Author: sumit Date: Mon May 11 19:17:26 2015 New Revision: 1678804 URL: http://svn.apache.org/r1678804 Log: KNOX-540
Added: knox/trunk/books/static/workflow-configuration.xml knox/trunk/books/static/workflow-definition.xml Modified: knox/site/books/knox-0-4-0/deployment-overview.png knox/site/books/knox-0-4-0/deployment-provider.png knox/site/books/knox-0-4-0/deployment-service.png knox/site/books/knox-0-4-0/runtime-overview.png knox/site/books/knox-0-4-0/runtime-request-processing.png knox/site/books/knox-0-5-0/deployment-overview.png knox/site/books/knox-0-5-0/deployment-provider.png knox/site/books/knox-0-5-0/deployment-service.png knox/site/books/knox-0-5-0/runtime-overview.png knox/site/books/knox-0-5-0/runtime-request-processing.png knox/site/books/knox-0-6-0/deployment-overview.png knox/site/books/knox-0-6-0/deployment-provider.png knox/site/books/knox-0-6-0/deployment-service.png knox/site/books/knox-0-6-0/runtime-overview.png knox/site/books/knox-0-6-0/runtime-request-processing.png knox/site/books/knox-0-6-0/user-guide.html knox/site/index.html knox/site/issue-tracking.html knox/site/license.html knox/site/mail-lists.html knox/site/project-info.html knox/site/team-list.html knox/trunk/books/0.6.0/admin_api.md knox/trunk/books/0.6.0/config_ldap_authc_cache.md knox/trunk/books/0.6.0/config_ldap_group_lookup.md Modified: knox/site/books/knox-0-4-0/deployment-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-4-0/deployment-provider.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-provider.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. 
Modified: knox/site/books/knox-0-4-0/deployment-service.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-service.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-4-0/runtime-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-4-0/runtime-request-processing.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-request-processing.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-5-0/deployment-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-5-0/deployment-provider.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-provider.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-5-0/deployment-service.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-service.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. 
Modified: knox/site/books/knox-0-5-0/runtime-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-5-0/runtime-request-processing.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-request-processing.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-6-0/deployment-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-6-0/deployment-provider.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-provider.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-6-0/deployment-service.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-service.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-6-0/runtime-overview.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. 
Modified: knox/site/books/knox-0-6-0/runtime-request-processing.png URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-request-processing.png?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== Binary files - no diff available. Modified: knox/site/books/knox-0-6-0/user-guide.html URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/user-guide.html?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/site/books/knox-0-6-0/user-guide.html (original) +++ knox/site/books/knox-0-6-0/user-guide.html Mon May 11 19:17:26 2015 
@@ -654,11 +654,11 @@ ip-10-39-107-209.ec2.internal <li><h6>HTTP PUT</h6></li> <li><h6>HTTP DELETE</h6></li> </ul><h5><a id="Server+Version"></a>Server Version</h5><h6><a id="Description"></a>Description</h6><p>Calls to Knox and returns the gateway’s current version and the version hash inside of a JSON object. </p><h6><a id="Example+Request+URL"></a>Example Request URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/version</code> </p><h6><a id="Example+cURL+Request"></a>Example cURL Request</h6><p><code>curl -u admin:admin-password -i -k https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/version</code></p><h6><a id="Response"></a>Response</h6> -<pre><code> { - "hash":"{version-hash}", - "version":"0.6.0" - } -</code></pre><h5><a id="Topology+Collection"></a>Topology Collection</h5><h6><a id="Description"></a>Description</h6><p>Calls to Knox and return an array of JSON objects that represent the list of deployed topologies currently inside of the gateway. </p><h6><a id="Example+Request+URL"></a>Example Request URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/{api-version}/topologies</code> </p><h6><a id="Example+cURL+Request"></a>Example cURL Request</h6><p><code>curl -u admin:admin-password -i -k https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies</code></p><h6><a id="Response"></a>Response</h6> +<pre><code> <ServerVersion> + <version>0.6.0</version> + <hash>{version-hash}</hash> + </ServerVersion> +</code></pre><h5><a id="Topology+Collection"></a>Topology Collection</h5><h6><a id="Description"></a>Description</h6><p>Calls to Knox and return an array of JSON objects that represent the list of deployed topologies currently inside of the gateway. 
</p><h6><a id="Example+Request+URL"></a>Example Request URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/{api-version}/topologies</code> </p><h6><a id="Example+cURL+Request"></a>Example cURL Request</h6><p><code>curl -u admin:admin-password -i -k -H Accept:application/json https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies</code></p><h6><a id="Response"></a>Response</h6> <pre><code>[ { "href":"https://localhost:8443/gateway/admin/api/v1/topologies/_default", @@ -673,7 +673,7 @@ ip-10-39-107-209.ec2.internal "uri":"https://localhost:8443/gateway/admin" } ] -</code></pre><h5><a id="Topology"></a>Topology</h5><h6><a id="Description"></a>Description</h6><p>Calls to Knox and return a JSON object that represents the requested topology </p><h6><a id="Example+Request+URL"></a>Example Request URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}</code> </p><h6><a id="Example+cURL+Request"></a>Example cURL Request</h6><p><code>curl -u admin:admin-password -i -k https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}</code></p><h6><a id="Response"></a>Response</h6> +</code></pre><h5><a id="Topology"></a>Topology</h5><h6><a id="Description"></a>Description</h6><p>Calls to Knox and return a JSON object that represents the requested topology </p><h6><a id="Example+Request+URL"></a>Example Request URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}</code> </p><h6><a id="Example+cURL+Request"></a>Example cURL Request</h6><p><code>curl -u admin:admin-password -i -k -H Accept:application/json https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}</code></p><h6><a id="Response"></a>Response</h6> <pre><code>{ "name": "admin", "providers": [{ 
@@ -1009,7 +1009,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop <value>authcBasic</value> </param> </provider> -</code></pre><h3><a id="Trying+out+caching"></a>Trying out caching</h3><p>Knox bundles a template topology files that can be used to try out the caching functionality. The template file located under {GATEWAY_HOME}/templates is sandbox.knoxrealm.ehcache.xml.</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp templates/sandbox.knoxrealm.ehcache.xml conf/topologies/sandbox.xml bin/ldap.sh start bin/gateway.sh start</p><p>The following call to WebHDFS should report: {“Path”:“/user/guest”}</p><p>curl -i -v -k -u guest:guest-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>In order to see the cache working, LDAP can now be shutdown and the user will still authenticate successfully.</p><p>bin/ldap.sh stop</p><p>and then the following should still return successfully like it did earlier.</p><p>curl -i -v -k -u guest:guest-password -X GET <a hr ef="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a id="Advanced+Caching+Config"></a>Advanced Caching Config</h4><p>By default the ehcache support in shiro contains a ehcache.xml in its classpath which is the following</p> +</code></pre><h3><a id="Trying+out+caching"></a>Trying out caching</h3><p>Knox bundles a template topology files that can be used to try out the caching functionality. 
The template file located under {GATEWAY_HOME}/templates is sandbox.knoxrealm.ehcache.xml.</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp templates/sandbox.knoxrealm.ehcache.xml conf/topologies/sandbox.xml bin/ldap.sh start bin/gateway.sh start</p><p>The following call to WebHDFS should report: {“Path”:“/user/tom”}</p><p>curl -i -v -k -u tom:tom-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>In order to see the cache working, LDAP can now be shutdown and the user will still authenticate successfully.</p><p>bin/ldap.sh stop</p><p>and then the following should still return successfully like it did earlier.</p><p>curl -i -v -k -u tom:tom-password -X GET <a href="https: //localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a id="Advanced+Caching+Config"></a>Advanced Caching Config</h4><p>By default the ehcache support in shiro contains a ehcache.xml in its classpath which is the following</p> <pre><code><ehcache> <!-- Sets the path to the directory where cache .data files are created. 
@@ -1094,7 +1094,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop <name>main.cacheManager.cacheManagerConfigFile</name> <value>classpath:ehcache.xml</value> </param> -</code></pre><p>In the above example, place the ehcache.xml file under {GATEWAY_HOME}/conf and restart the gateway server.</p><h3><a id="LDAPGroupLookup"></a>LDAPGroupLookup</h3><p>Knox can be configured to look up LDAP groups that the authenticated user belong to. Knox can look up both Static LDAP Groups and Dynamic LDAP Groups. The looked up groups are populated as Principal(s) in the Java Subject of authenticated user. Therefore service authorization rules can be defined in terms of LDAPGroups looked up from LDAP directory.</p><p>To look up LDAPGroups of autheticated user from LDAP, you have to use org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm in Shiro configuration.</p><p>Please see below a sample Shiro configuration snippet from a topology file that was tested looking LDAPGroups.</p> +</code></pre><p>In the above example, place the ehcache.xml file under {GATEWAY_HOME}/conf and restart the gateway server.</p><h3><a id="LDAPGroupLookup"></a>LDAPGroupLookup</h3><p>Knox can be configured to look up LDAP groups that the authenticated user belong to. Knox can look up both Static LDAP Groups and Dynamic LDAP Groups. The looked up groups are populated as Principal(s) in the Java Subject of authenticated user. Therefore service authorization rules can be defined in terms of LDAPGroups looked up from LDAP directory.</p><p>To look up LDAPGroups of authenticated user from LDAP, you have to use org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm in Shiro configuration.</p><p>Please see below a sample Shiro configuration snippet from a topology file that was tested looking LDAPGroups.</p> <pre><code> <provider> <role>authentication</role> <name>ShiroProvider</name> 
@@ -1203,7 +1203,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop </param> </provider> -</code></pre><p>The configuration shown above would look up Static LDAP groups of authenticated user and populate the group principals in the Java Subject corresponding to authenticated user.</p><p>If you want to look up Dynamic LDAP Groups instead of Static LDAP Groups, you would have to speciify groupObjectClass and memberAttribute params as shown below:</p> +</code></pre><p>The configuration shown above would look up Static LDAP groups of authenticated user and populate the group principals in the Java Subject corresponding to authenticated user.</p><p>If you want to look up Dynamic LDAP Groups instead of Static LDAP Groups, you would have to specify groupObjectClass and memberAttribute params as shown below:</p> <pre><code> <param> <name>main.ldapRealm.groupObjectClass</name> <value>groupOfUrls</value> 
@@ -1212,7 +1212,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop <name>main.ldapRealm.memberAttribute</name> <value>memberUrl</value> </param> -</code></pre><h3><a id="Template+topology+files+and+LDIF+files+to+try+out+LDAP+Group+Look+up"></a>Template topology files and LDIF files to try out LDAP Group Look up</h3><p>Knox bundles some template topology files and ldif files that you can use to try and test LDAP Group Lookup and associated authorization acls. All these template files are located under {GATEWAY_HOME}/templates.</p><h4><a id="LDAP+Static+Group+Lookup+Templates,+authentication+and+group+lookup+from+the+same+directory"></a>LDAP Static Group Lookup Templates, authentication and group lookup from the same directory</h4><p>topology file: sandbox.knoxrealm1.xml ldif file : users.ldapgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp templates/sandbox.knoxrealm1.xml deployments/sandbox.xml cp templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master</p><p>Following call to WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a member of group “analyst”, authorization prvoider states user should be member of group “analyst”</p><p>curl -i -v -k -u guest:guest-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following call to WebHDFS should report: {“Path”:“/user/sam”} As sam is a member of group “analyst”, authorization prvoider states user should be member of group “analyst”</p><p>curl -i -v -k -u sam:sam-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a id="LDAP+Static+Group+Lookup+Templates,+authentication+and+group+lookup+from+different++directories"></a>LDAP Static Group Lookup 
Templates, authentication and group lookup from different directories</h 4><p>topology file: sandbox.knoxrealm2.xml ldif file : users.ldapgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp templates/sandbox.knoxrealm2.xml deployments/sandbox.xml cp templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master</p><p>Following call to WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a member of group “analyst”, authorization prvoider states user should be member of group “analyst”</p><p>curl -i -v -k -u guest:guest-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following call to WebHDFS should report: {“Path”:“/user/sam”} As sam is a member of group “analyst”, authorization prvoider states user should be member of group “analyst”</p><p>c url -i -v -k -u sam:sam-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a id="LDAP+Dynamic+Group+Lookup+Templates,+authentication+and+dynamic+group+lookup+from+same++directory"></a>LDAP Dynamic Group Lookup Templates, authentication and dynamic group lookup from same directory</h4><p>topology file: sandbox.knoxrealmdg.xml ldif file : users.ldapdynamicgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp templates/sandbox.knoxrealmdg.xml deployments/sandbox.xml cp templates/users.ldapdynamicgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master</p><p>Please note that user.ldapdynamicgroups.ldif also loads ncessary schema to create dynamic groups in Apache DS.</p><p>Following call to WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a member of dynamic 
group “directors”, authorization prvoider states user should be member of group “directors”</p><p>curl -i -v -k -u guest:guest-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following call to WebHDFS should report: {“Path”:“/user/bob”} As bob is a member of dynamic group “directors”, authorization prvoider states user should be member of group “directors”</p><p>curl -i -v -k -u sam:sam-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h3><a id="Identity+Assertion"></a>Identity Assertion</h3><p>The identity assertion provider within Knox plays the critical role of communicating the identity principal to be used within the Hadoop cluster to represent the identity t hat has been authenticated at the gateway.</p><p>The general responsibilities of the identity assertion provider is to interrogate the current Java Subject that has been established by the authentication or federation provider and:</p> +</code></pre><h3><a id="Template+topology+files+and+LDIF+files+to+try+out+LDAP+Group+Look+up"></a>Template topology files and LDIF files to try out LDAP Group Look up</h3><p>Knox bundles some template topology files and ldif files that you can use to try and test LDAP Group Lookup and associated authorization acls. 
All these template files are located under {GATEWAY_HOME}/templates.</p><h4><a id="LDAP+Static+Group+Lookup+Templates,+authentication+and+group+lookup+from+the+same+directory"></a>LDAP Static Group Lookup Templates, authentication and group lookup from the same directory</h4><p>topology file: sandbox.knoxrealm1.xml ldif file : users.ldapgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp templates/sandbox.knoxrealm1.xml conf/topologies/sandbox.xml cp templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master</p><p>Following call to WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a member of group “analyst”, authorization prvoider states user should be member of group “analyst”</p><p>curl -i -v -k -u guest:guest-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following call to WebHDFS should report: {“Path”:“/user/sam”} As sam is a member of group “analyst”, authorization prvoider states user should be member of group “analyst”</p><p>curl -i -v -k -u sam:sam-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a id="LDAP+Static+Group+Lookup+Templates,+authentication+and+group+lookup+from+different++directories"></a>LDAP Static Group Lookup Templates, authentication and group lookup from different directorie s</h4><p>topology file: sandbox.knoxrealm2.xml ldif file : users.ldapgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp templates/sandbox.knoxrealm2.xml conf/topologies/sandbox.xml cp templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master</p><p>Following call to WebHDFS should 
report HTTP/1.1 401 Unauthorized As guest is not a member of group “analyst”, authorization prvoider states user should be member of group “analyst”</p><p>curl -i -v -k -u guest:guest-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following call to WebHDFS should report: {“Path”:“/user/sam”} As sam is a member of group “analyst”, authorization prvoider states user should be member of group “analyst” </p><p>curl -i -v -k -u sam:sam-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a id="LDAP+Dynamic+Group+Lookup+Templates,+authentication+and+dynamic+group+lookup+from+same++directory"></a>LDAP Dynamic Group Lookup Templates, authentication and dynamic group lookup from same directory</h4><p>topology file: sandbox.knoxrealmdg.xml ldif file : users.ldapdynamicgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp templates/sandbox.knoxrealmdg.xml conf/topologies/sandbox.xml cp templates/users.ldapdynamicgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master</p><p>Please note that user.ldapdynamicgroups.ldif also loads ncessary schema to create dynamic groups in Apache DS.</p><p>Following call to WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a membe r of dynamic group “directors”, authorization prvoider states user should be member of group “directors”</p><p>curl -i -v -k -u guest:guest-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following call to WebHDFS should report: {“Path”:“/user/bob”} As bob is a member of dynamic group “directors”, authorization prvoider states user should 
be member of group “directors”</p><p>curl -i -v -k -u sam:sam-password -X GET <a href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h3><a id="Identity+Assertion"></a>Identity Assertion</h3><p>The identity assertion provider within Knox plays the critical role of communicating the identity principal to be used within the Hadoop cluster to represent th e identity that has been authenticated at the gateway.</p><p>The general responsibilities of the identity assertion provider is to interrogate the current Java Subject that has been established by the authentication or federation provider and:</p> <ol> <li>determine whether it matches any principal mapping rules and apply them appropriately</li> <li>determine whether it matches any group principal mapping rules and apply them</li> Modified: knox/site/index.html URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/site/index.html (original) +++ knox/site/index.html Mon May 11 19:17:26 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150506" /> + <meta name="Date-Revision-yyyymmdd" content="20150511" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-05-06</span> + | <span id="publishDate">Last Published: 2015-05-11</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/issue-tracking.html URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/site/issue-tracking.html (original) +++ knox/site/issue-tracking.html Mon May 11 19:17:26 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150506" /> + <meta name="Date-Revision-yyyymmdd" content="20150511" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-05-06</span> + | <span id="publishDate">Last Published: 2015-05-11</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/license.html URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/site/license.html (original) +++ knox/site/license.html Mon May 11 19:17:26 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150506" /> + <meta name="Date-Revision-yyyymmdd" content="20150511" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-05-06</span> + | <span id="publishDate">Last Published: 2015-05-11</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/mail-lists.html URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/site/mail-lists.html (original) +++ knox/site/mail-lists.html Mon May 11 19:17:26 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150506" /> + <meta name="Date-Revision-yyyymmdd" content="20150511" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-05-06</span> + | <span id="publishDate">Last Published: 2015-05-11</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/project-info.html URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/site/project-info.html (original) +++ knox/site/project-info.html Mon May 11 19:17:26 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150506" /> + <meta name="Date-Revision-yyyymmdd" content="20150511" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-05-06</span> + | <span id="publishDate">Last Published: 2015-05-11</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/site/team-list.html URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/site/team-list.html (original) +++ knox/site/team-list.html Mon May 11 19:17:26 2015 @@ -1,5 +1,5 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 --> +<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> @@ -10,7 +10,7 @@ @import url("./css/site.css"); </style> <link rel="stylesheet" href="./css/print.css" type="text/css" media="print" /> - <meta name="Date-Revision-yyyymmdd" content="20150506" /> + <meta name="Date-Revision-yyyymmdd" content="20150511" /> <meta http-equiv="Content-Language" content="en" /> <script type="text/javascript">var _gaq = _gaq || []; 
@@ -57,7 +57,7 @@ <a href="https://cwiki.apache.org/confluence/display/KNOX/Index" class="externalLink" title="Wiki">Wiki</a> - | <span id="publishDate">Last Published: 2015-05-06</span> + | <span id="publishDate">Last Published: 2015-05-11</span> | <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span> </div> <div class="clear"> Modified: knox/trunk/books/0.6.0/admin_api.md URL: http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/admin_api.md?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/trunk/books/0.6.0/admin_api.md (original) +++ knox/trunk/books/0.6.0/admin_api.md Mon May 11 19:17:26 2015 @@ -56,11 +56,10 @@ Calls to Knox and returns the gateway's ###### Response - { - "hash":"{version-hash}", - "version":"0.6.0" - } - + <ServerVersion> + <version>0.6.0</version> + <hash>{version-hash}</hash> + </ServerVersion> ##### Topology Collection @@ -74,7 +73,7 @@ Calls to Knox and return an array of JSO ###### Example cURL Request -`curl -u admin:admin-password -i -k https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies` +`curl -u admin:admin-password -i -k -H Accept:application/json https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies` ###### Response 
@@ -106,7 +105,7 @@ Calls to Knox and return a JSON object t ###### Example cURL Request -`curl -u admin:admin-password -i -k https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}` +`curl -u admin:admin-password -i -k -H Accept:application/json https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}` ###### Response Modified: knox/trunk/books/0.6.0/config_ldap_authc_cache.md URL: http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/config_ldap_authc_cache.md?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/trunk/books/0.6.0/config_ldap_authc_cache.md (original) +++ knox/trunk/books/0.6.0/config_ldap_authc_cache.md Mon May 11 19:17:26 2015 @@ -102,9 +102,9 @@ cp templates/sandbox.knoxrealm.ehcache.x bin/ldap.sh start bin/gateway.sh start -The following call to WebHDFS should report: {"Path":"/user/guest"} +The following call to WebHDFS should report: {"Path":"/user/tom"} -curl -i -v -k -u guest:guest-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY +curl -i -v -k -u tom:tom-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY In order to see the cache working, LDAP can now be shutdown and the user will still authenticate successfully. 
@@ -112,7 +112,7 @@ bin/ldap.sh stop and then the following should still return successfully like it did earlier. -curl -i -v -k -u guest:guest-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY +curl -i -v -k -u tom:tom-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY #### Advanced Caching Config #### Modified: knox/trunk/books/0.6.0/config_ldap_group_lookup.md URL: http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/config_ldap_group_lookup.md?rev=1678804&r1=1678803&r2=1678804&view=diff ============================================================================== --- knox/trunk/books/0.6.0/config_ldap_group_lookup.md (original) +++ knox/trunk/books/0.6.0/config_ldap_group_lookup.md Mon May 11 19:17:26 2015 @@ -22,7 +22,7 @@ Knox can look up both Static LDAP Groups The looked up groups are populated as Principal(s) in the Java Subject of authenticated user. Therefore service authorization rules can be defined in terms of LDAPGroups looked up from LDAP directory. -To look up LDAPGroups of autheticated user from LDAP, you have to use org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm in Shiro configuration. +To look up LDAPGroups of authenticated user from LDAP, you have to use org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm in Shiro configuration. Please see below a sample Shiro configuration snippet from a topology file that was tested looking LDAPGroups. 
@@ -137,7 +137,7 @@ Please see below a sample Shiro configur The configuration shown above would look up Static LDAP groups of authenticated user and populate the group principals in the Java Subject corresponding to authenticated user. -If you want to look up Dynamic LDAP Groups instead of Static LDAP Groups, you would have to speciify groupObjectClass and memberAttribute params as shown below: +If you want to look up Dynamic LDAP Groups instead of Static LDAP Groups, you would have to specify groupObjectClass and memberAttribute params as shown below: <param> <name>main.ldapRealm.groupObjectClass</name> @@ -162,7 +162,7 @@ ldif file : users.ldapgroups.ldif To try this out cd {GATEWAY_HOME} -cp templates/sandbox.knoxrealm1.xml deployments/sandbox.xml +cp templates/sandbox.knoxrealm1.xml conf/topologies/sandbox.xml cp templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master @@ -186,7 +186,7 @@ ldif file : users.ldapgroups.ldif To try this out cd {GATEWAY_HOME} -cp templates/sandbox.knoxrealm2.xml deployments/sandbox.xml +cp templates/sandbox.knoxrealm2.xml conf/topologies/sandbox.xml cp templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master 
@@ -209,7 +209,7 @@ ldif file : users.ldapdynamicgroups.l To try this out cd {GATEWAY_HOME} -cp templates/sandbox.knoxrealmdg.xml deployments/sandbox.xml +cp templates/sandbox.knoxrealmdg.xml conf/topologies/sandbox.xml cp templates/users.ldapdynamicgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master Added: knox/trunk/books/static/workflow-configuration.xml URL: http://svn.apache.org/viewvc/knox/trunk/books/static/workflow-configuration.xml?rev=1678804&view=auto ============================================================================== --- knox/trunk/books/static/workflow-configuration.xml (added) +++ knox/trunk/books/static/workflow-configuration.xml Mon May 11 19:17:26 2015 
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<configuration>
+ <property>
+ <name>jobTracker</name>
+ <value>REPLACE.JOBTRACKER.RPCHOSTPORT</value>
+ <!-- Example: <value>localhost:50300</value> -->
+ </property>
+ <property>
+ <name>nameNode</name>
+ <value>hdfs://REPLACE.NAMENODE.RPCHOSTPORT</value>
+ <!-- Example: <value>hdfs://localhost:8020</value> -->
+ </property>
+ <property>
+ <name>oozie.wf.application.path</name>
+ <value>hdfs://REPLACE.NAMENODE.RPCHOSTPORT/tmp/test</value>
+ <!-- Example: <value>hdfs://localhost:8020/tmp/test</value> -->
+ </property>
+ <property>
+ <name>user.name</name>
+ <value>mapred</value>
+ </property>
+ <property>
+ <name>inputDir</name>
+ <value>/tmp/test/input</value>
+ </property>
+ <property>
+ <name>outputDir</name>
+ <value>/tmp/test/output</value>
+ </property>
+</configuration>
Added: knox/trunk/books/static/workflow-definition.xml
URL: http://svn.apache.org/viewvc/knox/trunk/books/static/workflow-definition.xml?rev=1678804&view=auto
==============================================================================
--- knox/trunk/books/static/workflow-definition.xml (added)
+++ knox/trunk/books/static/workflow-definition.xml Mon May 11 19:17:26 2015
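Review bot: In workflow-configuration.xml, `user.name` is hard-coded to `mapred`, conventionally a Hadoop service account, while the host and port values beside it are `REPLACE.*` placeholders with an example comment. A reader who copies the sample unchanged asks for the job to run as that account wherever the value is honoured; whether the gateway replaces it with the authenticated caller is not visible in this file. I would make it a placeholder like the others, `<value>REPLACE.USERNAME</value>` followed by `<!-- Example: <value>guest</value> -->`. The `/tmp/test` application, input and output paths sit in a shared scratch area, so a one-line comment marking them as sample values to change would also help.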
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<workflow-app xmlns="uri:oozie:workflow:0.2" name="wordcount-workflow">
+ <start to="root"/>
+ <action name="root">
+ <java>
+ <job-tracker>${jobTracker}</job-tracker>
+ <name-node>${nameNode}</name-node>
+ <main-class>org.apache.hadoop.examples.WordCount</main-class>
+ <arg>${inputDir}</arg>
+ <arg>${outputDir}</arg>
+ </java>
+ <ok to="end"/>
+ <error to="fail"/>
+ </action>
+ <kill name="fail">
+ <message>Java failed, error message[${wf:errorMessage(wf:lastErrorNode())}]</message>
+ </kill>
+ <end name="end"/>
+</workflow-app>
\ No newline at end of file
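Review bot: The `<java>` action has no `<prepare>` step, so a second submission of this sample will presumably fail because `${outputDir}` already exists after the first `WordCount` run. Adding `<prepare><delete path="${nameNode}${outputDir}"/></prepare>` after `<name-node>` would make the sample re-runnable. Because that deletes whatever path the submitter supplies, a comment next to it should say that `outputDir` must point at a directory used only by this job. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.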