Created 10-21-2015 01:59 PM
1.) Does Knox support active directory searches using nested OUs? I’m reading in some of the documentation that it does not. The main.ldapRealm.userDnTemplate value we are trying to use is samaccountname={0},ou=corp,ou=associates,OU=MY_COMPANY Accounts,DC=amer,DC=qa_my_company,DC=com but the users are not being found.
2.) Does Knox support multiple AD search strings? Not all users that need access to Knox protected services can be found using the single search string above.
Would these require multiple Knox Topology files to be applied at once?
Created 10-21-2015 02:18 PM
Hi Wes - It is possible. I used the following knox config in the past to do it.
For 2 - You would need a different knox topology.
<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param>
        <!-- session timeout in minutes; this is really an idle timeout. Defaults to 30 mins if the property value is not defined.
             The current client authentication expires if the client idles continuously for more than this value -->
        <name>sessionTimeout</name>
        <value>30</value>
    </param>
    <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
    </param>
    <param>
        <name>main.ldapContextFactory</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory</name>
        <value>$ldapContextFactory</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <!-- ADJUST host, port for your AD setup -->
        <value>ldap://ad.client.com:389</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
    </param>
    <!-- Param below is ignored -->
    <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>cn={0},ou=hadoop,ou=personal,ou=accounts,dc=ad,dc=client,dc=com</value>
    </param>
    <!-- Param above is ignored -->
    <param>
        <name>main.ldapRealm.userSearchAttributeName</name>
        <value>sAMAccountName</value>
    </param>
    <param>
        <name>main.ldapRealm.userObjectClass</name>
        <value>person</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.systemUsername</name>
        <value>cn=hadoop_knox_id,ou=process,ou=accounts,dc=ad,dc=client,dc=com</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.systemPassword</name>
        <value>passwd_4_hadoop_knox_id</value>
    </param>
    <!-- search base used to search for user bind DN and groups -->
    <param>
        <name>main.ldapRealm.searchBase</name>
        <value>ou=personal,ou=accounts,dc=ad,dc=client,dc=com</value>
    </param>
    <!-- search base used to search for user bind DN. Defaults to the value of main.ldapRealm.searchBase.
         If main.ldapRealm.userSearchAttributeName is defined, a value for main.ldapRealm.searchBase or main.ldapRealm.userSearchBase should be defined -->
    <param>
        <name>main.ldapRealm.userSearchBase</name>
        <value>ou=personal,ou=accounts,dc=ad,dc=client,dc=com</value>
    </param>
    <param>
        <name>urls./**</name>
        <value>authcBasic</value>
    </param>
</provider>
<provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
</provider>
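As an added example (not code from this thread or from Knox), a small Python checker that parses the ShiroProvider params of a topology, applies the rule the config comments state (a searchBase or userSearchBase is required once userSearchAttributeName is set, and userDnTemplate is then ignored), flags the plain ldap:// URL and a literal systemPassword, and tests whether a user's DN falls under a given search base, which is what decides whether one broader base covers the nested OUs from question 2. The topology text is constructed from the answer's config; the ${ALIAS=...} credential syntax is Knox's own.

```python
import xml.etree.ElementTree as ET

# Constructed topology fragment, modelled on the answer's config (not a real deployment).
SAMPLE_TOPOLOGY = """<topology><gateway><provider>
 <role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
 <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://ad.client.com:389</value></param>
 <param><name>main.ldapRealm.userDnTemplate</name><value>cn={0},ou=hadoop,ou=personal,ou=accounts,dc=ad,dc=client,dc=com</value></param>
 <param><name>main.ldapRealm.userSearchAttributeName</name><value>sAMAccountName</value></param>
 <param><name>main.ldapRealm.contextFactory.systemPassword</name><value>passwd_4_hadoop_knox_id</value></param>
 <param><name>main.ldapRealm.userSearchBase</name><value>ou=personal,ou=accounts,dc=ad,dc=client,dc=com</value></param>
</provider></gateway></topology>"""

def shiro_params(topology_xml):
    """Return {param name: value} for the ShiroProvider provider ({} if absent)."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if prov.findtext("name") == "ShiroProvider":
            return {p.findtext("name"): p.findtext("value") for p in prov.findall("param")}
    return {}

def normalize_dn(dn):
    """Split a DN into RDNs, lower-cased and trimmed. Simplification: escaped commas unsupported."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def dn_within_base(user_dn, search_base):
    """True if user_dn sits at or below search_base, i.e. a subtree search from the base finds it."""
    u, b = normalize_dn(user_dn), normalize_dn(search_base)
    return len(u) >= len(b) and u[-len(b):] == b

def check_params(params):
    """Return findings about the realm config; an empty list means nothing to flag."""
    get = lambda key: params.get("main.ldapRealm." + key)
    findings = []
    if get("userSearchAttributeName"):
        # Knox looks the user up by attribute, so it needs a base to search under
        if not (get("searchBase") or get("userSearchBase")):
            findings.append("ERROR: userSearchAttributeName set but no searchBase/userSearchBase")
        if get("userDnTemplate"):
            findings.append("WARN: userDnTemplate is ignored once userSearchAttributeName is set")
    if (get("contextFactory.url") or "").startswith("ldap://"):
        findings.append("WARN: plain ldap:// URL; simple binds send user passwords unencrypted")
    password = get("contextFactory.systemPassword") or ""
    if password and not password.startswith("${ALIAS="):
        findings.append("WARN: systemPassword is literal; store it as a Knox ${ALIAS=...} credential")
    return findings

if __name__ == "__main__":
    for finding in check_params(shiro_params(SAMPLE_TOPOLOGY)):
        print(finding)
```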
Created 10-22-2015 04:29 PM
Keep in mind that you can broaden the scope of the search by making the value of main.ldapRealm.userSearchBase broader, to possibly help with part 2 of the question. However, you need to be careful for two reasons: