Author: lmccay
Date: Thu Dec 10 21:25:08 2015
New Revision: 1719216
URL: http://svn.apache.org/viewvc?rev=1719216&view=rev
Log:
added config description for cookie domain in KnoxSSO
Modified:
knox/site/books/knox-0-4-0/deployment-overview.png
knox/site/books/knox-0-4-0/deployment-provider.png
knox/site/books/knox-0-4-0/deployment-service.png
knox/site/books/knox-0-4-0/runtime-overview.png
knox/site/books/knox-0-4-0/runtime-request-processing.png
knox/site/books/knox-0-5-0/deployment-overview.png
knox/site/books/knox-0-5-0/deployment-provider.png
knox/site/books/knox-0-5-0/deployment-service.png
knox/site/books/knox-0-5-0/runtime-overview.png
knox/site/books/knox-0-5-0/runtime-request-processing.png
knox/site/books/knox-0-6-0/deployment-overview.png
knox/site/books/knox-0-6-0/deployment-provider.png
knox/site/books/knox-0-6-0/deployment-service.png
knox/site/books/knox-0-6-0/runtime-overview.png
knox/site/books/knox-0-6-0/runtime-request-processing.png
knox/site/books/knox-0-7-0/deployment-overview.png
knox/site/books/knox-0-7-0/deployment-provider.png
knox/site/books/knox-0-7-0/deployment-service.png
knox/site/books/knox-0-7-0/general_saml_flow.png
knox/site/books/knox-0-7-0/runtime-overview.png
knox/site/books/knox-0-7-0/runtime-request-processing.png
knox/site/books/knox-0-7-0/user-guide.html
knox/site/index.html
knox/site/issue-tracking.html
knox/site/license.html
knox/site/mail-lists.html
knox/site/project-info.html
knox/site/team-list.html
knox/trunk/books/0.7.0/config_knox_sso.md
Modified: knox/site/books/knox-0-4-0/deployment-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-4-0/deployment-provider.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-provider.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-4-0/deployment-service.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-service.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-4-0/runtime-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-4-0/runtime-request-processing.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-request-processing.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/deployment-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/deployment-provider.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-provider.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/deployment-service.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-service.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/runtime-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/runtime-request-processing.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-request-processing.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/deployment-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/deployment-provider.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-provider.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/deployment-service.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-service.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/runtime-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/runtime-request-processing.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-request-processing.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-7-0/deployment-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-7-0/deployment-provider.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-provider.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-7-0/deployment-service.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-service.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-7-0/general_saml_flow.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/general_saml_flow.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-7-0/runtime-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-overview.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-7-0/runtime-request-processing.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-request-processing.png?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-7-0/user-guide.html
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/user-guide.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/books/knox-0-7-0/user-guide.html (original)
+++ knox/site/books/knox-0-7-0/user-guide.html Thu Dec 10 21:25:08 2015
@@ -2033,8 +2033,8 @@ APACHE_HOME/bin/apachectl -k stop
</provider>
</code></pre><h5><a id="REST+Invocation+for+Tivoli+AM">REST Invocation for
Tivoli AM</a> <a href="#REST+Invocation+for+Tivoli+AM"><img
src="markbook-section-link.png"/></a></h5><p>The following curl command can be
used to request a directory listing from HDFS while passing in the expected
headers of iv_user and iv_group. Note that the iv_group value in this command
matches the expected ACL for webhdfs in the above topology file. Changing this
from “admin” to “admin2” should result in a 401
unauthorized response.</p>
<pre><code>curl -k -i --header "iv_user: guest" --header
"iv_group: admin" -v
https://localhost:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS
-</code></pre><p>Omitting the –header “iv_user: guest” above
will result in a rejected request.</p><h1><a
id="KnoxSSO+Setup+and+Configuration">KnoxSSO Setup and Configuration</a> <a
href="#KnoxSSO+Setup+and+Configuration"><img
src="markbook-section-link.png"/></a></h1><h2><a
id="Introduction">Introduction</a> <a href="#Introduction"><img
src="markbook-section-link.png"/></a></h2>
-<hr/><p>Authentication of the Hadoop component UIs, and those of the overall
ecosystem, is usually limited to Kerberos (which requires SPNEGO to be
configured for the user’s browser) and simple/psuedo. This often results
in the UIs not being secured - even in secured clusters. This is where KnoxSSO
provides value for through providing WebSSO capabilities to the Hadoop
cluster.</p><p>By leveraging the hadoop-auth module in Hadoop common, we have
introduced the ability to consume a common SSO cookie for web UIs while
retaining the non-web browser authentication through kerberos/SPNEGO. We do
this by extneding the AltKerberosAuthenticationHandler class which provides the
useragent based multiplexing. </p><p>We also provide integration guidance
within the developers guide for other applications to be able to participate in
these SSO capabilities.</p><p>The flexibility of the Apache Knox authentication
and federation providers allows KnoxSSO to provide a normalization of authentica
tion events through token exchange resulting in a common JWT (JSON WebToken)
based token.</p><p>KnoxSSO provides an abstraction for integrating any number
of authentication systems and SSO solutions and enables participating web
applications to scale to those solutions more easily. Without the token
exchange capabilities offered by KnoxSSO each component UI would need to
integrate with each desired solution on its own. With KnoxSSO they only need to
integrate with the single solution and common token.</p><p>This document
describes the overall setup requirements for KnoxSSO and participating
applications. [Please see the integration guide for instructions in adding
support for new applications.]</p><h2><a id="KnoxSSO+Setup">KnoxSSO Setup</a>
<a href="#KnoxSSO+Setup"><img src="markbook-section-link.png"/></a></h2><h3><a
id="knoxsso.xml+Topology">knoxsso.xml Topology</a> <a
href="#knoxsso.xml+Topology"><img
src="markbook-section-link.png"/></a></h3><p>To enable KnoxSSO, we need to conf
igure the KnoxSSO topology. The following is an example of this topology which
is configured to use HTTP Basic Auth against the Knox Demo LDAP server. This is
the lowest barrier of entry for your development environment that actually
authenticates against a real user store. Whatâs great is if you work against
the IdP with Basic Auth then you will work with SAML or anything else as well.
SAML support is provided through our PicketLink federation provider and we will
provide an example configuration for that as well.</p>
+</code></pre><p>Omitting the –header “iv_user: guest” above
will result in a rejected request.</p><h2><a
id="KnoxSSO+Setup+and+Configuration">KnoxSSO Setup and Configuration</a> <a
href="#KnoxSSO+Setup+and+Configuration"><img
src="markbook-section-link.png"/></a></h2><h3><a
id="Introduction">Introduction</a> <a href="#Introduction"><img
src="markbook-section-link.png"/></a></h3>
+<hr/><p>Authentication of the Hadoop component UIs, and those of the overall
ecosystem, is usually limited to Kerberos (which requires SPNEGO to be
configured for the user’s browser) and simple/psuedo. This often results
in the UIs not being secured - even in secured clusters. This is where KnoxSSO
provides value for through providing WebSSO capabilities to the Hadoop
cluster.</p><p>By leveraging the hadoop-auth module in Hadoop common, we have
introduced the ability to consume a common SSO cookie for web UIs while
retaining the non-web browser authentication through kerberos/SPNEGO. We do
this by extneding the AltKerberosAuthenticationHandler class which provides the
useragent based multiplexing. </p><p>We also provide integration guidance
within the developers guide for other applications to be able to participate in
these SSO capabilities.</p><p>The flexibility of the Apache Knox authentication
and federation providers allows KnoxSSO to provide a normalization of authentica
tion events through token exchange resulting in a common JWT (JSON WebToken)
based token.</p><p>KnoxSSO provides an abstraction for integrating any number
of authentication systems and SSO solutions and enables participating web
applications to scale to those solutions more easily. Without the token
exchange capabilities offered by KnoxSSO each component UI would need to
integrate with each desired solution on its own. With KnoxSSO they only need to
integrate with the single solution and common token.</p><p>This document
describes the overall setup requirements for KnoxSSO and participating
applications. [Please see the integration guide for instructions in adding
support for new applications.]</p><h3><a id="KnoxSSO+Setup">KnoxSSO Setup</a>
<a href="#KnoxSSO+Setup"><img src="markbook-section-link.png"/></a></h3><h4><a
id="knoxsso.xml+Topology">knoxsso.xml Topology</a> <a
href="#knoxsso.xml+Topology"><img
src="markbook-section-link.png"/></a></h4><p>To enable KnoxSSO, we need to conf
igure the KnoxSSO topology. The following is an example of this topology which
is configured to use HTTP Basic Auth against the Knox Demo LDAP server. This is
the lowest barrier of entry for your development environment that actually
authenticates against a real user store. Whatâs great is if you work against
the IdP with Basic Auth then you will work with SAML or anything else as well.
SAML support is provided through our PicketLink federation provider and we will
provide an example configuration for that as well.</p>
<pre><code> <?xml version="1.0"
encoding="utf-8"?>
<topology>
<gateway>
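Review bot: the heading demotion in this hunk (the KnoxSSO section moves from h1/h2/h3 to h2/h3/h4, from the `-<hr/><p>Authentication of the Hadoop component UIs` block to the `+</code></pre>…<h2>` block) is not covered by the log message "added config description for cookie domain in KnoxSSO". Since user-guide.html is regenerated from the book source, either mention the restructuring in the log or commit it as its own revision so the cookie-domain change can be reviewed on its own; as it stands the otherwise identical removed and re-added paragraphs hide the one-parameter change this revision is about.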
@@ -2095,11 +2095,15 @@ APACHE_HOME/bin/apachectl -k stop
<name>knoxsso.redirect.whitelist.regex</name>
<value>^/.*$;https?://localhost*$</value>
</param>
+ <param>
+
<name>knoxsso.cookie.domain.suffix</name>
+ <value>.novalocal</value>
+ </param>
</service>
</topology>
</code></pre><p>Just as with any Knox service, the KNOXSSO service is
protected by the gateway providers defined above it. In this case, the
ShiroProvider is taking care of HTTP Basic Auth against LDAP for us. Once the
user authenticates the request processing continues to the KNOXSSO service that
will create the required cookie and do the necessary redirects.</p><p>The
authentication/federation provider can be swapped out to fit your deployment
environment.</p><p>This is a good place to start in the setup of KnoxSSO as it
doesn’t pull in dependencies on external identity solutions. Once we have
this working, we can switch to a federation provider and integrate a preferred
SSO solution.</p><p>This topology will result in a KnoxSSO URL that looks
something like:</p>
<pre><code>https://{gateway_host}:{gateway_port}/gateway/knoxsso/api/v1/websso
-</code></pre><p>This URL is needed when configuring applications that
participate in KnoxSSO for a given deployment. We will refer to this as the
Provider URL in this document.</p><h3><a
id="KnoxSSO+Configuration+Parameters">KnoxSSO Configuration Parameters</a> <a
href="#KnoxSSO+Configuration+Parameters"><img
src="markbook-section-link.png"/></a></h3>
+</code></pre><p>This URL is needed when configuring applications that
participate in KnoxSSO for a given deployment. We will refer to this as the
Provider URL in this document.</p><h4><a
id="KnoxSSO+Configuration+Parameters">KnoxSSO Configuration Parameters</a> <a
href="#KnoxSSO+Configuration+Parameters"><img
src="markbook-section-link.png"/></a></h4>
<table>
<thead>
<tr>
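Review bot: the example value `<value>.novalocal</value>` added to the knoxsso topology is inconsistent with the whitelist two lines above it, `<value>^/.*$;https?://localhost*$</value>`, which only permits redirects to relative paths and localhost. A cookie scoped to `.novalocal` is not presented by the browser to localhost, so a reader who copies this topology verbatim gets a KnoxSSO cookie that none of the whitelisted destinations ever receive. `novalocal` is also the default instance domain of OpenStack Nova, which reads like a value copied from a test environment rather than chosen for documentation; use an obvious placeholder such as `.example.com`, or leave the param out of the example entirely (the new table row says the default is fine for single-host development), and keep the whitelist and the suffix consistent with each other.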
@@ -2120,6 +2124,11 @@ APACHE_HOME/bin/apachectl -k stop
<td>session</td>
</tr>
<tr>
+ <td>knoxsso.cookie.domain.suffix </td>
+ <td>optional: This indicates the portion of the request hostname that
represents the domain to be used for the cookie domain. For single host
development scenarios the default behavior should be fine. For production
deployments, the expected domain should be set and all configured URLs that are
related to SSO should use this domain. Otherwise, the cookie will not be
presented by the browser to mismatched URLs. </td>
+ <td>Default cookie domain or a domain derived from a hostname that
includes of more than 2 dots.</td>
+ </tr>
+ <tr>
<td>knoxsso.token.ttl </td>
<td>This indicates the lifespan of the token within the cookie. Once it
expires a new cookie must be acquired from KnoxSSO. This is in milliseconds.
The 36000000 in the topology above gives you 10 hrs. </td>
<td>30000 That is 30 seconds.</td>
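Review bot: the Default cell for `knoxsso.cookie.domain.suffix`, "Default cookie domain or a domain derived from a hostname that includes of more than 2 dots", does not say what the "default cookie domain" is; if the default is a host-only cookie (no Domain attribute) and the suffix is only derived when the request host has more than two dots, state that explicitly so an operator can predict which cookie they will get. The description should also tell the reader to set the suffix no broader than the participating applications require: every host under the configured domain receives the SSO cookie and the JWT inside it, so a shared parent domain hands the token to hosts that have nothing to do with SSO. This HTML is generated from config_knox_sso.md, so the wording change belongs in the source file.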
@@ -2135,7 +2144,7 @@ APACHE_HOME/bin/apachectl -k stop
<td>^/.*$;^https?://localhost:\d{0,9}/.*$</td>
</tr>
</tbody>
-</table><h2><a id="Participating+Application+Configuration">Participating
Application Configuration</a> <a
href="#Participating+Application+Configuration"><img
src="markbook-section-link.png"/></a></h2><h3><a
id="Hadoop+Configuration+Example">Hadoop Configuration Example</a> <a
href="#Hadoop+Configuration+Example"><img
src="markbook-section-link.png"/></a></h3><p>The following is used as the
KnoxSSO configuration in the Hadoop JWTRedirectAuthenticationHandler
implementation. Any participating application will need similar configuration.
Since JWTRedirectAuthenticationHandler extends the
AltKerberosAuthenticationHandler, the typical kerberos configuration parameters
for authentication are also required.</p>
+</table><h3><a id="Participating+Application+Configuration">Participating
Application Configuration</a> <a
href="#Participating+Application+Configuration"><img
src="markbook-section-link.png"/></a></h3><h4><a
id="Hadoop+Configuration+Example">Hadoop Configuration Example</a> <a
href="#Hadoop+Configuration+Example"><img
src="markbook-section-link.png"/></a></h4><p>The following is used as the
KnoxSSO configuration in the Hadoop JWTRedirectAuthenticationHandler
implementation. Any participating application will need similar configuration.
Since JWTRedirectAuthenticationHandler extends the
AltKerberosAuthenticationHandler, the typical kerberos configuration parameters
for authentication are also required.</p>
<pre><code> <property>
<name>hadoop.http.authentication.type</name>
<value>org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler</value>
</property>
Modified: knox/site/index.html
URL:
http://svn.apache.org/viewvc/knox/site/index.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20151129" />
+ <meta name="Date-Revision-yyyymmdd" content="20151210" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – REST API Gateway for the Hadoop
Ecosystem</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2015-11-29</li>
+ <li id="publishDate" class="pull-right">Last Published:
2015-12-10</li>
</ul>
</div>
Modified: knox/site/issue-tracking.html
URL:
http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20151129" />
+ <meta name="Date-Revision-yyyymmdd" content="20151210" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Issue Tracking</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2015-11-29</li>
+ <li id="publishDate" class="pull-right">Last Published:
2015-12-10</li>
</ul>
</div>
Modified: knox/site/license.html
URL:
http://svn.apache.org/viewvc/knox/site/license.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20151129" />
+ <meta name="Date-Revision-yyyymmdd" content="20151210" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project License</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2015-11-29</li>
+ <li id="publishDate" class="pull-right">Last Published:
2015-12-10</li>
</ul>
</div>
Modified: knox/site/mail-lists.html
URL:
http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20151129" />
+ <meta name="Date-Revision-yyyymmdd" content="20151210" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Mailing Lists</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2015-11-29</li>
+ <li id="publishDate" class="pull-right">Last Published:
2015-12-10</li>
</ul>
</div>
Modified: knox/site/project-info.html
URL:
http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20151129" />
+ <meta name="Date-Revision-yyyymmdd" content="20151210" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Information</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2015-11-29</li>
+ <li id="publishDate" class="pull-right">Last Published:
2015-12-10</li>
</ul>
</div>
Modified: knox/site/team-list.html
URL:
http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Thu Dec 10 21:25:08 2015
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2015-11-29
+ | Generated by Apache Maven Doxia at 2015-12-10
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20151129" />
+ <meta name="Date-Revision-yyyymmdd" content="20151210" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Team list</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2015-11-29</li>
+ <li id="publishDate" class="pull-right">Last Published:
2015-12-10</li>
</ul>
</div>
Modified: knox/trunk/books/0.7.0/config_knox_sso.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/0.7.0/config_knox_sso.md?rev=1719216&r1=1719215&r2=1719216&view=diff
==============================================================================
--- knox/trunk/books/0.7.0/config_knox_sso.md (original)
+++ knox/trunk/books/0.7.0/config_knox_sso.md Thu Dec 10 21:25:08 2015
@@ -1,6 +1,6 @@
-# KnoxSSO Setup and Configuration
+## KnoxSSO Setup and Configuration
-## Introduction
+### Introduction
---
Authentication of the Hadoop component UIs, and those of the overall
ecosystem, is usually limited to Kerberos (which requires SPNEGO to be
configured for the user's browser) and simple/psuedo. This often results in the
UIs not being secured - even in secured clusters. This is where KnoxSSO
provides value for through providing WebSSO capabilities to the Hadoop cluster.
@@ -15,9 +15,9 @@ KnoxSSO provides an abstraction for inte
This document describes the overall setup requirements for KnoxSSO and
participating applications. [Please see the integration guide for instructions
in adding support for new applications.]
-## KnoxSSO Setup
+### KnoxSSO Setup
-### knoxsso.xml Topology
+#### knoxsso.xml Topology
To enable KnoxSSO, we need to configure the KnoxSSO topology. The following is
an example of this topology which is configured to use HTTP Basic Auth against
the Knox Demo LDAP server. This is the lowest barrier of entry for your
development environment that actually authenticates against a real user store.
Whatâs great is if you work against the IdP with Basic Auth then you will
work with SAML or anything else as well. SAML support is provided through our
PicketLink federation provider and we will provide an example configuration for
that as well.
```
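Review bot: the context line "Whatâs great is if you work against the IdP with Basic Auth" in this hunk carries a mis-encoded apostrophe (a UTF-8 right single quote read back as Latin-1), and it is rendered the same way in the regenerated user-guide.html. Since this revision already touches the surrounding lines, replace it with the plain apostrophe the file uses earlier in "user's browser".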
@@ -81,6 +81,10 @@ To enable KnoxSSO, we need to configure
<name>knoxsso.redirect.whitelist.regex</name>
<value>^/.*$;https?://localhost*$</value>
</param>
+ <param>
+ <name>knoxsso.cookie.domain.suffix</name>
+ <value>.novalocal</value>
+ </param>
</service>
</topology>
```
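Review bot: the added `<value>.novalocal</value>` shows the suffix with a leading dot, but the parameter description added further down only calls it "the portion of the request hostname that represents the domain" and never says whether the dot is required, optional, or stripped. Document the expected format here, next to the example, so operators do not have to discover it by trial and error, and use the same wording in the Configuration Parameters row.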
@@ -97,19 +101,20 @@ This topology will result in a KnoxSSO U
This URL is needed when configuring applications that participate in KnoxSSO
for a given deployment. We will refer to this as the Provider URL in this
document.
-### KnoxSSO Configuration Parameters
+#### KnoxSSO Configuration Parameters
Parameter | Description | Default
--------- |----------- |-----------
knoxsso.cookie.secure.only | This determines whether the browser is allowed to
send the cookie over unsecured channels. This should always be set to true in
production systems. If during development a relying party is not running ssl
then you can turn this off. Running with it off exposes the cookie and
underlying token for capture and replay by others. | true
knoxsso.cookie.max.age | optional: This indicates that a cookie can only live
for a specified amount of time - in seconds. This should probably be left to
the default which makes it a session cookie. Session cookies are discarded once
the browser session is closed. | session
+knoxsso.cookie.domain.suffix | optional: This indicates the portion of the
request hostname that represents the domain to be used for the cookie domain.
For single host development scenarios the default behavior should be fine. For
production deployments, the expected domain should be set and all configured
URLs that are related to SSO should use this domain. Otherwise, the cookie will
not be presented by the browser to mismatched URLs. | Default cookie domain or
a domain derived from a hostname that includes of more than 2 dots.
knoxsso.token.ttl | This indicates the lifespan of the token within the
cookie. Once it expires a new cookie must be acquired from KnoxSSO. This is in
milliseconds. The 36000000 in the topology above gives you 10 hrs. | 30000 That
is 30 seconds.
knoxsso.token.audiences | This is a comma separated list of audiences to add
to the JWT token. This is used to ensure that a token received by a
participating application knows that the token was intended for use with that
application. It is optional. In the event that an application has expected
audiences and they are not present the token must be rejected. In the event
where the token has audiences and the application has none expected then the
token is accepted. OPEN ISSUE - not currently being populated in
WebSSOResource. | empty
knoxsso.redirect.whitelist.regex | A semicolon separated list of regex
expressions. The incoming originalUrl must match one of the expressions in
order for KnoxSSO to redirect to it after authentication. Defaults to only
relative paths and localhost with or without SSL for development usecases. This
needs to be opened up for production use and actual participating applications.
Note that cookie use is still constrained to redirect destinations in the same
domain as the KnoxSSO service - regardless of the expressions specified here. |
^/.\*$;^https?://localhost:\\d{0,9}/.\*$
-## Participating Application Configuration
-### Hadoop Configuration Example
+### Participating Application Configuration
+#### Hadoop Configuration Example
The following is used as the KnoxSSO configuration in the Hadoop
JWTRedirectAuthenticationHandler implementation. Any participating application
will need similar configuration. Since JWTRedirectAuthenticationHandler extends
the AltKerberosAuthenticationHandler, the typical kerberos configuration
parameters for authentication are also required.
```
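Review bot: the new `knoxsso.cookie.domain.suffix` row marks the parameter as optional but never says what happens when the request hostname does not end with the configured suffix (a cookie set without a Domain attribute, a cookie with a domain the browser will reject, or a refused request). That is exactly the "mismatched URLs" case the row warns about, so spell out the behaviour; and in the Default column change "includes of more than 2 dots" to "includes more than two dots".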