KNOX-702 - Templates for AD and Application Hosting Topologies
diff --git a/gateway-release/home/conf/topologies/knoxsso.xml b/gateway-release/home/conf/topologies/knoxsso.xml
index 56700dd..7e962cf 100644
--- a/gateway-release/home/conf/topologies/knoxsso.xml
+++ b/gateway-release/home/conf/topologies/knoxsso.xml
@@ -16,8 +16,13 @@
limitations under the License.
-->
<topology>
-
<gateway>
+ <provider>
+ <role>webappsec</role>
+ <name>WebAppSec</name>
+ <enabled>true</enabled>
+ <param><name>xframe.options.enabled</name><value>true</value></param>
+ </provider>
<provider>
<role>authentication</role>
@@ -76,22 +81,6 @@
<enabled>true</enabled>
</provider>
- <!--
- Defines rules for mapping host names internal to a Hadoop cluster to externally accessible host names.
- For example, a hadoop service running in AWS may return a response that includes URLs containing the
- some AWS internal host name. If the client needs to make a subsequent request to the host identified
- in those URLs they need to be mapped to external host names that the client Knox can use to connect.
-
- If the external hostname and internal host names are same turn of this provider by setting the value of
- enabled parameter as false.
-
- The name parameter specifies the external host names in a comma separated list.
- The value parameter specifies corresponding internal host names in a comma separated list.
-
- Note that when you are using Sandbox, the external hostname needs to be localhost, as seen in out
- of box sandbox.xml. This is because Sandbox uses port mapping to allow clients to connect to the
- Hadoop services using localhost. In real clusters, external host names would almost never be localhost.
- -->
<provider>
<role>hostmap</role>
<name>static</name>
diff --git a/gateway-release/home/templates/ad.xml b/gateway-release/home/templates/ad.xml
index 8586a61..3398f13 100644
--- a/gateway-release/home/templates/ad.xml
+++ b/gateway-release/home/templates/ad.xml
@@ -18,52 +18,33 @@
<topology>
<gateway>
-
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
- <param>
- <!--
- session timeout in minutes, this is really idle timeout,
- defaults to 30mins, if the property value is not defined,,
- current client authentication would expire if client idles contiuosly for more than this value
- -->
- <name>sessionTimeout</name>
- <value>30</value>
- </param>
- <param>
- <name>main.ldapRealm</name>
- <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
- </param>
- <param>
- <name>main.ldapContextFactory</name>
- <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
- </param>
- <param>
- <name>main.ldapRealm.contextFactory</name>
- <value>$ldapContextFactory</value>
- </param>
- <param>
- <name>main.ldapRealm.userDnTemplate</name>
- <!-- If your AD is configured to authenticate based on just the cn and password and does not require user DN,
- you do not have to specify value for main.ldapRealm.userDnTemplate. -->
- <!-- ADJUST template for your AD DIT model -->
- <value>cn={0},cn=users,dc=sample,dc=example,dc=com</value>
- </param>
- <param>
- <name>main.ldapRealm.contextFactory.url</name>
- <!-- ADJUST host, port for your AD setup-->
- <value>ldap://ad.example.com:389</value>
- </param>
- <param>
- <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
- <value>simple</value>
- </param>
- <param>
- <name>urls./**</name>
- <value>authcBasic</value>
- </param>
+ <param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/>
+ <param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"/>
+ <param name="main.ldapRealm.contextFactory" value="$ldapContextFactory"/>
+
+ <param name="main.ldapRealm.contextFactory.url" value="ldap://ad.qa.your-domain.com:389"/>
+ <param name="main.ldapRealm.contextFactory.systemUsername" value="CN=sam,CN=Users,DC=hwqe,DC=hortonworks,DC=com"/>
+ <param name="main.ldapRealm.contextFactory.systemPassword" value="********"/>
+
+ <param name="main.ldapRealm.userSearchBase" value="CN=Users,DC=hwqe,DC=hortonworks,DC=com"/>
+ <param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
+ <param name="main.ldapRealm.userObjectClass" value="person"/>
+
+ <param name="main.ldapRealm.authorizationEnabled" value="true"/>
+ <param name="main.ldapRealm.groupSearchBase" value="OU=groups,DC=hwqe,DC=hortonworks,DC=com"/>
+ <param name="main.ldapRealm.groupObjectClass" value="group"/>
+ <param name="main.ldapRealm.groupIdAttribute" value="sAMAccountName"/>
+ <param name="main.ldapRealm.memberAttribute" value="member"/>
+
+ <param name="main.cacheManager" value="org.apache.shiro.cache.ehcache.EhCacheManager"/>
+ <param name="main.securityManager.cacheManager" value="$cacheManager"/>
+ <param name="main.ldapRealm.authenticationCachingEnabled" value="true"/>
+
+ <param name="urls./**" value="authcBasic"/>
</provider>
<provider>
diff --git a/gateway-release/home/templates/sandbox-apps.xml b/gateway-release/home/templates/sandbox-apps.xml
new file mode 100644
index 0000000..bed6470
--- /dev/null
+++ b/gateway-release/home/templates/sandbox-apps.xml
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+ <provider>
+ <role>webappsec</role>
+ <name>WebAppSec</name>
+ <enabled>true</enabled>
+ <param><name>xframe.options.enabled</name><value>true</value></param>
+ <param><name>csrf.enabled</name><value>true</value></param>
+ </provider>
+
+ <gateway>
+ <provider>
+ <role>federation</role>
+ <name>SSOCookieProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <name>sso.authentication.provider.url</name>
+ <value>https://www.local.com:8443/gateway/knoxsso/knoxauth/login.html</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Default</name>
+ <enabled>true</enabled>
+ </provider>
+ </gateway>
+
+ <!--application>
+ <name>knoxplorer</name>
+ </application-->
+
+ <service>
+ <role>NAMENODE</role>
+ <url>hdfs://localhost:8020</url>
+ </service>
+
+ <service>
+ <role>JOBTRACKER</role>
+ <url>rpc://localhost:8050</url>
+ </service>
+
+ <service>
+ <role>WEBHDFS</role>
+ <url>http://localhost:50070/webhdfs</url>
+ </service>
+
+ <service>
+ <role>WEBHCAT</role>
+ <url>http://localhost:50111/templeton</url>
+ </service>
+
+ <service>
+ <role>OOZIE</role>
+ <url>http://localhost:11000/oozie</url>
+ </service>
+
+ <service>
+ <role>WEBHBASE</role>
+ <url>http://localhost:60080</url>
+ </service>
+
+ <service>
+ <role>HIVE</role>
+ <url>http://localhost:10001/cliservice</url>
+ </service>
+
+ <service>
+ <role>RESOURCEMANAGER</role>
+ <url>http://localhost:8088/ws</url>
+ </service>
+
+</topology>