Larry McCay created AMBARI-24118:
------------------------------------
Summary: Update KNOX Service Config to Better Integrate the Knox
Admin UI
Key: AMBARI-24118
URL: https://issues.apache.org/jira/browse/AMBARI-24118
Project: Ambari
Issue Type: Bug
Components: ambari-sever
Reporter: Larry McCay
Assignee: Larry McCay
Fix For: 2.7.0

The manager.xml topology in Apache Knox hosts the endpoint for the Knox Admin
UI. In order to provide management of the configuration for access to the UI we
need to be able to manage the LDAP configuration for authentication, group
lookup and the ACLs for constraining access to admin users and groups.

We have taken a couple actions in Knox to facilitate this:

# Moved the authentication in manager.xml to leverage KnoxSSO as the
authentication mechanism. Will also buy us seamless SSO between Ambari and Knox
UIs.
# Made the group look up manageable from the gateway-site.xml and the
admin.xml and manager.xml topologies auto-redeploy on startup of the Knox
server to pick up gateway-site changes.
# Made the list of admin users and admin groups configurable in
gateway-site.xml

This patch will default the KNOX_ADMIN_USERS to "admin" and the
KNOX_ADMIN_GROUPS to "admin". These values will work with the Knox DEMO LDAP
server that can be used for demos and testing but will need to be adjusted to
the enterprise LDAP users/groups that require access to the Knox Admin UI.

The HadoopGroupProvider will assume the default configuration but when there
are no local OS accounts, the admin will be able to configure LDAP or other
group mapping mechanisms in gateway-site.xml via advanced params.

Lastly, the patch adds the admin group to the DEMO LDAP users.ldif file to
facilitate group lookup if needed. It will actually use no lookup by default
and will grant access to a user named "admin" only but can be configured to use
the admin group.