Posted to commits@knox.apache.org by lm...@apache.org on 2017/03/16 06:12:10 UTC

svn commit: r1787131 - in /knox: site/books/knox-0-12-0/user-guide.html trunk/books/0.12.0/config_sso_cookie_provider.md

Author: lmccay
Date: Thu Mar 16 06:12:10 2017
New Revision: 1787131

URL: http://svn.apache.org/viewvc?rev=1787131&view=rev
Log:
adding docs for JWTProvider to 0.12.0

Modified:
    knox/site/books/knox-0-12-0/user-guide.html
    knox/trunk/books/0.12.0/config_sso_cookie_provider.md

Modified: knox/site/books/knox-0-12-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-12-0/user-guide.html?rev=1787131&r1=1787130&r2=1787131&view=diff
==============================================================================
--- knox/site/books/knox-0-12-0/user-guide.html (original)
+++ knox/site/books/knox-0-12-0/user-guide.html Thu Mar 16 06:12:10 2017
@@ -2547,10 +2547,10 @@ APACHE_HOME/bin/apachectl -k stop
    <enabled>true</enabled>
    <param>
        <name>knox.token.audiences</name>
-       <value>1234,2345</value>
+       <value>tokenbased</value>
    </param>
 </provider>
-</code></pre><p>The following table describes the configuration options for the JWT federation provider:</p><h5><a id="Descriptions">Descriptions</a> <a href="#Descriptions"><img src="markbook-section-link.png"/></a></h5>
+</code></pre><p>The knox.token.audiences parameter above indicates that any token in an incoming request must contain an audience claim called &ldquo;tokenbased&rdquo;. In this case, the idea is that the issuing KnoxToken service will be configured to include such an audience claim and that the resulting token is valid to use in the topology that contains configuration like above. This would generally be the name of the topology but you can standardize on anything.</p><p>The following table describes the configuration options for the JWT federation provider:</p><h5><a id="Descriptions">Descriptions</a> <a href="#Descriptions"><img src="markbook-section-link.png"/></a></h5>
 <table>
   <thead>
     <tr>
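Review bot: In the paragraph added on the `+</code></pre>` line, "an audience claim called tokenbased" mixes up the claim's name and its value: in a JWT the claim is `aud`, and `tokenbased` is a value it carries. Suggest wording along the lines of "must contain an audience (aud) claim that includes the value tokenbased". Also, replacing `1234,2345` with a single value removes the only example on the page showing that more than one audience can be configured, while the table below still says "at least one of the configured audience claims"; a sentence saying that several audiences can be listed would keep the two consistent.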
@@ -2562,11 +2562,11 @@ APACHE_HOME/bin/apachectl -k stop
   <tbody>
     <tr>
       <td>knox.token.audiences</td>
-      <td>Optional parameter. This parameter allows the administrator to constrain the use of tokens on this endpoint to those that have tokens with at least one of the configured audience claims. These claims have associated configuration within the KnoxToken service as well. This provides and interesting way to make sure that the token issued based on authentication to a particular LDAP server or other IdP is accepted but not others.</td>
+      <td>Optional parameter. This parameter allows the administrator to constrain the use of tokens on this endpoint to those that have tokens with at least one of the configured audience claims. These claims have associated configuration within the KnoxToken service as well. This provides an interesting way to make sure that the token issued based on authentication to a particular LDAP server or other IdP is accepted but not others.</td>
       <td>N/A</td>
     </tr>
   </tbody>
-</table><h3><a id="Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect">Pac4j Provider - CAS / OAuth / SAML / OpenID Connect</a> <a href="#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect"><img src="markbook-section-link.png"/></a></h3>
+</table><p>See the documentation for the Knox Token service for related details.</p><h3><a id="Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect">Pac4j Provider - CAS / OAuth / SAML / OpenID Connect</a> <a href="#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect"><img src="markbook-section-link.png"/></a></h3>
 <p align="center">
   <img src="https://pac4j.github.io/pac4j/img/logo-knox.png" width="300" />
 </p><p><a href="https://github.com/pac4j/pac4j">pac4j</a> is a Java security engine to authenticate users, get their profiles and manage their authorizations in order to secure Java web applications.</p><p>It supports many authentication mechanisms for UI and web services and is implemented by many frameworks and tools.</p><p>For Knox, it is used as a federation provider to support the OAuth, CAS, SAML and OpenID Connect protocols. It must be used for SSO, in association with the KnoxSSO service and optionally with the SSOCookieProvider for access to REST APIs.</p><h4><a id="Configuration">Configuration</a> <a href="#Configuration"><img src="markbook-section-link.png"/></a></h4><h5><a id="SSO+topology">SSO topology</a> <a href="#SSO+topology"><img src="markbook-section-link.png"/></a></h5><p>To enable SSO for REST API access through the Knox gateway, you need to protect your Hadoop services with the the SSOCookieProvider configured to use the KnoxSSO service (sandbox.xml topology):<
 /p>
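Review bot: The knox.token.audiences description says "Optional parameter" with a default of N/A, but it never states what the provider does when the parameter is absent. That is the case an administrator most needs spelled out: are tokens carrying any audience then accepted on this endpoint? Please state that behaviour in the description cell. The added "See the documentation for the Knox Token service for related details." would also be more useful as a link to that section rather than plain text.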

Modified: knox/trunk/books/0.12.0/config_sso_cookie_provider.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.12.0/config_sso_cookie_provider.md?rev=1787131&r1=1787130&r2=1787131&view=diff
==============================================================================
--- knox/trunk/books/0.12.0/config_sso_cookie_provider.md (original)
+++ knox/trunk/books/0.12.0/config_sso_cookie_provider.md Thu Mar 16 06:12:10 2017
@@ -89,14 +89,18 @@ The following provider configuration can
        <enabled>true</enabled>
        <param>
            <name>knox.token.audiences</name>
-           <value>1234,2345</value>
+           <value>tokenbased</value>
        </param>
     </provider>
 
+The knox.token.audiences parameter above indicates that any token in an incoming request must contain an audience claim called "tokenbased". In this case, the idea is that the issuing KnoxToken service will be configured to include such an audience claim and that the resulting token is valid to use in the topology that contains configuration like above. This would generally be the name of the topology but you can standardize on anything.
+
 The following table describes the configuration options for the JWT federation provider:
 
 ##### Descriptions #####
 
 Name | Description | Default
 ---------|-----------
-knox.token.audiences|Optional parameter. This parameter allows the administrator to constrain the use of tokens on this endpoint to those that have tokens with at least one of the configured audience claims. These claims have associated configuration within the KnoxToken service as well. This provides and interesting way to make sure that the token issued based on authentication to a particular LDAP server or other IdP is accepted but not others.|N/A
\ No newline at end of file
+knox.token.audiences|Optional parameter. This parameter allows the administrator to constrain the use of tokens on this endpoint to those that have tokens with at least one of the configured audience claims. These claims have associated configuration within the KnoxToken service as well. This provides an interesting way to make sure that the token issued based on authentication to a particular LDAP server or other IdP is accepted but not others.|N/A
+
+See the documentation for the Knox Token service for related details.
\ No newline at end of file
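Review bot: The added paragraph says the issuing KnoxToken service "will be configured to include such an audience claim" but does not name the setting that does this, so a reader cannot complete the configuration from this section, and the closing "See the documentation for the Knox Token service" does not say where to look. Name the issuing-side parameter here or link to its section. Two smaller points in the same hunk: the delimiter row `---------|-----------` has two columns under the three-column header `Name | Description | Default`, and the file still ends without a trailing newline.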