knox-commits mailing list archives

From pzamp...@apache.org
Subject svn commit: r1834171 - in /knox: site/books/knox-1-1-0/user-guide.html trunk/books/1.1.0/config.md trunk/books/1.1.0/config_knox_sso.md
Date Fri, 22 Jun 2018 23:05:38 GMT
Author: pzampino
Date: Fri Jun 22 23:05:38 2018
New Revision: 1834171

URL: http://svn.apache.org/viewvc?rev=1834171&view=rev
Log:
Documented gateway-site properties for dispatch and redirect whitelist

Modified:
    knox/site/books/knox-1-1-0/user-guide.html
    knox/trunk/books/1.1.0/config.md
    knox/trunk/books/1.1.0/config_knox_sso.md

Modified: knox/site/books/knox-1-1-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-1-1-0/user-guide.html?rev=1834171&r1=1834170&r2=1834171&view=diff
==============================================================================
--- knox/site/books/knox-1-1-0/user-guide.html (original)
+++ knox/site/books/knox-1-1-0/user-guide.html Fri Jun 22 23:05:38 2018
@@ -760,6 +760,16 @@ https://{gateway-host}:{gateway-port}/{g
       <td>The default discovery cluster name, which is applied if no cluster name is
specified in a descriptor. </td>
       <td>null</td>
     </tr>
+    <tr>
+      <td>gateway.dispatch.whitelist </td>
+      <td>A semicolon-delimited list of regular expressions for controlling to which
endpoints Knox dispatches and redirects will be permitted. </td>
+      <td>null</td>
+    </tr>
+    <tr>
+      <td>gateway.dispatch.whitelist.services </td>
+      <td>A comma-delimited list of service roles to which the <em>gateway.dispatch.whitelist</em>
will be applied. </td>
+      <td>none</td>
+    </tr>
   </tbody>
 </table><h4><a id="Topology+Descriptors">Topology Descriptors</a>
<a href="#Topology+Descriptors"><img src="markbook-section-link.png"/></a></h4><p>The
topology descriptor files provide the gateway with per-cluster configuration information.
This includes configuration for both the providers within the gateway and the services within
the Hadoop cluster. These files are located in <code>{GATEWAY_HOME}/conf/topologies</code>.
The general outline of this document looks like this.</p>
 <pre><code>&lt;topology&gt;
@@ -3997,8 +4007,8 @@ APACHE_HOME/bin/apachectl -k stop
     </tr>
     <tr>
       <td>knoxsso.redirect.whitelist.regex </td>
-      <td>A semicolon separated list of regex expressions. The incoming originalUrl
must match one of the expressions in order for KnoxSSO to redirect to it after authentication.
Defaults to only relative paths and localhost with or without SSL for development usecases.
This needs to be opened up for production use and actual participating applications. Note
that cookie use is still constrained to redirect destinations in the same domain as the KnoxSSO
service - regardless of the expressions specified here. </td>
-      <td>^/.*$;^https?://localhost:\d{0,9}/.*$</td>
+      <td>A semicolon-delimited list of regular expressions. The incoming originalUrl
must match one of the expressions in order for KnoxSSO to redirect to it after authentication.
Note that cookie use is still constrained to redirect destinations in the same domain as the
KnoxSSO service - regardless of the expressions specified here. </td>
+      <td>The value of the gateway-site property named <em>gateway.dispatch.whitelist</em>.
If that is not defined, the default allows only relative paths, localhost or destinations
in the same domain as the Knox host (with or without SSL). This may need to be opened up for
production use and actual participating applications.</td>
     </tr>
   </tbody>
 </table><h3><a id="Participating+Application+Configuration">Participating
Application Configuration</a> <a href="#Participating+Application+Configuration"><img
src="markbook-section-link.png"/></a></h3><h4><a id="Hadoop+Configuration+Example">Hadoop
Configuration Example</a> <a href="#Hadoop+Configuration+Example"><img src="markbook-section-link.png"/></a></h4><p>The
following is used as the KnoxSSO configuration in the Hadoop JWTRedirectAuthenticationHandler
implementation. Any participating application will need similar configuration. Since JWTRedirectAuthenticationHandler
extends the AltKerberosAuthenticationHandler, the typical Kerberos configuration parameters
for authentication are also required.</p>
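Review bot: the default column replaces the literal `^/.*$;^https?://localhost:\d{0,9}/.*$` with prose, and that prose widens the fallback from localhost to "destinations in the same domain as the Knox host". Because this value decides where KnoxSSO will send a freshly authenticated user, keep the concrete expressions (or state how the same-domain expression is derived from the Knox host name) so operators can verify what the default actually matches, and spell out the precedence that the wording only implies: a `knoxsso.redirect.whitelist.regex` set in the topology takes priority over the gateway-site `gateway.dispatch.whitelist` value.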

Modified: knox/trunk/books/1.1.0/config.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.1.0/config.md?rev=1834171&r1=1834170&r2=1834171&view=diff
==============================================================================
--- knox/trunk/books/1.1.0/config.md (original)
+++ knox/trunk/books/1.1.0/config.md Fri Jun 22 23:05:38 2018
@@ -151,7 +151,8 @@ gateway.remote.alias.service.enabled | T
 gateway.read.only.override.topologies | A comma-delimited list of topology names which should
be forcibly treated as read-only. | none
 gateway.discovery.default.address | The default discovery address, which is applied if no
address is specified in a descriptor. | null
 gateway.discovery.default.cluster | The default discovery cluster name, which is applied
if no cluster name is specified in a descriptor. | null
-
+gateway.dispatch.whitelist | A semicolon-delimited list of regular expressions for controlling
to which endpoints Knox dispatches and redirects will be permitted. | null
+gateway.dispatch.whitelist.services | A comma-delimited list of service roles to which the
*gateway.dispatch.whitelist* will be applied. | none
 
 #### Topology Descriptors ####
 
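Review bot: the `none` default for `gateway.dispatch.whitelist.services` leaves it unclear whether an empty service list means the whitelist is applied to no services (effectively disabled until roles are listed) or to all of them; the description should say which, since an operator who sets only `gateway.dispatch.whitelist` and expects it to be enforced would otherwise be misled. Minor: the two rows added together use `null` for one default and `none` for the other; the table already mixes both, but new rows added in one change could use a single convention.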

Modified: knox/trunk/books/1.1.0/config_knox_sso.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.1.0/config_knox_sso.md?rev=1834171&r1=1834170&r2=1834171&view=diff
==============================================================================
--- knox/trunk/books/1.1.0/config_knox_sso.md (original)
+++ knox/trunk/books/1.1.0/config_knox_sso.md Fri Jun 22 23:05:38 2018
@@ -99,7 +99,7 @@ knoxsso.cookie.max.age           | optio
 knoxsso.cookie.domain.suffix     | optional: This indicates the portion of the request hostname
that represents the domain to be used for the cookie domain. For single host development scenarios
the default behavior should be fine. For production deployments, the expected domain should
be set and all configured URLs that are related to SSO should use this domain. Otherwise,
the cookie will not be presented by the browser to mismatched URLs. | Default cookie domain
or a domain derived from a hostname that includes more than 2 dots.
 knoxsso.token.ttl                | This indicates the lifespan of the token within the cookie.
Once it expires a new cookie must be acquired from KnoxSSO. This is in milliseconds. The 36000000
in the topology above gives you 10 hrs. | 30000 That is 30 seconds.
 knoxsso.token.audiences          | This is a comma separated list of audiences to add to
the JWT token. This is used to ensure that a token received by a participating application
knows that the token was intended for use with that application. It is optional. In the event
that an application has expected audiences and they are not present the token must be rejected.
In the event where the token has audiences and the application has none expected then the
token is accepted.| empty
-knoxsso.redirect.whitelist.regex | A semicolon separated list of regex expressions. The incoming
originalUrl must match one of the expressions in order for KnoxSSO to redirect to it after
authentication. Defaults to only relative paths and localhost with or without SSL for development
usecases. This needs to be opened up for production use and actual participating applications.
Note that cookie use is still constrained to redirect destinations in the same domain as the
KnoxSSO service - regardless of the expressions specified here. | ^/.\*$;^https?://localhost:\\d{0,9}/.\*$
+knoxsso.redirect.whitelist.regex | A semicolon-delimited list of regular expressions. The
incoming originalUrl must match one of the expressions in order for KnoxSSO to redirect to
it after authentication. Note that cookie use is still constrained to redirect destinations
in the same domain as the KnoxSSO service - regardless of the expressions specified here.
| The value of the gateway-site property named *gateway.dispatch.whitelist*. If that is not
defined, the default allows only relative paths, localhost or destinations in the same domain
as the Knox host (with or without SSL). This may need to be opened up for production use and
actual participating applications.
 
 
 ### Participating Application Configuration
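Review bot: this markdown row is the source from which the HTML table above is generated, so the wording fix belongs here. The default column now carries operational guidance ("This may need to be opened up for production use and actual participating applications") while the description column keeps only the cookie-domain note; move that guidance into the description column so the default column holds just the value, and quote the literal fallback expressions there (the removed line shows they were `^/.*$;^https?://localhost:\d{0,9}/.*$`, markdown-escaped) so the reader can see exactly what "relative paths, localhost or destinations in the same domain" resolves to.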


