This is an automated email from the ASF dual-hosted git repository.
rmerriman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/metron.git
The following commit(s) were added to refs/heads/master by this push:
new 309ce65 METRON-1945 Metron MPack support for Knox SSO setup
(merrimanr) closes apache/metron#1308
309ce65 is described below
commit 309ce65f863d2532ca29a1c779bda02c1d42ee4d
Author: merrimanr <[email protected]>
AuthorDate: Thu Jan 3 17:05:25 2019 -0600
METRON-1945 Metron MPack support for Knox SSO setup (merrimanr) closes
apache/metron#1308
---
.../CURRENT/configuration/metron-security-env.xml | 43 +++++++++
.../common-services/METRON/CURRENT/metainfo.xml | 3 +
.../CURRENT/package/scripts/alerts_ui_master.py | 10 +++
.../package/scripts/management_ui_master.py | 10 +++
.../CURRENT/package/scripts/metron_client.py | 21 +++++
.../CURRENT/package/scripts/metron_service.py | 39 ++++++++
.../CURRENT/package/scripts/params/params_linux.py | 47 +++++++---
.../package/scripts/params/status_params.py | 6 +-
.../METRON/CURRENT/package/scripts/rest_master.py | 4 +
.../package/templates/alerts-ui-app-config.json.j2 | 4 +
.../templates/management-ui-app-config.json.j2 | 4 +
.../METRON/CURRENT/package/templates/metron.xml.j2 | 56 ++++++++++++
.../CURRENT/package/templates/metronsso.xml.j2 | 100 +++++++++++++++++++++
.../METRON/CURRENT/themes/metron_theme.json | 51 ++++++++++-
metron-interface/README.md | 78 ++++++++++++++++
.../src/main/scripts/install_metron_knox.sh | 32 ++++---
16 files changed, 485 insertions(+), 23 deletions(-)
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
index ab1fe6c..ab3e532 100644
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
@@ -182,5 +182,48 @@
</value-attributes>
<on-ambari-upgrade add="true"/>
</property>
+ <property>
+ <name>metron.knox.enabled</name>
+ <display-name>Knox Enabled</display-name>
+ <value>false</value>
+ <description>Enable Knox</description>
+ <value-attributes>
+ <type>value-list</type>
+ <entries>
+ <entry>
+ <value>true</value>
+ <label>On</label>
+ </entry>
+ <entry>
+ <value>false</value>
+ <label>Off</label>
+ </entry>
+ </entries>
+ <selection-cardinality>1</selection-cardinality>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>metron.knox.sso.pubkey</name>
+ <display-name>Knox SSO Public Key</display-name>
+ <value></value>
+ <description>Knox public key used to verify Knox SSO tokens.</description>
+ <on-ambari-upgrade add="true"/>
+ <value-attributes>
+ <overridable>false</overridable>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+ <property>
+ <name>metron.knox.sso.token.ttl</name>
+ <display-name>Knox SSO Token Time to live</display-name>
+ <value>300000</value>
+ <description>Controls the time to live for Knox SSO tokens in Metron.
Units are in milliseconds.</description>
+ <on-ambari-upgrade add="true"/>
+ <value-attributes>
+ <overridable>false</overridable>
+ </value-attributes>
+ </property>
</configuration>
\ No newline at end of file
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml
index 9516014..99e9325 100644
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml
@@ -416,6 +416,9 @@
<scriptType>PYTHON</scriptType>
<timeout>1200</timeout>
</commandScript>
+ <configuration-dependencies>
+ <config-type>metron-security-env</config-type>
+ </configuration-dependencies>
</component>
</components>
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_master.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_master.py
index 85c3be3..7cc2c31 100644
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_master.py
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_master.py
@@ -19,6 +19,7 @@ limitations under the License.
from resource_management.core.exceptions import ComponentIsNotRunning
from resource_management.core.exceptions import ExecutionFailed
+from resource_management.core.exceptions import Fail
from resource_management.core.resources.system import Directory
from resource_management.core.resources.system import File
from resource_management.core.source import Template
@@ -51,6 +52,15 @@ class AlertsUIMaster(Script):
group=params.metron_group
)
+ File(format("{metron_alerts_ui_path}/assets/app-config.json"),
+ content=Template("alerts-ui-app-config.json.j2"),
+ owner=params.metron_user,
+ group=params.metron_group
+ )
+
+ if params.metron_knox_enabled and not params.metron_ldap_enabled:
+ raise Fail("Enabling Metron with Knox requires LDAP
authentication. Please set 'LDAP Enabled' to true in the Metron Security tab.")
+
def start(self, env, upgrade_type=None):
from params import params
env.set_params(params)
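Review bot: The Knox-requires-LDAP guard sits after the new `File(...)` resource, so on a misconfigured host the app-config.json is rewritten with Knox paths before the command fails; moving the `if params.metron_knox_enabled and not params.metron_ldap_enabled: raise Fail(...)` check above the File blocks avoids leaving a half-applied configuration behind. The same two-line guard is repeated verbatim in management_ui_master.py, metron_client.py and rest_master.py in this commit; a single helper in metron_service.py, e.g. `def check_knox_requires_ldap(params):` raising the same `Fail`, would keep the condition and message in one place. configure() starts before this hunk and start() continues after it.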
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_master.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_master.py
index dad8f12..c50b09c 100644
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_master.py
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_master.py
@@ -24,6 +24,7 @@ from resource_management.libraries.functions.format import
format
from resource_management.libraries.script import Script
from resource_management.core.resources.system import Execute
from resource_management.core.logger import Logger
+from resource_management.core.exceptions import Fail
from management_ui_commands import ManagementUICommands
@@ -49,6 +50,12 @@ class ManagementUIMaster(Script):
group=params.metron_group
)
+ File(format("{metron_management_ui_path}/assets/app-config.json"),
+ content=Template("management-ui-app-config.json.j2"),
+ owner=params.metron_user,
+ group=params.metron_group
+ )
+
Directory('/var/run/metron',
create_parents=False,
mode=0755,
@@ -56,6 +63,9 @@ class ManagementUIMaster(Script):
group=params.metron_group
)
+ if params.metron_knox_enabled and not params.metron_ldap_enabled:
+ raise Fail("Enabling Metron with Knox requires LDAP
authentication. Please set 'LDAP Enabled' to true in the Metron Security tab.")
+
def start(self, env, upgrade_type=None):
from params import params
env.set_params(params)
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_client.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_client.py
index 32fe0e9..e65d62e 100644
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_client.py
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_client.py
@@ -19,8 +19,13 @@ limitations under the License.
from resource_management.libraries.script.script import Script
from resource_management.core.exceptions import ClientComponentHasNoStatus
+from resource_management.core.exceptions import Fail
from resource_management.core.resources.system import Directory
from metron_security import storm_security_setup
+from metron_service import install_metron_knox
+from metron_service import metron_knox_topology_setup
+from metron_service import is_metron_knox_installed
+from metron_service import set_metron_knox_installed
class MetronClient(Script):
@@ -34,14 +39,30 @@ class MetronClient(Script):
env.set_params(params)
storm_security_setup(params)
+ if params.metron_knox_enabled and not params.metron_ldap_enabled:
+ raise Fail("Enabling Metron with Knox requires LDAP
authentication. Please set 'LDAP Enabled' to true in the Metron Security tab.")
+
+ if params.metron_knox_enabled:
+ if not is_metron_knox_installed(params):
+ install_metron_knox(params)
+ set_metron_knox_installed(params)
+ metron_knox_topology_setup(params)
+
def start(self, env, upgrade_type=None):
from params import params
env.set_params(params)
+ self.configure(env)
def stop(self, env, upgrade_type=None):
from params import params
env.set_params(params)
+ def restart(self, env):
+ from params import params
+ env.set_params(params)
+ self.configure(env)
+
+
def status(self, env):
raise ClientComponentHasNoStatus()
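Review bot: `set_metron_knox_installed(params)` is called unconditionally after `install_metron_knox(params)`, but install_metron_knox (added to metron_service.py in this commit) is a no-op when `params.knox_home` does not exist, so a host that gets a Knox gateway later already carries the installed flag and the service definitions are never installed there. Guarding the whole block on the gateway being present, `if params.metron_knox_enabled and os.path.exists(params.knox_home):`, keeps the flag tied to an actual install (metron_client.py's import block is only partly in view; `os` would need importing if it is not already). The new `restart` override is fine for a client with no process, but a one-line docstring saying it only re-runs configure would save the next reader checking the base class.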
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_service.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_service.py
index a7074da..f538122 100644
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_service.py
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_service.py
@@ -24,6 +24,7 @@ from resource_management.core.exceptions import
ComponentIsNotRunning
from resource_management.core.exceptions import Fail
from resource_management.core.resources.system import Directory, File
from resource_management.core.resources.system import Execute
+from resource_management.core.source import Template
from resource_management.core.source import InlineTemplate
from resource_management.libraries.functions import format as ambari_format
from resource_management.libraries.functions.get_user_call_output import
get_user_call_output
@@ -588,3 +589,41 @@ def check_indexer_parameters():
if len(missing) > 0:
raise Fail("Missing required indexing parameters(s): indexer={0},
missing={1}".format(indexer, missing))
+
+def install_metron_knox(params):
+ if os.path.exists(params.knox_home):
+ template = """export KNOX_HOME={0}; \
+ export KNOX_USER={1}; \
+ export KNOX_GROUP={2}; \
+ {3}/bin/install_metron_knox.sh; \
+ unset KNOX_USER; \
+ unset KNOX_GROUP; \
+ unset KNOX_HOME;"""
+ cmd = template.format(params.knox_home, params.knox_user,
params.knox_group, params.metron_home)
+
+ Execute(cmd)
+
+def is_metron_knox_installed(params):
+ return os.path.isfile(params.metron_knox_installed_flag_file)
+
+def set_metron_knox_installed(params):
+ Directory(params.metron_zookeeper_config_path,
+ mode=0755,
+ owner=params.metron_user,
+ group=params.metron_group,
+ create_parents=True
+ )
+ set_configured(params.metron_user, params.metron_knox_installed_flag_file,
"Setting Metron Knox installed to true")
+
+def metron_knox_topology_setup(params):
+ if os.path.exists(params.knox_home):
+ File(ambari_format("{knox_home}/conf/topologies/metron.xml"),
+ content=Template("metron.xml.j2"),
+ owner=params.knox_user,
+ group=params.knox_group
+ )
+ File(ambari_format("{knox_home}/conf/topologies/metronsso.xml"),
+ content=Template("metronsso.xml.j2"),
+ owner=params.knox_user,
+ group=params.knox_group
+ )
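Review bot: `install_metron_knox` builds a shell string by formatting `knox_home`, `knox_user`, `knox_group` and `metron_home` into `export ...;` statements, so any whitespace or shell metacharacter in those config values changes the command rather than the environment; `Execute` already accepts an `environment=` mapping, which passes the values without shell parsing and also makes the `unset` lines unnecessary. The functions also have no docstrings; a one-liner each stating that the installer only runs when a Knox server is present on this host, and that the flag file lives next to the other `*_configured` markers, would help.

```python
def install_metron_knox(params):
    """Run the Metron Knox installer when a Knox server is present on this host."""
    if os.path.exists(params.knox_home):
        # Pass locations through the environment rather than an inline
        # `export ...;` shell string so the values are never shell-parsed.
        Execute(ambari_format("{metron_home}/bin/install_metron_knox.sh"),
                environment={'KNOX_HOME': params.knox_home,
                             'KNOX_USER': params.knox_user,
                             'KNOX_GROUP': params.knox_group})

# … unchanged: is_metron_knox_installed, set_metron_knox_installed, metron_knox_topology_setup …
```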
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py
index 5635330..a543d79 100755
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py
@@ -51,23 +51,24 @@ metron_user = status_params.metron_user
metron_group = config['configurations']['metron-env']['metron_group']
metron_log_dir = config['configurations']['metron-env']['metron_log_dir']
metron_pid_dir = config['configurations']['metron-env']['metron_pid_dir']
-
+metron_rest_host = status_params.metron_rest_host
metron_rest_port = status_params.metron_rest_port
metron_management_ui_host = status_params.metron_management_ui_host
metron_management_ui_port = status_params.metron_management_ui_port
+metron_management_ui_path = metron_home + '/web/management-ui/'
metron_alerts_ui_host = status_params.metron_alerts_ui_host
metron_alerts_ui_port = status_params.metron_alerts_ui_port
+metron_alerts_ui_path = metron_home + '/web/alerts-ui/'
metron_jvm_flags =
config['configurations']['metron-rest-env']['metron_jvm_flags']
# Construct the profiles as a temp variable first. Only the first time it's
set will carry through
-metron_spring_profiles_temp =
config['configurations']['metron-rest-env']['metron_spring_profiles_active']
-if config['configurations']['metron-security-env']['metron.ldap.enabled']:
- if metron_spring_profiles_temp:
- metron_spring_profiles_active = metron_spring_profiles_temp + ',ldap'
+metron_spring_profiles_active =
config['configurations']['metron-rest-env']['metron_spring_profiles_active']
+metron_ldap_enabled =
config['configurations']['metron-security-env']['metron.ldap.enabled']
+if metron_ldap_enabled:
+ if not len(metron_spring_profiles_active) == 0:
+ metron_spring_profiles_active += ',ldap'
else:
metron_spring_profiles_active = 'ldap'
-else:
- metron_spring_profiles_active = metron_spring_profiles_temp
metron_jdbc_driver =
config['configurations']['metron-rest-env']['metron_jdbc_driver']
metron_jdbc_url =
config['configurations']['metron-rest-env']['metron_jdbc_url']
@@ -100,6 +101,7 @@ rest_kafka_configured_flag_file =
status_params.rest_kafka_configured_flag_file
rest_kafka_acl_configured_flag_file =
status_params.rest_kafka_acl_configured_flag_file
rest_hbase_configured_flag_file = status_params.rest_hbase_configured_flag_file
rest_hbase_acl_configured_flag_file =
status_params.rest_hbase_acl_configured_flag_file
+metron_knox_installed_flag_file = status_params.metron_knox_installed_flag_file
global_properties_template =
config['configurations']['metron-env']['elasticsearch-properties']
# Elasticsearch hosts and port management
@@ -291,9 +293,6 @@ metron_ldap_group_role =
config['configurations']['metron-security-env']['metron
metron_ldap_ssl_truststore =
config['configurations']['metron-security-env']['metron.ldap.ssl.truststore']
metron_ldap_ssl_truststore_password =
config['configurations']['metron-security-env']['metron.ldap.ssl.truststore.password']
-# Management UI
-metron_rest_host = default("/clusterHostInfo/metron_rest_hosts", [hostname])[0]
-
# REST
metron_rest_pid_dir =
config['configurations']['metron-rest-env']['metron_rest_pid_dir']
metron_rest_pid = 'metron-rest.pid'
@@ -443,3 +442,31 @@ kafka_spout_parallelism =
config['configurations']['metron-pcap-env']['kafka_spo
# MapReduce
metron_user_hdfs_dir = '/user/' + metron_user
metron_user_hdfs_dir_configured_flag_file =
status_params.metron_user_hdfs_dir_configured_flag_file
+
+# Knox
+knox_user = config['configurations']['knox-env']['knox_user']
+knox_group = config['configurations']['knox-env']['knox_group']
+metron_knox_root_path = '/gateway/metron'
+metron_rest_path = '/api/v1'
+metron_alerts_ui_login_path = '/login'
+metron_management_ui_login_path = '/login'
+metron_knox_enabled =
config['configurations']['metron-security-env']['metron.knox.enabled']
+metron_knox_sso_pubkey =
config['configurations']['metron-security-env']['metron.knox.sso.pubkey']
+metron_knox_sso_token_ttl =
config['configurations']['metron-security-env']['metron.knox.sso.token.ttl']
+if metron_knox_enabled:
+ metron_rest_path = metron_knox_root_path + '/metron-rest' +
metron_rest_path
+ metron_alerts_ui_login_path = metron_knox_root_path + '/metron-alerts/'
+ metron_management_ui_login_path = metron_knox_root_path +
'/metron-management/sensors'
+ if not len(metron_spring_options) == 0:
+ metron_spring_options += ' '
+ metron_spring_options += '--knox.root=' + metron_knox_root_path +
'/metron-rest'
+ metron_spring_options += ' --knox.sso.pubkey=' + metron_knox_sso_pubkey
+ if not len(metron_spring_profiles_active) == 0:
+ metron_spring_profiles_active += ','
+ metron_spring_profiles_active += 'knox'
+
+knox_home = os.path.join(stack_root, "current", "knox-server")
+knox_hosts = default("/clusterHostInfo/knox_gateway_hosts", [])
+knox_host = ''
+if not len(knox_hosts) == 0:
+ knox_host = knox_hosts[0]
\ No newline at end of file
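Review bot: `metron_knox_sso_pubkey` is appended to `metron_spring_options` unquoted (`' --knox.sso.pubkey=' + metron_knox_sso_pubkey`); the property is entered through a text-area and its definition in this commit allows an empty value, so a key pasted with line breaks or surrounding whitespace would split into extra arguments, and an empty key yields `--knox.sso.pubkey=` so the REST service is started with no key to verify SSO tokens against. Normalising the value here, `metron_knox_sso_pubkey = ''.join(config['configurations']['metron-security-env']['metron.knox.sso.pubkey'].split())`, and adding `if params.metron_knox_enabled and not params.metron_knox_sso_pubkey: raise Fail("Knox SSO public key is required when Knox is enabled.")` next to the existing LDAP guard in the component scripts would fail fast instead. Whether the key is delivered with line breaks depends on how Ambari stores text-area values, so the normalisation is worth confirming. `metron_spring_options` is assigned before this hunk.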
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/status_params.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/status_params.py
index aad34a9..2563646 100644
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/status_params.py
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/status_params.py
@@ -82,6 +82,7 @@ elasticsearch_template_installed_flag_file =
metron_zookeeper_config_path + '/..
solr_schema_installed_flag_file = metron_zookeeper_config_path +
'/../metron_solr_schema_installed_flag_file'
# REST
+metron_rest_host = default("/clusterHostInfo/metron_rest_hosts", [hostname])[0]
metron_rest_port =
config['configurations']['metron-rest-env']['metron_rest_port']
rest_kafka_configured_flag_file = metron_zookeeper_config_path +
'/../metron_rest_kafka_configured'
rest_kafka_acl_configured_flag_file = metron_zookeeper_config_path +
'/../metron_rest_kafka_acl_configured'
@@ -126,4 +127,7 @@ pcap_perm_configured_flag_file =
metron_zookeeper_config_path + '/../metron_pcap
pcap_acl_configured_flag_file = metron_zookeeper_config_path +
'/../metron_pcap_acl_configured'
# MapReduce
-metron_user_hdfs_dir_configured_flag_file = metron_zookeeper_config_path +
'/../metron_user_hdfs_dir_configured'
\ No newline at end of file
+metron_user_hdfs_dir_configured_flag_file = metron_zookeeper_config_path +
'/../metron_user_hdfs_dir_configured'
+
+# Knox
+metron_knox_installed_flag_file = metron_zookeeper_config_path +
'/../metron_knox_installed'
\ No newline at end of file
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_master.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_master.py
index 43224ad..90f4ac5 100755
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_master.py
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_master.py
@@ -19,6 +19,7 @@ limitations under the License.
from resource_management.core.exceptions import ComponentIsNotRunning
from resource_management.core.exceptions import ExecutionFailed
+from resource_management.core.exceptions import Fail
from resource_management.core.resources.system import Directory
from resource_management.core.resources.system import File
from resource_management.core.source import Template
@@ -59,6 +60,9 @@ class RestMaster(Script):
commands.init_kafka_acls()
commands.set_kafka_acl_configured()
+ if params.metron_knox_enabled and not params.metron_ldap_enabled:
+ raise Fail("Enabling Metron with Knox requires LDAP
authentication. Please set 'LDAP Enabled' to true in the Metron Security tab.")
+
def start(self, env, upgrade_type=None):
from params import params
env.set_params(params)
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/alerts-ui-app-config.json.j2
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/alerts-ui-app-config.json.j2
new file mode 100644
index 0000000..edbc1b6
--- /dev/null
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/alerts-ui-app-config.json.j2
@@ -0,0 +1,4 @@
+{
+ "apiRoot": "{{metron_rest_path}}",
+ "loginPath": "{{metron_alerts_ui_login_path}}"
+}
\ No newline at end of file
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/management-ui-app-config.json.j2
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/management-ui-app-config.json.j2
new file mode 100644
index 0000000..12c3168
--- /dev/null
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/management-ui-app-config.json.j2
@@ -0,0 +1,4 @@
+{
+ "apiRoot": "{{metron_rest_path}}",
+ "loginPath": "{{metron_management_ui_login_path}}"
+}
\ No newline at end of file
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.xml.j2
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.xml.j2
new file mode 100644
index 0000000..c1ea149
--- /dev/null
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.xml.j2
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software
+ Foundation (ASF) under one or more contributor license agreements. See
the
+ NOTICE file distributed with this work for additional information
regarding
+ copyright ownership. The ASF licenses this file to You under the Apache
License,
+ Version 2.0 (the "License"); you may not use this file except in
compliance
+ with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
distributed
+ under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+ OR CONDITIONS OF ANY KIND, either express or implied. See the License
for
+ the specific language governing permissions and limitations under the
License.
+ -->
+<topology>
+
+ <gateway>
+ <provider>
+ <role>federation</role>
+ <name>SSOCookieProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <name>sso.authentication.provider.url</name>
+
<value>https://{{knox_host}}:8443/gateway/metronsso/api/v1/websso</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Default</name>
+ <enabled>true</enabled>
+ </provider>
+
+ <provider>
+ <role>authorization</role>
+ <name>AclsAuthz</name>
+ <enabled>true</enabled>
+ </provider>
+
+ </gateway>
+
+ <service>
+ <role>METRON-REST</role>
+ <url>http://{{metron_rest_host}}:{{metron_rest_port}}</url>
+ </service>
+
+ <service>
+ <role>METRON-ALERTS</role>
+ <url>http://{{metron_alerts_ui_host}}:{{metron_alerts_ui_port}}</url>
+ </service>
+
+ <service>
+ <role>METRON-MANAGEMENT</role>
+
<url>http://{{metron_management_ui_host}}:{{metron_management_ui_port}}</url>
+ </service>
+
+</topology>
\ No newline at end of file
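Review bot: The `sso.authentication.provider.url` hard-codes port `8443` while the host comes from `knox_host`; the Knox gateway port is configurable, so a gateway on another port would redirect logins to the wrong place. Reading the port from the Knox configuration (the Knox stack exposes it as `gateway-site/gateway.port` if that config type is available to this mpack — worth confirming) into a `knox_port` param and rendering `https://{{knox_host}}:{{knox_port}}/gateway/metronsso/api/v1/websso` keeps the two in step. Note also that `knox_host` is set to `''` in params_linux.py when no `knox_gateway_hosts` are reported, which would render `https://:8443/...`; a short template comment stating that this topology is only written on hosts with a Knox server would document why that case is not handled here.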
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metronsso.xml.j2
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metronsso.xml.j2
new file mode 100644
index 0000000..d32f86a
--- /dev/null
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metronsso.xml.j2
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software
+ Foundation (ASF) under one or more contributor license agreements. See
the
+ NOTICE file distributed with this work for additional information
regarding
+ copyright ownership. The ASF licenses this file to You under the Apache
License,
+ Version 2.0 (the "License"); you may not use this file except in
compliance
+ with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
distributed
+ under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+ OR CONDITIONS OF ANY KIND, either express or implied. See the License
for
+ the specific language governing permissions and limitations under the
License.
+ -->
+<topology>
+ <gateway>
+ <provider>
+ <role>webappsec</role>
+ <name>WebAppSec</name>
+ <enabled>true</enabled>
+ <param><name>xframe.options.enabled</name><value>true</value></param>
+ </provider>
+
+ <provider>
+ <role>authentication</role>
+ <name>ShiroProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <name>sessionTimeout</name>
+ <value>30</value>
+ </param>
+ <param>
+ <name>redirectToUrl</name>
+ <value>/gateway/metronsso/knoxauth/login.html</value>
+ </param>
+ <param>
+ <name>restrictedCookies</name>
+ <value>rememberme,WWW-Authenticate</value>
+ </param>
+ <param>
+ <name>main.ldapRealm</name>
+ <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
+ </param>
+ <param>
+ <name>main.ldapContextFactory</name>
+
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory</name>
+ <value>$ldapContextFactory</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.userDnTemplate</name>
+ <value>{{metron_ldap_user_pattern}}</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.url</name>
+ <value>{{metron_ldap_url}}</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.authenticationCachingEnabled</name>
+ <value>false</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+ <value>simple</value>
+ </param>
+ <param>
+ <name>urls./**</name>
+ <value>authcBasic</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Default</name>
+ <enabled>true</enabled>
+ </provider>
+ </gateway>
+
+ <application>
+ <name>knoxauth</name>
+ </application>
+
+ <service>
+ <role>KNOXSSO</role>
+ <param>
+ <name>knoxsso.cookie.secure.only</name>
+ <value>false</value>
+ </param>
+ <param>
+ <name>knoxsso.token.ttl</name>
+ <value>{{metron_knox_sso_token_ttl}}</value>
+ </param>
+ <param>
+ <name>knoxsso.redirect.whitelist.regex</name>
+
<value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1|{{metron_rest_host}}|{{metron_management_ui_host}}|{{metron_alerts_ui_host}}):[0-9].*$</value>
+ </param>
+ </service>
+
+</topology>
\ No newline at end of file
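Review bot: `knoxsso.cookie.secure.only` is set to `false`, so the browser may send the SSO token cookie over plain HTTP; since the provider URL in metron.xml.j2 is `https://...:8443`, the Knox-fronted flow works with `true`, and if `false` is needed for direct HTTP access to the UIs it should be a Metron security property with a secure default and a description saying what it relaxes. The `knoxsso.redirect.whitelist.regex` interpolates `metron_rest_host`, `metron_management_ui_host` and `metron_alerts_ui_host` into a regex unescaped, so dots in the hostnames match any character and `:[0-9].*$` accepts any port followed by anything; escaping the hosts (`{{metron_rest_host | replace('.', '\\.')}}`) and anchoring the port, e.g. `:[0-9]+(/.*)?$`, narrows the set of redirect targets to the intended ones. A comment above the whitelist naming the Metron UIs and REST endpoint it is meant to admit would help the next maintainer keep it tight.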
diff --git
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json
index 7f84f1d..6749101 100644
---
a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json
+++
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json
@@ -426,7 +426,7 @@
"display-name": "Security",
"layout": {
"tab-columns": "2",
- "tab-rows": "1",
+ "tab-rows": "2",
"sections": [
{
"name": "section-security-ldap",
@@ -446,6 +446,25 @@
"column-span": "1"
}
]
+ },
+ {
+ "name": "section-security-knox",
+ "row-index": "1",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1",
+ "section-columns": "1",
+ "section-rows": "1",
+ "subsections": [
+ {
+ "name": "subsection-security-knox",
+ "display-name": "KNOX",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1"
+ }
+ ]
}
]
}
@@ -933,6 +952,18 @@
"subsection-name": "subsection-security-ldap"
},
{
+ "config": "metron-security-env/metron.knox.enabled",
+ "subsection-name": "subsection-security-knox"
+ },
+ {
+ "config": "metron-security-env/metron.knox.sso.pubkey",
+ "subsection-name": "subsection-security-knox"
+ },
+ {
+ "config": "metron-security-env/metron.knox.sso.token.ttl",
+ "subsection-name": "subsection-security-knox"
+ },
+ {
"config": "metron-pcap-env/pcap_topology_workers",
"subsection-name": "subsection-pcap"
},
@@ -1688,6 +1719,24 @@
}
},
{
+ "config": "metron-security-env/metron.knox.enabled",
+ "widget": {
+ "type": "toggle"
+ }
+ },
+ {
+ "config": "metron-security-env/metron.knox.sso.pubkey",
+ "widget": {
+ "type": "text-area"
+ }
+ },
+ {
+ "config": "metron-security-env/metron.knox.sso.token.ttl",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
"config": "metron-pcap-env/pcap_topology_workers",
"widget": {
"type": "text-field"
diff --git a/metron-interface/README.md b/metron-interface/README.md
index 639667f..e10bec8 100644
--- a/metron-interface/README.md
+++ b/metron-interface/README.md
@@ -73,3 +73,81 @@ The following diagram illustrates the flow of data for the
various types of requ

Note how the flow diagrams for Static asset requests and Rest requests
(through Knox) are identical.
+
+## Enabling Knox for Metron
+
+Follow the instructions in the next 3 sections to enable Knox for Metron. The
new Knox urls will be similar to (substitute the Knox host/port in your
environment for `node1:8443`):
+
+- Metron Alerts UI - https://node1:8443/gateway/metron/metron-alerts/
+- Metron Management UI -
https://node1:8443/gateway/metron/metron-management/sensors
+- Metron REST - https://node1:8443/gateway/metron/metron-rest/swagger-ui.html
+
+
+
+### Install Metron Clients
+
+The Metron Client component in Ambari is responsible for installing the
service definition and topology files in the appropriate Knox directories.
These files are installed whenever the Metron Client component(s) are
installed, started or restarted AND the `Knox Enabled` Metron Ambari property
+is set to true (under the `Security` tab in the Metron Config section).
Ambari calls the script at `$METRON_HOME/bin/install_metron_knox.sh` which
installs the following files:
+
+- `$KNOX_HOME/conf/topologies/metron.xml`
+- `$KNOX_HOME/conf/topologies/metronsso.xml`
+- `$KNOX_HOME/data/services/metron-alerts/$METRON_VERSION/rewrite.xml`
+- `$KNOX_HOME/data/services/metron-alerts/$METRON_VERSION/service.xml`
+- `$KNOX_HOME/data/services/metron-management/$METRON_VERSION/rewrite.xml`
+- `$KNOX_HOME/data/services/metron-management/$METRON_VERSION/service.xml`
+- `$KNOX_HOME/data/services/metron-rest/$METRON_VERSION/rewrite.xml`
+- `$KNOX_HOME/data/services/metron-rest/$METRON_VERSION/service.xml`
+
+A Metron Client should be installed anywhere a Knox Gateway is installed. It
is not strictly required but Metron will not be available through any Knox
Gateways that do not have these files installed.
+
+### Enable Knox for Metron in Ambari
+
+After Metron Client components have been installed on the appropriate hosts,
there are a couple settings that need to be changed in the Ambari "Security"
tab.
+First the Knox SSO public key needs to be read from Knox. Run the following
command on a Knox Gateway to get the key:
+```
+openssl s_client -connect node1:8443 < /dev/null | openssl x509 | grep -v
'CERTIFICATE' | paste -sd "" -
+```
+The `Knox SSO Public Key` Ambari property should be set to the output of that
command. In the same section, set the `Knox Enabled` setting to "ON".
+
+After these changes have been made, the following Metron components must be
restarted:
+
+- Metron Client
+- Metron Alerts UI
+- Metron Management UI
+- Metron REST
+
+Any change to the settings described in this section will cause Ambari to
suggest restarting these services. Either restart them manually or follow the
prompt in Ambari.
+
+Note: Knox can only be enabled for Metron when Metron authentication is set
to `LDAP` (the `LDAP Enabled` setting in Ambari).
+If `LDAP` is not enabled an error will be thrown when any of the previous
components are restarted.
+
+### Update Quicklinks (Optional)
+
+Currently there is no way to dynamicly change the quick links in Ambari to the
new Knox urls so it must be done manually. Locate this file on the Ambari
server host:
+```
+/var/lib/ambari-server/resources/mpacks/metron-ambari.mpack-$METRON_MPACK_VERSION/common-services/METRON/$METRON_VERSION/quicklinks/quicklinks.json
+```
+Quicklinks for each component are defined as an array of json objects under
the `/configuration/links/` attribute.
+
+Locate the json object for the component you want to update. Change the `url`
attribute to match the new Knox url. For example, to update the Metron REST
quick link, locate the json object with the `label` property set to `Swagger
UI`. Change the `url` property from
+`%@://%@:%@/swagger-ui.html` to `https://<knox gateway host>:<knox gateway
port>/gateway/metron/metron-rest/swagger-ui.html`.
+
+The json object should look like this in full dev:
+```
+{
+ "name": "metron_rest_ui",
+ "label": "Swagger UI",
+ "requires_user_name": "false",
+ "component_name": "METRON_REST",
+ "url":"https://node1:8443/gateway/metron/metron-rest/swagger-ui.html",
+ "port":{
+ "http_property": "metron_rest_port",
+ "http_default_port": "8082",
+ "https_property": "metron_rest_port",
+ "https_default_port": "8082",
+ "regex": "^(\\d+)$",
+ "site": "metron-rest-env"
+ }
+}
+```
+Repeat for the Alerts UI and Management UI. Any update to this file requires
an Ambari server restart.
\ No newline at end of file
diff --git
a/metron-interface/metron-rest/src/main/scripts/install_metron_knox.sh
b/metron-interface/metron-rest/src/main/scripts/install_metron_knox.sh
index 7e87393..ca16ebe 100755
--- a/metron-interface/metron-rest/src/main/scripts/install_metron_knox.sh
+++ b/metron-interface/metron-rest/src/main/scripts/install_metron_knox.sh
@@ -18,17 +18,27 @@
#
METRON_VERSION=${project.version}
METRON_HOME=${METRON_HOME:-/usr/metron/${METRON_VERSION}}
+KNOX_USER=${KNOX_USER:-knox}
+KNOX_GROUP=${KNOX_GROUP:-knox}
KNOX_HOME=${KNOX_HOME:-/usr/hdp/current/knox-server}
-KNOX_METRON_REST_DIR=$KNOX_HOME/data/services/metron-rest/$METRON_VERSION
-KNOX_METRON_ALERTS_DIR=$KNOX_HOME/data/services/metron-alerts/$METRON_VERSION
-KNOX_METRON_MANAGEMENT_DIR=$KNOX_HOME/data/services/metron-management/$METRON_VERSION
+KNOX_METRON_REST_DIR=$KNOX_HOME/data/services/metron-rest
+KNOX_METRON_ALERTS_DIR=$KNOX_HOME/data/services/metron-alerts
+KNOX_METRON_MANAGEMENT_DIR=$KNOX_HOME/data/services/metron-management
-mkdir -p $KNOX_METRON_REST_DIR
-mkdir -p $KNOX_METRON_ALERTS_DIR
-mkdir -p $KNOX_METRON_MANAGEMENT_DIR
+if [ -d "$KNOX_HOME" ]
+then
+ mkdir -p $KNOX_METRON_REST_DIR/$METRON_VERSION
+ mkdir -p $KNOX_METRON_ALERTS_DIR/$METRON_VERSION
+ mkdir -p $KNOX_METRON_MANAGEMENT_DIR/$METRON_VERSION
-cp $METRON_HOME/config/knox/data/services/rest/* $KNOX_METRON_REST_DIR
-cp $METRON_HOME/config/knox/data/services/alerts/* $KNOX_METRON_ALERTS_DIR
-cp $METRON_HOME/config/knox/data/services/management/*
$KNOX_METRON_MANAGEMENT_DIR
-cp $METRON_HOME/config/knox/conf/topologies/metron.xml
$KNOX_HOME/conf/topologies
-cp $METRON_HOME/config/knox/conf/topologies/metronsso.xml
$KNOX_HOME/conf/topologies
+ cp $METRON_HOME/config/knox/data/services/rest/*
$KNOX_METRON_REST_DIR/$METRON_VERSION
+ cp $METRON_HOME/config/knox/data/services/alerts/*
$KNOX_METRON_ALERTS_DIR/$METRON_VERSION
+ cp $METRON_HOME/config/knox/data/services/management/*
$KNOX_METRON_MANAGEMENT_DIR/$METRON_VERSION
+ cp $METRON_HOME/config/knox/conf/topologies/metron.xml
$KNOX_HOME/conf/topologies
+
+ sudo chown -R $KNOX_USER:$KNOX_GROUP $KNOX_METRON_REST_DIR
+ sudo chown -R $KNOX_USER:$KNOX_GROUP $KNOX_METRON_ALERTS_DIR
+ sudo chown -R $KNOX_USER:$KNOX_GROUP $KNOX_METRON_MANAGEMENT_DIR
+else
+ echo "$KNOX_HOME does not exist. Skipping Metron Knox installation."
+fi
\ No newline at end of file
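Review bot: The new branch no longer copies `metronsso.xml` into `$KNOX_HOME/conf/topologies` (the old `cp` for it is removed and not re-added), yet the README hunk in this same commit still lists `$KNOX_HOME/conf/topologies/metronsso.xml` among the files this script installs; if the SSO topology is now installed by another path, the README list should say so, otherwise the copy should be restored. The added `mkdir`, `cp` and `chown` lines leave every expansion unquoted, so a `KNOX_HOME`, `KNOX_USER` or version value containing whitespace would split into extra arguments, and with `chown -R` that means ownership changes on unintended paths; quoting them is cheap, e.g. `mkdir -p "$KNOX_METRON_REST_DIR/$METRON_VERSION"` and `sudo chown -R "$KNOX_USER:$KNOX_GROUP" "$KNOX_METRON_REST_DIR"`. Nothing in the hunk stops on a failed `cp`, so a partially installed service directory is still handed to `chown` and the script exits 0 from the `fi`; unless a `set -e` sits in the lines above the hunk (the script's head is outside it), an explicit `set -e` or a check after the copies would let the Ambari caller see the failure.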