Have been trying out a few ideas with Knox and managed to get Knox running
with

1. WEB-INF/gateway.xml is completely removed
2. WEB-INF/web.xml declares only the Shiro filter and a default servlet
3. all filters are defined and injected using WEB-INF/shiro.ini

To me that looks much simpler to comprehend and administer.
Agreed, this could be subjective.
Hence, seeking comments from community.

Pasting web.xml and shiro.ini inline.

web.xml
--------------

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

  <!-- Shiro builds the security manager and filter chains from /WEB-INF/shiro.ini -->
  <listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
  </listener>

  <listener>
    <listener-class>org.apache.hadoop.gateway.services.GatewayServicesContextListener</listener-class>
  </listener>

  <listener>
    <listener-class>org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletContextListener</listener-class>
  </listener>

  <context-param>
    <param-name>rewriteDescriptorLocation</param-name>
    <param-value>/WEB-INF/rewrite.xml</param-value>
  </context-param>

  <filter>
      <filter-name>ShiroFilter</filter-name>
      <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
  </filter>

  <filter-mapping>
      <filter-name>ShiroFilter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>

  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <servlet>
    <servlet-name>errorservlet</servlet-name>
    <servlet-class>org.apache.hadoop.gateway.filter.KnoxErrorServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>errorservlet</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

</web-app>


shiro.ini
-------------

[main]
# values that span several lines are continued with a trailing backslash (Shiro INI syntax)

# define ldapRealm (realms declared here are registered with the security manager automatically)
ldapRealm=org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.contextFactory.authenticationMechanism=simple
ldapRealm.contextFactory.url=ldap://localhost:33389
ldapRealm.userDnTemplate=uid={0},ou=people,dc=hadoop,dc=apache,dc=org


# define filter: knoxResponseCookieFilter
knoxResponseCookieFilter = org.apache.hadoop.gateway.filter.ResponseCookieFilter
knoxResponseCookieFilter.enabled = true
knoxResponseCookieFilter.filterHeaders = rememberMe, hadoop.auth.cookie

# define filter: knoxPrincipalMapper
knoxPrincipalMapper = org.apache.hadoop.gateway.filter.KnoxPrincipalMapper
knoxPrincipalMapper.enabled = true
knoxPrincipalMapper.userToUserMap = bob:guest, jon:bob
knoxPrincipalMapper.userToGroupMap = *:users, bob:admin

# define filter: knoxIPTracker
knoxIPTracker = org.apache.hadoop.gateway.filter.KnoxIPTracker
knoxIPTracker.enabled = true

# define filter: knoxAclAuthzFilter
knoxAclAuthzFilter = org.apache.hadoop.gateway.filter.KnoxAclAuthzFilter
knoxAclAuthzFilter.enabled = true
knoxAclAuthzFilter.globalGroupAclMode = OR
knoxAclAuthzFilter.serviceGroupAclModeMap = /webhdfs/:OR, /templeton/:OR
# per service: "users; groups; ip patterns"
knoxAclAuthzFilter.serviceAclMap = /webhdfs/:user1 user2; users admin; 127.*.*.*, \
                                   /templeton/:user11 user12; users admin

# define filter: javaSubjectMapper
javaSubjectMapper = org.apache.hadoop.gateway.filter.PostAuthenticationFilter

# define filter: knoxIdentityAsserter
knoxIdentityAsserter = org.apache.hadoop.gateway.filter.KnoxIdentityAsserter
knoxIdentityAsserter.enabled = true

# define filter: knoxUrlRewriter
knoxUrlRewriter = org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter

# request path pattern : rewrite rule name
knoxUrlRewriter.requestUrlMap = \
    /webhdfs/v1/:WEBHDFS/webhdfs/inbound/namenode/root, \
    /webhdfs/v1/[^~]+:WEBHDFS/webhdfs/inbound/namenode/file, \
    /webhdfs/v1/~:WEBHDFS/webhdfs/inbound/namenode/home, \
    /webhdfs/v1/~/.*:WEBHDFS/webhdfs/inbound/namenode/home/file, \
    /webhdfs/data/v1/.+:WEBHDFS/webhdfs/inbound/datanode

knoxUrlRewriter.requestBodyMap = \
    /oozie/:OOZIE/oozie/configuration, \
    /oozie/v1/.*:OOZIE/oozie/configuration, \
    /oozie/v2/.*:OOZIE/oozie/configuration

knoxUrlRewriter.responseHeadersMap = \
    /webhdfs/v1/[^~]*:WEBHDFS/webhdfs/outbound/namenode/headers, \
    /webhdfs/v1/~/:WEBHDFS/webhdfs/outbound/namenode/headers, \
    /hbase/:WEBHBASE/webhbase/headers/outbound, \
    /hbase/[~/]*:WEBHBASE/webhbase/headers/outbound, \
    /hbase/status/cluster:WEBHBASE/webhbase/status/outbound, \
    /hbase/[^/]*/regions:WEBHBASE/webhbase/regions/outbound

# define filter: knoxHttpDispatcher
knoxHttpDispatcher = org.apache.hadoop.gateway.dispatch.HttpClientDispatch
knoxHttpDispatcher.replayBufferSizeMap = webhdfs:4, templeton:8, oozie:4

[urls]
# you could choose to have a different chain of filters for different url patterns
# so far Knox did not need it
/** = knoxResponseCookieFilter, authcBasic, knoxPrincipalMapper, \
      knoxIPTracker, knoxAclAuthzFilter, javaSubjectMapper, knoxIdentityAsserter, \
      knoxUrlRewriter, knoxHttpDispatcher

# end of shiro.ini

I think we can rename shiro.ini to knox.ini to make it explicit that this is
more about Knox configuration than Shiro library configuration.


We are using the Shiro config file mechanism as simple, lightweight dependency
injection.

This does not really tie us to using only Shiro authentication or
authorization mechanisms.

We have the choice of writing all our authentication or authorization in
our own servlet filters, leveraging filters and realms from the Shiro
library, or writing our own Shiro filters or Shiro realms.

In most cases, when we want to integrate with a new Hadoop back-end
service, all we have to do is specify the path to a file containing the
rewrite rules for the service. The rest of knox.ini (= shiro.ini)
would remain the same.

Please review and comment.


Thanks
Dilli
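Worked example, added here and not Knox's own code, of how one request would be authorized under the knoxAclAuthzFilter settings in the shiro.ini above. The "users; groups; ip patterns" layout of serviceAclMap, the meaning of OR/AND (any configured part matches vs. all configured parts match), octet-wise wildcard IP matching and default deny for paths with no ACL are assumptions about the filter's semantics, not taken from the message.

```python
# Added example (not Knox code); the ACL layout, OR/AND meaning and
# default-deny behaviour are assumptions.  Values come from the shiro.ini above.
SERVICE_ACL_MAP = ("/webhdfs/:user1 user2; users admin; 127.*.*.*, "
                   "/templeton/:user11 user12; users admin")
SERVICE_GROUP_ACL_MODE_MAP = "/webhdfs/:OR, /templeton/:OR"
GLOBAL_GROUP_ACL_MODE = "OR"

def parse_map(value):
    """Turn 'key:value, key:value' (the shiro.ini map style) into a dict."""
    result = {}
    for entry in value.split(","):
        key, _, val = entry.strip().partition(":")
        result[key] = val.strip()
    return result

def parse_acl(acl):
    """Split 'users; groups; ips' into three whitespace-separated lists."""
    parts = [p.split() for p in acl.split(";")]
    parts += [[]] * (3 - len(parts))          # tolerate missing trailing parts
    return parts[0], parts[1], parts[2]

def ip_matches(ip, pattern):
    """Octet-wise match: '*' stands for exactly one whole octet, never more."""
    octets, pats = ip.split("."), pattern.split(".")
    if len(octets) != 4 or len(pats) != 4:
        return False
    return all(p == "*" or p == o for o, p in zip(octets, pats))

def is_allowed(path, user, groups, client_ip, acl_map=SERVICE_ACL_MAP,
               mode_map=SERVICE_GROUP_ACL_MODE_MAP, global_mode=GLOBAL_GROUP_ACL_MODE):
    """Authorize one request against the per-service ACL; deny unless an ACL grants it."""
    acls, modes = parse_map(acl_map), parse_map(mode_map)
    candidates = [svc for svc in acls if path.startswith(svc)]
    if not candidates:
        return False                          # no ACL for this path: default deny
    service = max(candidates, key=len)        # most specific prefix wins
    users, allowed_groups, ip_patterns = parse_acl(acls[service])
    checks = []                               # one verdict per configured part
    if users:
        checks.append(user in users)
    if allowed_groups:
        checks.append(bool(set(groups) & set(allowed_groups)))
    if ip_patterns:
        checks.append(any(ip_matches(client_ip, p) for p in ip_patterns))
    if not checks:
        return False                          # an empty ACL grants nobody
    mode = modes.get(service, global_mode).upper()
    return any(checks) if mode == "OR" else all(checks)
```

Note that with OR mode the `127.*.*.*` entry alone lets any caller on a 127.x.x.x address through to WebHDFS regardless of identity, which is the kind of rule worth checking when reviewing such a map.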
