KNOX-1350 - Complete centralization of manager.xml topology config in gateway-site.xml
authorLarry McCay <lmccay@HW14155.home>
Wed, 13 Jun 2018 22:31:58 +0000 (18:31 -0400)
committerLarry McCay <lmccay@HW14155.home>
Wed, 13 Jun 2018 22:32:12 +0000 (18:32 -0400)
gateway-provider-identity-assertion-hadoop-groups/src/main/java/org/apache/knox/gateway/identityasserter/hadoop/groups/filter/HadoopGroupProviderDeploymentContributor.java
gateway-release/home/conf/gateway-site.xml
gateway-release/home/conf/topologies/manager.xml
gateway-release/home/conf/users.ldif
gateway-server/src/main/java/org/apache/knox/gateway/services/topology/impl/DefaultTopologyService.java

index 4fb8465..4d31132 100644 (file)
@@ -75,22 +75,22 @@ public class HadoopGroupProviderDeploymentContributor
   @Override
   public void contributeFilter( DeploymentContext context, Provider provider, Service service,
       ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
-       Map<String, String> p = provider.getParams();
-       String prefix = p.get("CENTRAL_GROUP_CONFIG_PREFIX");
-       if (prefix != null && !prefix.isEmpty()) {
-         if (!prefix.endsWith(".")) {
-        prefix += ".";
-         }
+       Map<String, String> p = provider.getParams();
+       String prefix = p.get("CENTRAL_GROUP_CONFIG_PREFIX");
+       if (prefix != null && !prefix.isEmpty()) {
+         if (!prefix.endsWith(".")) {
+          prefix += ".";
+         }
       Map<String, String> groupMappingParams = 
               ((Configuration)context.getGatewayConfig()).getPropsWithPrefix(prefix);
       if (groupMappingParams != null) {
         params = createParamList(resource, params, groupMappingParams);        
       }
     }
-
-       if (params == null || params.isEmpty()) {
-      params = buildFilterInitParms(provider, resource, params);
-       }
+  
+       if (params == null || params.isEmpty()) {
+        params = buildFilterInitParms(provider, resource, params);
+       }
     resource.addFilter().name(getName()).role(getRole()).impl(getFilterClassname()).params(params);
   }
 
index fec5e87..64abf16 100644 (file)
@@ -85,4 +85,48 @@ limitations under the License.
         <description>The interval (in seconds) for polling Ambari for cluster configuration changes.</description>
     </property>
 
+    <!-- Knox Admin related config -->
+       <property>
+        <name>gateway.knox.admin.groups</name>
+        <value>admin</value>
+    </property>
+
+    <!-- DEMO LDAP config for Hadoop Group Provider -->
+    <property>
+        <name>gateway.group.config.hadoop.security.group.mapping</name>
+        <value>org.apache.hadoop.security.LdapGroupsMapping</value>
+    </property>
+    <property>
+        <name>gateway.group.config.hadoop.security.group.mapping.ldap.bind.user</name>
+        <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
+    </property>
+    <property>
+        <name>gateway.group.config.hadoop.security.group.mapping.ldap.bind.password</name>
+        <value>guest-password</value>
+    </property>
+    <property>
+        <name>gateway.group.config.hadoop.security.group.mapping.ldap.url</name>
+        <value>ldap://localhost:33389</value>
+    </property>
+    <property>
+        <name>gateway.group.config.hadoop.security.group.mapping.ldap.base</name>
+        <value></value>
+    </property>
+    <property>
+        <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.filter.user</name>
+        <value>(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
+    </property>
+    <property>
+        <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.filter.group</name>
+        <value>(objectclass=groupOfNames)</value>
+    </property>
+    <property>
+        <name>hgateway.group.config.adoop.security.group.mapping.ldap.search.attr.member</name>
+        <value>member</value>
+    </property>
+    <property>
+        <name>gateway.group.config.hadoop.security.group.mapping.ldap.search.attr.group.name</name>
+        <value>cn</value>
+    </property>
+
 </configuration>
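Review bot: The property name `hgateway.group.config.adoop.security.group.mapping.ldap.search.attr.member` has the leading `h` of `hadoop` shifted to the front, so it no longer starts with the `gateway.group.config.` prefix that the manager topology hands to HadoopGroupProvider and the member attribute setting will be silently ignored; it should read `<name>gateway.group.config.hadoop.security.group.mapping.ldap.search.attr.member</name>`. The `...ldap.bind.password` property ships a clear-text bind credential in the default gateway-site.xml; the `DEMO LDAP config` comment above it covers the intent, but a more explicit marker such as `<!-- DEMO only: clear-text bind credentials for the bundled demo LDAP on ldap://localhost:33389; replace before any non-demo deployment -->` would make the risk of copying it into a real site file harder to miss. The first added `<property>` element (the `gateway.knox.admin.groups` one) is indented differently from the others in the file.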
index 12dffe4..844d857 100644 (file)
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="UTF-8"?>
 <!--
   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
   limitations under the License.
 -->
 <topology>
-
-    <gateway>
-
-        <provider>
-            <role>webappsec</role>
-            <name>WebAppSec</name>
-            <enabled>true</enabled>
-            <param><name>csrf.enabled</name><value>true</value></param>
-            <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
-            <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
-            <param><name>xframe.options.enabled</name><value>true</value></param>
-            <param><name>xss.protection.enabled</name><value>true</value></param>
-            <param><name>strict.transport.enabled</name><value>true</value></param>
-        </provider>
-
-        <provider>
-            <role>federation</role>
-            <name>SSOCookieProvider</name>
-            <enabled>true</enabled>
-        </provider>
-
-        <provider>
-            <role>authorization</role>
-            <name>AclsAuthz</name>
-            <enabled>true</enabled>
-            <param>
-                <name>knox.acl</name>
-                <value>admin;*;*</value>
-            </param>
-        </provider>
-
-        <provider>
-            <role>identity-assertion</role>
-            <name>Default</name>
-            <enabled>true</enabled>
-        </provider>
-
-        <provider>
-            <role>hostmap</role>
-            <name>static</name>
-            <enabled>true</enabled>
-            <param>
-                <name>localhost</name>
-                <value>sandbox,sandbox.hortonworks.com</value>
-            </param>
-        </provider>
-
-    </gateway>
-
-    <application>
-        <role>admin-ui</role>
-    </application>
-
-    <service>
-        <role>KNOX</role>
-    </service>
-
+   <name>manager</name>
+   <gateway>
+      <provider>
+         <role>webappsec</role>
+         <name>WebAppSec</name>
+         <enabled>true</enabled>
+         <param>
+            <name>csrf.enabled</name>
+            <value>true</value>
+         </param>
+         <param>
+            <name>csrf.customHeader</name>
+            <value>X-XSRF-Header</value>
+         </param>
+         <param>
+            <name>csrf.methodsToIgnore</name>
+            <value>GET,OPTIONS,HEAD</value>
+         </param>
+         <param>
+            <name>xframe.options.enabled</name>
+            <value>true</value>
+         </param>
+         <param>
+            <name>xss.protection.enabled</name>
+            <value>true</value>
+         </param>
+         <param>
+            <name>strict.transport.enabled</name>
+            <value>true</value>
+         </param>
+      </provider>
+      <provider>
+         <role>federation</role>
+         <name>SSOCookieProvider</name>
+         <enabled>true</enabled>
+      </provider>
+      <provider>
+         <role>identity-assertion</role>
+         <name>HadoopGroupProvider</name>
+         <enabled>true</enabled>
+         <param>
+            <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
+            <value>gateway.group.config.</value>
+         </param>
+      </provider>
+      <provider>
+         <role>authorization</role>
+         <name>AclsAuthz</name>
+         <enabled>true</enabled>
+         <param>
+            <name>knox.acl.mode</name>
+            <value>OR</value>
+         </param>
+         <param>
+            <name>knox.acl</name>
+            <value>KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*</value>
+         </param>
+      </provider>
+   </gateway>
+   <service>
+      <role>KNOX</role>
+   </service>
+   <application>
+      <name>admin-ui</name>
+   </application>
 </topology>
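Review bot: The AclsAuthz provider is now configured with `knox.acl.mode` set to `OR` and an ACL of `KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*`; since `*` in the IP section matches every address, in OR mode that clause alone would appear to authorize any authenticated caller unless the ACL evaluator treats a wildcard section as unset in OR mode, which is worth confirming before this topology is shipped as the admin entry point. `KNOX_ADMIN_USERS` and `KNOX_ADMIN_GROUPS` look like placeholders resolved from gateway-site at deployment, but the gateway-site.xml hunk in this commit only adds `gateway.knox.admin.groups`, so the users side presumably relies on a property defined elsewhere. Two changes not mentioned in the commit title also land here: the `<application>` element switches from `<role>admin-ui</role>` to `<name>admin-ui</name>`, and the static hostmap provider is dropped; a sentence in the description saying both are intentional would help.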
index a39f27c..986704d 100644 (file)
@@ -100,3 +100,11 @@ cn: scientist
 description: scientist group
 member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
 
+# create the admin group under groups
+dn: cn=admin,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass: groupofnames
+cn: admin
+description: admin group
+member: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
+
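Review bot: The `objectclass:top` line of the new admin group entry lacks the space after the colon that every other attribute line in this file uses (`objectclass: groupofnames`, `cn: admin`); LDIF accepts it, but `objectclass: top` keeps the entries consistent and avoids a spurious diff the next time the file is reformatted. The `member: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org` reference assumes that user entry exists earlier in users.ldif, which is outside this hunk.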
index e306d24..d2f6ad0 100644 (file)
@@ -163,7 +163,7 @@ public class DefaultTopologyService
     try {
       TopologyValidator tv = new TopologyValidator(topology);
 
-      if(tv.validateTopology()) {
+      if(!tv.validateTopology()) {
         throw new SAXException(tv.getErrorString());
       }