
From lmc...@apache.org
Subject svn commit: r1774356 - in /knox: site/ site/books/knox-0-11-0/ trunk/ trunk/books/0.11.0/ trunk/markbook/
Date Thu, 15 Dec 2016 00:01:11 GMT
Author: lmccay
Date: Thu Dec 15 00:01:10 2016
New Revision: 1774356

URL: http://svn.apache.org/viewvc?rev=1774356&view=rev
Log:
hadoop group lookup provider docs and reorg of toc

Modified:
    knox/site/books/knox-0-11-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/0.11.0/book.md
    knox/trunk/books/0.11.0/config_id_assertion.md
    knox/trunk/markbook/pom.xml
    knox/trunk/pom.xml

Modified: knox/site/books/knox-0-11-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-11-0/user-guide.html?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/site/books/knox-0-11-0/user-guide.html (original)
+++ knox/site/books/knox-0-11-0/user-guide.html Thu Dec 15 00:01:10 2016
@@ -13,7 +13,7 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
---><p><link href="book.css" rel="stylesheet"/></p><p><img src="knox-logo.gif"
alt="Knox"/> <!-- <img src="apache-logo.gif" alt="Apache"/> --> <img src="apache-logo.gif"
align="right" alt="Apache"/></p><h1><a id="Apache+Knox+Gateway+0.10.x+User's+Guide">Apache
Knox Gateway 0.10.x User&rsquo;s Guide</a> <a href="#Apache+Knox+Gateway+0.10.x+User's+Guide"><img
src="markbook-section-link.png"/></a></h1><h2><a id="Table+Of+Contents">Table
Of Contents</a> <a href="#Table+Of+Contents"><img src="markbook-section-link.png"/></a></h2>
+--><p><link href="book.css" rel="stylesheet"/></p><p><img src="knox-logo.gif"
alt="Knox"/> <!-- <img src="apache-logo.gif" alt="Apache"/> --> <img src="apache-logo.gif"
align="right" alt="Apache"/></p><h1><a id="Apache+Knox+Gateway+0.11.x+User's+Guide">Apache
Knox Gateway 0.11.x User&rsquo;s Guide</a> <a href="#Apache+Knox+Gateway+0.11.x+User's+Guide"><img
src="markbook-section-link.png"/></a></h1><h2><a id="Table+Of+Contents">Table
Of Contents</a> <a href="#Table+Of+Contents"><img src="markbook-section-link.png"/></a></h2>
 <ul>
   <li><a href="#Introduction">Introduction</a></li>
   <li><a href="#Quick+Start">Quick Start</a></li>
@@ -30,29 +30,39 @@
     <li><a href="#Knox+CLI">Knox CLI</a></li>
     <li><a href="#Admin+API">Admin API</a></li>
     <li><a href="#X-Forwarded-*+Headers+Support">X-Forwarded-* Headers Support</a></li>
-    <li><a href="#Authentication">Authentication</a></li>
+  </ul></li>
+  <li><a href="#Authentication">Authentication</a>
+  <ul>
     <li><a href="#Advanced+LDAP+Authentication">Advanced LDAP Authentication</a></li>
     <li><a href="#LDAP+Authentication+Caching">LDAP Authentication Caching</a></li>
     <li><a href="#LDAP+Group+Lookup">LDAP Group Lookup</a></li>
     <li><a href="#LDAP+Group+Lookup">LDAP Group Lookup</a></li>
     <li><a href="#PAM+based+Authentication">PAM based Authentication</a></li>
-    <li><a href="#Authorization">Authorization</a></li>
-    <li><a href="#Secure+Clusters">Secure Clusters</a></li>
-    <li><a href="#High+Availability">High Availability</a></li>
-    <li><a href="#Web+App+Security+Provider">Web App Security Provider</a>
-    <ul>
-      <li><a href="#CSRF">CSRF</a></li>
-      <li><a href="#CORS">CORS</a></li>
-      <li><a href="#X-Frame-Options">X-Frame-Options</a></li>
-    </ul></li>
     <li><a href="#HadoopAuth+Authentication+Provider">HadoopAuth Authentication
Provider</a></li>
     <li><a href="#Preauthenticated+SSO+Provider">Preauthenticated SSO Provider</a></li>
     <li><a href="#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect">Pac4j
Provider - CAS / OAuth / SAML / OpenID Connect</a></li>
     <li><a href="#KnoxSSO+Setup+and+Configuration">KnoxSSO Setup and Configuration</a></li>
     <li><a href="#Mutual+Authentication+with+SSL">Mutual Authentication with
SSL</a></li>
-    <li><a href="#Websocket+Support">Websocket Support</a></li>
-    <li><a href="#Audit">Audit</a></li>
   </ul></li>
+  <li><a href="#Authorization">Authorization</a></li>
+  <li><a href="#Identity+Assertion">Identity Assertion</a>
+  <ul>
+    <li><a href="#Default+Identity+Assertion+Provider">Default Identity Assertion
Provider</a></li>
+    <li><a href="#Concat+Identity+Assertion+Provider">Concat Identity Assertion
Provider</a></li>
+    <li><a href="#SwitchCase+Identity+Assertion+Provider">SwitchCase Identity
Assertion Provider</a></li>
+    <li><a href="#Regular+Expression+Identity+Assertion+Provider">Regular Expression
Identity Assertion Provider</a></li>
+    <li><a href="#Hadoop+Group+Lookup+Provider">Hadoop Group Lookup Provider</a></li>
+  </ul></li>
+  <li><a href="#Secure+Clusters">Secure Clusters</a></li>
+  <li><a href="#High+Availability">High Availability</a></li>
+  <li><a href="#Web+App+Security+Provider">Web App Security Provider</a>
+  <ul>
+    <li><a href="#CSRF">CSRF</a></li>
+    <li><a href="#CORS">CORS</a></li>
+    <li><a href="#X-Frame-Options">X-Frame-Options</a></li>
+  </ul></li>
+  <li><a href="#Websocket+Support">Websocket Support</a></li>
+  <li><a href="#Audit">Audit</a></li>
   <li><a href="#Client+Details">Client Details</a></li>
   <li><a href="#Service+Details">Service Details</a>
   <ul>
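Review bot: The restructured Authentication sub-list still lists `LDAP Group Lookup` twice, back to back, and both entries point at the same `#LDAP+Group+Lookup` anchor; one of the two `<li><a href="#LDAP+Group+Lookup">LDAP Group Lookup</a></li>` lines should be dropped while the list is being reorganized. The same duplicate survives in the markdown TOC in knox/trunk/books/0.11.0/book.md (the two `* #[LDAP Group Lookup]` lines), which appears to be the source this HTML is generated from, so the fix belongs there.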
@@ -1811,6 +1821,59 @@ session    optional       pam_mount.so
 url -k --header &quot;SM_USER: nobody@ca.imaginary.tld&quot; &#39;https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY&#39;
 
 {&quot;Path&quot;:&quot;/user/member_CANADA&quot;}
+</code></pre><h3><a id="Hadoop+Group+Lookup+Provider">Hadoop Group
Lookup Provider</a> <a href="#Hadoop+Group+Lookup+Provider"><img src="markbook-section-link.png"/></a></h3><p>An
identity assertion provider that looks up user&rsquo;s &lsquo;group membership&rsquo;
for authenticated users using Hadoop&rsquo;s group mapping service (GroupMappingServiceProvider).</p><p>This
allows existing investments in the Hadoop to be leveraged within Knox and used within the
access control policy enforcement at the perimeter.</p><p>The &lsquo;role&rsquo;
for this provider is &lsquo;identity-assertion&rsquo; and name is &lsquo;HadoopGroupProvider&rsquo;.</p>
+<pre><code>    &lt;provider&gt;
+        &lt;role&gt;identity-assertion&lt;/role&gt;
+        &lt;name&gt;HadoopGroupProvider&lt;/name&gt;
+        &lt;enabled&gt;true&lt;/enabled&gt;
+        &lt;&lt;param&gt; ... &lt;/param&gt;
+    &lt;/provider&gt;
+</code></pre><h3><a id="Configuration">Configuration</a> <a
href="#Configuration"><img src="markbook-section-link.png"/></a></h3><p>All
the configuration for &lsquo;HadoopGroupProvider&rsquo; resides in the provider section
in a gateway topology file. The &lsquo;hadoop.security.group.mapping&rsquo; property
determines the implementation. Some of the valid implementation are as follows </p><h4><a
id="org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback">org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback</a>
<a href="#org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback"><img
src="markbook-section-link.png"/></a></h4><p>This is the default implementation
and will be picked up if &lsquo;hadoop.security.group.mapping&rsquo; is not specified.
This implementation will determine if the Java Native Interface (JNI) is available. If JNI
is available, the implementation will use the API within Hadoop to resolve a list of groups
for a user. If JNI is not av
 ailable then the shell implementation, org.apache.hadoop.security.ShellBasedUnixGroupsMapping,
is used, which shells out with the &lsquo;bash -c groups&rsquo; command (for a Linux/Unix
environment) or the &lsquo;net group&rsquo; command (for a Windows environment) to
resolve a list of groups for a user.</p><h4><a id="org.apache.hadoop.security.LdapGroupsMapping">org.apache.hadoop.security.LdapGroupsMapping</a>
<a href="#org.apache.hadoop.security.LdapGroupsMapping"><img src="markbook-section-link.png"/></a></h4><p>This
implementation connects directly to an LDAP server to resolve the list of groups. However,
this should only be used if the required groups reside exclusively in LDAP, and are not materialized
on the Unix servers.</p><p>For more information on the implementation and properties
refer to Hadoop Group Mapping.</p><h3><a id="Example">Example</a>
<a href="#Example"><img src="markbook-section-link.png"/></a></h3><p>The
following example snippet works with the demo ldap serve
 r that ships with Apache Knox. Replace the existing &lsquo;Default&rsquo; identity-assertion
provider with the one below (HadoopGroupProvider).</p>
+<pre><code>    &lt;provider&gt;
+        &lt;role&gt;identity-assertion&lt;/role&gt;
+        &lt;name&gt;HadoopGroupProvider&lt;/name&gt;
+        &lt;enabled&gt;true&lt;/enabled&gt;
+        &lt;param&gt;
+            &lt;name&gt;hadoop.security.group.mapping&lt;/name&gt;
+            &lt;value&gt;org.apache.hadoop.security.LdapGroupsMapping&lt;/value&gt;
+        &lt;/param&gt;
+        &lt;param&gt;
+            &lt;name&gt;hadoop.security.group.mapping.ldap.bind.user&lt;/name&gt;
+            &lt;value&gt;uid=tom,ou=people,dc=hadoop,dc=apache,dc=org&lt;/value&gt;
+        &lt;/param&gt;
+        &lt;param&gt;
+            &lt;name&gt;hadoop.security.group.mapping.ldap.bind.password&lt;/name&gt;
+            &lt;value&gt;tom-password&lt;/value&gt;
+        &lt;/param&gt;
+        &lt;param&gt;
+            &lt;name&gt;hadoop.security.group.mapping.ldap.url&lt;/name&gt;
+            &lt;value&gt;ldap://localhost:33389&lt;/value&gt;
+        &lt;/param&gt;
+        &lt;param&gt;
+            &lt;name&gt;hadoop.security.group.mapping.ldap.base&lt;/name&gt;
+            &lt;value&gt;&lt;/value&gt;
+        &lt;/param&gt;
+        &lt;param&gt;
+            &lt;name&gt;hadoop.security.group.mapping.ldap.search.filter.user&lt;/name&gt;
+            &lt;value&gt;(&amp;amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))&lt;/value&gt;
+        &lt;/param&gt;
+        &lt;param&gt;
+            &lt;name&gt;hadoop.security.group.mapping.ldap.search.filter.group&lt;/name&gt;
+            &lt;value&gt;(objectclass=groupOfNames)&lt;/value&gt;
+        &lt;/param&gt;
+        &lt;param&gt;
+            &lt;name&gt;hadoop.security.group.mapping.ldap.search.attr.member&lt;/name&gt;
+            &lt;value&gt;member&lt;/value&gt;
+        &lt;/param&gt;
+        &lt;param&gt;
+            &lt;name&gt;hadoop.security.group.mapping.ldap.search.attr.group.name&lt;/name&gt;
+            &lt;value&gt;cn&lt;/value&gt;
+        &lt;/param&gt;
+    &lt;/provider&gt;
+</code></pre><p>Here, we are working with the demo ldap server running
at &lsquo;<a href="ldap://localhost:33389">ldap://localhost:33389</a>&rsquo;
which populates some dummy users for testing that we will use in this example. This example
uses the user &lsquo;tom&rsquo; for LDAP binding. If you have different LDAP/AD settings
you will have to update the properties accordingly. </p><p>Let&rsquo;s test
our setup using the following command (assuming the gateway is started and listening on localhost:8443).
Note that we are using credentials for the user &lsquo;sam&rsquo; along with the command.
</p>
+<pre><code>    curl -i -k -u sam:sam-password -X GET &#39;https://localhost:8443/gateway/sandbox/webhdfs/v1/?op=LISTSTATUS&#39;

+</code></pre><p>The command should be executed successfully and you should
see the groups &lsquo;scientist&rsquo; and &lsquo;analyst&rsquo; to which
user &lsquo;sam&rsquo; belongs to in gateway-audit.log i.e.</p>
+<pre><code>    ||a99aa0ab-fc06-48f2-8df3-36e6fe37c230|audit|WEBHDFS|sam|||identity-mapping|principal|sam|success|Groups:
[scientist, analyst]
 </code></pre><h3><a id="Authorization">Authorization</a> <a
href="#Authorization"><img src="markbook-section-link.png"/></a></h3><h4><a
id="Service+Level+Authorization">Service Level Authorization</a> <a href="#Service+Level+Authorization"><img
src="markbook-section-link.png"/></a></h4><p>The Knox Gateway has an
out-of-the-box authorization provider that allows administrators to restrict access to the
individual services within a Hadoop cluster.</p><p>This provider utilizes a simple
and familiar pattern of using ACLs to protect Hadoop resources by specifying users, groups
and ip addresses that are permitted access.</p><h4><a id="Configuration">Configuration</a>
<a href="#Configuration"><img src="markbook-section-link.png"/></a></h4><p>ACLs
are bound to services within the topology descriptors by introducing the authorization provider
with configuration like:</p>
 <pre><code>&lt;provider&gt;
     &lt;role&gt;authorization&lt;/role&gt;
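Review bot: The provider skeleton in the new Hadoop Group Lookup Provider section has a stray `<` in `&lt;&lt;param&gt; ... &lt;/param&gt;`, which renders as `<<param> ... </param>`; it should read `<param> ... </param>`, and the same typo is in knox/trunk/books/0.11.0/config_id_assertion.md (`<<param> ... </param>`), which appears to be the markdown this HTML is generated from, so the fix belongs there. The new `<h3><a id="Configuration">` and `<h3><a id="Example">` anchors reuse ids that already exist in the page (the Authorization section's `<h4><a id="Configuration">` is visible in this hunk's trailing context), so the markbook section links for these headings will resolve to whichever duplicate appears first; qualifying the headings in the markdown, for example `### HadoopGroupProvider Configuration ###`, avoids the collision. The example topology embeds the directory bind credential in clear text (`hadoop.security.group.mapping.ldap.bind.password` = `tom-password`) and uses a plain `ldap://` URL; that is acceptable for the bundled demo LDAP, but the text should say so explicitly and mention Hadoop's `hadoop.security.group.mapping.ldap.bind.password.file` and `hadoop.security.group.mapping.ldap.ssl` options, since a topology file with an embedded credential is exactly the kind of snippet that gets copied into production. The sentence "For more information on the implementation and properties refer to Hadoop Group Mapping." names a document without linking it; a hyperlink to Hadoop's group-mapping documentation would make the reference actionable.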

Modified: knox/site/index.html
URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Thu Dec 15 00:01:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-12-13
+ | Generated by Apache Maven Doxia at 2016-12-14
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20161213" />
+    <meta name="Date-Revision-yyyymmdd" content="20161214" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; REST API Gateway for the Apache Hadoop Ecosystem</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-12-13</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-12-14</li>

             
                             </ul>
       </div>

Modified: knox/site/issue-tracking.html
URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Thu Dec 15 00:01:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-12-13
+ | Generated by Apache Maven Doxia at 2016-12-14
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20161213" />
+    <meta name="Date-Revision-yyyymmdd" content="20161214" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Issue Tracking</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-12-13</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-12-14</li>

             
                             </ul>
       </div>

Modified: knox/site/license.html
URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Thu Dec 15 00:01:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-12-13
+ | Generated by Apache Maven Doxia at 2016-12-14
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20161213" />
+    <meta name="Date-Revision-yyyymmdd" content="20161214" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project License</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-12-13</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-12-14</li>

             
                             </ul>
       </div>

Modified: knox/site/mail-lists.html
URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Thu Dec 15 00:01:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-12-13
+ | Generated by Apache Maven Doxia at 2016-12-14
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20161213" />
+    <meta name="Date-Revision-yyyymmdd" content="20161214" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Mailing Lists</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-12-13</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-12-14</li>

             
                             </ul>
       </div>

Modified: knox/site/project-info.html
URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Thu Dec 15 00:01:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-12-13
+ | Generated by Apache Maven Doxia at 2016-12-14
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20161213" />
+    <meta name="Date-Revision-yyyymmdd" content="20161214" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Information</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-12-13</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-12-14</li>

             
                             </ul>
       </div>

Modified: knox/site/team-list.html
URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Thu Dec 15 00:01:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-12-13
+ | Generated by Apache Maven Doxia at 2016-12-14
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20161213" />
+    <meta name="Date-Revision-yyyymmdd" content="20161214" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Team list</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2016-12-13</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2016-12-14</li>

             
                             </ul>
       </div>
@@ -536,9 +536,9 @@
 <td>IBM</td>
 <td>Contributor</td></tr>
 <tr class="a">
-<td><img src="http://www.gravatar.com/avatar/83e367362531c0af7f3089feddf507ee?d=mm&amp;s=60"
alt="" /></td>
+<td><img src="http://www.gravatar.com/avatar/cf302216e9f1c0d3b6e33553eeb88c61?d=mm&amp;s=60"
alt="" /></td>
 <td>Sandeep More</td>
-<td>comomore(at)gmail(dot)com</td>
+<td>moresandeep(at)gmail(dot)com</td>
 <td>Hortonworks</td>
 <td>Contributor</td></tr></table><script type="text/javascript">
 function offsetDate(id, offset) {

Modified: knox/trunk/books/0.11.0/book.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.11.0/book.md?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/trunk/books/0.11.0/book.md (original)
+++ knox/trunk/books/0.11.0/book.md Thu Dec 15 00:01:10 2016
@@ -21,7 +21,7 @@
 <!-- <img src="apache-logo.gif" alt="Apache"/> -->
 <img src="apache-logo.gif" align="right" alt="Apache"/>
 
-# Apache Knox Gateway 0.10.x User's Guide #
+# Apache Knox Gateway 0.11.x User's Guide #
 
 ## Table Of Contents ##
 
@@ -37,26 +37,32 @@
     * #[Knox CLI]
     * #[Admin API]
     * #[X-Forwarded-* Headers Support]
-    * #[Authentication]
+* #[Authentication]
     * #[Advanced LDAP Authentication]
     * #[LDAP Authentication Caching]
     * #[LDAP Group Lookup]
     * #[LDAP Group Lookup]
     * #[PAM based Authentication]
-    * #[Authorization]
-    * #[Secure Clusters]
-    * #[High Availability]
-    * #[Web App Security Provider]
-    	* #[CSRF]
-    	* #[CORS]
-    	* #[X-Frame-Options]
     * #[HadoopAuth Authentication Provider]
     * #[Preauthenticated SSO Provider]
     * #[Pac4j Provider - CAS / OAuth / SAML / OpenID Connect]
     * #[KnoxSSO Setup and Configuration]
     * #[Mutual Authentication with SSL]
-    * #[Websocket Support]
-    * #[Audit]
+* #[Authorization]
+* #[Identity Assertion]
+    * #[Default Identity Assertion Provider]
+    * #[Concat Identity Assertion Provider]
+    * #[SwitchCase Identity Assertion Provider]
+    * #[Regular Expression Identity Assertion Provider]
+    * #[Hadoop Group Lookup Provider]
+* #[Secure Clusters]
+* #[High Availability]
+* #[Web App Security Provider]
+    * #[CSRF]
+    * #[CORS]
+    * #[X-Frame-Options]
+* #[Websocket Support]
+* #[Audit]
 * #[Client Details]
 * #[Service Details]
     * #[WebHDFS]

Modified: knox/trunk/books/0.11.0/config_id_assertion.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.11.0/config_id_assertion.md?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/trunk/books/0.11.0/config_id_assertion.md (original)
+++ knox/trunk/books/0.11.0/config_id_assertion.md Thu Dec 15 00:01:10 2016
@@ -187,3 +187,89 @@ Using curl with this type of configurati
     url -k --header "SM_USER: nobody@ca.imaginary.tld" 'https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY'
     
     {"Path":"/user/member_CANADA"}
+
+### Hadoop Group Lookup Provider ###
+
+An identity assertion provider that looks up user's 'group membership' for authenticated
users using Hadoop's group mapping service (GroupMappingServiceProvider).
+
+This allows existing investments in the Hadoop to be leveraged within Knox and used within
the access control policy enforcement at the perimeter.
+
+The 'role' for this provider is 'identity-assertion' and name is 'HadoopGroupProvider'.
+
+        <provider>
+            <role>identity-assertion</role>
+            <name>HadoopGroupProvider</name>
+            <enabled>true</enabled>
+            <<param> ... </param>
+        </provider>
+
+### Configuration ###
+
+All the configuration for 'HadoopGroupProvider' resides in the provider section in a gateway
topology file.
+The 'hadoop.security.group.mapping' property determines the implementation. Some of the valid
implementation are as follows 
+#### org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback
+
+This is the default implementation and will be picked up if 'hadoop.security.group.mapping'
is not specified. This implementation will determine if the Java Native Interface (JNI) is
available. If JNI is available, the implementation will use the API within Hadoop to resolve
a list of groups for a user. If JNI is not available then the shell implementation, org.apache.hadoop.security.ShellBasedUnixGroupsMapping,
is used, which shells out with the 'bash -c groups' command (for a Linux/Unix environment)
or the 'net group' command (for a Windows environment) to resolve a list of groups for a user.
+
+#### org.apache.hadoop.security.LdapGroupsMapping
+
+This implementation connects directly to an LDAP server to resolve the list of groups. However,
this should only be used if the required groups reside exclusively in LDAP, and are not materialized
on the Unix servers.
+
+For more information on the implementation and properties refer to Hadoop Group Mapping.
+
+### Example ###
+
+The following example snippet works with the demo ldap server that ships with Apache Knox.
Replace the existing 'Default' identity-assertion provider with the one below (HadoopGroupProvider).
+
+        <provider>
+            <role>identity-assertion</role>
+            <name>HadoopGroupProvider</name>
+            <enabled>true</enabled>
+            <param>
+                <name>hadoop.security.group.mapping</name>
+                <value>org.apache.hadoop.security.LdapGroupsMapping</value>
+            </param>
+            <param>
+                <name>hadoop.security.group.mapping.ldap.bind.user</name>
+                <value>uid=tom,ou=people,dc=hadoop,dc=apache,dc=org</value>
+            </param>
+            <param>
+                <name>hadoop.security.group.mapping.ldap.bind.password</name>
+                <value>tom-password</value>
+            </param>
+            <param>
+                <name>hadoop.security.group.mapping.ldap.url</name>
+                <value>ldap://localhost:33389</value>
+            </param>
+            <param>
+                <name>hadoop.security.group.mapping.ldap.base</name>
+                <value></value>
+            </param>
+            <param>
+                <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
+                <value>(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
+            </param>
+            <param>
+                <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
+                <value>(objectclass=groupOfNames)</value>
+            </param>
+            <param>
+                <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
+                <value>member</value>
+            </param>
+            <param>
+                <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
+                <value>cn</value>
+            </param>
+        </provider>
+
+
+Here, we are working with the demo ldap server running at 'ldap://localhost:33389' which
populates some dummy users for testing that we will use in this example. This example uses
the user 'tom' for LDAP binding.  If you have different LDAP/AD settings you will have to
update the properties accordingly. 
+
+Let's test our setup using the following command (assuming the gateway is started and listening
on localhost:8443). Note that we are using credentials for the user 'sam' along with the command.

+
+        curl -i -k -u sam:sam-password -X GET 'https://localhost:8443/gateway/sandbox/webhdfs/v1/?op=LISTSTATUS'

+
+The command should be executed successfully and you should see the groups 'scientist' and
'analyst' to which user 'sam' belongs to in gateway-audit.log i.e.
+
+        ||a99aa0ab-fc06-48f2-8df3-36e6fe37c230|audit|WEBHDFS|sam|||identity-mapping|principal|sam|success|Groups:
[scientist, analyst]

Modified: knox/trunk/markbook/pom.xml
URL: http://svn.apache.org/viewvc/knox/trunk/markbook/pom.xml?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/trunk/markbook/pom.xml (original)
+++ knox/trunk/markbook/pom.xml Thu Dec 15 00:01:10 2016
@@ -23,7 +23,7 @@
     <parent>
         <artifactId>gateway-site</artifactId>
         <groupId>org.apache.hadoop.gateway</groupId>
-        <version>0.10.0</version>
+        <version>0.11.0</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

Modified: knox/trunk/pom.xml
URL: http://svn.apache.org/viewvc/knox/trunk/pom.xml?rev=1774356&r1=1774355&r2=1774356&view=diff
==============================================================================
--- knox/trunk/pom.xml (original)
+++ knox/trunk/pom.xml Thu Dec 15 00:01:10 2016
@@ -312,7 +312,7 @@
 
       <contributor>
         <name>Sandeep More</name>
-        <email>comomore(at)gmail(dot)com</email>
+        <email>moresandeep(at)gmail(dot)com</email>
         <roles><role>Contributor</role></roles>
         <organization>Hortonworks</organization>
       </contributor>


