This is an automated email from the ASF dual-hosted git repository. more pushed a commit to branch KNOX-3214 in repository https://gitbox.apache.org/repos/asf/knox.git
commit 97fa03e0f2ee42fe28340d9600891a0af8012866 Author: Sandeep Moré <[email protected]> AuthorDate: Wed Nov 19 13:52:14 2025 -0500 initial commit --- .github/workflows/build/Dockerfile | 55 ++++++++ .github/workflows/build/gateway-site.xml | 197 +++++++++++++++++++++++++++ .github/workflows/build/gateway.sh | 7 + .github/workflows/build/ldap.sh | 3 + .github/workflows/build/master | 3 + .github/workflows/build/settings.xml | 30 ++++ .github/workflows/compose/docker-compose.yml | 26 ++++ .github/workflows/tests.yml | 58 ++++++++ 8 files changed, 379 insertions(+) diff --git a/.github/workflows/build/Dockerfile b/.github/workflows/build/Dockerfile new file mode 100644 index 000000000..a5ed1d738 --- /dev/null +++ b/.github/workflows/build/Dockerfile 
@@ -0,0 +1,55 @@
+FROM maven:3.8.4-openjdk-8
+
+MAINTAINER moresandeep
+
+# Install dependencies
+RUN apt-get update
+
+RUN apt-get install -y git
+
+RUN useradd -ms /bin/bash gateway
+
+# Clone our dev branch
+ARG knoxurl
+ARG branch
+
+RUN git clone -b $branch $knoxurl knox
+
+RUN mkdir /knox/knox-temp-artifacts
+RUN mkdir /knox/knoxshell-temp-artifacts
+
+# Update maven settings to ignore jcenter repo
+#ADD settings.xml /home/gateway/.m2/settings.xml
+#RUN mv /home/gateway/.m2/settings.xml ~/.m2/settings.xml
+ADD settings.xml /usr/share/maven/ref/
+
+# Skipping tests here for faster turnaround.
+RUN cd knox && mvn -settings /usr/share/maven/ref/settings.xml clean -Ppackage,release install -DskipTests && tar -xvzf target/*/knox-*.tar.gz -C knox-temp-artifacts && tar -xvzf /knox/target/*/knoxshell-*.tar.gz -C knoxshell-temp-artifacts
+
+# move runtime to new location
+# See https://github.com/docker/compose/issues/4581#issuecomment-321386605
+# for KnoxShell dance
+RUN mkdir /knox-runtime
+RUN mkdir /knoxshell
+RUN mkdir /knox-runtime/knoxshell
+RUN mv /knox/knox-temp-artifacts/*/* /knox-runtime
+RUN mv /knox/knoxshell-temp-artifacts/*/* /knox-runtime/knoxshell
+
+# delete build artifacts
+RUN rm -rf /knox
+
+ADD master /knox-runtime/data/security/master
+# Enable websockets
+ADD gateway-site.xml /knox-runtime/conf/gateway-site.xml
+
+RUN chown -R gateway /knox-runtime/
+
+# Cleanup
+RUN rm -rf /home/gateway/.m2/repository
+
+ADD ldap.sh /ldap.sh
+ADD gateway.sh /gateway.sh
+
+RUN chmod +x /ldap.sh
+RUN chmod +x /gateway.sh
+
diff --git a/.github/workflows/build/gateway-site.xml b/.github/workflows/build/gateway-site.xml
new file mode 100644
index 000000000..694b00c52
--- /dev/null
+++ b/.github/workflows/build/gateway-site.xml
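Review bot: `RUN git clone -b $branch $knoxurl knox` expands both build args unquoted and without an option terminator, and `branch` is fed from `github.head_ref` in tests.yml, so a branch name containing whitespace or starting with `-` alters the git command instead of failing cleanly; write it as `RUN git clone -b "$branch" -- "$knoxurl" knox`. The `RUN rm -rf /home/gateway/.m2/repository` cleanup is ineffective: no `USER` instruction precedes the Maven run, so its local repository presumably lives under root's `.m2` rather than the `gateway` home, and as a separate layer the delete cannot shrink the image anyway — fold build, extraction and cleanup into the single `RUN cd knox && mvn ...` layer or move the build into a separate stage. Nothing switches to the `gateway` user created by `useradd`, so the gateway still starts as root despite `RUN chown -R gateway /knox-runtime/`; if a non-root runtime is intended, add `USER gateway` as the last instruction and also chown `/knoxshell`, which gateway.sh writes into. `MAINTAINER` is deprecated in favour of `LABEL maintainer="moresandeep"`, and `RUN apt-get update` in its own layer ahead of `RUN apt-get install -y git` defeats cache invalidation — combine them in one RUN and remove `/var/lib/apt/lists/*` there.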
@@ -0,0 +1,197 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<configuration> + + <property> + <name>gateway.service.alias.impl</name> + <value>org.apache.knox.gateway.services.security.impl.RemoteAliasService</value> + </property> + <property> + <name>gateway.port</name> + <value>8443</value> + <description>The HTTP port for the Gateway.</description> + </property> + + <property> + <name>gateway.path</name> + <value>gateway</value> + <description>The default context path for the gateway.</description> + </property> + + <property> + <name>gateway.gateway.conf.dir</name> + <value>deployments</value> + <description>The directory within GATEWAY_HOME that contains gateway topology files and deployments.</description> + </property> + + <property> + <name>gateway.hadoop.kerberos.secured</name> + <value>false</value> + <description>Boolean flag indicating whether the Hadoop cluster protected by Gateway is secured with Kerberos</description> + </property> + + <property> + <name>java.security.krb5.conf</name> + <value>/etc/knox/conf/krb5.conf</value> + <description>Absolute path to krb5.conf file</description> + </property> + + <property> + <name>java.security.auth.login.config</name> + 
<value>/etc/knox/conf/krb5JAASLogin.conf</value> + <description>Absolute path to JAAS login config file</description> + </property> + + <property> + <name>sun.security.krb5.debug</name> + <value>false</value> + <description>Boolean flag indicating whether to enable debug messages for krb5 authentication</description> + </property> + + <!-- @since 0.10 Websocket configs --> + <property> + <name>gateway.websocket.feature.enabled</name> + <value>true</value> + <description>Enable/Disable websocket feature.</description> + </property> + + <property> + <name>gateway.scope.cookies.feature.enabled</name> + <value>false</value> + <description>Enable/Disable cookie scoping feature.</description> + </property> + + <property> + <name>gateway.cluster.config.monitor.ambari.enabled</name> + <value>false</value> + <description>Enable/disable Ambari cluster configuration monitoring.</description> + </property> + + <property> + <name>gateway.cluster.config.monitor.ambari.interval</name> + <value>60</value> + <description>The interval (in seconds) for polling Ambari for cluster configuration changes.</description> + </property> + <!-- @since 2.0.0 WebShell configs --> + <!-- must have websocket enabled to use webshell --> + <property> + <name>gateway.webshell.feature.enabled</name> + <value>true</value> + <description>Enable/Disable webshell feature.</description> + </property> + <property> + <name>gateway.webshell.max.concurrent.sessions</name> + <value>20</value> + <description>Maximum number of total concurrent webshell sessions</description> + </property> + <property> + <name>gateway.webshell.audit.logging.enabled</name> + <value>false</value> + <description>[Experimental Feature] Enable/Disable webshell command audit logging. 
+ NOTE: Turning this on might log secrets that might be part of + command line arguments, please consider this before turning this on.</description> + </property> + <property> + <name>gateway.webshell.read.buffer.size</name> + <value>1024</value> + <description>Web Shell buffer size for reading</description> + </property> + + <!-- @since 2.0.0 websocket JWT validation configs --> + <property> + <name>gateway.websocket.JWT.validation.feature.enabled</name> + <value>true</value> + <description>Enable/Disable websocket JWT validation at websocket layer.</description> + </property> + + <!-- @since 1.5.0 homepage logout --> + <property> + <name>knox.homepage.logout.enabled</name> + <value>true</value> + <description>Enable/disable logout from the Knox Homepage.</description> + </property> + + <!-- @since 1.6.0 token management related properties --> + <property> + <name>gateway.knox.token.eviction.grace.period</name> + <value>0</value> + <description>A duration (in seconds) beyond a token’s expiration to wait before evicting its state. 
This configuration only applies when server-managed token state is enabled either in gateway-site or at the topology level.</description> + </property> + + <!-- Knox Admin related config --> + <property> + <name>gateway.knox.admin.groups</name> + <value>admin</value> + </property> + + <!-- DEMO LDAP config for Hadoop Group Provider --> + <property> + <name>gateway.group.config.hadoop.security.group.mapping</name> + <value>org.apache.hadoop.security.LdapGroupsMapping</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.bind.user</name> + <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.bind.password</name> + <value>guest-password</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.url</name> + <value>ldap://localhost:33389</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.base</name> + <value></value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.filter.user</name> + <value>(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.filter.group</name> + <value>(objectclass=groupOfNames)</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.attr.member</name> + <value>member</value> + </property> + <property> + <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.attr.group.name</name> + <value>cn</value> + </property> + <property> + <name>gateway.dispatch.whitelist.services</name> + <value>DATANODE,HBASEUI,HDFSUI,JOBHISTORYUI,NODEUI,YARNUI,knoxauth</value> + <description>The comma-delimited list of service roles for which the gateway.dispatch.whitelist should be applied.</description> + 
</property> + <property> + <name>gateway.dispatch.whitelist</name> + <value>^https?:\/\/(www\.local\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value> + <description>The whitelist to be applied for dispatches associated with the service roles specified by gateway.dispatch.whitelist.services. + If the value is DEFAULT, a domain-based whitelist will be derived from the Knox host.</description> + </property> + <property> + <name>gateway.xforwarded.header.context.append.servicename</name> + <value>LIVYSERVER</value> + <description>Add service name to x-forward-context header for the list of services defined above.</description> + </property> + +</configuration> diff --git a/.github/workflows/build/gateway.sh b/.github/workflows/build/gateway.sh new file mode 100755 index 000000000..f73d014b4 --- /dev/null +++ b/.github/workflows/build/gateway.sh @@ -0,0 +1,7 @@ +#!/bin/sh +# Move the KnoxShell directory to proper place +# This is vecause of https://github.com/docker/compose/issues/4581#issuecomment-321386605 +mv /knox-runtime/knoxshell/* /knoxshell + +# Start Knox +java -jar /knox-runtime/bin/gateway.jar \ No newline at end of file diff --git a/.github/workflows/build/ldap.sh b/.github/workflows/build/ldap.sh new file mode 100755 index 000000000..f1b3ea42d --- /dev/null +++ b/.github/workflows/build/ldap.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +java -jar /knox-runtime/bin/ldap.jar /knox-runtime/conf \ No newline at end of file diff --git a/.github/workflows/build/master b/.github/workflows/build/master new file mode 100644 index 000000000..3a9f1b4ea --- /dev/null +++ b/.github/workflows/build/master @@ -0,0 +1,3 @@ +#1.0# Tue, Apr 30 2024 14:19:35.337 +RHdXbkpJTXUzcGc9Ojp5WWFSV0JYeG1GaFdjSHhIUEJlYWZ3PT06OmdOWC9CRDJ5dFpQeVExVkM2V2lYRkE9PQ== + diff --git a/.github/workflows/build/settings.xml b/.github/workflows/build/settings.xml new file mode 100644 index 000000000..ea1f0dea4 --- /dev/null +++ b/.github/workflows/build/settings.xml 
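Review bot: `gateway.group.config.hadoop.security.group.mapping.ldap.url` is set to `ldap://localhost:33389`, but docker-compose.yml in this commit runs the demo LDAP as a separate `ldap` service, so from the `knox` container `localhost` reaches nothing; use the compose service name, `<value>ldap://ldap:33389</value>`, or document that the Hadoop group provider is intentionally unreachable in this setup. The bind DN and `guest-password` for the demo LDAP are committed in clear text; that is acceptable for the bundled demo directory only, and a comment such as `<!-- demo LDAP credentials, test-only; never reuse against a real directory -->` above that block would make the scope explicit. `gateway.service.alias.impl` is pinned to `RemoteAliasService` with no remote-registry settings anywhere in the hunk; presumably it falls back to the local alias service, but confirm that on the version this image builds, since alias lookups are what the LDAP bind password would normally go through.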
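Review bot: `java -jar /knox-runtime/bin/gateway.jar` runs as a child of `sh`, so the SIGTERM that `docker compose down` sends to PID 1 never reaches the JVM and the container is killed outright after the timeout instead of shutting the gateway down cleanly; prefix the line with `exec`, i.e. `exec java -jar /knox-runtime/bin/gateway.jar`, and apply the same to the java line in ldap.sh. `mv /knox-runtime/knoxshell/* /knoxshell` runs on every container start, so after the first start the glob matches nothing and `mv` prints an error on each restart; guard it, e.g. `[ -n "$(ls -A /knox-runtime/knoxshell)" ] && mv /knox-runtime/knoxshell/* /knoxshell`, or state in the comment that the noise is expected. Minor: `vecause` in the comment, and both scripts end without a trailing newline.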
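Review bot: `master` commits a Knox master secret (the base64 line below the `#1.0#` header) into the repository, and the Dockerfile installs it at `/knox-runtime/data/security/master`, so every keystore and credential store created inside these CI containers is protected by a secret that is public. For a throwaway test image that is tolerable, but it should be generated rather than shipped: create it at image build or container start (Knox's CLI offers `create-master --generate`, if it is available in this image) and drop the file from the commit. The file cannot carry a comment itself, so if it stays, the caveat belongs in the Dockerfile next to `ADD master /knox-runtime/data/security/master`, e.g. `# test-only master secret; never copy into a real deployment`.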
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
+ https://maven.apache.org/xsd/settings-1.0.0.xsd">
+ <mirrors>
+ <mirror>
+ <id>replace-jcenter-with-central</id>
+ <mirrorOf>jcenter</mirrorOf>
+ <url>https://repo.maven.apache.org/maven2</url>
+ </mirror>
+ </mirrors>
+</settings>
diff --git a/.github/workflows/compose/docker-compose.yml b/.github/workflows/compose/docker-compose.yml
new file mode 100644
index 000000000..6c633b87d
--- /dev/null
+++ b/.github/workflows/compose/docker-compose.yml
@@ -0,0 +1,26 @@
+version: '3'
+
+services:
+ knox-dev:
+ build:
+ context: ../build
+ args:
+ knoxurl: ${knoxurl:-https://github.com/apache/knox.git}
+ branch: ${branch:-master}
+ image: moresandeep/knox-dev:master
+
+ ldap:
+ image: moresandeep/knox-dev:master
+ command: /ldap.sh
+
+ knox:
+ image: moresandeep/knox-dev:master
+ ports:
+ - "8443:8443"
+ command: /gateway.sh
+ volumes:
+ - ./topologies:/knox-runtime/conf/topologies
+ - ./logs:/knox-runtime/logs
+ - ./knoxshell:/knoxshell
+ depends_on:
+ - ldap
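Review bot: `ldap` and `knox` reference `image: moresandeep/knox-dev:master` without a `build:` section, so a `docker compose up` that is not preceded by `build` pulls that tag from a personal Docker Hub namespace instead of using the image built from `../build`; give those services `pull_policy: never` (or the same `build:` block), and prefer a non-registry tag such as `knox-dev:local` so an accidental pull fails loudly. `depends_on: - ldap` only orders container creation and does not wait for the LDAP listener on 33389, which is why tests.yml needs its `sleep 30`; a `healthcheck` on `ldap` combined with `condition: service_healthy` on the `knox` side would make the dependency real. `version: '3'` is obsolete in Compose v2 and only produces a warning; drop it.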
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 000000000..06b2f8a5b
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,58 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Apache Knox Docker Compose Tests
+
+on:
+ pull_request:
+ branches:
+ - '**' # triggers for all PRs
+ workflow_dispatch:
+
+jobs:
+ build-and-test:
+ runs-on: ubuntu-latest
+
+ env:
+ KNOX_URL: "https://github.com/apache/knox.git"
+ BRANCH: "${{ github.head_ref }}" # PR branch being tested
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Compose
+ run: docker compose version
+
+ - name: Build Docker Images
+ run: |
+ export knoxurl=${KNOX_URL}
+ export branch=${BRANCH}
+ docker compose -f ./.github/workflows/compose/docker-compose.yml build
+
+ - name: Start Knox and LDAP Services
+ run: docker compose -f ./.github/workflows/compose/docker-compose.yml up -d
+
+ - name: Wait for services to stabilize
+ run: sleep 30 # Adjust as needed for services startup time
+
+ - name: Run Knox Tests
+ run: |
+ # Example: Run integration or custom tests here
+ # docker compose -f ./.github/workflows/compose/docker-compose.yml exec -T knox bash -c "cd /knoxshell && ./run-tests.sh"
+
+ - name: Tear Down Docker Compose
+ if: always()
+ run: docker compose -f ./.github/workflows/compose/docker-compose.yml down --volumes
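Review bot: the `Run Knox Tests` step body consists only of comments, so the job passes without exercising Knox at all; until real tests exist, at least make the step fail when the gateway is not listening, e.g. a `curl -sk` against `https://localhost:8443/gateway/` that errors on connection refusal. `BRANCH: "${{ github.head_ref }}"` is combined with `KNOX_URL` fixed to `https://github.com/apache/knox.git`, so for a PR opened from a fork the Dockerfile's `git clone -b $branch` asks apache/knox for a branch it does not have and the build fails, while on `workflow_dispatch` `head_ref` is empty and the compose default silently builds `master`; either pass `github.event.pull_request.head.repo.clone_url` and `github.event.pull_request.head.sha` through, or build from the workspace that `actions/checkout@v4` already provides. `sleep 30` is a fixed guess; replace it with a bounded readiness poll on port 8443 so slow runners fail for the right reason. Add `permissions: contents: read` at the workflow level and pin `actions/checkout@v4` to a full commit SHA; the job needs no write scope and a mutable tag is a supply-chain exposure.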
