Author: pzampino
Date: Fri Jun 22 23:05:38 2018
New Revision: 1834171
URL: http://svn.apache.org/viewvc?rev=1834171&view=rev
Log:
Documented gateway-site properties for dispatch and redirect whitelist
Modified:
knox/site/books/knox-1-1-0/user-guide.html
knox/trunk/books/1.1.0/config.md
knox/trunk/books/1.1.0/config_knox_sso.md
Modified: knox/site/books/knox-1-1-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-1-1-0/user-guide.html?rev=1834171&r1=1834170&r2=1834171&view=diff
==============================================================================
--- knox/site/books/knox-1-1-0/user-guide.html (original)
+++ knox/site/books/knox-1-1-0/user-guide.html Fri Jun 22 23:05:38 2018
@@ -760,6 +760,16 @@ https://{gateway-host}:{gateway-port}/{g
<td>The default discovery cluster name, which is applied if no cluster
name is specified in a descriptor. </td>
<td>null</td>
</tr>
+ <tr>
+ <td>gateway.dispatch.whitelist </td>
+ <td>A semicolon-delimited list of regular expressions for controlling to
which endpoints Knox dispatches and redirects will be permitted. </td>
+ <td>null</td>
+ </tr>
+ <tr>
+ <td>gateway.dispatch.whitelist.services </td>
+ <td>A comma-delimited list of service roles to which the
<em>gateway.dispatch.whitelist</em> will be applied. </td>
+ <td>none</td>
+ </tr>
</tbody>
</table><h4><a id="Topology+Descriptors">Topology Descriptors</a> <a
href="#Topology+Descriptors"><img
src="markbook-section-link.png"/></a></h4><p>The topology descriptor files
provide the gateway with per-cluster configuration information. This includes
configuration for both the providers within the gateway and the services within
the Hadoop cluster. These files are located in
<code>{GATEWAY_HOME}/conf/topologies</code>. The general outline of this
document looks like this.</p>
<pre><code><topology>
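Review bot: the new `gateway.dispatch.whitelist` row gives a default of `null` but never says what an undefined whitelist means for dispatch, i.e. whether Knox then permits dispatch and redirects to any endpoint or restricts them to the Knox host; the reader has to infer this from the KnoxSSO table further down, which describes the fallback as "only relative paths, localhost or destinations in the same domain as the Knox host". State the fallback behaviour here too, since this is the property an administrator will look up first. Two smaller points: the two new rows use different conventions for "unset" (`null` for the whitelist, `none` for `.services`), and the description does not say whether each regular expression must match the entire URL (the KnoxSSO defaults are anchored with `^...$`), which matters because an unanchored pattern such as `https://trusted.example.com` would also match `https://trusted.example.com.evil.example`.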
@@ -3997,8 +4007,8 @@ APACHE_HOME/bin/apachectl -k stop
</tr>
<tr>
<td>knoxsso.redirect.whitelist.regex </td>
- <td>A semicolon separated list of regex expressions. The incoming
originalUrl must match one of the expressions in order for KnoxSSO to redirect
to it after authentication. Defaults to only relative paths and localhost with
or without SSL for development usecases. This needs to be opened up for
production use and actual participating applications. Note that cookie use is
still constrained to redirect destinations in the same domain as the KnoxSSO
service - regardless of the expressions specified here. </td>
- <td>^/.*$;^https?://localhost:\d{0,9}/.*$</td>
+ <td>A semicolon-delimited list of regular expressions. The incoming
originalUrl must match one of the expressions in order for KnoxSSO to redirect
to it after authentication. Note that cookie use is still constrained to
redirect destinations in the same domain as the KnoxSSO service - regardless of
the expressions specified here. </td>
+ <td>The value of the gateway-site property named
<em>gateway.dispatch.whitelist</em>. If that is not defined, the default allows
only relative paths, localhost or destinations in the same domain as the Knox
host (with or without SSL). This may need to be opened up for production use
and actual participating applications.</td>
</tr>
</tbody>
</table><h3><a id="Participating+Application+Configuration">Participating
Application Configuration</a> <a
href="#Participating+Application+Configuration"><img
src="markbook-section-link.png"/></a></h3><h4><a
id="Hadoop+Configuration+Example">Hadoop Configuration Example</a> <a
href="#Hadoop+Configuration+Example"><img
src="markbook-section-link.png"/></a></h4><p>The following is used as the
KnoxSSO configuration in the Hadoop JWTRedirectAuthenticationHandler
implementation. Any participating application will need similar configuration.
Since JWTRedirectAuthenticationHandler extends the
AltKerberosAuthenticationHandler, the typical Kerberos configuration parameters
for authentication are also required.</p>
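Review bot: dropping the literal default `^/.*$;^https?://localhost:\d{0,9}/.*$` from the default column leaves this table with no example of the expected syntax (semicolon delimiter, anchored expressions, escaped `\d`), and the prose replacement cannot be copied into a topology. Keep a concrete value alongside the reference to `gateway.dispatch.whitelist`, for example "inherits gateway.dispatch.whitelist; if that is unset, equivalent to `^/.*$;^https?://localhost:\d{0,9}/.*$` plus the Knox host's domain". The sentence "This may need to be opened up for production use and actual participating applications." is guidance rather than a default and reads better in the description cell, as it was before this change.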
Modified: knox/trunk/books/1.1.0/config.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.1.0/config.md?rev=1834171&r1=1834170&r2=1834171&view=diff
==============================================================================
--- knox/trunk/books/1.1.0/config.md (original)
+++ knox/trunk/books/1.1.0/config.md Fri Jun 22 23:05:38 2018
@@ -151,7 +151,8 @@ gateway.remote.alias.service.enabled | T
gateway.read.only.override.topologies | A comma-delimited list of topology
names which should be forcibly treated as read-only. | none
gateway.discovery.default.address | The default discovery address, which is
applied if no address is specified in a descriptor. | null
gateway.discovery.default.cluster | The default discovery cluster name, which
is applied if no cluster name is specified in a descriptor. | null
-
+gateway.dispatch.whitelist | A semicolon-delimited list of regular expressions
for controlling to which endpoints Knox dispatches and redirects will be
permitted. | null
+gateway.dispatch.whitelist.services | A comma-delimited list of service roles
to which the *gateway.dispatch.whitelist* will be applied. | none
#### Topology Descriptors ####
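Review bot: the description "A semicolon-delimited list of regular expressions for controlling to which endpoints Knox dispatches and redirects will be permitted." is hard to parse; suggest "A semicolon-delimited list of regular expressions; Knox will only dispatch requests or issue redirects to endpoints matching one of them." Also, the removed blank line (`-`) was the only separator between the table and `#### Topology Descriptors ####`, so the heading now follows the last table row directly; some markdown renderers will fold that line into the table, so the blank line should be kept after the two new rows. Since `user-guide.html` appears to be generated from this file, the wording fix belongs here rather than in the HTML.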
Modified: knox/trunk/books/1.1.0/config_knox_sso.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/1.1.0/config_knox_sso.md?rev=1834171&r1=1834170&r2=1834171&view=diff
==============================================================================
--- knox/trunk/books/1.1.0/config_knox_sso.md (original)
+++ knox/trunk/books/1.1.0/config_knox_sso.md Fri Jun 22 23:05:38 2018
@@ -99,7 +99,7 @@ knoxsso.cookie.max.age | optio
knoxsso.cookie.domain.suffix | optional: This indicates the portion of the
request hostname that represents the domain to be used for the cookie domain.
For single host development scenarios the default behavior should be fine. For
production deployments, the expected domain should be set and all configured
URLs that are related to SSO should use this domain. Otherwise, the cookie will
not be presented by the browser to mismatched URLs. | Default cookie domain or
a domain derived from a hostname that includes more than 2 dots.
knoxsso.token.ttl | This indicates the lifespan of the token
within the cookie. Once it expires a new cookie must be acquired from KnoxSSO.
This is in milliseconds. The 36000000 in the topology above gives you 10 hrs. |
30000 That is 30 seconds.
knoxsso.token.audiences | This is a comma separated list of audiences
to add to the JWT token. This is used to ensure that a token received by a
participating application knows that the token was intended for use with that
application. It is optional. In the event that an application has expected
audiences and they are not present the token must be rejected. In the event
where the token has audiences and the application has none expected then the
token is accepted.| empty
-knoxsso.redirect.whitelist.regex | A semicolon separated list of regex
expressions. The incoming originalUrl must match one of the expressions in
order for KnoxSSO to redirect to it after authentication. Defaults to only
relative paths and localhost with or without SSL for development usecases. This
needs to be opened up for production use and actual participating applications.
Note that cookie use is still constrained to redirect destinations in the same
domain as the KnoxSSO service - regardless of the expressions specified here. |
^/.\*$;^https?://localhost:\\d{0,9}/.\*$
+knoxsso.redirect.whitelist.regex | A semicolon-delimited list of regular
expressions. The incoming originalUrl must match one of the expressions in
order for KnoxSSO to redirect to it after authentication. Note that cookie use
is still constrained to redirect destinations in the same domain as the KnoxSSO
service - regardless of the expressions specified here. | The value of the
gateway-site property named *gateway.dispatch.whitelist*. If that is not
defined, the default allows only relative paths, localhost or destinations in
the same domain as the Knox host (with or without SSL). This may need to be
opened up for production use and actual participating applications.
### Participating Application Configuration
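Review bot: the default changes in substance, not only in wording, and the text should say so. The removed row documented the fallback as "only relative paths and localhost with or without SSL", whereas the new default column adds "destinations in the same domain as the Knox host"; an administrator upgrading with no whitelist configured will find more redirect targets accepted than before, which deserves a one-line note, and "same domain" needs a definition (same hostname, or a suffix match against `knoxsso.cookie.domain.suffix`, which is documented a few rows above). Separately, the old escaped value `^/.\*$;^https?://localhost:\\d{0,9}/.\*$` was the copyable starting point for a production whitelist; with it gone, consider showing an example value for `gateway.dispatch.whitelist` in the description so readers of this page do not have to reconstruct the regex syntax.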