Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2018/06/09 17:18:00 UTC

[jira] [Commented] (KNOX-1350) Centralize Group Lookup Config for Knox Admin API

    [ https://issues.apache.org/jira/browse/KNOX-1350?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16507080#comment-16507080 ] 

Larry McCay commented on KNOX-1350:
-----------------------------------

Rather than constraining this to just the KNOX service, we can provide a topology-level param that indicates that this topology wishes to use central group lookup config rather than topology level.

By adding "CENTRAL_GROUP_CONFIG_PREFIX" as a param with a value that indicates which prefix to use when pulling the config params, the configuration will be used across any topology that shares the prefix. We will need to redundantly configure the prefix, but that is easier to do correctly than all of the LDAP params, for instance.

I will also make admin.xml and manager.xml have this set to the same value which will keep them in sync.

When this is set and there is no config in gatewayConfig for the provided prefix, it will use whatever is in the topology as the params.

There may be an opportunity to override central params from the topology as well.

> Centralize Group Lookup Config for Knox Admin API
> -------------------------------------------------
>
>                 Key: KNOX-1350
>                 URL: https://issues.apache.org/jira/browse/KNOX-1350
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 1.1.0
>
>
> This change enables the use of HadoopGroupProvider identity-assertion provider to be configured by GatewayConfig rather than having to redundantly configure it in each topology that hosts the KNOX service.
> It allows for the configuration to be standard Hadoop names with a "gateway.knox.admin.group.config." prefix. It is aligned with the KNOX_ADMIN_USERS and KNOX_ADMIN_GROUPS that were added to the AclsAuthz provider to allow that configuration to also be provided in the gateway config.
> In Ambari-managed environments this will be easier for providing this config in one place and not even need to be able to manage manager.xml or others that need this information.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
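A sketch of the lookup behaviour described in the comment above, added here as an illustration and not taken from the Knox code base: a topology that sets CENTRAL_GROUP_CONFIG_PREFIX gets the gateway-level params under that prefix, and falls back to its own params when nothing is configured there. The class name, the flat-map model of the gateway config, the stripping of the prefix and the sample LDAP values are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class CentralGroupConfigSketch {
    static final String PREFIX_PARAM = "CENTRAL_GROUP_CONFIG_PREFIX"; // param name from the comment

    // Returns the group lookup params a topology ends up with.
    // gatewayConfig is modelled as a flat map (assumption, not Knox's GatewayConfig API).
    static Map<String, String> resolve(Map<String, String> gatewayConfig,
                                       Map<String, String> topologyParams) {
        Map<String, String> local = new LinkedHashMap<>(topologyParams);
        String prefix = local.remove(PREFIX_PARAM);
        if (prefix == null || prefix.isEmpty()) {
            return local; // topology did not opt in to central config
        }
        Map<String, String> central = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : gatewayConfig.entrySet()) {
            if (e.getKey().startsWith(prefix)) {
                // Assumption: the prefix is stripped so the provider sees plain Hadoop names.
                central.put(e.getKey().substring(prefix.length()), e.getValue());
            }
        }
        // Nothing configured centrally under this prefix: use the topology's own params.
        return central.isEmpty() ? local : central;
    }

    public static void main(String[] args) {
        String prefix = "gateway.knox.admin.group.config."; // prefix from the issue description
        Map<String, String> gateway = new LinkedHashMap<>(); // constructed sample values
        gateway.put(prefix + "hadoop.security.group.mapping",
                "org.apache.hadoop.security.LdapGroupsMapping");
        gateway.put(prefix + "hadoop.security.group.mapping.ldap.url",
                "ldap://ldap.example.test:389");

        Map<String, String> admin = new LinkedHashMap<>();
        admin.put(PREFIX_PARAM, prefix);

        // A typo in the prefix matches nothing, so this topology silently keeps local params.
        Map<String, String> manager = new LinkedHashMap<>();
        manager.put(PREFIX_PARAM, "gateway.knox.admin.group.cfg.");
        manager.put("hadoop.security.group.mapping.ldap.url", "ldap://old.example.test:389");

        System.out.println("admin   -> " + resolve(gateway, admin));
        System.out.println("manager -> " + resolve(gateway, manager));
    }
}
```

The second topology shows why the prefix values in admin.xml and manager.xml need to match: with the fallback, a mismatched prefix produces no error, only a different group lookup source feeding the admin authorization checks.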