[ https://issues.apache.org/jira/browse/AMBARI-24118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivér Szabó updated AMBARI-24118:
----------------------------------
    Fix Version/s:     (was: 2.7.3)
                   2.8.0

> Update KNOX Service Config to Better Integrate the Knox Admin UI
> ----------------------------------------------------------------
>
>                 Key: AMBARI-24118
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24118
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-sever
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.8.0
>
>         Attachments: AMBARI-24118-001.patch
>
>
> The manager.xml topology in Apache Knox hosts the endpoint for the Knox Admin 
> UI. In order to provide management of the configuration for access to the UI 
> we need to be able to manage the LDAP configuration for authentication, group 
> lookup and the ACLs for constraining access to admin users and groups.
> We have taken a couple actions in Knox to facilitate this:
>  # Moved the authentication in manager.xml to leverage KnoxSSO as the 
> authentication mechanism. Will also buy us seamless SSO between Ambari and 
> Knox UIs.
>  # Made the group lookup manageable from the gateway-site.xml and the 
> admin.xml and manager.xml topologies auto-redeploy on startup of the Knox 
> server to pick up gateway-site changes.
>  # Made the list of admin users and admin groups configurable in 
> gateway-site.xml.
> This patch will default the KNOX_ADMIN_USERS to "admin" and the 
> KNOX_ADMIN_GROUPS to "admin". These values will work with the Knox DEMO LDAP 
> server that can be used for demos and testing but will need to be adjusted to 
> the enterprise LDAP users/groups that require access to the Knox Admin UI.
> The HadoopGroupProvider will assume the default configuration but when there 
> are no local OS accounts, the admin will be able to configure LDAP or other 
> group mapping mechanisms in gateway-site.xml via advanced params.
> Lastly, the patch adds the admin group to the DEMO LDAP users.ldif file to 
> facilitate group lookup if needed. It will actually use no lookup by default 
> and will grant access to a user named "admin" only but can be configured to 
> use the admin group.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
