From lmc...@apache.org
Subject svn commit: r1755108 - in /knox: site/ site/books/knox-0-4-0/ site/books/knox-0-5-0/ site/books/knox-0-6-0/ site/books/knox-0-7-0/ site/books/knox-0-8-0/ site/books/knox-0-9-0/ trunk/ trunk/books/0.9.0/
Date Wed, 03 Aug 2016 19:42:23 GMT
Author: lmccay
Date: Wed Aug  3 19:42:22 2016
New Revision: 1755108

URL: http://svn.apache.org/viewvc?rev=1755108&view=rev
Log:
updating knoxsso and 0.9.1 book

Modified:
    knox/site/books/knox-0-4-0/deployment-overview.png
    knox/site/books/knox-0-4-0/deployment-provider.png
    knox/site/books/knox-0-4-0/deployment-service.png
    knox/site/books/knox-0-4-0/runtime-overview.png
    knox/site/books/knox-0-4-0/runtime-request-processing.png
    knox/site/books/knox-0-5-0/deployment-overview.png
    knox/site/books/knox-0-5-0/deployment-provider.png
    knox/site/books/knox-0-5-0/deployment-service.png
    knox/site/books/knox-0-5-0/runtime-overview.png
    knox/site/books/knox-0-5-0/runtime-request-processing.png
    knox/site/books/knox-0-6-0/deployment-overview.png
    knox/site/books/knox-0-6-0/deployment-provider.png
    knox/site/books/knox-0-6-0/deployment-service.png
    knox/site/books/knox-0-6-0/runtime-overview.png
    knox/site/books/knox-0-6-0/runtime-request-processing.png
    knox/site/books/knox-0-7-0/deployment-overview.png
    knox/site/books/knox-0-7-0/deployment-provider.png
    knox/site/books/knox-0-7-0/deployment-service.png
    knox/site/books/knox-0-7-0/general_saml_flow.png
    knox/site/books/knox-0-7-0/runtime-overview.png
    knox/site/books/knox-0-7-0/runtime-request-processing.png
    knox/site/books/knox-0-8-0/deployment-overview.png
    knox/site/books/knox-0-8-0/deployment-provider.png
    knox/site/books/knox-0-8-0/deployment-service.png
    knox/site/books/knox-0-8-0/general_saml_flow.png
    knox/site/books/knox-0-8-0/runtime-overview.png
    knox/site/books/knox-0-8-0/runtime-request-processing.png
    knox/site/books/knox-0-9-0/deployment-overview.png
    knox/site/books/knox-0-9-0/deployment-provider.png
    knox/site/books/knox-0-9-0/deployment-service.png
    knox/site/books/knox-0-9-0/general_saml_flow.png
    knox/site/books/knox-0-9-0/runtime-overview.png
    knox/site/books/knox-0-9-0/runtime-request-processing.png
    knox/site/books/knox-0-9-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/0.9.0/config_knox_sso.md
    knox/trunk/build.xml

Modified: knox/site/books/knox-0-4-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-provider.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-service.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-request-processing.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-provider.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-service.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-request-processing.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-provider.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-service.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-request-processing.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-provider.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-service.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/general_saml_flow.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/general_saml_flow.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-request-processing.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-8-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/deployment-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-8-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/deployment-provider.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-8-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/deployment-service.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-8-0/general_saml_flow.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/general_saml_flow.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-8-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/runtime-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-8-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-8-0/runtime-request-processing.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-9-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/deployment-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-9-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/deployment-provider.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-9-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/deployment-service.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-9-0/general_saml_flow.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/general_saml_flow.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-9-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/runtime-overview.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-9-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/runtime-request-processing.png?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-9-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-9-0/user-guide.html?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
--- knox/site/books/knox-0-9-0/user-guide.html (original)
+++ knox/site/books/knox-0-9-0/user-guide.html Wed Aug  3 19:42:22 2016
@@ -2460,76 +2460,9 @@ APACHE_HOME/bin/apachectl -k stop
 </table>
 <blockquote><p>Get more details on the <a href="https://github.com/pac4j/pac4j/wiki/Clients#openid-connect-support">pac4j
wiki</a>.</p>
 </blockquote><p>In fact, you can even define several identity providers at the
same time, the first being chosen by default unless you define a <code>client_name</code>
parameter to specify it (<code>FacebookClient</code>, <code>TwitterClient</code>,
<code>CasClient</code>, <code>SAML2Client</code> or <code>OidcClient</code>).</p><h5><a
id="UI+invocation">UI invocation</a> <a href="#UI+invocation"><img src="markbook-section-link.png"/></a></h5><p>In
a browser, when calling your Hadoop service (for example: <code>https://127.0.0.1:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS</code>),
you are redirected to the identity provider for login. Then, after a successful authentication,
your are redirected back to your originally requested url and your KnoxSSO session is initialized.</p><h2><a
id="KnoxSSO+Setup+and+Configuration">KnoxSSO Setup and Configuration</a> <a href="#KnoxSSO+Setup+and+Configuration"><img
src="markbook-section-link.png"/></a></h2><h3><a id="Introduction">Introduct
 ion</a> <a href="#Introduction"><img src="markbook-section-link.png"/></a></h3>
-<hr/><p>Authentication of the Hadoop component UIs, and those of the overall
ecosystem, is usually limited to Kerberos (which requires SPNEGO to be configured for the
user&rsquo;s browser) and simple/psuedo. This often results in the UIs not being secured
- even in secured clusters. This is where KnoxSSO provides value by providing WebSSO capabilities
to the Hadoop cluster.</p><p>By leveraging the hadoop-auth module in Hadoop common,
we have introduced the ability to consume a common SSO cookie for web UIs while retaining
the non-web browser authentication through kerberos/SPNEGO. We do this by extending the AltKerberosAuthenticationHandler
class which provides the useragent based multiplexing. </p><p>We also provide
integration guidance within the developers guide for other applications to be able to participate
in these SSO capabilities.</p><p>The flexibility of the Apache Knox authentication
and federation providers allows KnoxSSO to provide a normalization of authentication even
 ts through token exchange resulting in a common JWT (JSON WebToken) based token.</p><p>KnoxSSO
provides an abstraction for integrating any number of authentication systems and SSO solutions
and enables participating web applications to scale to those solutions more easily. Without
the token exchange capabilities offered by KnoxSSO each component UI would need to integrate
with each desired solution on its own. With KnoxSSO they only need to integrate with the single
solution and common token.</p><p>This document describes the overall setup requirements
for KnoxSSO and participating applications.</p><h3><a id="KnoxSSO+Setup">KnoxSSO
Setup</a> <a href="#KnoxSSO+Setup"><img src="markbook-section-link.png"/></a></h3><h4><a
id="knoxsso.xml+Topology">knoxsso.xml Topology</a> <a href="#knoxsso.xml+Topology"><img
src="markbook-section-link.png"/></a></h4><p>To enable KnoxSSO, we need
to configure the KnoxSSO topology. The following is an example of this topology which is configured
to use H
 TTP Basic Auth against the Knox Demo LDAP server. This is the lowest barrier of entry for
your development environment that actually authenticates against a real user store. What&rsquo;s
great is if you work against the IdP with Basic Auth then you will work with SAML or anything
else as well. SAML support is provided through our PicketLink federation provider and we will
provide an example configuration for that as well.</p>
-<pre><code>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
-&lt;topology&gt;
-    &lt;gateway&gt;
-        &lt;provider&gt;
-            &lt;role&gt;authentication&lt;/role&gt;
-            &lt;name&gt;ShiroProvider&lt;/name&gt;
-            &lt;enabled&gt;true&lt;/enabled&gt;
-            &lt;param&gt;
-                &lt;name&gt;sessionTimeout&lt;/name&gt;
-                &lt;value&gt;30&lt;/value&gt;
-            &lt;/param&gt;
-            &lt;param&gt;
-                &lt;name&gt;main.ldapRealm&lt;/name&gt;
-                &lt;value&gt;org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm&lt;/value&gt;
-            &lt;/param&gt;
-            &lt;param&gt;
-                &lt;name&gt;main.ldapContextFactory&lt;/name&gt;
-                &lt;value&gt;org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory&lt;/value&gt;
-            &lt;/param&gt;
-            &lt;param&gt;
-                &lt;name&gt;main.ldapRealm.contextFactory&lt;/name&gt;
-                &lt;value&gt;$ldapContextFactory&lt;/value&gt;
-            &lt;/param&gt;
-            &lt;param&gt;
-                &lt;name&gt;main.ldapRealm.userDnTemplate&lt;/name&gt;
-                &lt;value&gt;uid={0},ou=people,dc=hadoop,dc=apache,dc=org&lt;/value&gt;
-            &lt;/param&gt;
-            &lt;param&gt;
-                &lt;name&gt;main.ldapRealm.contextFactory.url&lt;/name&gt;
-                &lt;value&gt;ldap://localhost:33389&lt;/value&gt;
-            &lt;/param&gt;
-            &lt;param&gt;
-                &lt;name&gt;main.ldapRealm.contextFactory.authenticationMechanism&lt;/name&gt;
-                &lt;value&gt;simple&lt;/value&gt;
-            &lt;/param&gt;
-            &lt;param&gt;
-                &lt;name&gt;urls./**&lt;/name&gt;
-                &lt;value&gt;authcBasic&lt;/value&gt;
-            &lt;/param&gt;
-        &lt;/provider&gt;
-        &lt;provider&gt;
-            &lt;role&gt;identity-assertion&lt;/role&gt;
-            &lt;name&gt;Default&lt;/name&gt;
-            &lt;enabled&gt;true&lt;/enabled&gt;
-        &lt;/provider&gt;
-    &lt;/gateway&gt;
-    &lt;service&gt;
-        &lt;role&gt;KNOXSSO&lt;/role&gt;
-        &lt;param&gt;
-            &lt;name&gt;knoxsso.cookie.secure.only&lt;/name&gt;
-            &lt;value&gt;true&lt;/value&gt;
-        &lt;/param&gt;
-        &lt;param&gt;
-            &lt;name&gt;knoxsso.token.ttl&lt;/name&gt;
-            &lt;value&gt;100000&lt;/value&gt;
-        &lt;/param&gt;
-        &lt;param&gt;
-            &lt;name&gt;knoxsso.redirect.whitelist.regex&lt;/name&gt;
-            &lt;value&gt;^/.*$;https?://localhost*$&lt;/value&gt;
-        &lt;/param&gt;
-        &lt;param&gt;
-            &lt;name&gt;knoxsso.cookie.domain.suffix&lt;/name&gt;
-            &lt;value&gt;.novalocal&lt;/value&gt;
-        &lt;/param&gt;
-    &lt;/service&gt;
-&lt;/topology&gt;
-</code></pre><p>Just as with any Knox service, the KNOXSSO service is protected
by the gateway providers defined above it. In this case, the ShiroProvider is taking care
of HTTP Basic Auth against LDAP for us. Once the user authenticates the request processing
continues to the KNOXSSO service that will create the required cookie and do the necessary
redirects.</p><p>The authentication/federation provider can be swapped out to
fit your deployment environment.</p><p>This is a good place to start in the setup
of KnoxSSO as it doesn&rsquo;t pull in dependencies on external identity solutions. Once
we have this working, we can switch to a federation provider and integrate a preferred SSO
solution.</p><p>This topology will result in a KnoxSSO URL that looks something
like:</p>
+<hr/><p>Authentication of the Hadoop component UIs, and those of the overall
ecosystem, is usually limited to Kerberos (which requires SPNEGO to be configured for the
user&rsquo;s browser) and simple/psuedo. This often results in the UIs not being secured
- even in secured clusters. This is where KnoxSSO provides value by providing WebSSO capabilities
to the Hadoop cluster.</p><p>By leveraging the hadoop-auth module in Hadoop common,
we have introduced the ability to consume a common SSO cookie for web UIs while retaining
the non-web browser authentication through kerberos/SPNEGO. We do this by extending the AltKerberosAuthenticationHandler
class which provides the useragent based multiplexing. </p><p>We also provide
integration guidance within the developers guide for other applications to be able to participate
in these SSO capabilities.</p><p>The flexibility of the Apache Knox authentication
and federation providers allows KnoxSSO to provide a normalization of authentication even
 ts through token exchange resulting in a common JWT (JSON WebToken) based token.</p><p>KnoxSSO
provides an abstraction for integrating any number of authentication systems and SSO solutions
and enables participating web applications to scale to those solutions more easily. Without
the token exchange capabilities offered by KnoxSSO each component UI would need to integrate
with each desired solution on its own. With KnoxSSO they only need to integrate with the single
solution and common token.</p><p>This document describes the overall setup requirements
for KnoxSSO and participating applications.</p><h3><a id="KnoxSSO+Setup">KnoxSSO
Setup</a> <a href="#KnoxSSO+Setup"><img src="markbook-section-link.png"/></a></h3><h4><a
id="knoxsso.xml+Topology">knoxsso.xml Topology</a> <a href="#knoxsso.xml+Topology"><img
src="markbook-section-link.png"/></a></h4><p>To enable KnoxSSO, we use
the KnoxSSO topology for exposing an API that can be used to abstract the use of any number
of enterprise or 
 customer IDPs. By default, the knoxsso.xml file is configured for using the simple KnoxAuth
application for form-based authentication against LDAP/AD. By swapping the Shiro authentication
provider that is there out-of-the-box with another authentication or federation provider,
an admin may leverage many of the existing providers for SSO for the UI components that participate
in KnoxSSO.</p><p>Just as with any Knox service, the KNOXSSO service is protected
by the gateway providers defined above it. In this case, the ShiroProvider is taking care
of HTTP Basic Auth against LDAP for us. Once the user authenticates the request processing
continues to the KNOXSSO service that will create the required cookie and do the necessary
redirects.</p><p>The knoxsso.xml topology will result in a KnoxSSO URL that looks
something like:</p>
 <pre><code>https://{gateway_host}:{gateway_port}/gateway/knoxsso/api/v1/websso
-</code></pre><p>This URL is needed when configuring applications that participate
in KnoxSSO for a given deployment. We will refer to this as the Provider URL in this document.</p><h4><a
id="KnoxSSO+Configuration+Parameters">KnoxSSO Configuration Parameters</a> <a
href="#KnoxSSO+Configuration+Parameters"><img src="markbook-section-link.png"/></a></h4>
+</code></pre><p>This URL is needed when configuring applications that participate
in KnoxSSO for a given deployment. We will refer to this as the Provider URL.</p><h4><a
id="KnoxSSO+Configuration+Parameters">KnoxSSO Configuration Parameters</a> <a
href="#KnoxSSO+Configuration+Parameters"><img src="markbook-section-link.png"/></a></h4>
 <table>
   <thead>
     <tr>
@@ -2578,7 +2511,7 @@ APACHE_HOME/bin/apachectl -k stop
 </code></pre><p>This is the handler classname in Hadoop auth for JWT token
(KnoxSSO) support.</p>
 <pre><code>&lt;property&gt;
     &lt;name&gt;hadoop.http.authentication.authentication.provider.url&lt;/name&gt;
-    &lt;value&gt;http://c6401.ambari.apache.org:8888/knoxsso&lt;/value&gt;
+    &lt;value&gt;https://c6401.ambari.apache.org:8443/gateway/knoxsso/api/v1/websso&lt;/value&gt;
 &lt;/property&gt;
 </code></pre><p>The above property is the SSO provider URL that points
to the knoxsso endpoint.</p>
 <pre><code>&lt;property&gt;
@@ -2597,7 +2530,7 @@ APACHE_HOME/bin/apachectl -k stop
   wUpEdVKzOQd4V7vRxpdANxtbG/XXrJAAcY/S+eMy1eDK73cmaVPnxPUGWmMnQXUi
   TLab+w8tBQhNbq6BOQ42aOrLxA8k/M4cV1A=&lt;/value&gt;
 &lt;/property&gt;
-</code></pre><p>The above property holds the KnoxSSO server&rsquo;s
public key for signature verification. Adding it directly to the config like this is convenient
and is easily done through Ambari to existing config files that take custom properties. Config
is generally protected as root access only as well - so it is a pretty good solution.</p><h3><a
id="Mutual+Authentication+with+SSL">Mutual Authentication with SSL</a> <a href="#Mutual+Authentication+with+SSL"><img
src="markbook-section-link.png"/></a></h3><p>To establish a stronger
trust relationship between client and server, we provide mutual authentication with SSL via
client certs. This is particularly useful in providing additional validation for Preauthenticated
SSO with HTTP Headers. Rather than just ip address validation, connections will only be accepted
by Knox from clients presenting trusted certificates.</p><p>This behavior is configured
for the entire gateway instance within the gateway-site.xml file. All topologies
  deployed within the gateway instance with mutual authentication enabled will require incoming
connections to present trusted client certificates during the SSL handshake. Otherwise, connections
will be refused.</p><p>The following table describes the configuration elements
related to mutual authentication and their defaults:</p>
+</code></pre><p>The above property holds the KnoxSSO server&rsquo;s
public key for signature verification. Adding it directly to the config like this is convenient
and is easily done through Ambari to existing config files that take custom properties. Config
is generally protected as root access only as well - so it is a pretty good solution.</p><p>Individual
UIs within the Hadoop ecosystem will have similar configuration for participating in the KnoxSSO
websso capabilities.</p><p>Blogs will be provided on the Apache Knox project site
for these usecases as they become available.</p><h3><a id="Mutual+Authentication+with+SSL">Mutual
Authentication with SSL</a> <a href="#Mutual+Authentication+with+SSL"><img
src="markbook-section-link.png"/></a></h3><p>To establish a stronger
trust relationship between client and server, we provide mutual authentication with SSL via
client certs. This is particularly useful in providing additional validation for Preauthenticated
SSO with HTTP Headers. R
 ather than just ip address validation, connections will only be accepted by Knox from clients
presenting trusted certificates.</p><p>This behavior is configured for the entire
gateway instance within the gateway-site.xml file. All topologies deployed within the gateway
instance with mutual authentication enabled will require incoming connections to present trusted
client certificates during the SSL handshake. Otherwise, connections will be refused.</p><p>The
following table describes the configuration elements related to mutual authentication and
their defaults:</p>
 <table>
   <thead>
     <tr>

Modified: knox/site/index.html
URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Wed Aug  3 19:42:22 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-07-21
+ | Generated by Apache Maven Doxia at 2016-08-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160721" />
+    <meta name="Date-Revision-yyyymmdd" content="20160803" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; REST API Gateway for the Apache Hadoop Ecosystem</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-07-21</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-08-03</li>

             
                             </ul>
       </div>

Modified: knox/site/issue-tracking.html
URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Wed Aug  3 19:42:22 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-07-21
+ | Generated by Apache Maven Doxia at 2016-08-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160721" />
+    <meta name="Date-Revision-yyyymmdd" content="20160803" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Issue Tracking</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-07-21</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-08-03</li>

             
                             </ul>
       </div>

Modified: knox/site/license.html
URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Wed Aug  3 19:42:22 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-07-21
+ | Generated by Apache Maven Doxia at 2016-08-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160721" />
+    <meta name="Date-Revision-yyyymmdd" content="20160803" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project License</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-07-21</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-08-03</li>

             
                             </ul>
       </div>

Modified: knox/site/mail-lists.html
URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Wed Aug  3 19:42:22 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-07-21
+ | Generated by Apache Maven Doxia at 2016-08-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160721" />
+    <meta name="Date-Revision-yyyymmdd" content="20160803" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Mailing Lists</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-07-21</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-08-03</li>

             
                             </ul>
       </div>

Modified: knox/site/project-info.html
URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Wed Aug  3 19:42:22 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-07-21
+ | Generated by Apache Maven Doxia at 2016-08-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160721" />
+    <meta name="Date-Revision-yyyymmdd" content="20160803" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Information</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-07-21</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-08-03</li>

             
                             </ul>
       </div>

Modified: knox/site/team-list.html
URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Wed Aug  3 19:42:22 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-07-21
+ | Generated by Apache Maven Doxia at 2016-08-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160721" />
+    <meta name="Date-Revision-yyyymmdd" content="20160803" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Team list</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-07-21</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-08-03</li>

             
                             </ul>
       </div>

Modified: knox/trunk/books/0.9.0/config_knox_sso.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.9.0/config_knox_sso.md?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
--- knox/trunk/books/0.9.0/config_knox_sso.md (original)
+++ knox/trunk/books/0.9.0/config_knox_sso.md Wed Aug  3 19:42:22 2016
@@ -18,86 +18,15 @@ This document describes the overall setu
 ### KnoxSSO Setup
 
 #### knoxsso.xml Topology
-To enable KnoxSSO, we need to configure the KnoxSSO topology. The following is an example
of this topology which is configured to use HTTP Basic Auth against the Knox Demo LDAP server.
This is the lowest barrier of entry for your development environment that actually authenticates
against a real user store. What's great is if you work against the IdP with Basic Auth then
you will work with SAML or anything else as well. SAML support is provided through our PicketLink
federation provider and we will provide an example configuration for that as well.
-
-    <?xml version="1.0" encoding="utf-8"?>
-    <topology>
-        <gateway>
-            <provider>
-                <role>authentication</role>
-                <name>ShiroProvider</name>
-                <enabled>true</enabled>
-                <param>
-                    <name>sessionTimeout</name>
-                    <value>30</value>
-                </param>
-                <param>
-                    <name>main.ldapRealm</name>
-                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
-                </param>
-                <param>
-                    <name>main.ldapContextFactory</name>
-                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
-                </param>
-                <param>
-                    <name>main.ldapRealm.contextFactory</name>
-                    <value>$ldapContextFactory</value>
-                </param>
-                <param>
-                    <name>main.ldapRealm.userDnTemplate</name>
-                    <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
-                </param>
-                <param>
-                    <name>main.ldapRealm.contextFactory.url</name>
-                    <value>ldap://localhost:33389</value>
-                </param>
-                <param>
-                    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
-                    <value>simple</value>
-                </param>
-                <param>
-                    <name>urls./**</name>
-                    <value>authcBasic</value>
-                </param>
-            </provider>
-            <provider>
-                <role>identity-assertion</role>
-                <name>Default</name>
-                <enabled>true</enabled>
-            </provider>
-        </gateway>
-        <service>
-            <role>KNOXSSO</role>
-            <param>
-                <name>knoxsso.cookie.secure.only</name>
-                <value>true</value>
-            </param>
-            <param>
-                <name>knoxsso.token.ttl</name>
-                <value>100000</value>
-            </param>
-            <param>
-                <name>knoxsso.redirect.whitelist.regex</name>
-                <value>^/.*$;https?://localhost*$</value>
-            </param>
-            <param>
-                <name>knoxsso.cookie.domain.suffix</name>
-                <value>.novalocal</value>
-            </param>
-        </service>
-    </topology>
+To enable KnoxSSO, we use the KnoxSSO topology for exposing an API that can be used to abstract
the use of any number of enterprise or customer IDPs. By default, the knoxsso.xml file is
configured for using the simple KnoxAuth application for form-based authentication against
LDAP/AD. By swapping the Shiro authentication provider that is there out-of-the-box with another
authentication or federation provider, an admin may leverage many of the existing providers
for SSO for the UI components that participate in KnoxSSO.
 
 Just as with any Knox service, the KNOXSSO service is protected by the gateway providers
defined above it. In this case, the ShiroProvider is taking care of HTTP Basic Auth against
LDAP for us. Once the user authenticates the request processing continues to the KNOXSSO service
that will create the required cookie and do the necessary redirects.
 
-The authentication/federation provider can be swapped out to fit your deployment environment.
-
-This is a good place to start in the setup of KnoxSSO as it doesn't pull in dependencies
on external identity solutions. Once we have this working, we can switch to a federation provider
and integrate a preferred SSO solution.
-
-This topology will result in a KnoxSSO URL that looks something like:
+The knoxsso.xml topology will result in a KnoxSSO URL that looks something like:
 
     https://{gateway_host}:{gateway_port}/gateway/knoxsso/api/v1/websso
 
-This URL is needed when configuring applications that participate in KnoxSSO for a given
deployment. We will refer to this as the Provider URL in this document.
+This URL is needed when configuring applications that participate in KnoxSSO for a given
deployment. We will refer to this as the Provider URL.
 
 #### KnoxSSO Configuration Parameters
 
@@ -127,7 +56,7 @@ This is the handler classname in Hadoop
 
     <property>
         <name>hadoop.http.authentication.authentication.provider.url</name>
-        <value>http://c6401.ambari.apache.org:8888/knoxsso</value>
+        <value>https://c6401.ambari.apache.org:8443/gateway/knoxsso/api/v1/websso</value>
     </property>
 
 
@@ -150,4 +79,8 @@ The above property is the SSO provider U
       TLab+w8tBQhNbq6BOQ42aOrLxA8k/M4cV1A=</value>
     </property>
 
-The above property holds the KnoxSSO server's public key for signature verification. Adding
it directly to the config like this is convenient and is easily done through Ambari to existing
config files that take custom properties. Config is generally protected as root access only
as well - so it is a pretty good solution.
\ No newline at end of file
+The above property holds the KnoxSSO server's public key for signature verification. Adding
it directly to the config like this is convenient and is easily done through Ambari to existing
config files that take custom properties. Config is generally protected as root access only
as well - so it is a pretty good solution.
+
+Individual UIs within the Hadoop ecosystem will have similar configuration for participating
in the KnoxSSO websso capabilities.
+
+Blogs will be provided on the Apache Knox project site for these usecases as they become
available.
\ No newline at end of file

Modified: knox/trunk/build.xml
URL: http://svn.apache.org/viewvc/knox/trunk/build.xml?rev=1755108&r1=1755107&r2=1755108&view=diff
==============================================================================
--- knox/trunk/build.xml (original)
+++ knox/trunk/build.xml Wed Aug  3 19:42:22 2016
@@ -36,6 +36,7 @@
     <property name="book-0-7-0-dir" value="${book-target}/${gateway-artifact}-0-7-0"/>
     <property name="book-0-8-0-dir" value="${book-target}/${gateway-artifact}-0-8-0"/>
     <property name="book-0-9-0-dir" value="${book-target}/${gateway-artifact}-0-9-0"/>
+    <property name="book-0-9-1-dir" value="${book-target}/${gateway-artifact}-0-9-1"/>
 
     <property name="svn.release.path" value="https://dist.apache.org/repos/dist/release/incubator/${gateway-project}"
/>
     <property name="svn.staging.path" value="https://dist.apache.org/repos/dist/dev/incubator/${gateway-project}"
/>
@@ -84,7 +85,7 @@
     </target>
 
     <target name="books" depends="markbook,_books"/>
-    <target name="_books" depends="_book-0-3-0,_book-0-4-0,_book-0-5-0,_book-0-6-0,_book-0-7-0,_book-0-8-0,_book-0-9-0"/>
+    <target name="_books" depends="_book-0-3-0,_book-0-4-0,_book-0-5-0,_book-0-6-0,_book-0-7-0,_book-0-8-0,_book-0-9-0,_book-0-9-1"/>
     <target name="_book-0-3-0" depends="init">
         <delete dir="${book-target}/${gateway-artifact}-0-3-0" includes="**/*.html,**/*.css,**/*.png"/>
         <java jar="markbook/target/markbook.jar" fork="true" failonerror="true">
@@ -191,6 +192,24 @@
             <fileset dir="books/static"/>
         </copy>
     </target>
+    <target name="_book-0-9-1" depends="init">
+        <delete dir="${book-target}/${gateway-artifact}-0-9-1" includes="**/*.html,**/*.css,**/*.png"/>
+        <java jar="markbook/target/markbook.jar" fork="true" failonerror="true">
+            <arg value="-i"/><arg value="books/0.9.1/book.md"/>
+            <arg value="-o"/><arg value="${book-0-9-1-dir}/user-guide.html"/>
+        </java>
+        <java jar="markbook/target/markbook.jar" fork="true" failonerror="true">
+            <arg value="-i"/><arg value="books/0.9.1/dev-guide/book.md"/>
+            <arg value="-o"/><arg value="${book-0-9-1-dir}/dev-guide.html"/>
+        </java>
+        <java jar="markbook/target/markbook.jar" fork="true" failonerror="true">
+            <arg value="-i"/><arg value="books/0.9.1/dev-guide/knoxsso_integration.md"/>
+            <arg value="-o"/><arg value="${book-0-9-1-dir}/knoxsso_integration.html"/>
+        </java>
+        <copy todir="${book-target}/${gateway-artifact}-0-9-1">
+            <fileset dir="books/static"/>
+        </copy>
+    </target>
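Review bot: The new `_book-0-9-1` target is a verbatim copy of the `_book-0-9-0` target with the version string substituted, repeating the per-release pattern already present in this file; a `<macrodef name="build-book">` taking the version and output dir as attributes would make each release a one-line call and stop the per-release copies drifting apart (one target picking up the `knoxsso_integration.md` step while an older one does not). It also runs markbook against `books/0.9.1/book.md` and `books/0.9.1/dev-guide/book.md` with `failonerror="true"`, so the `books` target will fail outright unless that directory is added in the same commit; the only book source visible in this diff is `books/0.9.0/config_knox_sso.md`, so this is inferred from the diff alone and worth confirming. The `_book-0-9-0` target and `book-0-9-0-dir` property are kept, so the previous book still builds; only `review-book` is switched to 0.9.1.
```xml
<macrodef name="build-book">
    <attribute name="version"/>
    <attribute name="dir"/>
    <sequential>
        <delete dir="@{dir}" includes="**/*.html,**/*.css,**/*.png"/>
        <java jar="markbook/target/markbook.jar" fork="true" failonerror="true">
            <arg value="-i"/><arg value="books/@{version}/book.md"/>
            <arg value="-o"/><arg value="@{dir}/user-guide.html"/>
        </java>
        <!-- … dev-guide.html and knoxsso_integration.html invocations, same shape … -->
        <copy todir="@{dir}">
            <fileset dir="books/static"/>
        </copy>
    </sequential>
</macrodef>
<target name="_book-0-9-1" depends="init">
    <build-book version="0.9.1" dir="${book-0-9-1-dir}"/>
</target>
```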
 
     <target name="markbook" depends="init" description="Build and package markbook tool.">
         <exec executable="${mvn.cmd}">
@@ -203,10 +222,10 @@
 
     <target name="review-book" depends="init" description="Open the default book in the
default browser.">
         <exec executable="${browser.cmd}">
-            <arg line="${book-0-9-0-dir}/user-guide.html" />
+            <arg line="${book-0-9-1-dir}/user-guide.html" />
         </exec>
         <exec executable="${browser.cmd}">
-            <arg line="${book-0-9-0-dir}/dev-guide.html" />
+            <arg line="${book-0-9-1-dir}/dev-guide.html" />
         </exec>
     </target>
 



