knox-commits mailing list archives

From lmc...@apache.org
Subject svn commit: r1787125 - in /knox: site/books/knox-0-12-0/user-guide.html trunk/books/0.12.0/book.md trunk/books/0.12.0/config_knox_token.md
Date Thu, 16 Mar 2017 05:35:28 GMT
Author: lmccay
Date: Thu Mar 16 05:35:28 2017
New Revision: 1787125

URL: http://svn.apache.org/viewvc?rev=1787125&view=rev
Log:
adding docs for KnoxToken service to 0.12.0

Modified:
    knox/site/books/knox-0-12-0/user-guide.html
    knox/trunk/books/0.12.0/book.md
    knox/trunk/books/0.12.0/config_knox_token.md

Modified: knox/site/books/knox-0-12-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-12-0/user-guide.html?rev=1787125&r1=1787124&r2=1787125&view=diff
==============================================================================
--- knox/site/books/knox-0-12-0/user-guide.html (original)
+++ knox/site/books/knox-0-12-0/user-guide.html Thu Mar 16 05:35:28 2017
@@ -44,7 +44,7 @@
     <li><a href="#SSO+Cookie+Provider">SSO Cookie Provider</a></li>
     <li><a href="#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect">Pac4j
Provider - CAS / OAuth / SAML / OpenID Connect</a></li>
     <li><a href="#KnoxSSO+Setup+and+Configuration">KnoxSSO Setup and Configuration</a></li>
-    <li><a href="#KnoxToken+service">KnoxToken service</a></li>
+    <li><a href="#KnoxToken+Configuration">KnoxToken Configuration</a></li>
     <li><a href="#Mutual+Authentication+with+SSL">Mutual Authentication with
SSL</a></li>
   </ul></li>
   <li><a href="#Authorization">Authorization</a></li>
@@ -2939,8 +2939,14 @@ APACHE_HOME/bin/apachectl -k stop
       <td>n/a</td>
     </tr>
   </tbody>
-</table><p>Adding the KnoxToken configuration show above to a topology that is
protected with the ShrioProvider is a very simple and effective way to expose an endpoint
from which a Knox token can be requested. Once it is acquired it may be used to access resources
at intended endpoints until it expires.</p><p>The following curl example shows
how to add a bearer token to an Authorization header:</p>
-<pre><code>curl -ivku guest:guest-password -H &quot;Authorization: Bearer
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTI3MTM1fQ.HFxcUtg1Id9t7HOjHkxXsfZE1jB1nd2g9l71cFsgWvT3nsrIuHOzfFdhQwQYsrPqA5h2VZ1UuqOqajI0e_gCOlwoslm3ZD9xMkU2g2qGG81Ao3vvmaaLs8EE0_VuFq5ZHt08ls3oyzjWUKlb2VSrNOjzWjHyoHi_k2M04r9grp8&quot;
https://localhost:8443/gateway/tokenbased/webhdfs/v1/tmp?op=LISTSTATUS
+</table><p>Adding the KnoxToken configuration shown above to a topology that
is protected with the ShrioProvider is a very simple and effective way to expose an endpoint
from which a Knox token can be requested. Once it is acquired it may be used to access resources
at intended endpoints until it expires.</p><p>The following curl command can be
used to acquire a token from the Knox Token service as configured in the sandbox topology:</p>
+<pre><code>curl -ivku guest:guest-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
+
+Resulting in a JSON response that contains the token, the expiration and the optional target
endpoint:
+
+  {&quot;access_token&quot;:&quot;eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU&quot;,&quot;target_url&quot;:&quot;https://localhost:8443/gateway/tokenbased&quot;,&quot;token_type&quot;:&quot;Bearer
&quot;,&quot;expires_in&quot;:1489942188233}
+</code></pre><p>The following curl example shows how to add a bearer token
to an Authorization header:</p>
+<pre><code>curl -ivk -H &quot;Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU&quot;
https://localhost:8443/gateway/tokenbased/webhdfs/v1/tmp?op=LISTSTATUS
 </code></pre><p>See documentation in Client Details for KnoxShell init,
list and destroy for commands that leverage this token service for CLI sessions.</p><h3><a
id="Mutual+Authentication+with+SSL">Mutual Authentication with SSL</a> <a href="#Mutual+Authentication+with+SSL"><img
src="markbook-section-link.png"/></a></h3><p>To establish a stronger
trust relationship between client and server, we provide mutual authentication with SSL via
client certs. This is particularly useful in providing additional validation for Preauthenticated
SSO with HTTP Headers. Rather than just ip address validation, connections will only be accepted
by Knox from clients presenting trusted certificates.</p><p>This behavior is configured
for the entire gateway instance within the gateway-site.xml file. All topologies deployed
within the gateway instance with mutual authentication enabled will require incoming connections
to present trusted client certificates during the SSL handshake. Otherwise, connectio
 ns will be refused.</p><p>The following table describes the configuration elements
related to mutual authentication and their defaults:</p>
 <table>
   <thead>
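
Review bot: In the added `<pre><code>` block that begins with the token request, the sentence "Resulting in a JSON response that contains the token, the expiration and the optional target endpoint:" sits inside the code block with the curl command and the JSON, so it renders as if it were command output. The same text is indented as code in config_knox_token.md in this commit, so the fix belongs there. Separately, the sample response shows `"expires_in":1489942188233`, which is the token's `exp` claim (1489942188) expressed in milliseconds, an absolute time rather than a lifetime; a sentence stating the unit would stop clients from reading it as seconds remaining.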

Modified: knox/trunk/books/0.12.0/book.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.12.0/book.md?rev=1787125&r1=1787124&r2=1787125&view=diff
==============================================================================
--- knox/trunk/books/0.12.0/book.md (original)
+++ knox/trunk/books/0.12.0/book.md Thu Mar 16 05:35:28 2017
@@ -49,7 +49,7 @@
     * #[SSO Cookie Provider]
     * #[Pac4j Provider - CAS / OAuth / SAML / OpenID Connect]
     * #[KnoxSSO Setup and Configuration]
-    * #[KnoxToken service]
+    * #[KnoxToken Configuration]
     * #[Mutual Authentication with SSL]
 * #[Authorization]
 * #[Identity Assertion]
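
Review bot: No heading change accompanies the renamed TOC entry `#[KnoxToken Configuration]` in this commit: the config_knox_token.md hunk touches only body text. Confirm the section heading there already reads "KnoxToken Configuration" so the entry resolves, and mention the rename in the log message, since existing links to the old `#KnoxToken+service` anchor in the published guide will stop working.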

Modified: knox/trunk/books/0.12.0/config_knox_token.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.12.0/config_knox_token.md?rev=1787125&r1=1787124&r2=1787125&view=diff
==============================================================================
--- knox/trunk/books/0.12.0/config_knox_token.md (original)
+++ knox/trunk/books/0.12.0/config_knox_token.md Thu Mar 16 05:35:28 2017
@@ -34,10 +34,18 @@ knox.token.ttl                | This ind
 knox.token.audiences          | This is a comma separated list of audiences to add to the
JWT token. This is used to ensure that a token received by a participating application knows
that the token was intended for use with that application. It is optional. In the event that
an endpoint has expected audiences and they are not present the token must be rejected. In
the event where the token has audiences and the endpoint has none expected then the token
is accepted.| empty
 knox.token.target.url         | This is an optional configuration parameter to indicate the
intended endpoint for which the token may be used. The KnoxShell token credential collector
can pull this URL from a knoxtokencache file to be used in scripts. This eliminates the need
to prompt for or hardcode endpoints in your scripts. | n/a
 
-Adding the KnoxToken configuration show above to a topology that is protected with the ShrioProvider
is a very simple and effective way to expose an endpoint from which a Knox token can be requested.
Once it is acquired it may be used to access resources at intended endpoints until it expires.
+Adding the KnoxToken configuration shown above to a topology that is protected with the ShrioProvider
is a very simple and effective way to expose an endpoint from which a Knox token can be requested.
Once it is acquired it may be used to access resources at intended endpoints until it expires.
+
+The following curl command can be used to acquire a token from the Knox Token service as
configured in the sandbox topology:
+
+    curl -ivku guest:guest-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
+    
+    Resulting in a JSON response that contains the token, the expiration and the optional
target endpoint:
+
+      {"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU","target_url":"https://localhost:8443/gateway/tokenbased","token_type":"Bearer
","expires_in":1489942188233}
 
 The following curl example shows how to add a bearer token to an Authorization header:
 
-    curl -ivku guest:guest-password -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTI3MTM1fQ.HFxcUtg1Id9t7HOjHkxXsfZE1jB1nd2g9l71cFsgWvT3nsrIuHOzfFdhQwQYsrPqA5h2VZ1UuqOqajI0e_gCOlwoslm3ZD9xMkU2g2qGG81Ao3vvmaaLs8EE0_VuFq5ZHt08ls3oyzjWUKlb2VSrNOjzWjHyoHi_k2M04r9grp8"
https://localhost:8443/gateway/tokenbased/webhdfs/v1/tmp?op=LISTSTATUS
+    curl -ivk -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU"
https://localhost:8443/gateway/tokenbased/webhdfs/v1/tmp?op=LISTSTATUS
 
 See documentation in Client Details for KnoxShell init, list and destroy for commands that
leverage this token service for CLI sessions.
\ No newline at end of file
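
Review bot: The added line "Resulting in a JSON response that contains the token, the expiration and the optional target endpoint:" is indented four spaces like the curl command above it, so Markdown treats it as code; start it at column zero and leave only the command and the JSON indented. The rewritten first paragraph corrects "show" to "shown" but still says "ShrioProvider", which should read "ShiroProvider". Both examples pass `-k`, which turns off certificate verification in curl; a short remark that this is only for the sandbox's self-signed certificate would keep readers from copying it into scripts against a real gateway. The file also still ends without a trailing newline.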
