HTTP Headers that specify the username and group for the authenticated<br/> -user. This has been built with vendor usecases such as SiteMinder and IBM Tivoli Access Manager. +This is done through providers with the role of federation. The set of out-of-the-box federation providers include:<br/> + +#### KnoxSSO Default Form-based IDP - +The default configuration of KnoxSSO provides a form-based authentication mechanism that leverages the Shiro authentication<br/> +to authenticate against LDAP/AD with credentials collected from a form-based challenge. + +#### Pac4J - +The pac4j provider adds numerous authentication and federation capabilities including: SAML, CAS, OpenID Connect, Google,<br/> +Twitter, etc. + +#### HeaderPreAuth - +A simple mechanism for propagating the identity through HTTP Headers that specify the username and group for the<br/> +authenticated user. This has been built with vendor usecases such as SiteMinder and IBM Tivoli Access Manager. + +## KnoxSSO +The KnoxSSO service is an integration service that provides a normalized SSO token for representing the authenticated user.<br/> +This token is generally used for WebSSO capabilities for participating UIs and their consumption of the Hadoop REST APIs.<br/> +KnoxSSO abstracts the actual identity provider integration away from participating applications so that they only need to<br/> +be aware of the KnoxSSO cookie. 
The token is presented by the browser as a cookie and applications that are participating in<br/> +the KnoxSSO integration are able to cryptographically validate the presented token and remain agnostic to the underlying<br/> +SSO integration. ## Authorization The authorization role is used by providers that make access decisions for the requested resources based on the<br/> Modified: knox/trunk/src/site/site.xml URL: http://svn.apache.org/viewvc/knox/trunk/src/site/site.xml?rev=1740710&r1=1740709&r2=1740710&view=diff ============================================================================== --- knox/trunk/src/site/site.xml (original) +++ knox/trunk/src/site/site.xml Sun Apr 24 16:33:46 2016 @@ -93,14 +93,15 @@ </menu> <menu name="Documentation"> - <item name="User's Guide" href="books/knox-0-8-0/user-guide.html"/> - <item name="Developer's Guide" href="books/knox-0-8-0/dev-guide.html"/> - <item name="Quick Start" href="books/knox-0-8-0/user-guide.html#Quick+Start"/> + <item name="User's Guide" href="books/knox-0-9-0/user-guide.html"/> + <item name="Developer's Guide" href="books/knox-0-9-0/dev-guide.html"/> + <item name="Quick Start" href="books/knox-0-9-0/user-guide.html#Quick+Start"/> <item name="Dependencies" href="https://cwiki.apache.org/confluence/display/KNOX/Dependencies"/> <item name="Wiki" href="https://cwiki.apache.org/confluence/display/KNOX/Index"/> </menu> <menu name="Releases"> + <item name="0.9.0" href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.9.0"/> <item name="0.8.0" href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.8.0"/> <item name="0.7.0" href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.7.0"/> <item name="0.6.0" href="https://cwiki.apache.org/confluence/display/KNOX/Release+0.6.0"/>
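Review bot: In knox/trunk/books/0.9.0/config_webappsec_provider.md, hunk @@ -92,3 +93,14 @@, the new X-Frame-Options paragraph has a typo ("attackes") and "This can be done adding" is missing "by". The table lists xframe-options.enabled with a default of false, so as documented the protection is opt-in. The prose should say that explicitly, because a reader who sees only the DENY default for xframe-options.value may assume the header is already being sent. The "ALLOW-FROM uri" option would be clearer with one concrete example of the expected value format. The three new headings also omit the trailing hashes used by "#### Descriptions ####" earlier in the same file.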
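Review bot: In knox/trunk/books/0.9.0/config_webappsec_provider.md, hunk @@ -51,6 +51,7 @@, the sample provider block now sets xframe-options.enabled to true but does not show xframe-options.value, which is only introduced in the table added further down. Consider adding a second param line with the DENY value to the example so that the sample shows every X-Frame-Options setting the section documents, in the same way the csrf.* params are shown together.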
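Review bot: In knox/trunk/books/0.9.0/book.md, hunk @@ -46,6 +46,9 @@, three table-of-contents entries are added (#[CSRF], #[CORS], #[X-Frame-Options]), but the only matching heading added in this revision is "##### X-Frame-Options" in config_webappsec_provider.md. Please confirm that CSRF and CORS headings with exactly those titles already exist in the web app security chapter. If they do not, the two new entries will not resolve to anchors in the generated user guide.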
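Review bot: In knox/trunk/src/site/markdown/index.md, hunk @@ -91,9 +103,27 @@, the new KnoxSSO paragraph states that participating applications "cryptographically validate the presented token" without saying what they validate it against or where that is configured. A link to the KnoxSSO setup section of the 0.9.0 user guide would let readers find the trust configuration. Smaller points in the same hunk: the three provider headings end in a stray " -" and jump from level 2 to level 4, "The set of out-of-the-box federation providers include" should read "includes", and "usecases" should be "use cases".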
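Review bot: In knox/trunk/src/site/markdown/index.md, hunk @@ -74,6 +75,17 @@, the new "Supported Hadoop UIs" section starts directly with the list, unlike "Supported Hadoop Services" just above, which has an introductory sentence. A matching lead-in would make clear whether these UIs are proxied through the gateway, participate in KnoxSSO, or both. The heading "Configuring Support for new services and UIs" also mixes title case and lower case; pick one to match the other level 2 headings.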
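Review bot: In the generated site pages (the footer hunks such as @@ -538,7 +545,7 @@ before the mail-lists.html header, and the equivalent hunks in mail-lists.html, project-info.html and team-list.html), the only change to the img element is attribute order, and alt="Generic placeholder image" is still attached to images/apache-logo.gif. That alt text looks like leftover template content, and vertical-align is written as an attribute rather than a style. Both are worth fixing in the site template that produces this footer rather than in the generated HTML, so the next regeneration does not reintroduce them.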