knox-commits mailing list archives

From lmc...@apache.org
Subject svn commit: r1787131 - in /knox: site/books/knox-0-12-0/user-guide.html trunk/books/0.12.0/config_sso_cookie_provider.md
Date Thu, 16 Mar 2017 06:12:10 GMT
Author: lmccay
Date: Thu Mar 16 06:12:10 2017
New Revision: 1787131

URL: http://svn.apache.org/viewvc?rev=1787131&view=rev
Log:
adding docs for JWTProvider to 0.12.0

Modified:
    knox/site/books/knox-0-12-0/user-guide.html
    knox/trunk/books/0.12.0/config_sso_cookie_provider.md

Modified: knox/site/books/knox-0-12-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-12-0/user-guide.html?rev=1787131&r1=1787130&r2=1787131&view=diff
==============================================================================
--- knox/site/books/knox-0-12-0/user-guide.html (original)
+++ knox/site/books/knox-0-12-0/user-guide.html Thu Mar 16 06:12:10 2017
@@ -2547,10 +2547,10 @@ APACHE_HOME/bin/apachectl -k stop
    <enabled>true</enabled>
    <param>
        <name>knox.token.audiences</name>
-       <value>1234,2345</value>
+       <value>tokenbased</value>
    </param>
 </provider>
-</code></pre><p>The following table describes the configuration options
for the JWT federation provider:</p><h5><a id="Descriptions">Descriptions</a>
<a href="#Descriptions"><img src="markbook-section-link.png"/></a></h5>
+</code></pre><p>The knox.token.audiences parameter above indicates that
any token in an incoming request must contain an audience claim called &ldquo;tokenbased&rdquo;.
In this case, the idea is that the issuing KnoxToken service will be configured to include
such an audience claim and that the resulting token is valid to use in the topology that contains
configuration like above. This would generally be the name of the topology but you can standardize
on anything.</p><p>The following table describes the configuration options for
the JWT federation provider:</p><h5><a id="Descriptions">Descriptions</a>
<a href="#Descriptions"><img src="markbook-section-link.png"/></a></h5>
 <table>
   <thead>
     <tr>
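Review bot: In the added paragraph, "must contain an audience claim called tokenbased" reads as if tokenbased were the name of the claim rather than one of its values, and it sits oddly next to the table text just below, which asks for "at least one of the configured audience claims". Suggest wording such as "must carry tokenbased as an audience claim value". Replacing 1234,2345 with a single value also removes the example of several audiences from this snippet, so the paragraph should say how more than one is listed.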
@@ -2562,11 +2562,11 @@ APACHE_HOME/bin/apachectl -k stop
   <tbody>
     <tr>
       <td>knox.token.audiences</td>
-      <td>Optional parameter. This parameter allows the administrator to constrain
the use of tokens on this endpoint to those that have tokens with at least one of the configured
audience claims. These claims have associated configuration within the KnoxToken service as
well. This provides and interesting way to make sure that the token issued based on authentication
to a particular LDAP server or other IdP is accepted but not others.</td>
+      <td>Optional parameter. This parameter allows the administrator to constrain
the use of tokens on this endpoint to those that have tokens with at least one of the configured
audience claims. These claims have associated configuration within the KnoxToken service as
well. This provides an interesting way to make sure that the token issued based on authentication
to a particular LDAP server or other IdP is accepted but not others.</td>
       <td>N/A</td>
     </tr>
   </tbody>
-</table><h3><a id="Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect">Pac4j
Provider - CAS / OAuth / SAML / OpenID Connect</a> <a href="#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect"><img
src="markbook-section-link.png"/></a></h3>
+</table><p>See the documentation for the Knox Token service for related details.</p><h3><a
id="Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect">Pac4j Provider - CAS / OAuth
/ SAML / OpenID Connect</a> <a href="#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect"><img
src="markbook-section-link.png"/></a></h3>
 <p align="center">
   <img src="https://pac4j.github.io/pac4j/img/logo-knox.png" width="300" />
 </p><p><a href="https://github.com/pac4j/pac4j">pac4j</a> is a Java
security engine to authenticate users, get their profiles and manage their authorizations
in order to secure Java web applications.</p><p>It supports many authentication
mechanisms for UI and web services and is implemented by many frameworks and tools.</p><p>For
Knox, it is used as a federation provider to support the OAuth, CAS, SAML and OpenID Connect
protocols. It must be used for SSO, in association with the KnoxSSO service and optionally
with the SSOCookieProvider for access to REST APIs.</p><h4><a id="Configuration">Configuration</a>
<a href="#Configuration"><img src="markbook-section-link.png"/></a></h4><h5><a
id="SSO+topology">SSO topology</a> <a href="#SSO+topology"><img src="markbook-section-link.png"/></a></h5><p>To
enable SSO for REST API access through the Knox gateway, you need to protect your Hadoop services
with the the SSOCookieProvider configured to use the KnoxSSO service (sandbox.xml topology):<
 /p>
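Review bot: The sentence added after </table>, "See the documentation for the Knox Token service for related details.", is plain text on a page whose headings all carry anchors; make it a link to the Knox Token service section so the reader can reach the issuing-side audience configuration it refers to. The description cell also still says "Optional parameter" with a default of N/A without stating which tokens are accepted when knox.token.audiences is left out; one sentence on that behaviour belongs in this cell.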

Modified: knox/trunk/books/0.12.0/config_sso_cookie_provider.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.12.0/config_sso_cookie_provider.md?rev=1787131&r1=1787130&r2=1787131&view=diff
==============================================================================
--- knox/trunk/books/0.12.0/config_sso_cookie_provider.md (original)
+++ knox/trunk/books/0.12.0/config_sso_cookie_provider.md Thu Mar 16 06:12:10 2017
@@ -89,14 +89,18 @@ The following provider configuration can
        <enabled>true</enabled>
        <param>
            <name>knox.token.audiences</name>
-           <value>1234,2345</value>
+           <value>tokenbased</value>
        </param>
     </provider>
 
+The knox.token.audiences parameter above indicates that any token in an incoming request
must contain an audience claim called "tokenbased". In this case, the idea is that the issuing
KnoxToken service will be configured to include such an audience claim and that the resulting
token is valid to use in the topology that contains configuration like above. This would generally
be the name of the topology but you can standardize on anything.
+
 The following table describes the configuration options for the JWT federation provider:
 
 ##### Descriptions #####
 
 Name | Description | Default
 ---------|-----------
-knox.token.audiences|Optional parameter. This parameter allows the administrator to constrain
the use of tokens on this endpoint to those that have tokens with at least one of the configured
audience claims. These claims have associated configuration within the KnoxToken service as
well. This provides and interesting way to make sure that the token issued based on authentication
to a particular LDAP server or other IdP is accepted but not others.|N/A
\ No newline at end of file
+knox.token.audiences|Optional parameter. This parameter allows the administrator to constrain
the use of tokens on this endpoint to those that have tokens with at least one of the configured
audience claims. These claims have associated configuration within the KnoxToken service as
well. This provides an interesting way to make sure that the token issued based on authentication
to a particular LDAP server or other IdP is accepted but not others.|N/A
+
+See the documentation for the Knox Token service for related details.
\ No newline at end of file
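Review bot: The last sentence of the added paragraph, "you can standardize on anything", works against the table description below it, which presents knox.token.audiences as the way to constrain tokens to this endpoint: if several topologies standardize on one shared audience value, a token issued for one of them would satisfy the audience check in the others. Suggest recommending a per-topology value and stating the trade-off of sharing one. Separately, the unchanged separator row under "Name | Description | Default" has two columns for a three-column header, and the file still ends without a trailing newline; both are cheap to fix in this change.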


