knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject [1/2] knox git commit: KNOX-702 - Templates for AD and Application Hosting Topologies
Date Sat, 02 Apr 2016 16:47:25 GMT
Repository: knox
Updated Branches:
  refs/heads/master e1ef89a7b -> 148c6adbe


KNOX-702 - Templates for AD and Application Hosting Topologies

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/56615528
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/56615528
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/56615528

Branch: refs/heads/master
Commit: 566155285031dbd8b01527072a586a9ddcb65142
Parents: e1ef89a
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Sat Apr 2 12:45:10 2016 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Sat Apr 2 12:45:10 2016 -0400

----------------------------------------------------------------------
 .../home/conf/topologies/knoxsso.xml            | 23 ++---
 gateway-release/home/templates/ad.xml           | 65 +++++---------
 gateway-release/home/templates/sandbox-apps.xml | 89 ++++++++++++++++++++
 3 files changed, 118 insertions(+), 59 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/56615528/gateway-release/home/conf/topologies/knoxsso.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/conf/topologies/knoxsso.xml b/gateway-release/home/conf/topologies/knoxsso.xml
index 56700dd..7e962cf 100644
--- a/gateway-release/home/conf/topologies/knoxsso.xml
+++ b/gateway-release/home/conf/topologies/knoxsso.xml
@@ -16,8 +16,13 @@
   limitations under the License.
 -->
 <topology>
-
     <gateway>
+      <provider>
+        <role>webappsec</role>
+        <name>WebAppSec</name>
+        <enabled>true</enabled>
+        <param><name>xframe.options.enabled</name><value>true</value></param>
+      </provider>
 
         <provider>
             <role>authentication</role>
@@ -76,22 +81,6 @@
             <enabled>true</enabled>
         </provider>
 
-        <!--
-        Defines rules for mapping host names internal to a Hadoop cluster to externally accessible
host names.
-        For example, a hadoop service running in AWS may return a response that includes
URLs containing the
-        some AWS internal host name.  If the client needs to make a subsequent request to
the host identified
-        in those URLs they need to be mapped to external host names that the client Knox
can use to connect.
-
-        If the external hostname and internal host names are same turn of this provider by
setting the value of
-        enabled parameter as false.
-
-        The name parameter specifies the external host names in a comma separated list.
-        The value parameter specifies corresponding internal host names in a comma separated
list.
-
-        Note that when you are using Sandbox, the external hostname needs to be localhost,
as seen in out
-        of box sandbox.xml.  This is because Sandbox uses port mapping to allow clients to
connect to the
-        Hadoop services using localhost.  In real clusters, external host names would almost
never be localhost.
-        -->
         <provider>
             <role>hostmap</role>
             <name>static</name>

http://git-wip-us.apache.org/repos/asf/knox/blob/56615528/gateway-release/home/templates/ad.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/ad.xml b/gateway-release/home/templates/ad.xml
index 8586a61..3398f13 100644
--- a/gateway-release/home/templates/ad.xml
+++ b/gateway-release/home/templates/ad.xml
@@ -18,52 +18,33 @@
 <topology>
 
     <gateway>
-
         <provider>
             <role>authentication</role>
             <name>ShiroProvider</name>
             <enabled>true</enabled>
-            <param>
-                <!-- 
-                session timeout in minutes,  this is really idle timeout,
-                defaults to 30mins, if the property value is not defined,, 
-                current client authentication would expire if client idles contiuosly for
more than this value
-                -->
-                <name>sessionTimeout</name>
-                <value>30</value>
-            </param>
-            <param>
-                <name>main.ldapRealm</name>
-                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
-            </param>
-            <param>
-                <name>main.ldapContextFactory</name>
-                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
-            </param>
-            <param>
-                <name>main.ldapRealm.contextFactory</name>
-                <value>$ldapContextFactory</value>
-            </param>
-            <param>
-                <name>main.ldapRealm.userDnTemplate</name>
-                <!-- If your AD is configured to authenticate based on just the cn and
password and does not require user DN, 
-                    you do not have to specify value for  main.ldapRealm.userDnTemplate.
-->
-                <!-- ADJUST template for your AD DIT model -->
-                <value>cn={0},cn=users,dc=sample,dc=example,dc=com</value>
-            </param>
-            <param>
-                <name>main.ldapRealm.contextFactory.url</name>
-                <!-- ADJUST host, port for your AD setup-->
-                <value>ldap://ad.example.com:389</value>
-            </param>
-            <param>
-                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
-                <value>simple</value>
-            </param>
-            <param>
-                <name>urls./**</name>
-                <value>authcBasic</value>
-            </param>
+            <param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/>
+            <param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"/>
+            <param name="main.ldapRealm.contextFactory" value="$ldapContextFactory"/>
+
+            <param name="main.ldapRealm.contextFactory.url" value="ldap://ad.qa.your-domain.com:389"/>
+            <param name="main.ldapRealm.contextFactory.systemUsername" value="CN=sam,CN=Users,DC=hwqe,DC=hortonworks,DC=com"/>
+            <param name="main.ldapRealm.contextFactory.systemPassword" value="********"/>
+
+            <param name="main.ldapRealm.userSearchBase" value="CN=Users,DC=hwqe,DC=hortonworks,DC=com"/>
+            <param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
+            <param name="main.ldapRealm.userObjectClass" value="person"/>
+
+            <param name="main.ldapRealm.authorizationEnabled" value="true"/>
+            <param name="main.ldapRealm.groupSearchBase" value="OU=groups,DC=hwqe,DC=hortonworks,DC=com"/>
+            <param name="main.ldapRealm.groupObjectClass" value="group"/>
+            <param name="main.ldapRealm.groupIdAttribute" value="sAMAccountName"/>
+            <param name="main.ldapRealm.memberAttribute" value="member"/>
+
+            <param name="main.cacheManager" value="org.apache.shiro.cache.ehcache.EhCacheManager"/>
+            <param name="main.securityManager.cacheManager" value="$cacheManager"/>
+            <param name="main.ldapRealm.authenticationCachingEnabled" value="true"/>
+
+            <param name="urls./**" value="authcBasic"/>
         </provider>
 
         <provider>

http://git-wip-us.apache.org/repos/asf/knox/blob/56615528/gateway-release/home/templates/sandbox-apps.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/sandbox-apps.xml b/gateway-release/home/templates/sandbox-apps.xml
new file mode 100644
index 0000000..bed6470
--- /dev/null
+++ b/gateway-release/home/templates/sandbox-apps.xml
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<topology>
+    <provider>
+      <role>webappsec</role>
+      <name>WebAppSec</name>
+      <enabled>true</enabled>
+      <param><name>xframe.options.enabled</name><value>true</value></param>
+      <param><name>csrf.enabled</name><value>true</value></param>
+    </provider>
+
+    <gateway>
+      <provider>
+          <role>federation</role>
+          <name>SSOCookieProvider</name>
+          <enabled>true</enabled>
+          <param>
+              <name>sso.authentication.provider.url</name>
+              <value>https://www.local.com:8443/gateway/knoxsso/knoxauth/login.html</value>
+          </param>
+      </provider>
+
+      <provider>
+          <role>identity-assertion</role>
+          <name>Default</name>
+          <enabled>true</enabled>
+      </provider>
+    </gateway>
+    
+    <!--application>
+      <name>knoxplorer</name>
+    </application-->
+
+    <service>
+        <role>NAMENODE</role>
+        <url>hdfs://localhost:8020</url>
+    </service>
+
+    <service>
+        <role>JOBTRACKER</role>
+        <url>rpc://localhost:8050</url>
+    </service>
+
+    <service>
+        <role>WEBHDFS</role>
+        <url>http://localhost:50070/webhdfs</url>
+    </service>
+
+    <service>
+        <role>WEBHCAT</role>
+        <url>http://localhost:50111/templeton</url>
+    </service>
+
+    <service>
+        <role>OOZIE</role>
+        <url>http://localhost:11000/oozie</url>
+    </service>
+
+    <service>
+        <role>WEBHBASE</role>
+        <url>http://localhost:60080</url>
+    </service>
+
+    <service>
+        <role>HIVE</role>
+        <url>http://localhost:10001/cliservice</url>
+    </service>
+
+    <service>
+        <role>RESOURCEMANAGER</role>
+        <url>http://localhost:8088/ws</url>
+    </service>
+
+</topology>


Mime
View raw message