Posted to commits@knox.apache.org by lm...@apache.org on 2014/02/19 21:41:48 UTC

svn commit: r1569910 - in /incubator/knox: site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html trunk/books/0.4.0/config_preauth_sso_provider.md

Author: lmccay
Date: Wed Feb 19 20:41:47 2014
New Revision: 1569910

URL: http://svn.apache.org/r1569910
Log:
changed the caution paragraph to strong rather than code - so we can see the whole thing

Modified:
    incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html
    incubator/knox/trunk/books/0.4.0/config_preauth_sso_provider.md

Modified: incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html
URL: http://svn.apache.org/viewvc/incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html?rev=1569910&r1=1569909&r2=1569910&view=diff
==============================================================================
--- incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html (original)
+++ incubator/knox/site/books/knox-incubating-0-4-0/knox-incubating-0-4-0.html Wed Feb 19 20:41:47 2014
@@ -1116,9 +1116,7 @@ APACHE_HOME/bin/apachectl -k stop
   </tbody>
 </table><h4><a id="REST+Invocation"></a>REST Invocation</h4><p>The following curl command can be used to request a directory listing from HDFS while passing in the expected header X-XSRF-Header.</p>
 <pre><code>curl -k -i --header &quot;X-XSRF-Header: valid&quot; -v -u guest:guest-password https://localhost:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS
-</code></pre><p>Omitting the &ndash;header &ldquo;X-XSRF-Header: valid&rdquo; above should result in an HTTP 400 bad_request.</p><p>Disabling the provider will then allow a request that is missing the header through. </p><h3><a id="Preauthenticated+SSO+Provider"></a>Preauthenticated SSO Provider</h3><p>A number of SSO solutions provide mechanisms for federating an authenticated identity across applications. These mechanisms are at times simple HTTP Header type tokens that can be used to propagate the identity across process boundaries.</p><p>Knox Gateway needs a pluggable mechanism for consuming these tokens and federating the asserted identity through an interaction with the Hadoop cluster. </p>
-<pre><code>CAUTION: The use of this provider requires that proper network security and identity provider configuration and deployment does not allow requests directly to the Knox gateway. Otherwise, this provider will leave the gateway exposed to identity spoofing.
-</code></pre><h4><a id="Configuration"></a>Configuration</h4><h5><a id="Overview"></a>Overview</h5><p>The HeaderPreAuth provider is configured within the topology file and has a minimal configuration that assumes SM_USER for CA SiteMinder. The following example is the bare minimum configuration for SiteMinder (with no IP address validation).</p>
+</code></pre><p>Omitting the &ndash;header &ldquo;X-XSRF-Header: valid&rdquo; above should result in an HTTP 400 bad_request.</p><p>Disabling the provider will then allow a request that is missing the header through. </p><h3><a id="Preauthenticated+SSO+Provider"></a>Preauthenticated SSO Provider</h3><p>A number of SSO solutions provide mechanisms for federating an authenticated identity across applications. These mechanisms are at times simple HTTP Header type tokens that can be used to propagate the identity across process boundaries.</p><p>Knox Gateway needs a pluggable mechanism for consuming these tokens and federating the asserted identity through an interaction with the Hadoop cluster. </p><p><strong>CAUTION: The use of this provider requires that proper network security and identity provider configuration and deployment does not allow requests directly to the Knox gateway. Otherwise, this provider will leave the gateway exposed to identity spoofing.</strong></p><h4><a id="Con
 figuration"></a>Configuration</h4><h5><a id="Overview"></a>Overview</h5><p>The HeaderPreAuth provider is configured within the topology file and has a minimal configuration that assumes SM_USER for CA SiteMinder. The following example is the bare minimum configuration for SiteMinder (with no IP address validation).</p>
 <pre><code>&lt;provider&gt;
   &lt;role&gt;federation&lt;/role&gt;
   &lt;name&gt;HeaderPreAuth&lt;/name&gt;
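
Review bot: The now-bold CAUTION on the added line is followed directly by the Overview paragraph, whose first example is described as "the bare minimum configuration for SiteMinder (with no IP address validation)". A reader who copies that example gets exactly the deployment the caution warns about. Consider tying the two together, either by having the caution mention IP address validation as the relevant control or by having the Overview sentence refer back to the caution, so that the spoofing risk and the setting that addresses it are read together.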

Modified: incubator/knox/trunk/books/0.4.0/config_preauth_sso_provider.md
URL: http://svn.apache.org/viewvc/incubator/knox/trunk/books/0.4.0/config_preauth_sso_provider.md?rev=1569910&r1=1569909&r2=1569910&view=diff
==============================================================================
--- incubator/knox/trunk/books/0.4.0/config_preauth_sso_provider.md (original)
+++ incubator/knox/trunk/books/0.4.0/config_preauth_sso_provider.md Wed Feb 19 20:41:47 2014
@@ -21,7 +21,7 @@ A number of SSO solutions provide mechan
 
 Knox Gateway needs a pluggable mechanism for consuming these tokens and federating the asserted identity through an interaction with the Hadoop cluster. 
 
-	CAUTION: The use of this provider requires that proper network security and identity provider configuration and deployment does not allow requests directly to the Knox gateway. Otherwise, this provider will leave the gateway exposed to identity spoofing.
+**CAUTION: The use of this provider requires that proper network security and identity provider configuration and deployment does not allow requests directly to the Knox gateway. Otherwise, this provider will leave the gateway exposed to identity spoofing.**
 
 #### Configuration ####
 ##### Overview #####
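
Review bot: The new `**CAUTION: ...**` line keeps the original wording, which has a subject-verb mismatch ("configuration and deployment does not allow") and is hard to parse on first read. Since the line is being rewritten anyway, consider something like "requires that network security and the identity provider's configuration and deployment do not allow requests to reach the Knox gateway directly". As a style point, bolding the whole paragraph works around the non-wrapping code block, but a bold "CAUTION:" label followed by normal-weight text would read more easily and still wrap.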