Posted to commits@knox.apache.org by di...@apache.org on 2014/02/22 02:24:10 UTC
git commit: KNOX-277: add topology template files to illustrate
preauth sso and sla
Repository: incubator-knox
Updated Branches:
refs/heads/master d82e991a3 -> aff2b8465
KNOX-277: add topology template files to illustrate preauth sso and sla
Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/aff2b846
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/aff2b846
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/aff2b846
Branch: refs/heads/master
Commit: aff2b8465675f933c9c53fdaa2a5ae5a491cb5b8
Parents: d82e991
Author: Dilli Dorai Arumugam <da...@hortonworks.com>
Authored: Fri Feb 21 17:18:54 2014 -0800
Committer: Dilli Dorai Arumugam <da...@hortonworks.com>
Committed: Fri Feb 21 17:18:54 2014 -0800
----------------------------------------------------------------------
.../home/templates/preauth127sla.xml | 116 +++++++++++++++++++
.../home/templates/preauth254sla.xml | 116 +++++++++++++++++++
2 files changed, 232 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/aff2b846/gateway-release/home/templates/preauth127sla.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/preauth127sla.xml b/gateway-release/home/templates/preauth127sla.xml
new file mode 100644
index 0000000..1d030d6
--- /dev/null
+++ b/gateway-release/home/templates/preauth127sla.xml
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+
+ <gateway>
+
+ <!-- test: curl -i -k https://localhost:8443/gateway/preauth127sla/webhdfs/v1?op=GETHOMEDIRECTORY -->
+ <!-- test: curl -i -k -H "SM_USER: guest" https://localhost:8443/gateway/preauth127sla/webhdfs/v1?op=GETHOMEDIRECTORY -->
+ <!-- test: curl -i -k -H "SM_USER:guest" -H "sm_group:analyst" https://localhost:8443/gateway/preauth127sla/webhdfs/v1?op=GETHOMEDIRECTORY -->
+ <provider>
+ <role>federation</role>
+ <name>HeaderPreAuth</name>
+ <enabled>true</enabled>
+ <param><name>preauth.validation.method</name><value>preauth.ip.validation</value></param>
+ <!-- testing from localhost request ip shows up as
+ 127.0.0.1
+ or
+ 0:0:0:0:0:0:0:1 -->
+ <param><name>preauth.validation.method</name><value>preauth.ip.validation</value></param>
+ <param><name>preauth.ip.addresses</name><value>127.*,10.*,0:*</value></param>
+ <param><name>preauth.custom.header</name><value>SM_USER</value></param>
+ <param><name>preauth.custom.group.header</name><value>sm_group</value></param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Pseudo</name>
+ <enabled>true</enabled>
+ </provider>
+
+ <provider>
+ <role>authorization</role>
+ <name>AclsAuthz</name>
+ <enabled>true</enabled>
+ <param>
+ <name>webhdfs.acl</name>
+ <value>*;analyst;*</value>
+ </param>
+ </provider>
+
+ <!--
+ Defines rules for mapping host names internal to a Hadoop cluster to externally accessible host names.
+ For example, a hadoop service running in AWS may return a response that includes URLs containing the
+ some AWS internal host name. If the client needs to make a subsequent request to the host identified
+ in those URLs they need to be mapped to external host names that the client Knox can use to connect.
+
+ If the external hostname and internal host names are same turn of this provider by setting the value of
+ enabled parameter as false.
+
+ The name parameter specifies the external host names in a comma separated list.
+ The value parameter specifies corresponding internal host names in a comma separated list.
+
+ Note that when you are using Sandbox, the external hostname needs to be localhost, as seen in out
+ of box sandbox.xml. This is because Sandbox uses port mapping to allow clients to connect to the
+ Hadoop services using localhost. In real clusters, external host names would almost never be localhost.
+ -->
+ <provider>
+ <role>hostmap</role>
+ <name>static</name>
+ <enabled>false</enabled>
+ <param><name>localhost</name><value>sandbox,sandbox.hortonworks.com</value></param>
+ </provider>
+
+ </gateway>
+
+ <service>
+ <role>NAMENODE</role>
+ <url>hdfs://hdp.example.com:8020</url>
+ </service>
+
+ <service>
+ <role>JOBTRACKER</role>
+ <url>rpc://hdp.example.com:8050</url>
+ </service>
+
+ <service>
+ <role>WEBHDFS</role>
+ <url>http://hdp.example.com:50070/webhdfs</url>
+ </service>
+
+ <service>
+ <role>WEBHCAT</role>
+ <url>http://hdp.example.com:50111/templeton</url>
+ </service>
+
+ <service>
+ <role>OOZIE</role>
+ <url>http://hdp.example.com:11000/oozie</url>
+ </service>
+
+ <service>
+ <role>WEBHBASE</role>
+ <url>http://hdp.example.com:60080</url>
+ </service>
+
+ <service>
+ <role>HIVE</role>
+ <url>http://hdp.example.com:10001/cliservice</url>
+ </service>
+
+</topology>
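Review bot: The `preauth.ip.addresses` value `127.*,10.*,0:*` in the HeaderPreAuth provider is the only check on who may assert an identity through the `SM_USER` and `sm_group` headers, and `10.*` admits an entire private range rather than the SSO proxy alone. With this template any host in that range could presumably present those headers and be treated as the named user and as a member of `analyst`, which the `webhdfs.acl` of `*;analyst;*` then authorizes. I would ship the template as `<value>127.*,0:*</value>` and add a comment such as `<!-- list only the address(es) of the trusted SSO proxy; every listed client can assert any user and group -->`. The `preauth.validation.method` param is also declared twice in the provider (here and in preauth254sla.xml); one of the two lines can go.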
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/aff2b846/gateway-release/home/templates/preauth254sla.xml
----------------------------------------------------------------------
diff --git a/gateway-release/home/templates/preauth254sla.xml b/gateway-release/home/templates/preauth254sla.xml
new file mode 100644
index 0000000..f4ed898
--- /dev/null
+++ b/gateway-release/home/templates/preauth254sla.xml
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+
+ <gateway>
+
+ <!-- test: curl -i -k https://localhost:8443/gateway/preauth254sla/webhdfs/v1?op=GETHOMEDIRECTORY -->
+ <!-- test: curl -i -k -H "SM_USER: guest" https://localhost:8443/gateway/preauth254sla/webhdfs/v1?op=GETHOMEDIRECTORY -->
+ <!-- test: curl -i -k -H "SM_USER:guest" -H "sm_group:analyst" https://localhost:8443/gateway/preauth254sla/webhdfs/v1?op=GETHOMEDIRECTORY -->
+ <provider>
+ <role>federation</role>
+ <name>HeaderPreAuth</name>
+ <enabled>true</enabled>
+ <param><name>preauth.validation.method</name><value>preauth.ip.validation</value></param>
+ <!-- testing from localhost request ip shows up as
+ 127.0.0.1
+ or
+ 0:0:0:0:0:0:0:1 -->
+ <param><name>preauth.validation.method</name><value>preauth.ip.validation</value></param>
+ <param><name>preauth.ip.addresses</name><value>254.*</value></param>
+ <param><name>preauth.custom.header</name><value>SM_USER</value></param>
+ <param><name>preauth.custom.group.header</name><value>sm_group</value></param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Pseudo</name>
+ <enabled>true</enabled>
+ </provider>
+
+ <provider>
+ <role>authorization</role>
+ <name>AclsAuthz</name>
+ <enabled>true</enabled>
+ <param>
+ <name>webhdfs.acl</name>
+ <value>*;analyst;*</value>
+ </param>
+ </provider>
+
+ <!--
+ Defines rules for mapping host names internal to a Hadoop cluster to externally accessible host names.
+ For example, a hadoop service running in AWS may return a response that includes URLs containing the
+ some AWS internal host name. If the client needs to make a subsequent request to the host identified
+ in those URLs they need to be mapped to external host names that the client Knox can use to connect.
+
+ If the external hostname and internal host names are same turn of this provider by setting the value of
+ enabled parameter as false.
+
+ The name parameter specifies the external host names in a comma separated list.
+ The value parameter specifies corresponding internal host names in a comma separated list.
+
+ Note that when you are using Sandbox, the external hostname needs to be localhost, as seen in out
+ of box sandbox.xml. This is because Sandbox uses port mapping to allow clients to connect to the
+ Hadoop services using localhost. In real clusters, external host names would almost never be localhost.
+ -->
+ <provider>
+ <role>hostmap</role>
+ <name>static</name>
+ <enabled>false</enabled>
+ <param><name>localhost</name><value>sandbox,sandbox.hortonworks.com</value></param>
+ </provider>
+
+ </gateway>
+
+ <service>
+ <role>NAMENODE</role>
+ <url>hdfs://hdp.example.com:8020</url>
+ </service>
+
+ <service>
+ <role>JOBTRACKER</role>
+ <url>rpc://hdp.example.com:8050</url>
+ </service>
+
+ <service>
+ <role>WEBHDFS</role>
+ <url>http://hdp.example.com:50070/webhdfs</url>
+ </service>
+
+ <service>
+ <role>WEBHCAT</role>
+ <url>http://hdp.example.com:50111/templeton</url>
+ </service>
+
+ <service>
+ <role>OOZIE</role>
+ <url>http://hdp.example.com:11000/oozie</url>
+ </service>
+
+ <service>
+ <role>WEBHBASE</role>
+ <url>http://hdp.example.com:60080</url>
+ </service>
+
+ <service>
+ <role>HIVE</role>
+ <url>http://hdp.example.com:10001/cliservice</url>
+ </service>
+
+</topology>
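Review bot: The three `curl` test comments at the top of the gateway section and the "testing from localhost" comment are copied from the 127 template, but with `preauth.ip.addresses` set to `254.*` a request from localhost would presumably fail IP validation. Nothing in the file says that rejection is the intended result, so a reader may take the template for a broken one. I would add a comment above the param, for example `<!-- 254.* deliberately matches no local client; the test requests above are expected to be rejected -->`, worded to match the behaviour you intend to illustrate.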