knox-commits mailing list archives

From lmc...@apache.org
Subject svn commit: r1787130 - in /knox: site/books/knox-0-12-0/user-guide.html trunk/books/0.12.0/book.md trunk/books/0.12.0/book_client-details.md trunk/books/0.12.0/config_sso_cookie_provider.md
Date Thu, 16 Mar 2017 06:05:00 GMT
Author: lmccay
Date: Thu Mar 16 06:05:00 2017
New Revision: 1787130

URL: http://svn.apache.org/viewvc?rev=1787130&view=rev
Log:
adding docs for JWTProvider to 0.12.0

Modified:
    knox/site/books/knox-0-12-0/user-guide.html
    knox/trunk/books/0.12.0/book.md
    knox/trunk/books/0.12.0/book_client-details.md
    knox/trunk/books/0.12.0/config_sso_cookie_provider.md

Modified: knox/site/books/knox-0-12-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-12-0/user-guide.html?rev=1787130&r1=1787129&r2=1787130&view=diff
==============================================================================
--- knox/site/books/knox-0-12-0/user-guide.html (original)
+++ knox/site/books/knox-0-12-0/user-guide.html Thu Mar 16 06:05:00 2017
@@ -42,6 +42,7 @@
     <li><a href="#HadoopAuth+Authentication+Provider">HadoopAuth Authentication
Provider</a></li>
     <li><a href="#Preauthenticated+SSO+Provider">Preauthenticated SSO Provider</a></li>
     <li><a href="#SSO+Cookie+Provider">SSO Cookie Provider</a></li>
+    <li><a href="#JWT+Provider">JWT Provider</a></li>
     <li><a href="#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect">Pac4j
Provider - CAS / OAuth / SAML / OpenID Connect</a></li>
     <li><a href="#KnoxSSO+Setup+and+Configuration">KnoxSSO Setup and Configuration</a></li>
     <li><a href="#KnoxToken+Configuration">KnoxToken Configuration</a></li>
@@ -2523,7 +2524,7 @@ APACHE_HOME/bin/apachectl -k stop
       &lt;url&gt;http://localhost:50111/templeton&lt;/url&gt;
   &lt;/service&gt;
 &lt;/topology&gt;
-</code></pre><p>The following table describes the configuration options
for the web app security provider:</p><h5><a id="Descriptions">Descriptions</a>
<a href="#Descriptions"><img src="markbook-section-link.png"/></a></h5>
+</code></pre><p>The following table describes the configuration options
for the sso cookie provider:</p><h5><a id="Descriptions">Descriptions</a>
<a href="#Descriptions"><img src="markbook-section-link.png"/></a></h5>
 <table>
   <thead>
     <tr>
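Review bot: the corrected sentence still sits under `<h5><a id="Descriptions">`, and the same `id="Descriptions"` is reused by the JWT Provider table added later in this patch, so a `#Descriptions` fragment link resolves to whichever heading the browser finds first; give each provider's table a distinct anchor (for instance a provider-prefixed id, name illustrative). Minor: the surrounding headings spell the provider "SSO Cookie Provider" while the new sentence says "sso cookie provider".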
@@ -2539,6 +2540,32 @@ APACHE_HOME/bin/apachectl -k stop
       <td>N/A</td>
     </tr>
   </tbody>
+</table><h3><a id="JWT+Provider">JWT Provider</a> <a href="#JWT+Provider"><img
src="markbook-section-link.png"/></a></h3><h4><a id="Overview">Overview</a>
<a href="#Overview"><img src="markbook-section-link.png"/></a></h4><p>The
JWT federation provider accepts JWT tokens as Bearer tokens within the Authorization header
of the incoming request. Upon successfully extracting and verify the token, the request is
then processed on behalf of the user represented by the JWT token.</p><p>This
provider is closely related to the Knox Token Service and is essentially the provider that
is used to consume the tokens issued by the Knox Token Service.</p><p>Typical
deployments have the KnoxToken service defined in a topology such as sandbox.xml that authenticates
users based on username and password which as with the ShiroProvider. They also have a topology
dedicated to clients that wish to use KnoxTokens to access Hadoop resources through Knox.
</p><p>The following provider configuration can be u
 sed within such a topology.</p>
+<pre><code>&lt;provider&gt;
+   &lt;role&gt;federation&lt;/role&gt;
+   &lt;name&gt;JWTProvider&lt;/name&gt;
+   &lt;enabled&gt;true&lt;/enabled&gt;
+   &lt;param&gt;
+       &lt;name&gt;knox.token.audiences&lt;/name&gt;
+       &lt;value&gt;1234,2345&lt;/value&gt;
+   &lt;/param&gt;
+&lt;/provider&gt;
+</code></pre><p>The following table describes the configuration options
for the JWT federation provider:</p><h5><a id="Descriptions">Descriptions</a>
<a href="#Descriptions"><img src="markbook-section-link.png"/></a></h5>
+<table>
+  <thead>
+    <tr>
+      <th>Name </th>
+      <th>Description </th>
+      <th>Default</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>knox.token.audiences</td>
+      <td>Optional parameter. This parameter allows the administrator to constrain
the use of tokens on this endpoint to those that have tokens with at least one of the configured
audience claims. These claims have associated configuration within the KnoxToken service as
well. This provides and interesting way to make sure that the token issued based on authentication
to a particular LDAP server or other IdP is accepted but not others.</td>
+      <td>N/A</td>
+    </tr>
+  </tbody>
 </table><h3><a id="Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect">Pac4j
Provider - CAS / OAuth / SAML / OpenID Connect</a> <a href="#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect"><img
src="markbook-section-link.png"/></a></h3>
 <p align="center">
   <img src="https://pac4j.github.io/pac4j/img/logo-knox.png" width="300" />
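Review bot: the `knox.token.audiences` row never says what happens when the parameter is omitted. It is described as "Optional parameter" that constrains accepted tokens to those carrying "at least one of the configured audience claims", so a reader cannot tell whether leaving it out means every verified token is accepted regardless of its audience; that default is the security-relevant fact an operator needs, and the row should state it explicitly. In the same way, the Overview's "Upon successfully extracting and verify the token" should spell out what "verify" consists of (whether signature, expiry and audience are all checked, and against which key) rather than leave it implied, and read "verifying". Wording in the new paragraphs: "which as with the ShiroProvider" should drop "which", "This provides and interesting way" should be "an interesting way", and "can be u / sed" is split mid-word in the generated HTML. The section also reuses `id="Overview"` and `id="Descriptions"`, both already used by the SSO Cookie Provider section above it, so the new headings are not uniquely addressable.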
@@ -3090,7 +3117,7 @@ APACHE_HOME/bin/apachectl -k stop
 </table><h4><a id="Audit+log+rotation">Audit log rotation</a> <a
href="#Audit+log+rotation"><img src="markbook-section-link.png"/></a></h4><p>Audit
logging is preconfigured with <code>org.apache.log4j.DailyRollingFileAppender</code>.
<a href="http://logging.apache.org/log4j/1.2/">Apache log4j</a> contains information
about other Appenders.</p><h4><a id="How+to+change+the+audit+level+or+disable+it">How
to change the audit level or disable it</a> <a href="#How+to+change+the+audit+level+or+disable+it"><img
src="markbook-section-link.png"/></a></h4><p>All audit messages are logged
at <code>INFO</code> level and this behavior can&rsquo;t be changed.</p><p>Disabling
auditing can be done by decreasing the log level for the Audit appender or setting it to <code>OFF</code>.</p><h2><a
id="Client+Details">Client Details</a> <a href="#Client+Details"><img src="markbook-section-link.png"/></a></h2><p>Hadoop
requires a client that can be used to interact remotely with the services provided by Had
 oop cluster. This will also be true when using the Apache Knox Gateway to provide perimeter
security and centralized access for these services. The two primary existing clients for Hadoop
are the CLI (i.e. Command Line Interface, hadoop) and <a href="http://gethue.com/">Hue</a>
(i.e. Hadoop User Experience). For several reasons however, neither of these clients can <em>currently</em>
be used to access Hadoop services via the Apache Knox Gateway.</p><p>This led
to thinking about a very simple client that could help people use and evaluate the gateway.
The list below outlines the general requirements for such a client.</p>
 <ul>
   <li>Promote the evaluation and adoption of the Apache Knox Gateway</li>
-  <li>Simple to deploy and use on data worker desktops to access to remote Hadoop clusters</li>
+  <li>Simple to deploy and use on data worker desktops for access to remote Hadoop
clusters</li>
   <li>Simple to extend with new commands both by other Hadoop projects and by the end
user</li>
   <li>Support the notion of a SSO session for multiple Hadoop interactions</li>
   <li>Support the multiple authentication and federation token capabilities of the
Apache Knox Gateway</li>

Modified: knox/trunk/books/0.12.0/book.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.12.0/book.md?rev=1787130&r1=1787129&r2=1787130&view=diff
==============================================================================
--- knox/trunk/books/0.12.0/book.md (original)
+++ knox/trunk/books/0.12.0/book.md Thu Mar 16 06:05:00 2017
@@ -47,6 +47,7 @@
     * #[HadoopAuth Authentication Provider]
     * #[Preauthenticated SSO Provider]
     * #[SSO Cookie Provider]
+    * #[JWT Provider]
     * #[Pac4j Provider - CAS / OAuth / SAML / OpenID Connect]
     * #[KnoxSSO Setup and Configuration]
     * #[KnoxToken Configuration]

Modified: knox/trunk/books/0.12.0/book_client-details.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.12.0/book_client-details.md?rev=1787130&r1=1787129&r2=1787130&view=diff
==============================================================================
--- knox/trunk/books/0.12.0/book_client-details.md (original)
+++ knox/trunk/books/0.12.0/book_client-details.md Thu Mar 16 06:05:00 2017
@@ -26,7 +26,7 @@ This led to thinking about a very simple
 The list below outlines the general requirements for such a client.
 
 * Promote the evaluation and adoption of the Apache Knox Gateway
-* Simple to deploy and use on data worker desktops to access to remote Hadoop clusters
+* Simple to deploy and use on data worker desktops for access to remote Hadoop clusters
 * Simple to extend with new commands both by other Hadoop projects and by the end user
 * Support the notion of a SSO session for multiple Hadoop interactions
 * Support the multiple authentication and federation token capabilities of the Apache Knox
Gateway
@@ -47,7 +47,6 @@ _Note: The variables `session`, `localFi
 A note of thanks to [REST-assured](https://code.google.com/p/rest-assured/) which provides
a [Fluent interface](http://en.wikipedia.org/wiki/Fluent_interface) style DSL for testing
REST services.
 It served as the initial inspiration for the creation of this DSL.
 
-
 ### Assumptions ###
 
 This document assumes a few things about your environment in order to simplify the examples.

Modified: knox/trunk/books/0.12.0/config_sso_cookie_provider.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.12.0/config_sso_cookie_provider.md?rev=1787130&r1=1787129&r2=1787130&view=diff
==============================================================================
--- knox/trunk/books/0.12.0/config_sso_cookie_provider.md (original)
+++ knox/trunk/books/0.12.0/config_sso_cookie_provider.md Thu Mar 16 06:05:00 2017
@@ -64,7 +64,7 @@ Configuring one of the cluster topologie
 </topology>
 ```
 
-The following table describes the configuration options for the web app security provider:
+The following table describes the configuration options for the sso cookie provider:
 
 ##### Descriptions #####
 
@@ -72,3 +72,31 @@ Name | Description | Default
 ---------|-----------
 sso.authentication.provider.url|Required parameter that indicates the location of the KnoxSSO
endpoint and where to redirect the useragent when no SSO cookie is found in the incoming request.|N/A
 
+### JWT Provider ###
+
+#### Overview ####
+The JWT federation provider accepts JWT tokens as Bearer tokens within the Authorization
header of the incoming request. Upon successfully extracting and verify the token, the request
is then processed on behalf of the user represented by the JWT token.
+
+This provider is closely related to the Knox Token Service and is essentially the provider
that is used to consume the tokens issued by the Knox Token Service.
+
+Typical deployments have the KnoxToken service defined in a topology such as sandbox.xml
that authenticates users based on username and password which as with the ShiroProvider. They
also have a topology dedicated to clients that wish to use KnoxTokens to access Hadoop resources
through Knox. 
+
+The following provider configuration can be used within such a topology.
+
+    <provider>
+       <role>federation</role>
+       <name>JWTProvider</name>
+       <enabled>true</enabled>
+       <param>
+           <name>knox.token.audiences</name>
+           <value>1234,2345</value>
+       </param>
+    </provider>
+
+The following table describes the configuration options for the JWT federation provider:
+
+##### Descriptions #####
+
+Name | Description | Default
+---------|-----------
+knox.token.audiences|Optional parameter. This parameter allows the administrator to constrain
the use of tokens on this endpoint to those that have tokens with at least one of the configured
audience claims. These claims have associated configuration within the KnoxToken service as
well. This provides and interesting way to make sure that the token issued based on authentication
to a particular LDAP server or other IdP is accepted but not others.|N/A
\ No newline at end of file
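Review bot: the JWT Provider section is appended to `config_sso_cookie_provider.md`, a file named for a different provider; the other source files in this commit are one-per-topic (`book_client-details.md`, `config_sso_cookie_provider.md`), so the new `### JWT Provider ###` block belongs in its own source file next to them rather than at the bottom of the SSO Cookie Provider file, where it reads as a subsection of that provider. The table separator `---------|-----------` has two cells under the three-column header `Name | Description | Default`; the rendered HTML in this same commit shows three columns, so the generator tolerates it, but add the third cell for correctness. The hunk also drops the file's trailing newline (`\ No newline at end of file`). The same text fixes as in the rendered HTML apply here: "extracting and verifying", "as with the ShiroProvider", "an interesting way", plus a statement of the behaviour when `knox.token.audiences` is not set.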


