knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject svn commit: r1717102 - /knox/site/books/knox-0-7-0/user-guide.html
Date Sun, 29 Nov 2015 17:52:58 GMT
Author: lmccay
Date: Sun Nov 29 17:52:58 2015
New Revision: 1717102

URL: http://svn.apache.org/viewvc?rev=1717102&view=rev
Log:
updated knox_sso_config

Modified:
    knox/site/books/knox-0-7-0/user-guide.html

Modified: knox/site/books/knox-0-7-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/user-guide.html?rev=1717102&r1=1717101&r2=1717102&view=diff
==============================================================================
--- knox/site/books/knox-0-7-0/user-guide.html (original)
+++ knox/site/books/knox-0-7-0/user-guide.html Sun Nov 29 17:52:58 2015
@@ -2024,7 +2024,7 @@ APACHE_HOME/bin/apachectl -k stop
 </code></pre><h5><a id="REST+Invocation+for+Tivoli+AM">REST Invocation
for Tivoli AM</a> <a href="#REST+Invocation+for+Tivoli+AM"><img src="markbook-section-link.png"/></a></h5><p>The
following curl command can be used to request a directory listing from HDFS while passing
in the expected headers of iv_user and iv_group. Note that the iv_group value in this command
matches the expected ACL for webhdfs in the above topology file. Changing this from &ldquo;admin&rdquo;
to &ldquo;admin2&rdquo; should result in a 401 unauthorized response.</p>
 <pre><code>curl -k -i --header &quot;iv_user: guest&quot; --header &quot;iv_group:
admin&quot; -v https://localhost:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS
 </code></pre><p>Omitting the &ndash;header &ldquo;iv_user: guest&rdquo;
above will result in a rejected request.</p><h1><a id="KnoxSSO+Setup+and+Configuration">KnoxSSO
Setup and Configuration</a> <a href="#KnoxSSO+Setup+and+Configuration"><img
src="markbook-section-link.png"/></a></h1><h2><a id="Introduction">Introduction</a>
<a href="#Introduction"><img src="markbook-section-link.png"/></a></h2>
-<hr/><p>Authentication of the Hadoop component UIs, and those of the overall
ecosystem, is usually limited to Kerberos (which requires SPNEGO to be configured for the
user&rsquo;s browser) and simple/psuedo. This often results in the UIs not being secured
- even in secured clusters. This is where KnoxSSO provides value for through providing WebSSO
capabilities to the Hadoop cluster.</p><p>By leveraging the hadoop-auth module
in Hadoop common, we have introduced the ability to consume a common SSO cookie for web UIs
while retaining the non-web browser authentication through kerberos/SPNEGO. We do this by
extneding the AltKerberosAuthenticationHandler class which provides the useragent based multiplexing.
</p><p>We also provide integration guidance within the developers guide for other
applications to be able to participate in these SSO capabilities.</p><p>The flexibility
of the Apache Knox authentication and federation providers allows KnoxSSO to provide a normalization
of authentica
 tion events through token exchange resulting in a common JWT (JSON WebToken) based token.</p><p>KnoxSSO
provides an abstraction for integrating any number of authentication systems and SSO solutions
and enables participating web applications to scale to those solutions more easily. Without
the token exchange capabilities offered by KnoxSSO each component UI would need to integrate
with each desired solution on its own. With KnoxSSO they only need to integrate with the single
solution and common token.</p><p>This document describes the overall setup requirements
for KnoxSSO and participating applications. [Please see the integration guide for instructions
in adding support for new applications.]</p><h4><a id="KnoxSSO+Setup">KnoxSSO
Setup</a> <a href="#KnoxSSO+Setup"><img src="markbook-section-link.png"/></a></h4><h5><a
id="knoxsso.xml+Topology">knoxsso.xml Topology</a> <a href="#knoxsso.xml+Topology"><img
src="markbook-section-link.png"/></a></h5><p>To enable KnoxSSO, we need
to conf
 igure the KnoxSSO topology. The following is an example of this topology which is configured
to use HTTP Basic Auth against the Knox Demo LDAP server. This is the lowest barrier of entry
for your development environment that actually authenticates against a real user store. What’s
great is if you work against the IdP with Basic Auth then you will work with SAML or anything
else as well. SAML support is provided through our PicketLink federation provider and we will
provide an example configuration for that as well.</p>
+<hr/><p>Authentication of the Hadoop component UIs, and those of the overall
ecosystem, is usually limited to Kerberos (which requires SPNEGO to be configured for the
user&rsquo;s browser) and simple/psuedo. This often results in the UIs not being secured
- even in secured clusters. This is where KnoxSSO provides value for through providing WebSSO
capabilities to the Hadoop cluster.</p><p>By leveraging the hadoop-auth module
in Hadoop common, we have introduced the ability to consume a common SSO cookie for web UIs
while retaining the non-web browser authentication through kerberos/SPNEGO. We do this by
extneding the AltKerberosAuthenticationHandler class which provides the useragent based multiplexing.
</p><p>We also provide integration guidance within the developers guide for other
applications to be able to participate in these SSO capabilities.</p><p>The flexibility
of the Apache Knox authentication and federation providers allows KnoxSSO to provide a normalization
of authentica
 tion events through token exchange resulting in a common JWT (JSON WebToken) based token.</p><p>KnoxSSO
provides an abstraction for integrating any number of authentication systems and SSO solutions
and enables participating web applications to scale to those solutions more easily. Without
the token exchange capabilities offered by KnoxSSO each component UI would need to integrate
with each desired solution on its own. With KnoxSSO they only need to integrate with the single
solution and common token.</p><p>This document describes the overall setup requirements
for KnoxSSO and participating applications. [Please see the integration guide for instructions
in adding support for new applications.]</p><h2><a id="KnoxSSO+Setup">KnoxSSO
Setup</a> <a href="#KnoxSSO+Setup"><img src="markbook-section-link.png"/></a></h2><h3><a
id="knoxsso.xml+Topology">knoxsso.xml Topology</a> <a href="#knoxsso.xml+Topology"><img
src="markbook-section-link.png"/></a></h3><p>To enable KnoxSSO, we need
to conf
 igure the KnoxSSO topology. The following is an example of this topology which is configured
to use HTTP Basic Auth against the Knox Demo LDAP server. This is the lowest barrier of entry
for your development environment that actually authenticates against a real user store. What’s
great is if you work against the IdP with Basic Auth then you will work with SAML or anything
else as well. SAML support is provided through our PicketLink federation provider and we will
provide an example configuration for that as well.</p>
 <pre><code>		&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
 		&lt;topology&gt;
     		&lt;gateway&gt;
@@ -2125,7 +2125,7 @@ APACHE_HOME/bin/apachectl -k stop
       <td>^/.*$;^https?://localhost:\d{0,9}/.*$</td>
     </tr>
   </tbody>
-</table><h3><a id="Hadoop+Configuration+Example">Hadoop Configuration Example</a>
<a href="#Hadoop+Configuration+Example"><img src="markbook-section-link.png"/></a></h3><p>The
following is used as the KnoxSSO configuration in the Hadoop JWTRedirectAuthenticationHandler
implementation. Any participating application will need similar configuration. Since JWTRedirectAuthenticationHandler
extends the AltKerberosAuthenticationHandler, the typical kerberos configuration parameters
for authentication are also required.</p>
+</table><h2><a id="Participating+Application+Configuration">Participating
Application Configuration</a> <a href="#Participating+Application+Configuration"><img
src="markbook-section-link.png"/></a></h2><h3><a id="Hadoop+Configuration+Example">Hadoop
Configuration Example</a> <a href="#Hadoop+Configuration+Example"><img src="markbook-section-link.png"/></a></h3><p>The
following is used as the KnoxSSO configuration in the Hadoop JWTRedirectAuthenticationHandler
implementation. Any participating application will need similar configuration. Since JWTRedirectAuthenticationHandler
extends the AltKerberosAuthenticationHandler, the typical kerberos configuration parameters
for authentication are also required.</p>
 <pre><code>	&lt;property&gt;
   		&lt;name&gt;hadoop.http.authentication.type&lt;/name&gt;	&lt;value&gt;org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler&lt;/value&gt;
 	&lt;/property&gt;



Mime
View raw message