Posted to commits@knox.apache.org by lm...@apache.org on 2013/09/30 16:27:51 UTC

svn commit: r1527590 - in /incubator/knox/trunk/books/0.3.0: config.md config_authz.md

Author: lmccay
Date: Mon Sep 30 14:27:51 2013
New Revision: 1527590

URL: http://svn.apache.org/r1527590
Log:
added documentation for wildcards within ip addresses in ACL authorization

Modified:
    incubator/knox/trunk/books/0.3.0/config.md
    incubator/knox/trunk/books/0.3.0/config_authz.md

Modified: incubator/knox/trunk/books/0.3.0/config.md
URL: http://svn.apache.org/viewvc/incubator/knox/trunk/books/0.3.0/config.md?rev=1527590&r1=1527589&r2=1527590&view=diff
==============================================================================
--- incubator/knox/trunk/books/0.3.0/config.md (original)
+++ incubator/knox/trunk/books/0.3.0/config.md Mon Sep 30 14:27:51 2013
@@ -326,7 +326,7 @@ The credential stores in Knox use the JC
 Follow the prompts again for the DN for the cert of the credential store. This certificate isn't really used for anything at the moment but is required to create the credential store.
 
 ##### Provisioning of Keystores #####
-Once you have created these keystores you must move them into place for the gateway to discover them and use them to represent its identity for SSL connections. This is done by copying the keystores to the {GATEWAY_HOME}/conf/security/keystores directory for your gateway install.
+Once you have created these keystores you must move them into place for the gateway to discover them and use them to represent its identity for SSL connections. This is done by copying the keystores to the `{GATEWAY_HOME}/conf/security/keystores` directory for your gateway install.
 
 #### Summary of Secrets to be Managed ####
 
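Review bot: The reworded sentence under "Provisioning of Keystores" tells the reader to copy the keystores into `{GATEWAY_HOME}/conf/security/keystores` but says nothing about who should own the files or what permissions they need once they are there. These keystores represent the gateway's identity for SSL connections, so consider adding a sentence on restricting read access to the account that runs the gateway. Separately, this formatting change is unrelated to the ACL wildcard documentation named in the log message; mentioning it in the log would help anyone reading the history of config.md.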

Modified: incubator/knox/trunk/books/0.3.0/config_authz.md
URL: http://svn.apache.org/viewvc/incubator/knox/trunk/books/0.3.0/config_authz.md?rev=1527590&r1=1527589&r2=1527590&view=diff
==============================================================================
--- incubator/knox/trunk/books/0.3.0/config_authz.md (original)
+++ incubator/knox/trunk/books/0.3.0/config_authz.md Mon Sep 30 14:27:51 2013
@@ -136,9 +136,19 @@ The above configuration enables the auth
         <name>{serviceName}.acl</name>
         <value>username[,*|username...];group[,*|group...];ipaddr[,*|ipaddr...]</value>
     </param>
-
+    
 where `{serverName}` would need to be the name of a configured Hadoop service within the topology.
-Note that the configuration without any ACLs defined is equivalent to:
+
+NOTE: ipaddr is unique among the parts of the ACL in that you are able to specify a wildcard within an ipaddr to indicate that the remote address must being with the String prior to the asterisk within the ipaddr acl. For instance:
+
+    <param>
+        <name>{serviceName}.acl</name>
+        <value>*;*;192.168.*</value>
+    </param>
+    
+This indicates that the request must come from an IP address that begins with '192.168.' in order to be granted access.
+
+Note also that configuration without any ACLs defined is equivalent to:
 
     <param>
         <name>{serviceName}.acl</name>
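Review bot: The added NOTE describes the ipaddr wildcard as a plain string-prefix match on the remote address, but it does not tell the reader that the text before the asterisk should end on an octet boundary. As described, a value such as `192.168.1*` would also admit addresses like 192.168.10.x and 192.168.100.x, which someone writing an ACL is unlikely to intend. Suggest stating that the prefix should end with a dot, as the `192.168.*` example does, and saying whether the asterisk is honoured only at the end of the value. Smaller fixes in the same hunk: "must being with" should read "must begin with"; the context line refers to `{serverName}` while the param name uses `{serviceName}`; and the two replacement blank lines now carry four trailing spaces, which should be dropped unless they are needed to keep the indented block together.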