AMBARI-24118

Update KNOX Service Config to Better Integrate the Knox Admin UI


Details

    • Bug
    • Status: Patch Available
    • Major
    • Resolution: Unresolved
    • None
    • 3.0.0
    • ambari-sever
    • None

    Description

      The manager.xml topology in Apache Knox hosts the endpoint for the Knox Admin UI. In order to provide management of the configuration for access to the UI, we need to be able to manage the LDAP configuration for authentication, group lookup and the ACLs for constraining access to admin users and groups.

      We have taken a couple of actions in Knox to facilitate this:

      1. Moved the authentication in manager.xml to leverage KnoxSSO as the authentication mechanism. This will also buy us seamless SSO between the Ambari and Knox UIs.
      2. Made the group lookup manageable from gateway-site.xml; the admin.xml and manager.xml topologies auto-redeploy on startup of the Knox server to pick up gateway-site changes.
      3. Made the list of admin users and admin groups configurable in gateway-site.xml

      This patch will default the KNOX_ADMIN_USERS to "admin" and the KNOX_ADMIN_GROUPS to "admin". These values will work with the Knox DEMO LDAP server that can be used for demos and testing but will need to be adjusted to the enterprise LDAP users/groups that require access to the Knox Admin UI.

      The HadoopGroupProvider will assume the default configuration but when there are no local OS accounts, the admin will be able to configure LDAP or other group mapping mechanisms in gateway-site.xml via advanced params.

      Lastly, the patch adds the admin group to the DEMO LDAP users.ldif file to facilitate group lookup if needed. It will actually use no lookup by default and will grant access to a user named "admin" only but can be configured to use the admin group.
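
A check for the demo defaults described above, as an added example that is not part of the patch or of the Ambari or Knox code: it parses a gateway-site.xml and reports admin user and group lists that are unset or still contain "admin". The property names `gateway.knox.admin.users` and `gateway.knox.admin.groups`, the comma-separated list format and the sample XML are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed gateway-site.xml property names for the admin lists; the issue text
# only names KNOX_ADMIN_USERS / KNOX_ADMIN_GROUPS, so adjust if yours differ.
ADMIN_PROPS = {
    "gateway.knox.admin.users": "KNOX_ADMIN_USERS",
    "gateway.knox.admin.groups": "KNOX_ADMIN_GROUPS",
}
DEMO_DEFAULT = "admin"  # default for both lists, per the issue description

# Constructed sample input, not taken from a real cluster.
SAMPLE_GATEWAY_SITE = """<configuration>
  <property><name>gateway.port</name><value>8443</value></property>
  <property><name>gateway.knox.admin.users</name><value>admin</value></property>
  <property><name>gateway.knox.admin.groups</name><value>knox-admins, admin</value></property>
</configuration>"""


def read_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_admin_acl(xml_text):
    """List findings for admin lists that are unset, empty or still the demo default."""
    props = read_properties(xml_text)
    findings = []
    for key, label in ADMIN_PROPS.items():
        if key not in props:
            findings.append(f"{label}: {key} not set in this file")
            continue
        # Assumption: entries are comma-separated.
        entries = [e.strip() for e in props[key].split(",") if e.strip()]
        if not entries:
            findings.append(f"{label}: {key} is empty")
        elif DEMO_DEFAULT in entries:
            findings.append(f"{label}: {key} still contains demo default '{DEMO_DEFAULT}'")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_acl(SAMPLE_GATEWAY_SITE):
        print(finding)
```
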

          People

            lmccay Larry McCay