Repository: knox Updated Branches: refs/heads/master 6f308e524 -> cc2821d70
KNOX-1350 - Complete centralization of manager.xml topology config in gateway-site.xml Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/cc2821d7 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/cc2821d7 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/cc2821d7 Branch: refs/heads/master Commit: cc2821d706cf0a9229eb73d7f53fed2ad379374c Parents: 6f308e5 Author: Larry McCay <[email protected]> Authored: Wed Jun 13 18:31:58 2018 -0400 Committer: Larry McCay <[email protected]> Committed: Wed Jun 13 18:32:12 2018 -0400 ---------------------------------------------------------------------- ...adoopGroupProviderDeploymentContributor.java | 20 +-- gateway-release/home/conf/gateway-site.xml | 44 +++++++ .../home/conf/topologies/manager.xml | 124 ++++++++++--------- gateway-release/home/conf/users.ldif | 8 ++ .../topology/impl/DefaultTopologyService.java | 2 +- 5 files changed, 129 insertions(+), 69 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/cc2821d7/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java ---------------------------------------------------------------------- diff --git a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java index 4fb8465..4d31132 100644 --- a/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java 
+++ b/gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java @@ -75,22 +75,22 @@ public class HadoopGroupProviderDeploymentContributor @Override public void contributeFilter( DeploymentContext context, Provider provider, Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) { - Map<String, String> p = provider.getParams(); - String prefix = p.get("CENTRAL_GROUP_CONFIG_PREFIX"); - if (prefix != null && !prefix.isEmpty()) { - if (!prefix.endsWith(".")) { - prefix += "."; - } + Map<String, String> p = provider.getParams(); + String prefix = p.get("CENTRAL_GROUP_CONFIG_PREFIX"); + if (prefix != null && !prefix.isEmpty()) { + if (!prefix.endsWith(".")) { + prefix += "."; + } Map<String, String> groupMappingParams = ((Configuration)context.getGatewayConfig()).getPropsWithPrefix(prefix); if (groupMappingParams != null) { params = createParamList(resource, params, groupMappingParams); } } - - if (params == null || params.isEmpty()) { - params = buildFilterInitParms(provider, resource, params); - } + + if (params == null || params.isEmpty()) { + params = buildFilterInitParms(provider, resource, params); + } resource.addFilter().name(getName()).role(getRole()).impl(getFilterClassname()).params(params); } http://git-wip-us.apache.org/repos/asf/knox/blob/cc2821d7/gateway-release/home/conf/gateway-site.xml ---------------------------------------------------------------------- diff --git a/gateway-release/home/conf/gateway-site.xml b/gateway-release/home/conf/gateway-site.xml index fec5e87..64abf16 100644 --- a/gateway-release/home/conf/gateway-site.xml +++ b/gateway-release/home/conf/gateway-site.xml 
@@ -85,4 +85,48 @@ limitations under the License. <description>The interval (in seconds) for polling Ambari for cluster configuration changes.</description> </property> + <!-- Knox Admin related config --> + <property> + <name>gateway.knox.admin.groups</name> + <value>admin</value> + </property> + + <!-- DEMO LDAP config for Hadoop Group Provider --> + <property> + <name>gateway.group.config.hadoop.security.group.mapping</name> + <value>org.apache.hadoop.security.LdapGroupsMapping</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.bind.user</name> + <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.bind.password</name> + <value>guest-password</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.url</name> + <value>ldap://localhost:33389</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.base</name> + <value></value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.filter.user</name> + <value>(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.filter.group</name> + <value>(objectclass=groupOfNames)</value> + </property> + <property> + <name>hgateway.group.config.adoop.security.group.mapping.ldap.search.attr.member</name> + <value>member</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.attr.group.name</name> + <value>cn</value> + </property> + </configuration> http://git-wip-us.apache.org/repos/asf/knox/blob/cc2821d7/gateway-release/home/conf/topologies/manager.xml ---------------------------------------------------------------------- 
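Review bot: The new property name `hgateway.group.config.adoop.security.group.mapping.ldap.search.attr.member` has its leading `h` misplaced, so it does not carry the `gateway.group.config.` prefix that `HadoopGroupProviderDeploymentContributor` selects with `getPropsWithPrefix`, and `hadoop.security.group.mapping.ldap.search.attr.member` is never passed to the group mapping; it should read `gateway.group.config.hadoop.security.group.mapping.ldap.search.attr.member`. Since `member` is presumably also Hadoop's default for that attribute, the omission is likely masked in the demo setup, which is exactly why it would go unnoticed until someone changes the value. Separately, `...ldap.bind.password` now ships as a plaintext value in the default gateway-site.xml; the block is labeled demo config, so I would at least say so next to the password, e.g. `<!-- DEMO ONLY: for real deployments keep the bind password out of this file (credential alias or Hadoop's ldap.bind.password.file, if the Hadoop version in use supports it) -->`. Note also that `ldap://` without TLS sends that bind credential in the clear once the URL points anywhere but localhost.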
diff --git a/gateway-release/home/conf/topologies/manager.xml b/gateway-release/home/conf/topologies/manager.xml index 12dffe4..844d857 100644 --- a/gateway-release/home/conf/topologies/manager.xml +++ b/gateway-release/home/conf/topologies/manager.xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="utf-8"?> +<?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with 
@@ -16,61 +16,69 @@ limitations under the License. --> <topology> - - <gateway> - - <provider> - <role>webappsec</role> - <name>WebAppSec</name> - <enabled>true</enabled> - <param><name>csrf.enabled</name><value>true</value></param> - <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param> - <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param> - <param><name>xframe.options.enabled</name><value>true</value></param> - <param><name>xss.protection.enabled</name><value>true</value></param> - <param><name>strict.transport.enabled</name><value>true</value></param> - </provider> - - <provider> - <role>federation</role> - <name>SSOCookieProvider</name> - <enabled>true</enabled> - </provider> - - <provider> - <role>authorization</role> - <name>AclsAuthz</name> - <enabled>true</enabled> - <param> - <name>knox.acl</name> - <value>admin;*;*</value> - </param> - </provider> - - <provider> - <role>identity-assertion</role> - <name>Default</name> - <enabled>true</enabled> - </provider> - - <provider> - <role>hostmap</role> - <name>static</name> - <enabled>true</enabled> - <param> - <name>localhost</name> - <value>sandbox,sandbox.hortonworks.com</value> - </param> - </provider> - - </gateway> - - <application> - <role>admin-ui</role> - </application> - - <service> - <role>KNOX</role> - </service> - + <name>manager</name> + <gateway> + <provider> + <role>webappsec</role> + <name>WebAppSec</name> + <enabled>true</enabled> + <param> + <name>csrf.enabled</name> + <value>true</value> + </param> + <param> + <name>csrf.customHeader</name> + <value>X-XSRF-Header</value> + </param> + <param> + <name>csrf.methodsToIgnore</name> + <value>GET,OPTIONS,HEAD</value> + </param> + <param> + <name>xframe.options.enabled</name> + <value>true</value> + </param> + <param> + <name>xss.protection.enabled</name> + <value>true</value> + </param> + <param> + <name>strict.transport.enabled</name> + <value>true</value> + </param> + </provider> + <provider> + 
<role>federation</role> + <name>SSOCookieProvider</name> + <enabled>true</enabled> + </provider> + <provider> + <role>identity-assertion</role> + <name>HadoopGroupProvider</name> + <enabled>true</enabled> + <param> + <name>CENTRAL_GROUP_CONFIG_PREFIX</name> + <value>gateway.group.config.</value> + </param> + </provider> + <provider> + <role>authorization</role> + <name>AclsAuthz</name> + <enabled>true</enabled> + <param> + <name>knox.acl.mode</name> + <value>OR</value> + </param> + <param> + <name>knox.acl</name> + <value>KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*</value> + </param> + </provider> + </gateway> + <service> + <role>KNOX</role> + </service> + <application> + <name>admin-ui</name> + </application> </topology> http://git-wip-us.apache.org/repos/asf/knox/blob/cc2821d7/gateway-release/home/conf/users.ldif ---------------------------------------------------------------------- diff --git a/gateway-release/home/conf/users.ldif b/gateway-release/home/conf/users.ldif index a39f27c..986704d 100644 --- a/gateway-release/home/conf/users.ldif +++ b/gateway-release/home/conf/users.ldif @@ -100,3 +100,11 @@ cn: scientist description: scientist group member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org +# create the admin group under groups +dn: cn=admin,ou=groups,dc=hadoop,dc=apache,dc=org +objectclass:top +objectclass: groupofnames +cn: admin +description: admin group +member: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org + http://git-wip-us.apache.org/repos/asf/knox/blob/cc2821d7/gateway-server/src/main/java/org/apache/knox/gateway/services/topology/impl/DefaultTopologyService.java ---------------------------------------------------------------------- diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/topology/impl/DefaultTopologyService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/topology/impl/DefaultTopologyService.java index e306d24..d2f6ad0 100644 
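Review bot: The new `knox.acl` value `KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*` drops the explicit `admin;*;*` grant, but this commit only adds `gateway.knox.admin.groups` to gateway-site.xml and nothing visible defines `gateway.knox.admin.users`, so admin access to the manager topology now appears to depend entirely on the LDAP group lookup done by `HadoopGroupProvider` (binding as `guest` against the demo LDAP on `localhost:33389`) succeeding. That is acceptable hardening but an operational trap with no comment explaining it; I would add above the authorization provider: `<!-- KNOX_ADMIN_USERS / KNOX_ADMIN_GROUPS are expected to resolve from gateway.knox.admin.users / gateway.knox.admin.groups in gateway-site.xml; the identity-assertion provider above must run first, as it supplies the group principals this ACL checks -->`. Whether the trailing `*` IP entry is ignored under `knox.acl.mode=OR` or counts as a match is decided in AclsAuthorizationFilter, which is outside this diff; that should be confirmed, because if `*` matched under OR semantics this ACL would be open to everyone. The ordering remark assumes Knox chains providers in declaration order, which the topology alone does not show.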
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/topology/impl/DefaultTopologyService.java +++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/topology/impl/DefaultTopologyService.java @@ -163,7 +163,7 @@ public class DefaultTopologyService try { TopologyValidator tv = new TopologyValidator(topology); - if(tv.validateTopology()) { + if(!tv.validateTopology()) { throw new SAXException(tv.getErrorString()); }
