[ https://issues.apache.org/jira/browse/AMBARI-24118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay updated AMBARI-24118:
---------------------------------
    Attachment: AMBARI-24118-001.patch

> Update KNOX Service Config to Better Integrate the Knox Admin UI
> ----------------------------------------------------------------
>
>                 Key: AMBARI-24118
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24118
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-sever
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.7.0
>
>         Attachments: AMBARI-24118-001.patch
>
>
> The manager.xml topology in Apache Knox hosts the endpoint for the Knox Admin
> UI. In order to provide management of the configuration for access to the UI
> we need to be able to manage the LDAP configuration for authentication, group
> lookup and the ACLs for constraining access to admin users and groups.
> We have taken a couple actions in Knox to facilitate this:
> # Moved the authentication in manager.xml to leverage KnoxSSO as the
> authentication mechanism. Will also buy us seamless SSO between Ambari and
> Knox UIs.
> # Made the group look up manageable from the gateway-site.xml and the
> admin.xml and manager.xml topologies auto-redeploy on startup of the Knox
> server to pick up gateway-site changes.
> # Made the list of admin users and admin groups configurable in
> gateway-site.xml
> This patch will default the KNOX_ADMIN_USERS to "admin" and the
> KNOX_ADMIN_GROUPS to "admin". These values will work with the Knox DEMO LDAP
> server that can be used for demos and testing but will need to be adjusted to
> the enterprise LDAP users/groups that require access to the Knox Admin UI.
> The HadoopGroupProvider will assume the default configuration but when there
> are no local OS accounts, the admin will be able to configure LDAP or other
> group mapping mechanisms in gateway-site.xml via advanced params.
> Lastly, the patch adds the admin group to the DEMO LDAP users.ldif file to
> facilitate group lookup if needed. It will actually use no lookup by default
> and will grant access to a user named "admin" only but can be configured to
> use the admin group.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
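
The issue notes that the "admin" defaults only suit the Knox DEMO LDAP server and must be adjusted for enterprise LDAP. The following check is an added example, not part of the patch or of Ambari/Knox: it reads a gateway-site.xml and reports admin ACL settings still at that demo default. The property names `gateway.knox.admin.users` and `gateway.knox.admin.groups`, the comma-delimited value format, and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed gateway-site.xml names behind KNOX_ADMIN_USERS / KNOX_ADMIN_GROUPS.
ADMIN_PROPS = ("gateway.knox.admin.users", "gateway.knox.admin.groups")
DEMO_DEFAULT = "admin"  # default value stated in the issue description

def read_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_admin_acl(xml_text):
    """Return (property, finding) pairs for admin ACL settings needing review."""
    props = read_properties(xml_text)
    findings = []
    for name in ADMIN_PROPS:
        if name not in props:
            findings.append((name, "not set"))
            continue
        # Assumption: values are comma-delimited lists of users or groups.
        entries = [e.strip() for e in props[name].split(",") if e.strip()]
        if not entries:
            findings.append((name, "empty"))
        elif DEMO_DEFAULT in entries:
            findings.append((name, "still contains demo default 'admin'"))
    return findings

def _site(users, groups):
    # Constructed sample gateway-site.xml content, not taken from the patch.
    return ("<configuration>"
            f"<property><name>{ADMIN_PROPS[0]}</name><value>{users}</value></property>"
            f"<property><name>{ADMIN_PROPS[1]}</name><value>{groups}</value></property>"
            "</configuration>")

SAMPLE_DEFAULT = _site("admin", "admin")
SAMPLE_TUNED = _site("knoxops1, knoxops2", "knox-admins")

if __name__ == "__main__":
    for label, doc in (("default", SAMPLE_DEFAULT), ("tuned", SAMPLE_TUNED)):
        print(label, audit_admin_acl(doc) or "ok")
```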