...

  • Service discovery type
    An identifier indicating which type of discovery to apply (e.g., Ambari, etc...)
  • Service discovery address
    The associated service registry address
  • Credentials for interacting with the discovery source
  • A provider configuration reference (a unique name, filename, etc...)
    A unique name mapped to a set of provider configurations  (see item #3 from the Motivation section)
  • A list of services to be exposed through Knox (with optional service parameters and URL values)
  • A list of UIs to be proxied by Knox (per KIP-9)

...

Sample Topology File (XML):
<?xml version="1.0" encoding="UTF-8"?>
<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <!--
                Session timeout in minutes. This is really an idle timeout: it defaults to 30 minutes
                if the property value is not defined, and the current client authentication expires
                if the client idles continuously for longer than this value.
                -->
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapContextFactory</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://localhost:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
        <!--
        Defines rules for mapping host names internal to a Hadoop cluster to externally accessible host names.
        For example, a Hadoop service running in AWS may return a response that includes URLs containing
        an AWS-internal host name. If the client needs to make a subsequent request to the host identified
        in those URLs, it needs to be mapped to an external host name that the client can use to connect.
        If the external and internal host names are the same, turn off this provider by setting the
        enabled parameter to false.
        The name parameter specifies the external host names as a comma-separated list.
        The value parameter specifies the corresponding internal host names as a comma-separated list.
        Note that when you are using the Sandbox, the external host name needs to be localhost, as seen in the
        out-of-the-box sandbox.xml. This is because the Sandbox uses port mapping to allow clients to connect to the
        Hadoop services using localhost. In real clusters, external host names would almost never be localhost.
        -->
        <provider>
            <role>hostmap</role>
            <name>static</name>
            <enabled>true</enabled>
            <param><name>localhost</name><value>sandbox,sandbox.hortonworks.com</value></param>
        </provider>
    </gateway>
 
    <service>
        <role>AMBARIUI</role>
        <url>http://c6401.ambari.apache.org:8080</url>
    </service>
    <service>
        <role>HIVE</role>
        <url>http://c6402.ambari.apache.org:10001/cliservice</url>
    </service>
    <service>
        <role>WEBHCAT</role>
        <url>http://c6402.ambari.apache.org:50111/templeton</url>
    </service>
    <service>
        <role>AMBARI</role>
        <url>http://c6401.ambari.apache.org:8080</url>
    </service>
    <service>
        <role>OOZIE</role>
        <url>http://c6402.ambari.apache.org:11000/oozie</url>
    </service>
    <service>
        <role>JOBTRACKER</role>
        <url>rpc://c6402.ambari.apache.org:8050</url>
    </service>
    <service>
        <role>NAMENODE</role>
        <url>hdfs://c6401.ambari.apache.org:8020</url>
    </service>
    <service>
        <role>WEBHBASE</role>
        <url>http://c6401.ambari.apache.org:60080</url>
    </service>
    <service>
        <role>WEBHDFS</role>
        <url>http://c6401.ambari.apache.org:50070/webhdfs</url>
    </service>
    <service>
        <role>RESOURCEMANAGER</role>
        <url>http://c6402.ambari.apache.org:8088/ws</url>
    </service>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>100000</value>
        </param>
    </service>
</topology>


3.1 Simple Descriptor Discovery

...

  1. Provision the alias mapping using the knoxcli.sh script

    bin/knoxcli.sh create-alias ambari.discovery.user --value ambariuser

  2. Specify the discovery-user property in a descriptor (This can be useful if a Knox instance will proxy services in clusters managed by multiple Ambari instances)

    "discovery-user":"ambariuser"

...

  1. Provision the password mapped to the default alias, ambari.discovery.password

    bin/knoxcli.sh create-alias ambari.discovery.password --value ambaripasswd

  2. Provision a different alias, and specify it in the descriptor (This can be useful if a Knox instance will proxy services in clusters managed by multiple Ambari instances)

    "discovery-pwd-alias":"my.ambari.discovery.password.alias"
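
The following is an added example, not Knox's own code, that ties the descriptor contents listed earlier to the credential handling described in this section. It builds a simple descriptor in the JSON shape Knox documents for simple descriptors (field names discovery-type, discovery-address, discovery-user, discovery-pwd-alias, provider-config-ref, cluster, services; the cluster name, addresses and service URLs here are constructed), validates that no plaintext credential has been placed in the descriptor, resolves the discovery user and password the way the two lists above describe (descriptor value first, otherwise the default alias), and renders the service list as topology <service> elements. The alias store is a constructed dictionary standing in for the gateway credential store that knoxcli.sh create-alias populates.

```python
"""Added example: descriptor validation, discovery credential resolution and
<service> rendering for a Knox simple descriptor. Not part of Knox."""
import json
import xml.etree.ElementTree as ET

# Default aliases named in the procedure above.
DEFAULT_USER_ALIAS = "ambari.discovery.user"
DEFAULT_PWD_ALIAS = "ambari.discovery.password"
# Keys a descriptor must never carry: secrets belong in the alias store, not in a file
# that is typically checked in or copied between hosts (this example's own policy).
FORBIDDEN_KEYS = {"discovery-pwd", "discovery-password", "password"}

# Constructed stand-in for the credential store, as if provisioned with:
#   bin/knoxcli.sh create-alias ambari.discovery.user --value ambariuser
#   bin/knoxcli.sh create-alias ambari.discovery.password --value ambaripasswd
ALIAS_STORE = {
    "ambari.discovery.user": "ambariuser",
    "ambari.discovery.password": "ambaripasswd",
}

# Constructed descriptor; no discovery-user / discovery-pwd-alias, so defaults apply.
SAMPLE_DESCRIPTOR = json.loads("""{
  "discovery-type": "AMBARI",
  "discovery-address": "https://c6401.ambari.apache.org:8443",
  "provider-config-ref": "sandbox-providers",
  "cluster": "Sandbox",
  "services": [
    {"name": "NAMENODE"},
    {"name": "WEBHDFS"},
    {"name": "KNOXSSO",
     "params": {"knoxsso.cookie.secure.only": "true", "knoxsso.token.ttl": "100000"}}
  ]
}""")


def validate_descriptor(desc):
    """Return a list of problems; an empty list means the descriptor is acceptable."""
    problems = []
    for key in ("discovery-type", "discovery-address", "provider-config-ref", "services"):
        if key not in desc:
            problems.append(f"missing required field '{key}'")
    for key in sorted(FORBIDDEN_KEYS & set(desc)):
        problems.append(f"plaintext credential field '{key}' is not allowed; use an alias")
    if desc.get("discovery-address", "").startswith("http://"):
        # Discovery authenticates to Ambari with the alias password; over http it travels in clear.
        problems.append("discovery-address uses http; discovery credentials would be sent in clear")
    for svc in desc.get("services", []):
        name = svc.get("name")
        if not name or name != name.upper():
            problems.append(f"service name {name!r} must be an upper-case role name")
        for k, v in svc.get("params", {}).items():
            if not isinstance(v, str):
                problems.append(f"{name} param {k} must be a string, got {type(v).__name__}")
    return problems


def resolve_discovery_credentials(desc, alias_store):
    """User: 'discovery-user' in the descriptor wins, else the default user alias.
    Password: never in the descriptor; 'discovery-pwd-alias' names the alias, else the default."""
    user = desc.get("discovery-user") or alias_store.get(DEFAULT_USER_ALIAS)
    pwd_alias = desc.get("discovery-pwd-alias", DEFAULT_PWD_ALIAS)
    password = alias_store.get(pwd_alias)
    if user is None or password is None:
        raise KeyError(f"discovery credentials not provisioned (user={user!r}, alias={pwd_alias!r})")
    return user, password


def render_services(desc, discovered_urls):
    """Render <service> elements. discovered_urls maps role -> list of URLs, standing in
    for what discovery returns; explicit 'urls' in the descriptor take precedence."""
    root = ET.Element("topology")
    for svc in desc["services"]:
        role = svc["name"]
        el = ET.SubElement(root, "service")
        ET.SubElement(el, "role").text = role
        for url in svc.get("urls") or discovered_urls.get(role, []):
            ET.SubElement(el, "url").text = url
        for k, v in svc.get("params", {}).items():
            p = ET.SubElement(el, "param")
            ET.SubElement(p, "name").text = k
            ET.SubElement(p, "value").text = v  # ElementTree escapes &, < and > for us
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("problems:", validate_descriptor(SAMPLE_DESCRIPTOR))
    print("credentials:", resolve_discovery_credentials(SAMPLE_DESCRIPTOR, ALIAS_STORE))
    print(render_services(SAMPLE_DESCRIPTOR, {"WEBHDFS": ["http://c6401.ambari.apache.org:50070/webhdfs"]}))
```

Pointing a descriptor at a second Ambari instance is then a matter of adding discovery-user and discovery-pwd-alias to that descriptor and provisioning the new alias with knoxcli.sh; the password itself never enters the descriptor.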

...