knox-commits mailing list archives

From lmc...@apache.org
Subject svn commit: r1719216 - in /knox: site/ site/books/knox-0-4-0/ site/books/knox-0-5-0/ site/books/knox-0-6-0/ site/books/knox-0-7-0/ trunk/books/0.7.0/
Date Thu, 10 Dec 2015 21:25:08 GMT
Author: lmccay
Date: Thu Dec 10 21:25:08 2015
New Revision: 1719216

URL: http://svn.apache.org/viewvc?rev=1719216&view=rev
Log:
added config description for cookie domain in KnoxSSO

Modified:
    knox/site/books/knox-0-4-0/deployment-overview.png
    knox/site/books/knox-0-4-0/deployment-provider.png
    knox/site/books/knox-0-4-0/deployment-service.png
    knox/site/books/knox-0-4-0/runtime-overview.png
    knox/site/books/knox-0-4-0/runtime-request-processing.png
    knox/site/books/knox-0-5-0/deployment-overview.png
    knox/site/books/knox-0-5-0/deployment-provider.png
    knox/site/books/knox-0-5-0/deployment-service.png
    knox/site/books/knox-0-5-0/runtime-overview.png
    knox/site/books/knox-0-5-0/runtime-request-processing.png
    knox/site/books/knox-0-6-0/deployment-overview.png
    knox/site/books/knox-0-6-0/deployment-provider.png
    knox/site/books/knox-0-6-0/deployment-service.png
    knox/site/books/knox-0-6-0/runtime-overview.png
    knox/site/books/knox-0-6-0/runtime-request-processing.png
    knox/site/books/knox-0-7-0/deployment-overview.png
    knox/site/books/knox-0-7-0/deployment-provider.png
    knox/site/books/knox-0-7-0/deployment-service.png
    knox/site/books/knox-0-7-0/general_saml_flow.png
    knox/site/books/knox-0-7-0/runtime-overview.png
    knox/site/books/knox-0-7-0/runtime-request-processing.png
    knox/site/books/knox-0-7-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/0.7.0/config_knox_sso.md

Modified: knox/site/books/knox-0-4-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-provider.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-service.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-request-processing.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-provider.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-service.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-request-processing.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-provider.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-service.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-request-processing.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-provider.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-service.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/general_saml_flow.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/general_saml_flow.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-request-processing.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
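Review bot: nineteen PNG files under site/books/knox-0-4-0 through knox-0-7-0 are rewritten by this commit, yet the log message only mentions a config description for the cookie domain and none of the PNG entries shows a diff. If these are byte-identical re-exports from the site build, revert them before committing so that history only records intentional image changes and a reviewer can tell a real diagram update from build churn; if any image actually changed, name it and the reason in the log.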

Modified: knox/site/books/knox-0-7-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/user-guide.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/books/knox-0-7-0/user-guide.html (original)
+++ knox/site/books/knox-0-7-0/user-guide.html Thu Dec 10 21:25:08 2015
@@ -2033,8 +2033,8 @@ APACHE_HOME/bin/apachectl -k stop
 </provider>
 </code></pre><h5><a id="REST+Invocation+for+Tivoli+AM">REST Invocation
for Tivoli AM</a> <a href="#REST+Invocation+for+Tivoli+AM"><img src="markbook-section-link.png"/></a></h5><p>The
following curl command can be used to request a directory listing from HDFS while passing
in the expected headers of iv_user and iv_group. Note that the iv_group value in this command
matches the expected ACL for webhdfs in the above topology file. Changing this from &ldquo;admin&rdquo;
to &ldquo;admin2&rdquo; should result in a 401 unauthorized response.</p>
 <pre><code>curl -k -i --header &quot;iv_user: guest&quot; --header &quot;iv_group:
admin&quot; -v https://localhost:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS
-</code></pre><p>Omitting the &ndash;header &ldquo;iv_user: guest&rdquo;
above will result in a rejected request.</p><h1><a id="KnoxSSO+Setup+and+Configuration">KnoxSSO
Setup and Configuration</a> <a href="#KnoxSSO+Setup+and+Configuration"><img
src="markbook-section-link.png"/></a></h1><h2><a id="Introduction">Introduction</a>
<a href="#Introduction"><img src="markbook-section-link.png"/></a></h2>
-<hr/><p>Authentication of the Hadoop component UIs, and those of the overall
ecosystem, is usually limited to Kerberos (which requires SPNEGO to be configured for the
user&rsquo;s browser) and simple/psuedo. This often results in the UIs not being secured
- even in secured clusters. This is where KnoxSSO provides value for through providing WebSSO
capabilities to the Hadoop cluster.</p><p>By leveraging the hadoop-auth module
in Hadoop common, we have introduced the ability to consume a common SSO cookie for web UIs
while retaining the non-web browser authentication through kerberos/SPNEGO. We do this by
extneding the AltKerberosAuthenticationHandler class which provides the useragent based multiplexing.
</p><p>We also provide integration guidance within the developers guide for other
applications to be able to participate in these SSO capabilities.</p><p>The flexibility
of the Apache Knox authentication and federation providers allows KnoxSSO to provide a normalization
of authentica
 tion events through token exchange resulting in a common JWT (JSON WebToken) based token.</p><p>KnoxSSO
provides an abstraction for integrating any number of authentication systems and SSO solutions
and enables participating web applications to scale to those solutions more easily. Without
the token exchange capabilities offered by KnoxSSO each component UI would need to integrate
with each desired solution on its own. With KnoxSSO they only need to integrate with the single
solution and common token.</p><p>This document describes the overall setup requirements
for KnoxSSO and participating applications. [Please see the integration guide for instructions
in adding support for new applications.]</p><h2><a id="KnoxSSO+Setup">KnoxSSO
Setup</a> <a href="#KnoxSSO+Setup"><img src="markbook-section-link.png"/></a></h2><h3><a
id="knoxsso.xml+Topology">knoxsso.xml Topology</a> <a href="#knoxsso.xml+Topology"><img
src="markbook-section-link.png"/></a></h3><p>To enable KnoxSSO, we need
to conf
 igure the KnoxSSO topology. The following is an example of this topology which is configured
to use HTTP Basic Auth against the Knox Demo LDAP server. This is the lowest barrier of entry
for your development environment that actually authenticates against a real user store. What’s
great is if you work against the IdP with Basic Auth then you will work with SAML or anything
else as well. SAML support is provided through our PicketLink federation provider and we will
provide an example configuration for that as well.</p>
+</code></pre><p>Omitting the &ndash;header &ldquo;iv_user: guest&rdquo;
above will result in a rejected request.</p><h2><a id="KnoxSSO+Setup+and+Configuration">KnoxSSO
Setup and Configuration</a> <a href="#KnoxSSO+Setup+and+Configuration"><img
src="markbook-section-link.png"/></a></h2><h3><a id="Introduction">Introduction</a>
<a href="#Introduction"><img src="markbook-section-link.png"/></a></h3>
+<hr/><p>Authentication of the Hadoop component UIs, and those of the overall
ecosystem, is usually limited to Kerberos (which requires SPNEGO to be configured for the
user&rsquo;s browser) and simple/psuedo. This often results in the UIs not being secured
- even in secured clusters. This is where KnoxSSO provides value for through providing WebSSO
capabilities to the Hadoop cluster.</p><p>By leveraging the hadoop-auth module
in Hadoop common, we have introduced the ability to consume a common SSO cookie for web UIs
while retaining the non-web browser authentication through kerberos/SPNEGO. We do this by
extneding the AltKerberosAuthenticationHandler class which provides the useragent based multiplexing.
</p><p>We also provide integration guidance within the developers guide for other
applications to be able to participate in these SSO capabilities.</p><p>The flexibility
of the Apache Knox authentication and federation providers allows KnoxSSO to provide a normalization
of authentica
 tion events through token exchange resulting in a common JWT (JSON WebToken) based token.</p><p>KnoxSSO
provides an abstraction for integrating any number of authentication systems and SSO solutions
and enables participating web applications to scale to those solutions more easily. Without
the token exchange capabilities offered by KnoxSSO each component UI would need to integrate
with each desired solution on its own. With KnoxSSO they only need to integrate with the single
solution and common token.</p><p>This document describes the overall setup requirements
for KnoxSSO and participating applications. [Please see the integration guide for instructions
in adding support for new applications.]</p><h3><a id="KnoxSSO+Setup">KnoxSSO
Setup</a> <a href="#KnoxSSO+Setup"><img src="markbook-section-link.png"/></a></h3><h4><a
id="knoxsso.xml+Topology">knoxsso.xml Topology</a> <a href="#knoxsso.xml+Topology"><img
src="markbook-section-link.png"/></a></h4><p>To enable KnoxSSO, we need
to conf
 igure the KnoxSSO topology. The following is an example of this topology which is configured
to use HTTP Basic Auth against the Knox Demo LDAP server. This is the lowest barrier of entry
for your development environment that actually authenticates against a real user store. What’s
great is if you work against the IdP with Basic Auth then you will work with SAML or anything
else as well. SAML support is provided through our PicketLink federation provider and we will
provide an example configuration for that as well.</p>
 <pre><code>		&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
 		&lt;topology&gt;
     		&lt;gateway&gt;
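Review bot: the regenerated Introduction on the + lines of this hunk still carries `simple/psuedo`, `extneding the AltKerberosAuthenticationHandler class` and `KnoxSSO provides value for through providing WebSSO capabilities`; only the heading levels (h1 to h2, h2 to h3, h3 to h4) changed. Since user-guide.html is generated from the markdown book, correct these to `simple/pseudo`, `extending` and `provides value by providing` in config_knox_sso.md (the `psuedo` sentence is visible as unchanged context in that file's first hunk) and regenerate, rather than patching the HTML.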
@@ -2095,11 +2095,15 @@ APACHE_HOME/bin/apachectl -k stop
           			&lt;name&gt;knoxsso.redirect.whitelist.regex&lt;/name&gt;
           			&lt;value&gt;^/.*$;https?://localhost*$&lt;/value&gt;
         		&lt;/param&gt;
+        		&lt;param&gt;
+          			&lt;name&gt;knoxsso.cookie.domain.suffix&lt;/name&gt;
+          			&lt;value&gt;.novalocal&lt;/value&gt;
+        		&lt;/param&gt;
     		&lt;/service&gt;
 		&lt;/topology&gt;
 </code></pre><p>Just as with any Knox service, the KNOXSSO service is protected
by the gateway providers defined above it. In this case, the ShiroProvider is taking care
of HTTP Basic Auth against LDAP for us. Once the user authenticates the request processing
continues to the KNOXSSO service that will create the required cookie and do the necessary
redirects.</p><p>The authentication/federation provider can be swapped out to
fit your deployment environment.</p><p>This is a good place to start in the setup
of KnoxSSO as it doesn&rsquo;t pull in dependencies on external identity solutions. Once
we have this working, we can switch to a federation provider and integrate a preferred SSO
solution.</p><p>This topology will result in a KnoxSSO URL that looks something
like:</p>
 <pre><code>https://{gateway_host}:{gateway_port}/gateway/knoxsso/api/v1/websso
-</code></pre><p>This URL is needed when configuring applications that participate
in KnoxSSO for a given deployment. We will refer to this as the Provider URL in this document.</p><h3><a
id="KnoxSSO+Configuration+Parameters">KnoxSSO Configuration Parameters</a> <a
href="#KnoxSSO+Configuration+Parameters"><img src="markbook-section-link.png"/></a></h3>
+</code></pre><p>This URL is needed when configuring applications that participate
in KnoxSSO for a given deployment. We will refer to this as the Provider URL in this document.</p><h4><a
id="KnoxSSO+Configuration+Parameters">KnoxSSO Configuration Parameters</a> <a
href="#KnoxSSO+Configuration+Parameters"><img src="markbook-section-link.png"/></a></h4>
 <table>
   <thead>
     <tr>
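Review bot: the new `knoxsso.cookie.domain.suffix` param is dropped into the topology the surrounding text presents as the lowest-barrier development example, with the value `.novalocal`, which looks like an OpenStack Nova instance domain copied from a test VM rather than anything a reader's hosts will share. A reader who copies this topology onto a host that does not end in `.novalocal` gets a Set-Cookie whose Domain attribute does not domain-match the request host, and per RFC 6265 the browser then ignores the cookie entirely, which is a worse failure than the "not presented to mismatched URLs" case the new table row describes. Either leave the param out of the development example, as the table row says the default is fine for single-host development, or use an obviously-replaceable placeholder and say in the paragraph before the topology that the value must be a suffix shared by the gateway host and every participating application host.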
@@ -2120,6 +2124,11 @@ APACHE_HOME/bin/apachectl -k stop
       <td>session</td>
     </tr>
     <tr>
+      <td>knoxsso.cookie.domain.suffix </td>
+      <td>optional: This indicates the portion of the request hostname that represents
the domain to be used for the cookie domain. For single host development scenarios the default
behavior should be fine. For production deployments, the expected domain should be set and
all configured URLs that are related to SSO should use this domain. Otherwise, the cookie
will not be presented by the browser to mismatched URLs. </td>
+      <td>Default cookie domain or a domain derived from a hostname that includes of
more than 2 dots.</td>
+    </tr>
+    <tr>
       <td>knoxsso.token.ttl </td>
       <td>This indicates the lifespan of the token within the cookie. Once it expires
a new cookie must be acquired from KnoxSSO. This is in milliseconds. The 36000000 in the topology
above gives you 10 hrs. </td>
       <td>30000 That is 30 seconds.</td>
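Review bot: the Default cell of the new row, `Default cookie domain or a domain derived from a hostname that includes of more than 2 dots`, is ungrammatical and leaves the two cases undefined: it does not say what the default cookie domain is (a host-only cookie with no Domain attribute, if that is the behaviour) nor which labels are kept when the hostname has more than two dots. Spell both cases out with a concrete hostname, and add to the Description that widening the Domain attribute delivers the JWT cookie to every host under that suffix, so the narrowest suffix that covers the gateway and the participating applications should be chosen. This cell is generated from config_knox_sso.md, so the fix belongs there.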
@@ -2135,7 +2144,7 @@ APACHE_HOME/bin/apachectl -k stop
       <td>^/.*$;^https?://localhost:\d{0,9}/.*$</td>
     </tr>
   </tbody>
-</table><h2><a id="Participating+Application+Configuration">Participating
Application Configuration</a> <a href="#Participating+Application+Configuration"><img
src="markbook-section-link.png"/></a></h2><h3><a id="Hadoop+Configuration+Example">Hadoop
Configuration Example</a> <a href="#Hadoop+Configuration+Example"><img src="markbook-section-link.png"/></a></h3><p>The
following is used as the KnoxSSO configuration in the Hadoop JWTRedirectAuthenticationHandler
implementation. Any participating application will need similar configuration. Since JWTRedirectAuthenticationHandler
extends the AltKerberosAuthenticationHandler, the typical kerberos configuration parameters
for authentication are also required.</p>
+</table><h3><a id="Participating+Application+Configuration">Participating
Application Configuration</a> <a href="#Participating+Application+Configuration"><img
src="markbook-section-link.png"/></a></h3><h4><a id="Hadoop+Configuration+Example">Hadoop
Configuration Example</a> <a href="#Hadoop+Configuration+Example"><img src="markbook-section-link.png"/></a></h4><p>The
following is used as the KnoxSSO configuration in the Hadoop JWTRedirectAuthenticationHandler
implementation. Any participating application will need similar configuration. Since JWTRedirectAuthenticationHandler
extends the AltKerberosAuthenticationHandler, the typical kerberos configuration parameters
for authentication are also required.</p>
 <pre><code>	&lt;property&gt;
   		&lt;name&gt;hadoop.http.authentication.type&lt;/name&gt;	&lt;value&gt;org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler&lt;/value&gt;
 	&lt;/property&gt;

Modified: knox/site/index.html
URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20151129" />
+    <meta name="Date-Revision-yyyymmdd" content="20151210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; REST API Gateway for the Hadoop Ecosystem</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-11-29</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-12-10</li>

             
                             </ul>
       </div>

Modified: knox/site/issue-tracking.html
URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20151129" />
+    <meta name="Date-Revision-yyyymmdd" content="20151210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Issue Tracking</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-11-29</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-12-10</li>

             
                             </ul>
       </div>

Modified: knox/site/license.html
URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20151129" />
+    <meta name="Date-Revision-yyyymmdd" content="20151210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project License</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-11-29</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-12-10</li>

             
                             </ul>
       </div>

Modified: knox/site/mail-lists.html
URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20151129" />
+    <meta name="Date-Revision-yyyymmdd" content="20151210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Mailing Lists</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-11-29</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-12-10</li>

             
                             </ul>
       </div>

Modified: knox/site/project-info.html
URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20151129" />
+    <meta name="Date-Revision-yyyymmdd" content="20151210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Information</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-11-29</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-12-10</li>

             
                             </ul>
       </div>

Modified: knox/site/team-list.html
URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20151129" />
+    <meta name="Date-Revision-yyyymmdd" content="20151210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Team list</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-11-29</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-12-10</li>

             
                             </ul>
       </div>

Modified: knox/trunk/books/0.7.0/config_knox_sso.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.7.0/config_knox_sso.md?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/trunk/books/0.7.0/config_knox_sso.md (original)
+++ knox/trunk/books/0.7.0/config_knox_sso.md Thu Dec 10 21:25:08 2015
@@ -1,6 +1,6 @@
-# KnoxSSO Setup and Configuration
+## KnoxSSO Setup and Configuration
 
-## Introduction
+### Introduction
 ---
 
 Authentication of the Hadoop component UIs, and those of the overall ecosystem, is usually
limited to Kerberos (which requires SPNEGO to be configured for the user's browser) and simple/psuedo.
This often results in the UIs not being secured - even in secured clusters. This is where
KnoxSSO provides value for through providing WebSSO capabilities to the Hadoop cluster.
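Review bot: demoting the chapter title from `#` to `##` means config_knox_sso.md no longer supplies its own top-level heading, so confirm that the book file which includes it nests it under a `#` parent; otherwise the generated user-guide.html gets a level-two heading with no level-one above it. While this paragraph is being touched, the unchanged context still reads `simple/psuedo` and `KnoxSSO provides value for through providing WebSSO capabilities`; fix the spelling to `pseudo` and the phrase to `provides value by providing` here, since the HTML is regenerated from this file.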
@@ -15,9 +15,9 @@ KnoxSSO provides an abstraction for inte
 
 This document describes the overall setup requirements for KnoxSSO and participating applications.
[Please see the integration guide for instructions in adding support for new applications.]
 
-## KnoxSSO Setup
+### KnoxSSO Setup
 
-### knoxsso.xml Topology
+#### knoxsso.xml Topology
 To enable KnoxSSO, we need to configure the KnoxSSO topology. The following is an example
of this topology which is configured to use HTTP Basic Auth against the Knox Demo LDAP server.
This is the lowest barrier of entry for your development environment that actually authenticates
against a real user store. What’s great is if you work against the IdP with Basic Auth
then you will work with SAML or anything else as well. SAML support is provided through our
PicketLink federation provider and we will provide an example configuration for that as well.
 
 ```
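Review bot: the unchanged paragraph above the fence ends with `SAML support is provided through our PicketLink federation provider and we will provide an example configuration for that as well`, but no such example is part of this change. Either link to the PicketLink provider section of the guide or drop the promise, so the page does not leave readers looking for a SAML topology that is not here.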
@@ -81,6 +81,10 @@ To enable KnoxSSO, we need to configure
           			<name>knoxsso.redirect.whitelist.regex</name>
           			<value>^/.*$;https?://localhost*$</value>
         		</param>
+        		<param>
+          			<name>knoxsso.cookie.domain.suffix</name>
+          			<value>.novalocal</value>
+        		</param>
     		</service>
 		</topology>
 ```
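Review bot: the `knoxsso.redirect.whitelist.regex` value two lines above the new param, `^/.*$;https?://localhost*$`, is what readers will copy, and it is not the default documented in the parameter table below (`^/.*$;^https?://localhost:\d{0,9}/.*$`): the example's second expression has no leading `^`, and `localhost*` makes only the final `t` repeatable, so it neither expresses "localhost with or without SSL" nor restricts the port, and if the matcher does not anchor at the start it would accept any originalUrl ending in `localhost`. Align the example with the documented default in the same edit. For the new param itself, `.novalocal` needs either a comment in the topology or a sentence in the prose above it saying the value must be replaced with the suffix shared by the gateway and every participating application host; as written it reads like a value copied from a test environment.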
@@ -97,19 +101,20 @@ This topology will result in a KnoxSSO U
 
 This URL is needed when configuring applications that participate in KnoxSSO for a given
deployment. We will refer to this as the Provider URL in this document.
 
-### KnoxSSO Configuration Parameters
+#### KnoxSSO Configuration Parameters
 
 Parameter | Description | Default
 --------- |----------- |----------- 
 knoxsso.cookie.secure.only | This determines whether the browser is allowed to send the cookie
over unsecured channels. This should always be set to true in production systems. If during
development a relying party is not running ssl then you can turn this off. Running with it
off exposes the cookie and underlying token for capture and replay by others. | true
 knoxsso.cookie.max.age | optional: This indicates that a cookie can only live for a specified
amount of time - in seconds. This should probably be left to the default which makes it a
session cookie. Session cookies are discarded once the browser session is closed. | session
+knoxsso.cookie.domain.suffix | optional: This indicates the portion of the request hostname
that represents the domain to be used for the cookie domain. For single host development scenarios
the default behavior should be fine. For production deployments, the expected domain should
be set and all configured URLs that are related to SSO should use this domain. Otherwise,
the cookie will not be presented by the browser to mismatched URLs. | Default cookie domain
or a domain derived from a hostname that includes of more than 2 dots.
 knoxsso.token.ttl | This indicates the lifespan of the token within the cookie. Once it expires
a new cookie must be acquired from KnoxSSO. This is in milliseconds. The 36000000 in the topology
above gives you 10 hrs. | 30000 That is 30 seconds.
 knoxsso.token.audiences | This is a comma separated list of audiences to add to the JWT token.
This is used to ensure that a token received by a participating application knows that the
token was intended for use with that application. It is optional. In the event that an application
has expected audiences and they are not present the token must be rejected. In the event where
the token has audiences and the application has none expected then the token is accepted.
OPEN ISSUE - not currently being populated in WebSSOResource. | empty
 knoxsso.redirect.whitelist.regex | A semicolon separated list of regex expressions. The incoming
originalUrl must match one of the expressions in order for KnoxSSO to redirect to it after
authentication. Defaults to only relative paths and localhost with or without SSL for development
usecases. This needs to be opened up for production use and actual participating applications.
Note that cookie use is still constrained to redirect destinations in the same domain as the
KnoxSSO service - regardless of the expressions specified here. | ^/.\*$;^https?://localhost:\\d{0,9}/.\*$
 
 
-## Participating Application Configuration
-### Hadoop Configuration Example
+### Participating Application Configuration
+#### Hadoop Configuration Example
 The following is used as the KnoxSSO configuration in the Hadoop JWTRedirectAuthenticationHandler
implementation. Any participating application will need similar configuration. Since JWTRedirectAuthenticationHandler
extends the AltKerberosAuthenticationHandler, the typical kerberos configuration parameters
for authentication are also required.
 
 ```
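Review bot: the `knoxsso.redirect.whitelist.regex` row in this hunk still says `cookie use is still constrained to redirect destinations in the same domain as the KnoxSSO service`, but with `knoxsso.cookie.domain.suffix` that domain is now whatever the operator configures, so the sentence should reference the new parameter. The new row should also state the consequence of widening it: the cookie carries the JWT, and a Domain attribute covering a whole suffix delivers it to every host beneath that suffix, so operators should pick the narrowest suffix that spans the gateway and the participating applications and never a bare public suffix such as `.com`, which browsers reject. Finally, `a hostname that includes of more than 2 dots` in the Default column should be rewritten to say concretely which labels are kept and what is sent when no suffix is configured.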


