books/0.4.0/config_ldap_group

LDAPGroupLookup

Knox can be configured to look up LDAP groups that the authenticated user belong to. Knox can look up both Static LDAP Groups and Dynamic LDAP Groups. The looked up groups are populated as Principal(s) in the Java Subject of authenticated user. Therefore service authorization rules can be defined in terms of LDAPGroups looked up from LDAP directory.

To look up LDAPGroups of autheticated user from LDAP, you have to use org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm in Shiro configuration.

Please see below a sample Shiro configuration snippet from a topology file that was tested looking LDAPGroups.

    <provider>
        <role>authentication</role>
        <name>ShiroProvider</name>
        <enabled>true</enabled>
        <!-- 
        session timeout in minutes,  this is really idle timeout,
        defaults to 30mins, if the property value is not defined,, 
        current client authentication would expire if client idles contiuosly for more than this value
        -->
        <!-- defaults to: 30 minutes
        <param>
            <name>sessionTimeout</name>
            <value>30</value>
        </param>
        -->

        <!--
          Use single KnoxLdapRealm to do authentication and ldap group look up
        -->
        <param>
          <name>main.ldapRealm</name>
          <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
        </param>
        <param>
          <name>main.ldapGroupContextFactory</name>
          <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
        </param>
        <param>
          <name>main.ldapRealm.contextFactory</name>
          <value>$ldapGroupContextFactory</value>
        </param>
        <!-- defaults to: simple
        <param>
          <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
          <value>simple</value>
        </param>
        -->
        <param>
          <name>main.ldapRealm.contextFactory.url</name>
          <value>ldap://localhost:33389</value>
        </param>
        <param>
          <name>main.ldapRealm.userDnTemplate</name>
          <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>

        <param>
          <name>main.ldapRealm.authorizationEnabled</name>
          <!-- defaults to: false -->
          <value>true</value>
        </param>
        <!-- defaults to: simple
        <param>
          <name>main.ldapRealm.contextFactory.systemAuthenticationMechanism</name>
          <value>simple</value>
        </param>
        -->
        <param>
          <name>main.ldapRealm.searchBase</name>
          <value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <!-- defaults to: groupOfNames
        <param>
          <name>main.ldapRealm.groupObjectClass</name>
          <value>groupOfNames</value>
        </param>
        -->
        <!-- defaults to: member
        <param>
          <name>main.ldapRealm.memberAttribute</name>
          <value>member</value>
        </param>
        -->
        <param>
          <name>main.ldapRealm.memberAttributeValueTemplate</name>
          <value>cn={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
          <name>main.ldapRealm.contextFactory.systemUsername</name>
          <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
          <name>main.ldapRealm.contextFactory.systemPassword</name>
          <value>${ALIAS=ldcSystemPassword}</value>
        </param>

        <param>
          <name>urls./**</name> 
          <value>authcBasic</value>
        </param>

    </provider>

The configuration shown above would look up Static LDAP groups of authenticated user and populate the group principals in the Java Subject corresponding to authenticated user.

If you want to look up Dynamic LDAP Groups instead of Static LDAP Groups, you would have to speciify groupObjectClass and memberAttribute params as shown below:

       <param>
          <name>main.ldapRealm.groupObjectClass</name>
          <value>groupOfUrls</value>
        </param>
        <param>
          <name>main.ldapRealm.memberAttribute</name>
          <value>memberUrl</value>
        </param>

Template topology files and LDIF files to try out LDAP Group Look up

Knox bundles some template topology files and ldif files that you can use to try and test LDAP Group Lookup and associated authorization acls. All these template files are located under {GATEWAY_HOME}/templates.

LDAP Static Group Lookup Templates, authentication and group lookup from the same directory

topology file: sandbox.knoxrealm1.xml ldif file : users.ldapgroups.ldif

To try this out

cd {GATEWAY_HOME} cp templates/sandbox.knoxrealm1.xml deployments/sandbox.xml cp templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master

Following call to WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a member of group “analyst”, authorization prvoider states user should be member of group “analyst”

curl -i -v -k -u guest:guest-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY

Following call to WebHDFS should report: {“Path”:“/user/sam”} As sam is a member of group “analyst”, authorization prvoider states user should be member of group “analyst”

curl -i -v -k -u sam:sam-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY

LDAP Static Group Lookup Templates, authentication and group lookup from different directories

topology file: sandbox.knoxrealm2.xml ldif file : users.ldapgroups.ldif

To try this out

cd {GATEWAY_HOME} cp templates/sandbox.knoxrealm2.xml deployments/sandbox.xml cp templates/users.ldapgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master

Following call to WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a member of group “analyst”, authorization prvoider states user should be member of group “analyst”

curl -i -v -k -u guest:guest-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY

Following call to WebHDFS should report: {“Path”:“/user/sam”} As sam is a member of group “analyst”, authorization prvoider states user should be member of group “analyst”

curl -i -v -k -u sam:sam-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY

LDAP Dynamic Group Lookup Templates, authentication and dynamic group lookup from same directory

topology file: sandbox.knoxrealmdg.xml ldif file : users.ldapdynamicgroups.ldif

To try this out

cd {GATEWAY_HOME} cp templates/sandbox.knoxrealmdg.xml deployments/sandbox.xml cp templates/users.ldapdynamicgroups.ldif conf/users.ldif java -jar bin/ldap.jar conf java -Dsandbox.ldcSystemPassword=guest-password -jar bin/gateway.jar -persist-master

Please note that user.ldapdynamicgroups.ldif also loads ncessary schema to create dynamic groups in Apache DS.

Following call to WebHDFS should report HTTP/1.1 401 Unauthorized As guest is not a member of dynamic group “directors”, authorization prvoider states user should be member of group “directors”

curl -i -v -k -u guest:guest-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY

Following call to WebHDFS should report: {“Path”:“/user/bob”} As bob is a member of dynamic group “directors”, authorization prvoider states user should be member of group “directors”

curl -i -v -k -u sam:sam-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY