Author: lmccay
Date: Wed Oct 14 16:14:56 2015
New Revision: 1708642

URL: http://svn.apache.org/viewvc?rev=1708642&view=rev
Log:
added config info section to 0.6.0 book

Modified: knox/site/books/knox-0-6-0/user-guide.html knox/trunk/books/0.6.0/config.md Modified: knox/site/books/knox-0-6-0/user-guide.html URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/user-guide.html?rev=1708642&r1=1708641&r2=1708642&view=diff ============================================================================== --- knox/site/books/knox-0-6-0/user-guide.html (original) +++ knox/site/books/knox-0-6-0/user-guide.html Wed Oct 14 16:14:56 2015 
@@ -355,7 +355,12 @@ https://{gateway-host}:{gateway-port}/{g <li>Gateway: jdbc:hive2://{gateway-host}:{gateway-port}/;ssl=true;sslTrustStore={gateway-trust-store-path};trustStorePassword={gateway-trust-store-password}?hive.server2.transport.mode=http;hive.server2.thrift.http.path={gateway-path}/{cluster-name}/hive</li> <li>Cluster: <code>http://{hive-host}:10001/cliservice</code></li> </ul></li> -</ul><p>The values for <code>{gateway-host}</code>, <code>{gateway-port}</code>, <code>{gateway-path}</code> are provided via the gateway configuration file (i.e. <code>{GATEWAY_HOME}/conf/gateway-site.xml</code>).</p><p>The value for <code>{cluster-name}</code> is derived from the file name of the cluster topology descriptor (e.g. <code>{GATEWAY_HOME}/deployments/{cluster-name}.xml</code>).</p><p>The value for <code>{webhdfs-host}</code>, <code>{webhcat-host}</code>, <code>{oozie-host}</code>, <code>{hbase-host}</code> and <code>{hive-host}</code> are provided via the cluster topology descriptor (e.g. <code>{GATEWAY_HOME}/conf/topologies/{cluster-name}.xml</code>).</p><p>Note: The ports 50070, 50111, 11000, 60080 (default 8080) and 10001 are the defaults for WebHDFS, WebHCat, Oozie, Stargate/HBase and Hive respectively. 
Their values can also be provided via the cluster topology descriptor if your Hadoop cluster uses different ports.</p><h3><a id="Configuration"></a>Configuration</h 3><h3><a id="Related+Cluster+Configuration"></a>Related Cluster Configuration</h3><p>The following configuration changes must be made to your cluster to allow Apache Knox to dispatch requests to the various service components on behalf of end users.</p><h4><a id="Grant+Proxy+privileges+for+Knox+user+in+`core-site.xml`+on+Hadoop+master+nodes"></a>Grant Proxy privileges for Knox user in <code>core-site.xml</code> on Hadoop master nodes</h4><p>Update <code>core-site.xml</code> and add the following lines towards the end of the file.</p><p>Replace FQDN_OF_KNOX_HOST with the fully qualified domain name of the host running the gateway. You can usually find this by running <code>hostname -f</code> on that host.</p><p>You could use * for local developer testing if Knox host does not have static IP.</p> +</ul><p>The values for <code>{gateway-host}</code>, <code>{gateway-port}</code>, <code>{gateway-path}</code> are provided via the gateway configuration file (i.e. <code>{GATEWAY_HOME}/conf/gateway-site.xml</code>).</p><p>The value for <code>{cluster-name}</code> is derived from the file name of the cluster topology descriptor (e.g. <code>{GATEWAY_HOME}/deployments/{cluster-name}.xml</code>).</p><p>The value for <code>{webhdfs-host}</code>, <code>{webhcat-host}</code>, <code>{oozie-host}</code>, <code>{hbase-host}</code> and <code>{hive-host}</code> are provided via the cluster topology descriptor (e.g. <code>{GATEWAY_HOME}/conf/topologies/{cluster-name}.xml</code>).</p><p>Note: The ports 50070, 50111, 11000, 60080 (default 8080) and 10001 are the defaults for WebHDFS, WebHCat, Oozie, Stargate/HBase and Hive respectively. 
Their values can also be provided via the cluster topology descriptor if your Hadoop cluster uses different ports.</p><h3><a id="Configuration"></a>Configuration</h 3><p>Configuration for Apache Knox includes:</p> +<ol> + <li><a href="#Related+Cluster+Configuration">Related Cluster Configuration</a> that must be done within the Hadoop cluster to allow Knox to communicate with various services</li> + <li><a href="#Gateway+Server+Configuration">Gateway Server Configuration</a> - which is the configurable elements of the server itself which applies to behavior that spans all topologies or managed Hadoop clusters</li> + <li><a href="#Topology+Descriptors">Topology Descriptors</a> which are the descriptors for controlling access to Hadoop clusters in various ways</li> +</ol><h3><a id="Related+Cluster+Configuration"></a>Related Cluster Configuration</h3><p>The following configuration changes must be made to your cluster to allow Apache Knox to dispatch requests to the various service components on behalf of end users.</p><h4><a id="Grant+Proxy+privileges+for+Knox+user+in+`core-site.xml`+on+Hadoop+master+nodes"></a>Grant Proxy privileges for Knox user in <code>core-site.xml</code> on Hadoop master nodes</h4><p>Update <code>core-site.xml</code> and add the following lines towards the end of the file.</p><p>Replace FQDN_OF_KNOX_HOST with the fully qualified domain name of the host running the gateway. You can usually find this by running <code>hostname -f</code> on that host.</p><p>You could use * for local developer testing if Knox host does not have static IP.</p> <pre><code><property> <name>hadoop.proxyuser.knox.groups</name> <value>users</value> 
@@ -405,7 +410,93 @@ https://{gateway-host}:{gateway-port}/{g <value>cliservice</value> <description>Path component of URL endpoint when in HTTP mode.</description> </property> -</code></pre><h4><a id="Topology+Descriptors"></a>Topology Descriptors</h4><p>The topology descriptor files provide the gateway with per-cluster configuration information. This includes configuration for both the providers within the gateway and the services within the Hadoop cluster. These files are located in <code>{GATEWAY_HOME}/conf/topologies</code>. The general outline of this document looks like this.</p> +</code></pre><h4><a id="Gateway+Server+Configuration"></a>Gateway Server Configuration</h4><p>The following table illustrates the configurable elements of the Apache Knox Gateway at the server level.</p> +<table> + <thead> + <tr> + <th>property </th> + <th>description </th> + <th>default</th> + </tr> + </thead> + <tbody> + <tr> + <td>gateway.deployment.dir</td> + <td>The directory within GATEWAY_HOME that contains gateway topology deployments.</td> + <td>{GATEWAY_HOME}/data/deployments</td> + </tr> + <tr> + <td>gateway.security.dir</td> + <td>The directory within GATEWAY_HOME that contains the required security artifacts</td> + <td>{GATEWAY_HOME}/data/security</td> + </tr> + <tr> + <td>gateway.data.dir</td> + <td>The directory within GATEWAY_HOME that contains the gateway instance data</td> + <td>{GATEWAY_HOME}/data</td> + </tr> + <tr> + <td>gateway.services.dir</td> + <td>The directory within GATEWAY_HOME that contains the gateway services definitions.</td> + <td>{GATEWAY_HOME}/services</td> + </tr> + <tr> + <td>gateway.hadoop.conf.dir</td> + <td>The directory within GATEWAY_HOME that contains the gateway configuration</td> + <td>{GATEWAY_HOME}/conf</td> + </tr> + <tr> + <td>gateway.frontend.url</td> + <td>The URL that should be used during rewriting so that it can rewrite the URLs with the correct “frontend” URL</td> + <td>none</td> + </tr> + <tr> + 
<td>gateway.xforwarded.enabled</td> + <td>Indicates whether support for some X-Forwarded-* headers is enabled</td> + <td>true</td> + </tr> + <tr> + <td>gateway.trust.all.certs</td> + <td>Indicates whether all presented client certs should establish trust</td> + <td>false</td> + </tr> + <tr> + <td>gateway.client.auth.needed</td> + <td>Indicates whether clients are required to establish a trust relationship with client certificates</td> + <td>false</td> + </tr> + <tr> + <td>gateway.truststore.path</td> + <td>Location of the truststore for client certificates to be trusted</td> + <td>gateway.jks</td> + </tr> + <tr> + <td>gateway.truststore.type</td> + <td>Indicates the type of truststore</td> + <td>JKS</td> + </tr> + <tr> + <td>gateway.keystore.type</td> + <td>Indicates the type of keystore for the identity store</td> + <td>JKS</td> + </tr> + <tr> + <td>gateway.jdk.tls.ephemeralDHKeySize</td> + <td>jdk.tls.ephemeralDHKeySize, is defined to customize the ephemeral DH key sizes. The minimum acceptable DH key size is 1024 bits, except for exportable cipher suites or legacy mode (jdk.tls.ephemeralDHKeySize=legacy)</td> + <td>2048</td> + </tr> + <tr> + <td>ssl.enabled</td> + <td>Indicates whether SSL is enabled for the Gateway</td> + <td>true</td> + </tr> + <tr> + <td>ssl.exclude.protocols</td> + <td>Excludes a comma separated list of protocols to not accept for SSL or “none”</td> + <td>SSLv3</td> + </tr> + </tbody> +</table><h4><a id="Topology+Descriptors"></a>Topology Descriptors</h4><p>The topology descriptor files provide the gateway with per-cluster configuration information. This includes configuration for both the providers within the gateway and the services within the Hadoop cluster. These files are located in <code>{GATEWAY_HOME}/conf/topologies</code>. 
The general outline of this document looks like this.</p> <pre><code><topology> <gateway> <provider> Modified: knox/trunk/books/0.6.0/config.md URL: http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/config.md?rev=1708642&r1=1708641&r2=1708642&view=diff ============================================================================== --- knox/trunk/books/0.6.0/config.md (original) +++ knox/trunk/books/0.6.0/config.md Wed Oct 14 16:14:56 2015 @@ -17,6 +17,12 @@ ### Configuration ### +Configuration for Apache Knox includes: + +1. #[Related Cluster Configuration] that must be done within the Hadoop cluster to allow Knox to communicate with various services +2. #[Gateway Server Configuration] - which is the configurable elements of the server itself which applies to behavior that spans all topologies or managed Hadoop clusters +3. #[Topology Descriptors] which are the descriptors for controlling access to Hadoop clusters in various ways + ### Related Cluster Configuration ### The following configuration changes must be made to your cluster to allow Apache Knox to 
@@ -101,6 +107,29 @@ Ensure that the values match the ones be <description>Path component of URL endpoint when in HTTP mode.</description> </property> +#### Gateway Server Configuration #### + +The following table illustrates the configurable elements of the Apache Knox Gateway at the server level. + +property | description | default +------------|-----------|----------- +gateway.deployment.dir|The directory within GATEWAY_HOME that contains gateway topology deployments.|{GATEWAY_HOME}/data/deployments +gateway.security.dir|The directory within GATEWAY_HOME that contains the required security artifacts|{GATEWAY_HOME}/data/security +gateway.data.dir|The directory within GATEWAY_HOME that contains the gateway instance data|{GATEWAY_HOME}/data +gateway.services.dir|The directory within GATEWAY_HOME that contains the gateway services definitions.|{GATEWAY_HOME}/services +gateway.hadoop.conf.dir|The directory within GATEWAY_HOME that contains the gateway configuration|{GATEWAY_HOME}/conf +gateway.frontend.url|The URL that should be used during rewriting so that it can rewrite the URLs with the correct "frontend" URL|none +gateway.xforwarded.enabled|Indicates whether support for some X-Forwarded-* headers is enabled|true +gateway.trust.all.certs|Indicates whether all presented client certs should establish trust|false +gateway.client.auth.needed|Indicates whether clients are required to establish a trust relationship with client certificates|false +gateway.truststore.path|Location of the truststore for client certificates to be trusted|gateway.jks +gateway.truststore.type|Indicates the type of truststore|JKS +gateway.keystore.type|Indicates the type of keystore for the identity store|JKS +gateway.jdk.tls.ephemeralDHKeySize|jdk.tls.ephemeralDHKeySize, is defined to customize the ephemeral DH key sizes. 
The minimum acceptable DH key size is 1024 bits, except for exportable cipher suites or legacy mode (jdk.tls.ephemeralDHKeySize=legacy)|2048 +ssl.enabled|Indicates whether SSL is enabled for the Gateway|true +ssl.exclude.protocols|Excludes a comma separated list of protocols to not accept for SSL or "none"|SSLv3 + + #### Topology Descriptors #### The topology descriptor files provide the gateway with per-cluster configuration information.
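
Review bot: in user-guide.html at @@ -355,7 +355,12 @@, the rewritten paragraph still gives the cluster topology descriptor as {GATEWAY_HOME}/deployments/{cluster-name}.xml, while the next sentence on the same line gives it as {GATEWAY_HOME}/conf/topologies/{cluster-name}.xml, and the table added later in this commit lists {GATEWAY_HOME}/data/deployments as the default for gateway.deployment.dir. Since the line is being rewritten anyway, use one descriptor location in both sentences (the Topology Descriptors section says {GATEWAY_HOME}/conf/topologies) so readers are not sent to three different directories.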
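
Review bot: in user-guide.html at @@ -405,7 +410,93 @@, the new "Gateway Server Configuration" heading is an <h4>, so it nests under the <h3> "Related Cluster Configuration", although the list added at the top of the Configuration section presents Related Cluster Configuration, Gateway Server Configuration and Topology Descriptors as three peer parts. Either put the three headings at the same level or word the intro list so the nesting is clearly intended; the "####" heading in config.md needs the same change.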
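
Review bot: in config.md at @@ -17,6 +17,12 @@, list item 2 is built differently from items 1 and 3 (it is the only one with a dash) and its verbs do not agree with "elements": "which is the configurable elements ... which applies to". Suggested wording: "2. #[Gateway Server Configuration], the configurable elements of the server itself, which apply to behavior that spans all topologies or managed Hadoop clusters".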
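
Review bot: in config.md at @@ -101,6 +107,29 @@, the gateway.trust.all.certs row says only that "all presented client certs should establish trust", which does not tell the reader what that means for the other client-certificate settings in the same table. As described, a value of true would accept any client certificate regardless of what is in gateway.truststore.path, so the row should say that explicitly and state how it relates to gateway.client.auth.needed. Two smaller points in the same table: the gateway.truststore.path default "gateway.jks" is a bare file name, so the description should name the directory it is resolved against, and the gateway.hadoop.conf.dir description ("contains the gateway configuration") does not explain why the property name refers to Hadoop.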