Author: sumit
Date: Mon May 11 19:17:26 2015
New Revision: 1678804
URL: http://svn.apache.org/r1678804
Log:
KNOX-540
Added:
knox/trunk/books/static/workflow-configuration.xml
knox/trunk/books/static/workflow-definition.xml
Modified:
knox/site/books/knox-0-4-0/deployment-overview.png
knox/site/books/knox-0-4-0/deployment-provider.png
knox/site/books/knox-0-4-0/deployment-service.png
knox/site/books/knox-0-4-0/runtime-overview.png
knox/site/books/knox-0-4-0/runtime-request-processing.png
knox/site/books/knox-0-5-0/deployment-overview.png
knox/site/books/knox-0-5-0/deployment-provider.png
knox/site/books/knox-0-5-0/deployment-service.png
knox/site/books/knox-0-5-0/runtime-overview.png
knox/site/books/knox-0-5-0/runtime-request-processing.png
knox/site/books/knox-0-6-0/deployment-overview.png
knox/site/books/knox-0-6-0/deployment-provider.png
knox/site/books/knox-0-6-0/deployment-service.png
knox/site/books/knox-0-6-0/runtime-overview.png
knox/site/books/knox-0-6-0/runtime-request-processing.png
knox/site/books/knox-0-6-0/user-guide.html
knox/site/index.html
knox/site/issue-tracking.html
knox/site/license.html
knox/site/mail-lists.html
knox/site/project-info.html
knox/site/team-list.html
knox/trunk/books/0.6.0/admin_api.md
knox/trunk/books/0.6.0/config_ldap_authc_cache.md
knox/trunk/books/0.6.0/config_ldap_group_lookup.md
Modified: knox/site/books/knox-0-4-0/deployment-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-4-0/deployment-provider.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-provider.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-4-0/deployment-service.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-service.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-4-0/runtime-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-4-0/runtime-request-processing.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-request-processing.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/deployment-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/deployment-provider.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-provider.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/deployment-service.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-service.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/runtime-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-5-0/runtime-request-processing.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-request-processing.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/deployment-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/deployment-provider.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-provider.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/deployment-service.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-service.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/runtime-overview.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-overview.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/runtime-request-processing.png
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-request-processing.png?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
Binary files - no diff available.
Modified: knox/site/books/knox-0-6-0/user-guide.html
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/user-guide.html?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/site/books/knox-0-6-0/user-guide.html (original)
+++ knox/site/books/knox-0-6-0/user-guide.html Mon May 11 19:17:26 2015
@@ -654,11 +654,11 @@ ip-10-39-107-209.ec2.internal
<li><h6>HTTP PUT</h6></li>
<li><h6>HTTP DELETE</h6></li>
</ul><h5><a id="Server+Version"></a>Server Version</h5><h6><a
id="Description"></a>Description</h6><p>Calls to Knox and returns the
gateway’s current version and the version hash inside of a JSON object.
</p><h6><a id="Example+Request+URL"></a>Example Request
URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/version</code>
</p><h6><a id="Example+cURL+Request"></a>Example cURL
Request</h6><p><code>curl -u admin:admin-password -i -k
https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/version</code></p><h6><a
id="Response"></a>Response</h6>
-<pre><code> {
- "hash":"{version-hash}",
- "version":"0.6.0"
- }
-</code></pre><h5><a id="Topology+Collection"></a>Topology
Collection</h5><h6><a id="Description"></a>Description</h6><p>Calls to Knox and
return an array of JSON objects that represent the list of deployed topologies
currently inside of the gateway. </p><h6><a
id="Example+Request+URL"></a>Example Request
URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/{api-version}/topologies</code>
</p><h6><a id="Example+cURL+Request"></a>Example cURL
Request</h6><p><code>curl -u admin:admin-password -i -k
https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies</code></p><h6><a
id="Response"></a>Response</h6>
+<pre><code> <ServerVersion>
+ <version>0.6.0</version>
+ <hash>{version-hash}</hash>
+ </ServerVersion>
+</code></pre><h5><a id="Topology+Collection"></a>Topology
Collection</h5><h6><a id="Description"></a>Description</h6><p>Calls to Knox and
return an array of JSON objects that represent the list of deployed topologies
currently inside of the gateway. </p><h6><a
id="Example+Request+URL"></a>Example Request
URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/{api-version}/topologies</code>
</p><h6><a id="Example+cURL+Request"></a>Example cURL
Request</h6><p><code>curl -u admin:admin-password -i -k -H
Accept:application/json
https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies</code></p><h6><a
id="Response"></a>Response</h6>
<pre><code>[
{
"href":"https://localhost:8443/gateway/admin/api/v1/topologies/_default",
@@ -673,7 +673,7 @@ ip-10-39-107-209.ec2.internal
"uri":"https://localhost:8443/gateway/admin"
}
]
-</code></pre><h5><a id="Topology"></a>Topology</h5><h6><a
id="Description"></a>Description</h6><p>Calls to Knox and return a JSON object
that represents the requested topology </p><h6><a
id="Example+Request+URL"></a>Example Request
URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}</code>
</p><h6><a id="Example+cURL+Request"></a>Example cURL
Request</h6><p><code>curl -u admin:admin-password -i -k
https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}</code></p><h6><a
id="Response"></a>Response</h6>
+</code></pre><h5><a id="Topology"></a>Topology</h5><h6><a
id="Description"></a>Description</h6><p>Calls to Knox and return a JSON object
that represents the requested topology </p><h6><a
id="Example+Request+URL"></a>Example Request
URL</h6><p><code>https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}</code>
</p><h6><a id="Example+cURL+Request"></a>Example cURL
Request</h6><p><code>curl -u admin:admin-password -i -k -H
Accept:application/json
https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}</code></p><h6><a
id="Response"></a>Response</h6>
<pre><code>{
"name": "admin",
"providers": [{
@@ -1009,7 +1009,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop
<value>authcBasic</value>
</param>
</provider>
-</code></pre><h3><a id="Trying+out+caching"></a>Trying out caching</h3><p>Knox
bundles a template topology files that can be used to try out the caching
functionality. The template file located under {GATEWAY_HOME}/templates is
sandbox.knoxrealm.ehcache.xml.</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp
templates/sandbox.knoxrealm.ehcache.xml conf/topologies/sandbox.xml bin/ldap.sh
start bin/gateway.sh start</p><p>The following call to WebHDFS should report:
{“Path”:“/user/guest”}</p><p>curl -i -v -k -u
guest:guest-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>In
order to see the cache working, LDAP can now be shutdown and the user will
still authenticate successfully.</p><p>bin/ldap.sh stop</p><p>and then the
following should still return successfully like it did earlier.</p><p>curl -i
-v -k -u guest:guest-password -X GET <a hr
ef="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a
id="Advanced+Caching+Config"></a>Advanced Caching Config</h4><p>By default the
ehcache support in shiro contains a ehcache.xml in its classpath which is the
following</p>
+</code></pre><h3><a id="Trying+out+caching"></a>Trying out caching</h3><p>Knox
bundles a template topology files that can be used to try out the caching
functionality. The template file located under {GATEWAY_HOME}/templates is
sandbox.knoxrealm.ehcache.xml.</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp
templates/sandbox.knoxrealm.ehcache.xml conf/topologies/sandbox.xml bin/ldap.sh
start bin/gateway.sh start</p><p>The following call to WebHDFS should report:
{“Path”:“/user/tom”}</p><p>curl -i -v -k -u
tom:tom-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>In
order to see the cache working, LDAP can now be shutdown and the user will
still authenticate successfully.</p><p>bin/ldap.sh stop</p><p>and then the
following should still return successfully like it did earlier.</p><p>curl -i
-v -k -u tom:tom-password -X GET <a href="https:
//localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY">https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a
id="Advanced+Caching+Config"></a>Advanced Caching Config</h4><p>By default the
ehcache support in shiro contains a ehcache.xml in its classpath which is the
following</p>
<pre><code><ehcache>
<!-- Sets the path to the directory where cache .data files are created.
@@ -1094,7 +1094,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop
<name>main.cacheManager.cacheManagerConfigFile</name>
<value>classpath:ehcache.xml</value>
</param>
-</code></pre><p>In the above example, place the ehcache.xml file under
{GATEWAY_HOME}/conf and restart the gateway server.</p><h3><a
id="LDAPGroupLookup"></a>LDAPGroupLookup</h3><p>Knox can be configured to look
up LDAP groups that the authenticated user belong to. Knox can look up both
Static LDAP Groups and Dynamic LDAP Groups. The looked up groups are populated
as Principal(s) in the Java Subject of authenticated user. Therefore service
authorization rules can be defined in terms of LDAPGroups looked up from LDAP
directory.</p><p>To look up LDAPGroups of autheticated user from LDAP, you have
to use org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm in Shiro
configuration.</p><p>Please see below a sample Shiro configuration snippet from
a topology file that was tested looking LDAPGroups.</p>
+</code></pre><p>In the above example, place the ehcache.xml file under
{GATEWAY_HOME}/conf and restart the gateway server.</p><h3><a
id="LDAPGroupLookup"></a>LDAPGroupLookup</h3><p>Knox can be configured to look
up LDAP groups that the authenticated user belong to. Knox can look up both
Static LDAP Groups and Dynamic LDAP Groups. The looked up groups are populated
as Principal(s) in the Java Subject of authenticated user. Therefore service
authorization rules can be defined in terms of LDAPGroups looked up from LDAP
directory.</p><p>To look up LDAPGroups of authenticated user from LDAP, you
have to use org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm in Shiro
configuration.</p><p>Please see below a sample Shiro configuration snippet from
a topology file that was tested looking LDAPGroups.</p>
<pre><code> <provider>
<role>authentication</role>
<name>ShiroProvider</name>
@@ -1203,7 +1203,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop
</param>
</provider>
-</code></pre><p>The configuration shown above would look up Static LDAP groups
of authenticated user and populate the group principals in the Java Subject
corresponding to authenticated user.</p><p>If you want to look up Dynamic LDAP
Groups instead of Static LDAP Groups, you would have to speciify
groupObjectClass and memberAttribute params as shown below:</p>
+</code></pre><p>The configuration shown above would look up Static LDAP groups
of authenticated user and populate the group principals in the Java Subject
corresponding to authenticated user.</p><p>If you want to look up Dynamic LDAP
Groups instead of Static LDAP Groups, you would have to specify
groupObjectClass and memberAttribute params as shown below:</p>
<pre><code> <param>
<name>main.ldapRealm.groupObjectClass</name>
<value>groupOfUrls</value>
@@ -1212,7 +1212,7 @@ ldapRealm.userDnTemplate=uid={0},ou=peop
<name>main.ldapRealm.memberAttribute</name>
<value>memberUrl</value>
</param>
-</code></pre><h3><a
id="Template+topology+files+and+LDIF+files+to+try+out+LDAP+Group+Look+up"></a>Template
topology files and LDIF files to try out LDAP Group Look up</h3><p>Knox
bundles some template topology files and ldif files that you can use to try and
test LDAP Group Lookup and associated authorization acls. All these template
files are located under {GATEWAY_HOME}/templates.</p><h4><a
id="LDAP+Static+Group+Lookup+Templates,+authentication+and+group+lookup+from+the+same+directory"></a>LDAP
Static Group Lookup Templates, authentication and group lookup from the same
directory</h4><p>topology file: sandbox.knoxrealm1.xml ldif file :
users.ldapgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp
templates/sandbox.knoxrealm1.xml deployments/sandbox.xml cp
templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf
java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar
-persist-master</p><p>Following call to WebHDFS should report HTTP/1.1 401
Unauthorized As guest is not a member of group “analyst”,
authorization prvoider states user should be member of group
“analyst”</p><p>curl -i -v -k -u guest:guest-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following
call to WebHDFS should report: {“Path”:“/user/sam”} As
sam is a member of group “analyst”, authorization prvoider states
user should be member of group “analyst”</p><p>curl -i -v -k -u
sam:sam-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a
id="LDAP+Static+Group+Lookup+Templates,+authentication+and+group+lookup+from+different++directories"></a>LDAP
Static Group Lookup Templates, authentication and group lookup from different
directories</h
4><p>topology file: sandbox.knoxrealm2.xml ldif file :
users.ldapgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp
templates/sandbox.knoxrealm2.xml deployments/sandbox.xml cp
templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf
java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar
-persist-master</p><p>Following call to WebHDFS should report HTTP/1.1 401
Unauthorized As guest is not a member of group “analyst”,
authorization prvoider states user should be member of group
“analyst”</p><p>curl -i -v -k -u guest:guest-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following
call to WebHDFS should report: {“Path”:“/user/sam”} As
sam is a member of group “analyst”, authorization prvoider states
user should be member of group “analyst”</p><p>c
url -i -v -k -u sam:sam-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a
id="LDAP+Dynamic+Group+Lookup+Templates,+authentication+and+dynamic+group+lookup+from+same++directory"></a>LDAP
Dynamic Group Lookup Templates, authentication and dynamic group lookup from
same directory</h4><p>topology file: sandbox.knoxrealmdg.xml ldif file :
users.ldapdynamicgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp
templates/sandbox.knoxrealmdg.xml deployments/sandbox.xml cp
templates/users.ldapdynamicgroups.ldif conf/users.ldif java -jar bin/ldap.jar
conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar
-persist-master</p><p>Please note that user.ldapdynamicgroups.ldif also loads
ncessary schema to create dynamic groups in Apache DS.</p><p>Following call to
WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a member of
dynamic
group “directors”, authorization prvoider states user should be
member of group “directors”</p><p>curl -i -v -k -u
guest:guest-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following
call to WebHDFS should report: {“Path”:“/user/bob”} As
bob is a member of dynamic group “directors”, authorization
prvoider states user should be member of group
“directors”</p><p>curl -i -v -k -u sam:sam-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h3><a
id="Identity+Assertion"></a>Identity Assertion</h3><p>The identity assertion
provider within Knox plays the critical role of communicating the identity
principal to be used within the Hadoop cluster to represent the identity t
hat has been authenticated at the gateway.</p><p>The general responsibilities
of the identity assertion provider is to interrogate the current Java Subject
that has been established by the authentication or federation provider and:</p>
+</code></pre><h3><a
id="Template+topology+files+and+LDIF+files+to+try+out+LDAP+Group+Look+up"></a>Template
topology files and LDIF files to try out LDAP Group Look up</h3><p>Knox
bundles some template topology files and ldif files that you can use to try and
test LDAP Group Lookup and associated authorization acls. All these template
files are located under {GATEWAY_HOME}/templates.</p><h4><a
id="LDAP+Static+Group+Lookup+Templates,+authentication+and+group+lookup+from+the+same+directory"></a>LDAP
Static Group Lookup Templates, authentication and group lookup from the same
directory</h4><p>topology file: sandbox.knoxrealm1.xml ldif file :
users.ldapgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp
templates/sandbox.knoxrealm1.xml conf/topologies/sandbox.xml cp
templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf
java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar
-persist-master</p><p>Following call to WebHDFS should report HTTP/1.1
401 Unauthorized As guest is not a member of group “analyst”,
authorization prvoider states user should be member of group
“analyst”</p><p>curl -i -v -k -u guest:guest-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following
call to WebHDFS should report: {“Path”:“/user/sam”} As
sam is a member of group “analyst”, authorization prvoider states
user should be member of group “analyst”</p><p>curl -i -v -k -u
sam:sam-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a
id="LDAP+Static+Group+Lookup+Templates,+authentication+and+group+lookup+from+different++directories"></a>LDAP
Static Group Lookup Templates, authentication and group lookup from different
directorie
s</h4><p>topology file: sandbox.knoxrealm2.xml ldif file :
users.ldapgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp
templates/sandbox.knoxrealm2.xml conf/topologies/sandbox.xml cp
templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf
java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar
-persist-master</p><p>Following call to WebHDFS should report HTTP/1.1 401
Unauthorized As guest is not a member of group “analyst”,
authorization prvoider states user should be member of group
“analyst”</p><p>curl -i -v -k -u guest:guest-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following
call to WebHDFS should report: {“Path”:“/user/sam”} As
sam is a member of group “analyst”, authorization prvoider states
user should be member of group “analyst”
</p><p>curl -i -v -k -u sam:sam-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h4><a
id="LDAP+Dynamic+Group+Lookup+Templates,+authentication+and+dynamic+group+lookup+from+same++directory"></a>LDAP
Dynamic Group Lookup Templates, authentication and dynamic group lookup from
same directory</h4><p>topology file: sandbox.knoxrealmdg.xml ldif file :
users.ldapdynamicgroups.ldif</p><p>To try this out</p><p>cd {GATEWAY_HOME} cp
templates/sandbox.knoxrealmdg.xml conf/topologies/sandbox.xml cp
templates/users.ldapdynamicgroups.ldif conf/users.ldif java -jar bin/ldap.jar
conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar
-persist-master</p><p>Please note that user.ldapdynamicgroups.ldif also loads
ncessary schema to create dynamic groups in Apache DS.</p><p>Following call to
WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a membe
r of dynamic group “directors”, authorization prvoider states user
should be member of group “directors”</p><p>curl -i -v -k -u
guest:guest-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><p>Following
call to WebHDFS should report: {“Path”:“/user/bob”} As
bob is a member of dynamic group “directors”, authorization
prvoider states user should be member of group
“directors”</p><p>curl -i -v -k -u sam:sam-password -X GET <a
href="https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY";>https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY</a></p><h3><a
id="Identity+Assertion"></a>Identity Assertion</h3><p>The identity assertion
provider within Knox plays the critical role of communicating the identity
principal to be used within the Hadoop cluster to represent th
e identity that has been authenticated at the gateway.</p><p>The general
responsibilities of the identity assertion provider is to interrogate the
current Java Subject that has been established by the authentication or
federation provider and:</p>
<ol>
<li>determine whether it matches any principal mapping rules and apply them
appropriately</li>
<li>determine whether it matches any group principal mapping rules and apply
them</li>
Modified: knox/site/index.html
URL:
http://svn.apache.org/viewvc/knox/site/index.html?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Mon May 11 19:17:26 2015
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 -->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
@import url("./css/site.css");
</style>
<link rel="stylesheet" href="./css/print.css" type="text/css"
media="print" />
- <meta name="Date-Revision-yyyymmdd" content="20150506" />
+ <meta name="Date-Revision-yyyymmdd" content="20150511" />
<meta http-equiv="Content-Language" content="en" />
<script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
<a
href="https://cwiki.apache.org/confluence/display/KNOX/Index";
class="externalLink" title="Wiki">Wiki</a>
- | <span id="publishDate">Last Published:
2015-05-06</span>
+ | <span id="publishDate">Last Published:
2015-05-11</span>
| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
</div>
<div class="clear">
Modified: knox/site/issue-tracking.html
URL:
http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Mon May 11 19:17:26 2015
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 -->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
@import url("./css/site.css");
</style>
<link rel="stylesheet" href="./css/print.css" type="text/css"
media="print" />
- <meta name="Date-Revision-yyyymmdd" content="20150506" />
+ <meta name="Date-Revision-yyyymmdd" content="20150511" />
<meta http-equiv="Content-Language" content="en" />
<script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
<a
href="https://cwiki.apache.org/confluence/display/KNOX/Index";
class="externalLink" title="Wiki">Wiki</a>
- | <span id="publishDate">Last Published:
2015-05-06</span>
+ | <span id="publishDate">Last Published:
2015-05-11</span>
| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
</div>
<div class="clear">
Modified: knox/site/license.html
URL:
http://svn.apache.org/viewvc/knox/site/license.html?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Mon May 11 19:17:26 2015
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 -->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
@import url("./css/site.css");
</style>
<link rel="stylesheet" href="./css/print.css" type="text/css"
media="print" />
- <meta name="Date-Revision-yyyymmdd" content="20150506" />
+ <meta name="Date-Revision-yyyymmdd" content="20150511" />
<meta http-equiv="Content-Language" content="en" />
<script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
<a
href="https://cwiki.apache.org/confluence/display/KNOX/Index";
class="externalLink" title="Wiki">Wiki</a>
- | <span id="publishDate">Last Published:
2015-05-06</span>
+ | <span id="publishDate">Last Published:
2015-05-11</span>
| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
</div>
<div class="clear">
Modified: knox/site/mail-lists.html
URL:
http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Mon May 11 19:17:26 2015
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 -->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
@import url("./css/site.css");
</style>
<link rel="stylesheet" href="./css/print.css" type="text/css"
media="print" />
- <meta name="Date-Revision-yyyymmdd" content="20150506" />
+ <meta name="Date-Revision-yyyymmdd" content="20150511" />
<meta http-equiv="Content-Language" content="en" />
<script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
<a
href="https://cwiki.apache.org/confluence/display/KNOX/Index";
class="externalLink" title="Wiki">Wiki</a>
- | <span id="publishDate">Last Published:
2015-05-06</span>
+ | <span id="publishDate">Last Published:
2015-05-11</span>
| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
</div>
<div class="clear">
Modified: knox/site/project-info.html
URL:
http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Mon May 11 19:17:26 2015
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 -->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
@import url("./css/site.css");
</style>
<link rel="stylesheet" href="./css/print.css" type="text/css"
media="print" />
- <meta name="Date-Revision-yyyymmdd" content="20150506" />
+ <meta name="Date-Revision-yyyymmdd" content="20150511" />
<meta http-equiv="Content-Language" content="en" />
<script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
<a
href="https://cwiki.apache.org/confluence/display/KNOX/Index";
class="externalLink" title="Wiki">Wiki</a>
- | <span id="publishDate">Last Published:
2015-05-06</span>
+ | <span id="publishDate">Last Published:
2015-05-11</span>
| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
</div>
<div class="clear">
Modified: knox/site/team-list.html
URL:
http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Mon May 11 19:17:26 2015
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
-<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-06 -->
+<!-- Generated by Apache Maven Doxia Site Renderer 1.6 at 2015-05-11 -->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -10,7 +10,7 @@
@import url("./css/site.css");
</style>
<link rel="stylesheet" href="./css/print.css" type="text/css"
media="print" />
- <meta name="Date-Revision-yyyymmdd" content="20150506" />
+ <meta name="Date-Revision-yyyymmdd" content="20150511" />
<meta http-equiv="Content-Language" content="en" />
<script type="text/javascript">var _gaq = _gaq || [];
@@ -57,7 +57,7 @@
<a
href="https://cwiki.apache.org/confluence/display/KNOX/Index";
class="externalLink" title="Wiki">Wiki</a>
- | <span id="publishDate">Last Published:
2015-05-06</span>
+ | <span id="publishDate">Last Published:
2015-05-11</span>
| <span id="projectVersion">Version: 0.0.0-SNAPSHOT</span>
</div>
<div class="clear">
Modified: knox/trunk/books/0.6.0/admin_api.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/admin_api.md?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/trunk/books/0.6.0/admin_api.md (original)
+++ knox/trunk/books/0.6.0/admin_api.md Mon May 11 19:17:26 2015
@@ -56,11 +56,10 @@ Calls to Knox and returns the gateway's
###### Response
- {
- "hash":"{version-hash}",
- "version":"0.6.0"
- }
-
+ <ServerVersion>
+ <version>0.6.0</version>
+ <hash>{version-hash}</hash>
+ </ServerVersion>
##### Topology Collection
@@ -74,7 +73,7 @@ Calls to Knox and return an array of JSO
###### Example cURL Request
-`curl -u admin:admin-password -i -k
https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies`
+`curl -u admin:admin-password -i -k -H Accept:application/json
https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies`
###### Response
@@ -106,7 +105,7 @@ Calls to Knox and return a JSON object t
###### Example cURL Request
-`curl -u admin:admin-password -i -k
https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}`
+`curl -u admin:admin-password -i -k -H Accept:application/json
https://{gateway-host}:{gateway-port}/{gateway-path}/admin/api/v1/topologies/{topology-name}`
###### Response
Modified: knox/trunk/books/0.6.0/config_ldap_authc_cache.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/config_ldap_authc_cache.md?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/trunk/books/0.6.0/config_ldap_authc_cache.md (original)
+++ knox/trunk/books/0.6.0/config_ldap_authc_cache.md Mon May 11 19:17:26 2015
@@ -102,9 +102,9 @@ cp templates/sandbox.knoxrealm.ehcache.x
bin/ldap.sh start
bin/gateway.sh start
-The following call to WebHDFS should report: {"Path":"/user/guest"}
+The following call to WebHDFS should report: {"Path":"/user/tom"}
-curl -i -v -k -u guest:guest-password -X GET
https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
+curl -i -v -k -u tom:tom-password -X GET
https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
In order to see the cache working, LDAP can now be shutdown and the user will
still authenticate successfully.
@@ -112,7 +112,7 @@ bin/ldap.sh stop
and then the following should still return successfully like it did earlier.
-curl -i -v -k -u guest:guest-password -X GET
https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
+curl -i -v -k -u tom:tom-password -X GET
https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
#### Advanced Caching Config ####
Modified: knox/trunk/books/0.6.0/config_ldap_group_lookup.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/0.6.0/config_ldap_group_lookup.md?rev=1678804&r1=1678803&r2=1678804&view=diff
==============================================================================
--- knox/trunk/books/0.6.0/config_ldap_group_lookup.md (original)
+++ knox/trunk/books/0.6.0/config_ldap_group_lookup.md Mon May 11 19:17:26 2015
@@ -22,7 +22,7 @@ Knox can look up both Static LDAP Groups
The looked up groups are populated as Principal(s) in the Java Subject of
authenticated user.
Therefore service authorization rules can be defined in terms of LDAPGroups
looked up from LDAP directory.
-To look up LDAPGroups of autheticated user from LDAP, you have to use
org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm in Shiro configuration.
+To look up LDAPGroups of authenticated user from LDAP, you have to use
org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm in Shiro configuration.
Please see below a sample Shiro configuration snippet from a topology file
that was tested looking LDAPGroups.
@@ -137,7 +137,7 @@ Please see below a sample Shiro configur
The configuration shown above would look up Static LDAP groups of
authenticated user and populate the group principals in the Java Subject
corresponding to authenticated user.
-If you want to look up Dynamic LDAP Groups instead of Static LDAP Groups, you
would have to speciify groupObjectClass and memberAttribute params as shown
below:
+If you want to look up Dynamic LDAP Groups instead of Static LDAP Groups, you
would have to specify groupObjectClass and memberAttribute params as shown
below:
<param>
<name>main.ldapRealm.groupObjectClass</name>
@@ -162,7 +162,7 @@ ldif file : users.ldapgroups.ldif
To try this out
cd {GATEWAY_HOME}
-cp templates/sandbox.knoxrealm1.xml deployments/sandbox.xml
+cp templates/sandbox.knoxrealm1.xml conf/topologies/sandbox.xml
cp templates/users.ldapgroups.ldif conf/users.ldif
java -jar bin/ldap.jar conf
java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar
-persist-master
@@ -186,7 +186,7 @@ ldif file : users.ldapgroups.ldif
To try this out
cd {GATEWAY_HOME}
-cp templates/sandbox.knoxrealm2.xml deployments/sandbox.xml
+cp templates/sandbox.knoxrealm2.xml conf/topologies/sandbox.xml
cp templates/users.ldapgroups.ldif conf/users.ldif
java -jar bin/ldap.jar conf
java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar
-persist-master
@@ -209,7 +209,7 @@ ldif file : users.ldapdynamicgroups.l
To try this out
cd {GATEWAY_HOME}
-cp templates/sandbox.knoxrealmdg.xml deployments/sandbox.xml
+cp templates/sandbox.knoxrealmdg.xml conf/topologies/sandbox.xml
cp templates/users.ldapdynamicgroups.ldif conf/users.ldif
java -jar bin/ldap.jar conf
java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar
-persist-master
Added: knox/trunk/books/static/workflow-configuration.xml
URL:
http://svn.apache.org/viewvc/knox/trunk/books/static/workflow-configuration.xml?rev=1678804&view=auto
==============================================================================
--- knox/trunk/books/static/workflow-configuration.xml (added)
+++ knox/trunk/books/static/workflow-configuration.xml Mon May 11 19:17:26 2015
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<configuration>
+ <property>
+ <name>jobTracker</name>
+ <value>REPLACE.JOBTRACKER.RPCHOSTPORT</value>
+ <!-- Example: <value>localhost:50300</value> -->
+ </property>
+ <property>
+ <name>nameNode</name>
+ <value>hdfs://REPLACE.NAMENODE.RPCHOSTPORT</value>
+ <!-- Example: <value>hdfs://localhost:8020</value> -->
+ </property>
+ <property>
+ <name>oozie.wf.application.path</name>
+ <value>hdfs://REPLACE.NAMENODE.RPCHOSTPORT/tmp/test</value>
+ <!-- Example: <value>hdfs://localhost:8020/tmp/test</value> -->
+ </property>
+ <property>
+ <name>user.name</name>
+ <value>mapred</value>
+ </property>
+ <property>
+ <name>inputDir</name>
+ <value>/tmp/test/input</value>
+ </property>
+ <property>
+ <name>outputDir</name>
+ <value>/tmp/test/output</value>
+ </property>
+</configuration>
Added: knox/trunk/books/static/workflow-definition.xml
URL:
http://svn.apache.org/viewvc/knox/trunk/books/static/workflow-definition.xml?rev=1678804&view=auto
==============================================================================
--- knox/trunk/books/static/workflow-definition.xml (added)
+++ knox/trunk/books/static/workflow-definition.xml Mon May 11 19:17:26 2015
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<workflow-app xmlns="uri:oozie:workflow:0.2" name="wordcount-workflow">
+ <start to="root"/>
+ <action name="root">
+ <java>
+ <job-tracker>${jobTracker}</job-tracker>
+ <name-node>${nameNode}</name-node>
+ <main-class>org.apache.hadoop.examples.WordCount</main-class>
+ <arg>${inputDir}</arg>
+ <arg>${outputDir}</arg>
+ </java>
+ <ok to="end"/>
+ <error to="fail"/>
+ </action>
+ <kill name="fail">
+ <message>Java failed, error
message[${wf:errorMessage(wf:lastErrorNode())}]</message>
+ </kill>
+ <end name="end"/>
+</workflow-app>
\ No newline at end of file
