Knox is composed of a number of Gateway Services at its core. Among these are one for setting up the Jetty SSL listener (JettySSLService) and another for protection of various credentials (AliasService) in order to keep them out of clear text config. These services are able to leverage each other for various things. The JettySSLService has the AliasService injected in order to get to the protected gateway-identity-passphrase. This is a password that is stored at the gateway level as apposed to the topology or cluster level. While mixing the two concerns would be possible with the functionality of JCEKS, it would inappropriately couple the two services implementations together. There has always been plans to look for a more central and secure credential store. The addition of the Credential Provider API in Hadoop opens up this possibility. Currently, the primary credential provider in Hadoop is still a JCEKS provider. We need a server to sit over a secure storage that you would need to authenticate to in order to get the protected passwords. Once this is available the current design in Knox will allow us to transition to a central credential server without the JettySSLService even being aware. ... View more

Hi Vendant - SAML v2 available in the Apache Knox 0.7.0 release through the PicketLink federation provider. It is however not documented since the PicketLink project itself is being reworked into a larger identity solution. The Apache Knox 0.8.0 release which should be finalizing in the next week or so will leverage the pac4j provider that has recently been committed. Pac4j provider SAML v2 as well as various other integrations and is the focus of the 0.8.0 release. While I haven't tested it explicitly with OpenSSO, it has been successfully tested with shibboleth and Okta for SAML prior to commit. Given an environment with OpenSSO deployed, a professional services organization would be great to contribute such testing - you don't get much closer to the real world and the customers than that! ... View more

Apache Knox provides the same REST APIs for PUTting files into HDFS. Please see the Apache docs for examples: http://knox.apache.org/books/knox-0-7-0/user-guide.html#WebHDFS+Examples Note that the link will take you to examples of using the groovy scripting capabilities of Knox as well as examples of using curl to do the same things. ... View more

For Knox, sslv3 is disabled by default and this can be further configured to disable more or "none" through the ssl.exclude.protocols parameter in gateway-site.xml. This can be done directly in the file or from within Ambari. Knox does not have a configurable means to disable specific algorithms - however you can use the Java JSSE networking properties to do this. In fact, this will work for all applications being run in that particular JVM which is better than having to track it down for each application. You should be able to find this in $JRE_HOME/lib/security/java.security in others. # Algorithm restrictions for Secure Socket Layer/Transport Layer Security # (SSL/TLS) processing # # In some environments, certain algorithms or key lengths may be undesirable # when using SSL/TLS. This section describes the mechanism for disabling # algorithms during SSL/TLS security parameters negotiation, including cipher # suites selection, peer authentication and key exchange mechanisms. # # For PKI-based peer authentication and key exchange mechanisms, this list # of disabled algorithms will also be checked during certification path # building and validation, including algorithms used in certificates, as # well as revocation information such as CRLs and signed OCSP Responses. # This is in addition to the jdk.certpath.disabledAlgorithms property above. # # See the specification of "jdk.certpath.disabledAlgorithms" for the # syntax of the disabled algorithm string. # # Note: This property is currently used by Oracle's JSSE implementation. # It is not guaranteed to be examined and used by other implementations. # # Example: # jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048 ... View more