[ https://issues.apache.org/jira/browse/KNOX-1350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16507080#comment-16507080 ]

Larry McCay commented on KNOX-1350:
-----------------------------------

Rather than constraining this to just the KNOX service, we can provide a
topology level param that indicates that this topology wishes to use central
group lookup config rather than topology level.

By adding "CENTRAL_GROUP_CONFIG_PREFIX" as a param with a value that indicates
which prefix to use when pulling the config params, the configuration will be
used across any topology that shares the prefix. We will need to redundantly
configure the prefix but that is easier to do correctly than all of the LDAP
params, for instance.

I will also make admin.xml and manager.xml have this set to the same value
which will keep them in sync.

When this is set and there is no config in gatewayConfig for the provided
prefix, it will use whatever is in the topology as the params.

There may be opportunity to override central params from the topology as well.

> Centralize Group Lookup Config for Knox Admin API
> -------------------------------------------------
>
> Key: KNOX-1350
> URL: https://issues.apache.org/jira/browse/KNOX-1350
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 1.1.0
>
>
> This change enables the HadoopGroupProvider identity-assertion
> provider to be configured by GatewayConfig rather than having to redundantly
> configure it in each topology that hosts the KNOX service.
> It allows for the configuration to be standard Hadoop names with a
> "gateway.knox.admin.group.config." prefix. It is aligned with the
> KNOX_ADMIN_USERS and KNOX_ADMIN_GROUPS that were added to the AclsAuthz
> provider to allow that configuration to also be provided in the gateway
> config.
> In Ambari managed environments this will be easier for providing this config
> in one place and not even need to be able to manage manager.xml or others
> that need this information.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
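
A sketch of the configuration the comment and issue description above propose, added here as an illustration and not taken from the Knox code base or the patch. Assumptions: the prefix value is the one quoted in the issue description, the names after the prefix are standard Hadoop group-mapping properties, and the LDAP host and base DN are constructed placeholders.

```xml
<!-- gateway-site.xml (fragment): central group lookup settings.
     Standard Hadoop property names, each carrying the shared prefix. -->
<property>
    <name>gateway.knox.admin.group.config.hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
    <name>gateway.knox.admin.group.config.hadoop.security.group.mapping.ldap.url</name>
    <!-- constructed placeholder host -->
    <value>ldap://ldap.example.com:389</value>
</property>
<property>
    <name>gateway.knox.admin.group.config.hadoop.security.group.mapping.ldap.base</name>
    <!-- constructed placeholder base DN -->
    <value>dc=example,dc=com</value>
</property>

<!-- admin.xml and manager.xml (fragment): each topology opts in by naming
     the prefix instead of repeating the LDAP params. Both files must carry
     the same value to stay in sync. -->
<provider>
    <role>identity-assertion</role>
    <name>HadoopGroupProvider</name>
    <enabled>true</enabled>
    <param>
        <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
        <value>gateway.knox.admin.group.config.</value>
    </param>
</provider>
```

Per the comment, a topology that sets the prefix but finds no matching properties in the gateway config falls back to whatever params the topology itself defines, so a mistyped prefix is worth checking for when group-based authorization behaves differently between topologies.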