From rmerri...@apache.org
Subject [metron] branch master updated: METRON-1945 Metron MPack support for Knox SSO setup (merrimanr) closes apache/metron#1308
Date Thu, 03 Jan 2019 23:06:34 GMT
This is an automated email from the ASF dual-hosted git repository.

rmerriman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/metron.git


The following commit(s) were added to refs/heads/master by this push:
     new 309ce65  METRON-1945 Metron MPack support for Knox SSO setup (merrimanr) closes apache/metron#1308
309ce65 is described below

commit 309ce65f863d2532ca29a1c779bda02c1d42ee4d
Author: merrimanr <merrimanr@gmail.com>
AuthorDate: Thu Jan 3 17:05:25 2019 -0600

    METRON-1945 Metron MPack support for Knox SSO setup (merrimanr) closes apache/metron#1308
---
 .../CURRENT/configuration/metron-security-env.xml  |  43 +++++++++
 .../common-services/METRON/CURRENT/metainfo.xml    |   3 +
 .../CURRENT/package/scripts/alerts_ui_master.py    |  10 +++
 .../package/scripts/management_ui_master.py        |  10 +++
 .../CURRENT/package/scripts/metron_client.py       |  21 +++++
 .../CURRENT/package/scripts/metron_service.py      |  39 ++++++++
 .../CURRENT/package/scripts/params/params_linux.py |  47 +++++++---
 .../package/scripts/params/status_params.py        |   6 +-
 .../METRON/CURRENT/package/scripts/rest_master.py  |   4 +
 .../package/templates/alerts-ui-app-config.json.j2 |   4 +
 .../templates/management-ui-app-config.json.j2     |   4 +
 .../METRON/CURRENT/package/templates/metron.xml.j2 |  56 ++++++++++++
 .../CURRENT/package/templates/metronsso.xml.j2     | 100 +++++++++++++++++++++
 .../METRON/CURRENT/themes/metron_theme.json        |  51 ++++++++++-
 metron-interface/README.md                         |  78 ++++++++++++++++
 .../src/main/scripts/install_metron_knox.sh        |  32 ++++---
 16 files changed, 485 insertions(+), 23 deletions(-)

diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
index ab1fe6c..ab3e532 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/configuration/metron-security-env.xml
@@ -182,5 +182,48 @@
     </value-attributes>
     <on-ambari-upgrade add="true"/>
   </property>
+  <property>
+    <name>metron.knox.enabled</name>
+    <display-name>Knox Enabled</display-name>
+    <value>false</value>
+    <description>Enable Knox</description>
+    <value-attributes>
+      <type>value-list</type>
+      <entries>
+        <entry>
+          <value>true</value>
+          <label>On</label>
+        </entry>
+        <entry>
+          <value>false</value>
+          <label>Off</label>
+        </entry>
+      </entries>
+      <selection-cardinality>1</selection-cardinality>
+      <overridable>false</overridable>
+    </value-attributes>
+    <on-ambari-upgrade add="true"/>
+  </property>
+  <property>
+    <name>metron.knox.sso.pubkey</name>
+    <display-name>Knox SSO Public Key</display-name>
+    <value></value>
+    <description>Knox public key used to verify Knox SSO tokens.</description>
+    <on-ambari-upgrade add="true"/>
+    <value-attributes>
+      <overridable>false</overridable>
+      <empty-value-valid>true</empty-value-valid>
+    </value-attributes>
+  </property>
+  <property>
+    <name>metron.knox.sso.token.ttl</name>
+    <display-name>Knox SSO Token Time to live</display-name>
+    <value>300000</value>
+    <description>Controls the time to live for Knox SSO tokens in Metron.  Units are
in milliseconds.</description>
+    <on-ambari-upgrade add="true"/>
+    <value-attributes>
+      <overridable>false</overridable>
+    </value-attributes>
+  </property>
 
 </configuration>
\ No newline at end of file
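Review bot: `metron.knox.sso.token.ttl` is declared with no type or bounds, so the Ambari form accepts any string and a bad value is only discovered when Knox loads the `metronsso.xml` that this commit renders it into. Add `<type>int</type>` and a `<minimum>` under its `<value-attributes>` so the control is validated at entry time. The `metron.knox.sso.pubkey` description should also say what form is expected (presumably the base64 key material without PEM header/footer lines — confirm against the REST side), because the value is later appended verbatim to a command-line option and a multi-line paste will not survive that.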
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml
index 9516014..99e9325 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/metainfo.xml
@@ -416,6 +416,9 @@
             <scriptType>PYTHON</scriptType>
             <timeout>1200</timeout>
           </commandScript>
+          <configuration-dependencies>
+            <config-type>metron-security-env</config-type>
+          </configuration-dependencies>
         </component>
 
       </components>
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_master.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_master.py
index 85c3be3..7cc2c31 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_master.py
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/alerts_ui_master.py
@@ -19,6 +19,7 @@ limitations under the License.
 
 from resource_management.core.exceptions import ComponentIsNotRunning
 from resource_management.core.exceptions import ExecutionFailed
+from resource_management.core.exceptions import Fail
 from resource_management.core.resources.system import Directory
 from resource_management.core.resources.system import File
 from resource_management.core.source import Template
@@ -51,6 +52,15 @@ class AlertsUIMaster(Script):
              group=params.metron_group
              )
 
+        File(format("{metron_alerts_ui_path}/assets/app-config.json"),
+             content=Template("alerts-ui-app-config.json.j2"),
+             owner=params.metron_user,
+             group=params.metron_group
+             )
+
+        if params.metron_knox_enabled and not params.metron_ldap_enabled:
+            raise Fail("Enabling Metron with Knox requires LDAP authentication.  Please set
'LDAP Enabled' to true in the Metron Security tab.")
+
     def start(self, env, upgrade_type=None):
         from params import params
         env.set_params(params)
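Review bot: The Knox/LDAP guard sits after `assets/app-config.json` has already been rendered, so a rejected configuration still leaves a Knox-routed `apiRoot` under `/gateway/metron` on disk for a UI that Ambari will refuse to bring up. Move the `if params.metron_knox_enabled and not params.metron_ldap_enabled: raise Fail(...)` check to the top of `configure`, ahead of every `File`/`Directory` resource, so nothing is written for a configuration that is about to be rejected. `configure` begins outside this hunk.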
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_master.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_master.py
index dad8f12..c50b09c 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_master.py
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/management_ui_master.py
@@ -24,6 +24,7 @@ from resource_management.libraries.functions.format import format
 from resource_management.libraries.script import Script
 from resource_management.core.resources.system import Execute
 from resource_management.core.logger import Logger
+from resource_management.core.exceptions import Fail
 
 from management_ui_commands import ManagementUICommands
 
@@ -49,6 +50,12 @@ class ManagementUIMaster(Script):
              group=params.metron_group
              )
 
+        File(format("{metron_management_ui_path}/assets/app-config.json"),
+             content=Template("management-ui-app-config.json.j2"),
+             owner=params.metron_user,
+             group=params.metron_group
+             )
+
         Directory('/var/run/metron',
                   create_parents=False,
                   mode=0755,
@@ -56,6 +63,9 @@ class ManagementUIMaster(Script):
                   group=params.metron_group
                   )
 
+        if params.metron_knox_enabled and not params.metron_ldap_enabled:
+            raise Fail("Enabling Metron with Knox requires LDAP authentication.  Please set
'LDAP Enabled' to true in the Metron Security tab.")
+
     def start(self, env, upgrade_type=None):
         from params import params
         env.set_params(params)
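Review bot: The same Knox-requires-LDAP check and message are now copy-pasted into `alerts_ui_master.py`, `management_ui_master.py`, `metron_client.py` and `rest_master.py`, and each copy runs after resources have already been written. Factor it into one helper in `metron_service.py` next to `check_indexer_parameters`, e.g. `def check_knox_parameters(params): if params.metron_knox_enabled and not params.metron_ldap_enabled: raise Fail(...)`, and call it first thing in each `configure` so the message stays consistent and any later requirement (a non-empty SSO public key, a Knox host) is checked in one place. `configure` begins outside this hunk.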
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_client.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_client.py
index 32fe0e9..e65d62e 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_client.py
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_client.py
@@ -19,8 +19,13 @@ limitations under the License.
 
 from resource_management.libraries.script.script import Script
 from resource_management.core.exceptions import ClientComponentHasNoStatus
+from resource_management.core.exceptions import Fail
 from resource_management.core.resources.system import Directory
 from metron_security import storm_security_setup
+from metron_service import install_metron_knox
+from metron_service import metron_knox_topology_setup
+from metron_service import is_metron_knox_installed
+from metron_service import set_metron_knox_installed
 
 class MetronClient(Script):
 
@@ -34,14 +39,30 @@ class MetronClient(Script):
         env.set_params(params)
         storm_security_setup(params)
 
+        if params.metron_knox_enabled and not params.metron_ldap_enabled:
+            raise Fail("Enabling Metron with Knox requires LDAP authentication.  Please set
'LDAP Enabled' to true in the Metron Security tab.")
+
+        if params.metron_knox_enabled:
+            if not is_metron_knox_installed(params):
+                install_metron_knox(params)
+                set_metron_knox_installed(params)
+            metron_knox_topology_setup(params)
+
     def start(self, env, upgrade_type=None):
         from params import params
         env.set_params(params)
+        self.configure(env)
 
     def stop(self, env, upgrade_type=None):
         from params import params
         env.set_params(params)
 
+    def restart(self, env):
+        from params import params
+        env.set_params(params)
+        self.configure(env)
+
+
     def status(self, env):
         raise ClientComponentHasNoStatus()
 
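Review bot: `set_metron_knox_installed(params)` is written unconditionally after `install_metron_knox(params)`, but that helper silently does nothing when `params.knox_home` does not exist, so a cluster where Knox is added after Metron records the install as done and the script never runs. Fail loudly instead: `if not os.path.exists(params.knox_home): raise Fail("Knox Enabled is set but no Knox install was found at " + params.knox_home)` before the install call (this module would need `import os`, which is not among the imports visible in this commit). `start` and `restart` now re-render the topologies on every start, which matches the README, but `stop` and a later `Knox Enabled = false` leave stale `metron.xml`/`metronsso.xml` under `$KNOX_HOME/conf/topologies`; worth a comment stating that removal is manual, if that is the intent.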
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_service.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_service.py
index a7074da..f538122 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_service.py
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/metron_service.py
@@ -24,6 +24,7 @@ from resource_management.core.exceptions import ComponentIsNotRunning
 from resource_management.core.exceptions import Fail
 from resource_management.core.resources.system import Directory, File
 from resource_management.core.resources.system import Execute
+from resource_management.core.source import Template
 from resource_management.core.source import InlineTemplate
 from resource_management.libraries.functions import format as ambari_format
 from resource_management.libraries.functions.get_user_call_output import get_user_call_output
@@ -588,3 +589,41 @@ def check_indexer_parameters():
 
     if len(missing) > 0:
       raise Fail("Missing required indexing parameters(s): indexer={0}, missing={1}".format(indexer,
missing))
+
+def install_metron_knox(params):
+    if os.path.exists(params.knox_home):
+        template = """export KNOX_HOME={0}; \
+            export KNOX_USER={1}; \
+            export KNOX_GROUP={2}; \
+            {3}/bin/install_metron_knox.sh; \
+            unset KNOX_USER; \
+            unset KNOX_GROUP; \
+            unset KNOX_HOME;"""
+        cmd = template.format(params.knox_home, params.knox_user, params.knox_group, params.metron_home)
+
+        Execute(cmd)
+
+def is_metron_knox_installed(params):
+    return os.path.isfile(params.metron_knox_installed_flag_file)
+
+def set_metron_knox_installed(params):
+    Directory(params.metron_zookeeper_config_path,
+              mode=0755,
+              owner=params.metron_user,
+              group=params.metron_group,
+              create_parents=True
+              )
+    set_configured(params.metron_user, params.metron_knox_installed_flag_file, "Setting Metron
Knox installed to true")
+
+def metron_knox_topology_setup(params):
+    if os.path.exists(params.knox_home):
+        File(ambari_format("{knox_home}/conf/topologies/metron.xml"),
+             content=Template("metron.xml.j2"),
+             owner=params.knox_user,
+             group=params.knox_group
+             )
+        File(ambari_format("{knox_home}/conf/topologies/metronsso.xml"),
+             content=Template("metronsso.xml.j2"),
+             owner=params.knox_user,
+             group=params.knox_group
+             )
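Review bot: `install_metron_knox` builds a shell command by `str.format`-ing `params.knox_home`, `knox_user`, `knox_group` and `metron_home` straight into an `export …; script; unset …` string, so a value from `knox-env` containing whitespace, `;` or `$` is interpreted by the shell rather than passed through, and the trailing `unset` lines are no-ops because `Execute` runs its own shell anyway. Pass the values as the process environment rather than on the command line (the `Execute` resource takes an `environment` dict, as far as I recall from the Ambari resource API), which removes the interpolation entirely. The two topology `File` resources set no `mode`, so the rendered files inherit the agent's umask; `mode=0644` would make that explicit.
```python
def install_metron_knox(params):
    """Run the Knox service/topology installer shipped with Metron (no-op if Knox is absent)."""
    if os.path.exists(params.knox_home):
        Execute(params.metron_home + "/bin/install_metron_knox.sh",
                environment={'KNOX_HOME': params.knox_home,
                             'KNOX_USER': params.knox_user,
                             'KNOX_GROUP': params.knox_group})

# … unchanged: is_metron_knox_installed, set_metron_knox_installed, metron_knox_topology_setup …
```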
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py
index 5635330..a543d79 100755
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/params_linux.py
@@ -51,23 +51,24 @@ metron_user = status_params.metron_user
 metron_group = config['configurations']['metron-env']['metron_group']
 metron_log_dir = config['configurations']['metron-env']['metron_log_dir']
 metron_pid_dir = config['configurations']['metron-env']['metron_pid_dir']
-
+metron_rest_host = status_params.metron_rest_host
 metron_rest_port = status_params.metron_rest_port
 metron_management_ui_host = status_params.metron_management_ui_host
 metron_management_ui_port = status_params.metron_management_ui_port
+metron_management_ui_path = metron_home + '/web/management-ui/'
 metron_alerts_ui_host = status_params.metron_alerts_ui_host
 metron_alerts_ui_port = status_params.metron_alerts_ui_port
+metron_alerts_ui_path = metron_home + '/web/alerts-ui/'
 metron_jvm_flags = config['configurations']['metron-rest-env']['metron_jvm_flags']
 
 # Construct the profiles as a temp variable first. Only the first time it's set will carry
through
-metron_spring_profiles_temp = config['configurations']['metron-rest-env']['metron_spring_profiles_active']
-if config['configurations']['metron-security-env']['metron.ldap.enabled']:
-    if metron_spring_profiles_temp:
-        metron_spring_profiles_active = metron_spring_profiles_temp + ',ldap'
+metron_spring_profiles_active = config['configurations']['metron-rest-env']['metron_spring_profiles_active']
+metron_ldap_enabled = config['configurations']['metron-security-env']['metron.ldap.enabled']
+if metron_ldap_enabled:
+    if not len(metron_spring_profiles_active) == 0:
+        metron_spring_profiles_active += ',ldap'
     else:
         metron_spring_profiles_active = 'ldap'
-else:
-    metron_spring_profiles_active = metron_spring_profiles_temp
 
 metron_jdbc_driver = config['configurations']['metron-rest-env']['metron_jdbc_driver']
 metron_jdbc_url = config['configurations']['metron-rest-env']['metron_jdbc_url']
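Review bot: The rewritten profile logic tests emptiness with `if not len(metron_spring_profiles_active) == 0:`; the idiomatic form is simply `if metron_spring_profiles_active:`, and the same `not len(...) == 0` shape is repeated later in this file for `metron_spring_options`, `metron_spring_profiles_active` and `knox_hosts`. Behaviour is the same as the old `metron_spring_profiles_temp` code, so this is wording only.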
@@ -100,6 +101,7 @@ rest_kafka_configured_flag_file = status_params.rest_kafka_configured_flag_file
 rest_kafka_acl_configured_flag_file = status_params.rest_kafka_acl_configured_flag_file
 rest_hbase_configured_flag_file = status_params.rest_hbase_configured_flag_file
 rest_hbase_acl_configured_flag_file = status_params.rest_hbase_acl_configured_flag_file
+metron_knox_installed_flag_file = status_params.metron_knox_installed_flag_file
 global_properties_template = config['configurations']['metron-env']['elasticsearch-properties']
 
 # Elasticsearch hosts and port management
@@ -291,9 +293,6 @@ metron_ldap_group_role = config['configurations']['metron-security-env']['metron
 metron_ldap_ssl_truststore = config['configurations']['metron-security-env']['metron.ldap.ssl.truststore']
 metron_ldap_ssl_truststore_password = config['configurations']['metron-security-env']['metron.ldap.ssl.truststore.password']
 
-# Management UI
-metron_rest_host = default("/clusterHostInfo/metron_rest_hosts", [hostname])[0]
-
 # REST
 metron_rest_pid_dir = config['configurations']['metron-rest-env']['metron_rest_pid_dir']
 metron_rest_pid = 'metron-rest.pid'
@@ -443,3 +442,31 @@ kafka_spout_parallelism = config['configurations']['metron-pcap-env']['kafka_spo
 # MapReduce
 metron_user_hdfs_dir = '/user/' + metron_user
 metron_user_hdfs_dir_configured_flag_file = status_params.metron_user_hdfs_dir_configured_flag_file
+
+# Knox
+knox_user = config['configurations']['knox-env']['knox_user']
+knox_group = config['configurations']['knox-env']['knox_group']
+metron_knox_root_path = '/gateway/metron'
+metron_rest_path = '/api/v1'
+metron_alerts_ui_login_path = '/login'
+metron_management_ui_login_path = '/login'
+metron_knox_enabled = config['configurations']['metron-security-env']['metron.knox.enabled']
+metron_knox_sso_pubkey = config['configurations']['metron-security-env']['metron.knox.sso.pubkey']
+metron_knox_sso_token_ttl = config['configurations']['metron-security-env']['metron.knox.sso.token.ttl']
+if metron_knox_enabled:
+    metron_rest_path = metron_knox_root_path + '/metron-rest' + metron_rest_path
+    metron_alerts_ui_login_path = metron_knox_root_path + '/metron-alerts/'
+    metron_management_ui_login_path = metron_knox_root_path + '/metron-management/sensors'
+    if not len(metron_spring_options) == 0:
+        metron_spring_options += ' '
+    metron_spring_options += '--knox.root=' + metron_knox_root_path + '/metron-rest'
+    metron_spring_options += ' --knox.sso.pubkey=' + metron_knox_sso_pubkey
+    if not len(metron_spring_profiles_active) == 0:
+        metron_spring_profiles_active += ','
+    metron_spring_profiles_active += 'knox'
+
+knox_home = os.path.join(stack_root, "current", "knox-server")
+knox_hosts = default("/clusterHostInfo/knox_gateway_hosts", [])
+knox_host = ''
+if not len(knox_hosts) == 0:
+    knox_host = knox_hosts[0]
\ No newline at end of file
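Review bot: `metron_knox_sso_pubkey` is appended verbatim to `metron_spring_options` as `--knox.sso.pubkey=<value>`, and the theme in this same commit exposes that property as a `text-area`, so a key pasted with PEM header/footer lines or line breaks splits the REST launch options at the first whitespace. Normalise it before use, e.g. `metron_knox_sso_pubkey = ''.join(metron_knox_sso_pubkey.split())`, and have the REST master reject an empty value when Knox is enabled. `knox_host` likewise falls back to `''` when `knox_gateway_hosts` is absent, which renders `https://:8443/...` into `metron.xml` rather than failing; since this module only computes values, that check belongs in the Metron Client's `configure`.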
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/status_params.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/status_params.py
index aad34a9..2563646 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/status_params.py
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/params/status_params.py
@@ -82,6 +82,7 @@ elasticsearch_template_installed_flag_file = metron_zookeeper_config_path
+ '/..
 solr_schema_installed_flag_file = metron_zookeeper_config_path + '/../metron_solr_schema_installed_flag_file'
 
 # REST
+metron_rest_host = default("/clusterHostInfo/metron_rest_hosts", [hostname])[0]
 metron_rest_port = config['configurations']['metron-rest-env']['metron_rest_port']
 rest_kafka_configured_flag_file = metron_zookeeper_config_path + '/../metron_rest_kafka_configured'
 rest_kafka_acl_configured_flag_file = metron_zookeeper_config_path + '/../metron_rest_kafka_acl_configured'
@@ -126,4 +127,7 @@ pcap_perm_configured_flag_file = metron_zookeeper_config_path + '/../metron_pcap
 pcap_acl_configured_flag_file = metron_zookeeper_config_path + '/../metron_pcap_acl_configured'
 
 # MapReduce
-metron_user_hdfs_dir_configured_flag_file = metron_zookeeper_config_path + '/../metron_user_hdfs_dir_configured'
\ No newline at end of file
+metron_user_hdfs_dir_configured_flag_file = metron_zookeeper_config_path + '/../metron_user_hdfs_dir_configured'
+
+# Knox
+metron_knox_installed_flag_file = metron_zookeeper_config_path + '/../metron_knox_installed'
\ No newline at end of file
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_master.py
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_master.py
index 43224ad..90f4ac5 100755
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_master.py
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/rest_master.py
@@ -19,6 +19,7 @@ limitations under the License.
 
 from resource_management.core.exceptions import ComponentIsNotRunning
 from resource_management.core.exceptions import ExecutionFailed
+from resource_management.core.exceptions import Fail
 from resource_management.core.resources.system import Directory
 from resource_management.core.resources.system import File
 from resource_management.core.source import Template
@@ -59,6 +60,9 @@ class RestMaster(Script):
             commands.init_kafka_acls()
             commands.set_kafka_acl_configured()
 
+        if params.metron_knox_enabled and not params.metron_ldap_enabled:
+            raise Fail("Enabling Metron with Knox requires LDAP authentication.  Please set
'LDAP Enabled' to true in the Metron Security tab.")
+
     def start(self, env, upgrade_type=None):
         from params import params
         env.set_params(params)
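Review bot: Nothing checks that `metron.knox.sso.pubkey` is non-empty when Knox is enabled, even though the property declares `empty-value-valid`, so REST starts with `--knox.sso.pubkey=` and cannot verify any SSO token, which surfaces only as login failures. Extend the guard: `if params.metron_knox_enabled and not params.metron_knox_sso_pubkey: raise Fail("Enabling Metron with Knox requires the Knox SSO public key.  Please set 'Knox SSO Public Key' in the Metron Security tab.")`. As in the UI masters, the guard runs after the Kafka ACL setup above it; placing it first in `configure` (which begins outside this hunk) avoids doing work for a configuration that is about to be rejected.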
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/alerts-ui-app-config.json.j2
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/alerts-ui-app-config.json.j2
new file mode 100644
index 0000000..edbc1b6
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/alerts-ui-app-config.json.j2
@@ -0,0 +1,4 @@
+{
+  "apiRoot": "{{metron_rest_path}}",
+  "loginPath": "{{metron_alerts_ui_login_path}}"
+}
\ No newline at end of file
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/management-ui-app-config.json.j2
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/management-ui-app-config.json.j2
new file mode 100644
index 0000000..12c3168
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/management-ui-app-config.json.j2
@@ -0,0 +1,4 @@
+{
+  "apiRoot": "{{metron_rest_path}}",
+  "loginPath": "{{metron_management_ui_login_path}}"
+}
\ No newline at end of file
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.xml.j2
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.xml.j2
new file mode 100644
index 0000000..c1ea149
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metron.xml.j2
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software
+	Foundation (ASF) under one or more contributor license agreements. See the
+	NOTICE file distributed with this work for additional information regarding
+	copyright ownership. The ASF licenses this file to You under the Apache License,
+	Version 2.0 (the "License"); you may not use this file except in compliance
+	with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software distributed
+	under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+	OR CONDITIONS OF ANY KIND, either express or implied. See the License for
+  the specific language governing permissions and limitations under the License.
+  -->
+<topology>
+
+  <gateway>
+    <provider>
+          <role>federation</role>
+          <name>SSOCookieProvider</name>
+          <enabled>true</enabled>
+          <param>
+            <name>sso.authentication.provider.url</name>
+            <value>https://{{knox_host}}:8443/gateway/metronsso/api/v1/websso</value>
+          </param>
+        </provider>
+
+    <provider>
+      <role>identity-assertion</role>
+      <name>Default</name>
+      <enabled>true</enabled>
+    </provider>
+
+    <provider>
+      <role>authorization</role>
+      <name>AclsAuthz</name>
+      <enabled>true</enabled>
+    </provider>
+
+  </gateway>
+
+  <service>
+    <role>METRON-REST</role>
+    <url>http://{{metron_rest_host}}:{{metron_rest_port}}</url>
+  </service>
+
+  <service>
+    <role>METRON-ALERTS</role>
+    <url>http://{{metron_alerts_ui_host}}:{{metron_alerts_ui_port}}</url>
+  </service>
+
+  <service>
+    <role>METRON-MANAGEMENT</role>
+    <url>http://{{metron_management_ui_host}}:{{metron_management_ui_port}}</url>
+  </service>
+
+</topology>
\ No newline at end of file
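Review bot: The `sso.authentication.provider.url` hardcodes the Knox gateway port as `8443` while the host is templated from `knox_host`, so any cluster running Knox on a non-default port gets a topology that redirects logins to the wrong place; template the port as well (Knox's `gateway-site` carries `gateway.port`, if that config is reachable from the mpack). `AclsAuthz` is enabled with no `*.acl` params, so depending on Knox's default for an undefined ACL — verify for the version in use — every LDAP user may reach all three services through the gateway; add a comment stating that authorization is expected to happen inside Metron via the `metron.ldap` role mapping, or define explicit ACLs. The backend `<url>`s are plain `http://`, so the Knox→Metron hop carries the asserted identity in cleartext; a one-line comment recording the assumption that Knox and the Metron hosts share a trusted network would help the next operator.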
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metronsso.xml.j2
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metronsso.xml.j2
new file mode 100644
index 0000000..d32f86a
--- /dev/null
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/templates/metronsso.xml.j2
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software
+	Foundation (ASF) under one or more contributor license agreements. See the
+	NOTICE file distributed with this work for additional information regarding
+	copyright ownership. The ASF licenses this file to You under the Apache License,
+	Version 2.0 (the "License"); you may not use this file except in compliance
+	with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software distributed
+	under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
+	OR CONDITIONS OF ANY KIND, either express or implied. See the License for
+  the specific language governing permissions and limitations under the License.
+  -->
+<topology>
+  <gateway>
+    <provider>
+      <role>webappsec</role>
+      <name>WebAppSec</name>
+      <enabled>true</enabled>
+      <param><name>xframe.options.enabled</name><value>true</value></param>
+    </provider>
+
+    <provider>
+      <role>authentication</role>
+      <name>ShiroProvider</name>
+      <enabled>true</enabled>
+      <param>
+        <name>sessionTimeout</name>
+        <value>30</value>
+      </param>
+      <param>
+        <name>redirectToUrl</name>
+        <value>/gateway/metronsso/knoxauth/login.html</value>
+      </param>
+      <param>
+        <name>restrictedCookies</name>
+        <value>rememberme,WWW-Authenticate</value>
+      </param>
+      <param>
+        <name>main.ldapRealm</name>
+        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
+      </param>
+      <param>
+        <name>main.ldapContextFactory</name>
+        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
+      </param>
+      <param>
+        <name>main.ldapRealm.contextFactory</name>
+        <value>$ldapContextFactory</value>
+      </param>
+      <param>
+        <name>main.ldapRealm.userDnTemplate</name>
+        <value>{{metron_ldap_user_pattern}}</value>
+      </param>
+      <param>
+        <name>main.ldapRealm.contextFactory.url</name>
+        <value>{{metron_ldap_url}}</value>
+      </param>
+      <param>
+        <name>main.ldapRealm.authenticationCachingEnabled</name>
+        <value>false</value>
+      </param>
+      <param>
+        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+        <value>simple</value>
+      </param>
+      <param>
+        <name>urls./**</name>
+        <value>authcBasic</value>
+      </param>
+    </provider>
+
+    <provider>
+      <role>identity-assertion</role>
+      <name>Default</name>
+      <enabled>true</enabled>
+    </provider>
+  </gateway>
+
+  <application>
+    <name>knoxauth</name>
+  </application>
+
+  <service>
+    <role>KNOXSSO</role>
+    <param>
+      <name>knoxsso.cookie.secure.only</name>
+      <value>false</value>
+    </param>
+    <param>
+      <name>knoxsso.token.ttl</name>
+      <value>{{metron_knox_sso_token_ttl}}</value>
+    </param>
+    <param>
+      <name>knoxsso.redirect.whitelist.regex</name>
+      <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1|{{metron_rest_host}}|{{metron_management_ui_host}}|{{metron_alerts_ui_host}}):[0-9].*$</value>
+    </param>
+  </service>
+
+</topology>
\ No newline at end of file
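Review bot: `knoxsso.redirect.whitelist.regex` ends in `:[0-9].*$`, which accepts anything after a single digit, so an `originalUrl` such as `https://localhost:1@attacker.example/` passes the whitelist (the `localhost:1` part parses as URL userinfo, the real host is `attacker.example`) and turns the SSO endpoint into an open redirect; tighten the tail to `:[0-9]+(\/.*)?$` so the port must be followed by a path or end of string, and note that the templated hostnames are inserted with unescaped dots. `knoxsso.cookie.secure.only` is `false`, yet every Knox URL this commit documents is `https://…:8443`, so the SSO cookie is allowed onto plaintext connections for no visible reason; set it to `true` (or template it from a property) and document why if a plaintext path is intended. The LDAP realm uses `simple` bind against `metron_ldap_url` and the topology carries none of the truststore settings Metron's own LDAP config has, so when the URL is `ldaps://` with a private CA, confirm the Knox JVM trust store covers it rather than assuming it works because Metron's bind does.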
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json
b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json
index 7f84f1d..6749101 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/themes/metron_theme.json
@@ -426,7 +426,7 @@
             "display-name": "Security",
             "layout": {
               "tab-columns": "2",
-              "tab-rows": "1",
+              "tab-rows": "2",
               "sections": [
                 {
                   "name": "section-security-ldap",
@@ -446,6 +446,25 @@
                       "column-span": "1"
                     }
                   ]
+                },
+                {
+                  "name": "section-security-knox",
+                  "row-index": "1",
+                  "column-index": "0",
+                  "row-span": "1",
+                  "column-span": "1",
+                  "section-columns": "1",
+                  "section-rows": "1",
+                  "subsections": [
+                    {
+                      "name": "subsection-security-knox",
+                      "display-name": "KNOX",
+                      "row-index": "0",
+                      "column-index": "0",
+                      "row-span": "1",
+                      "column-span": "1"
+                    }
+                  ]
                 }
               ]
             }
@@ -933,6 +952,18 @@
           "subsection-name": "subsection-security-ldap"
         },
         {
+          "config": "metron-security-env/metron.knox.enabled",
+          "subsection-name": "subsection-security-knox"
+        },
+        {
+          "config": "metron-security-env/metron.knox.sso.pubkey",
+          "subsection-name": "subsection-security-knox"
+        },
+        {
+          "config": "metron-security-env/metron.knox.sso.token.ttl",
+          "subsection-name": "subsection-security-knox"
+        },
+        {
           "config": "metron-pcap-env/pcap_topology_workers",
           "subsection-name": "subsection-pcap"
         },
@@ -1688,6 +1719,24 @@
         }
       },
       {
+        "config": "metron-security-env/metron.knox.enabled",
+        "widget": {
+          "type": "toggle"
+        }
+      },
+      {
+        "config": "metron-security-env/metron.knox.sso.pubkey",
+        "widget": {
+          "type": "text-area"
+        }
+      },
+      {
+        "config": "metron-security-env/metron.knox.sso.token.ttl",
+        "widget": {
+          "type": "text-field"
+        }
+      },
+      {
         "config": "metron-pcap-env/pcap_topology_workers",
         "widget": {
           "type": "text-field"
diff --git a/metron-interface/README.md b/metron-interface/README.md
index 639667f..e10bec8 100644
--- a/metron-interface/README.md
+++ b/metron-interface/README.md
@@ -73,3 +73,81 @@ The following diagram illustrates the flow of data for the various types
of requ
 ![Knox Flow Diagram](knox_flow_diagram.png)
 
 Note how the flow diagrams for Static asset requests and Rest requests (through Knox) are
identical.
+
+## Enabling Knox for Metron
+
+Follow the instructions in the next 3 sections to enable Knox for Metron.  The new Knox urls
will be similar to (substitute the Knox host/port in your environment for `node1:8443`):
+
+- Metron Alerts UI - https://node1:8443/gateway/metron/metron-alerts/
+- Metron Management UI - https://node1:8443/gateway/metron/metron-management/sensors
+- Metron REST - https://node1:8443/gateway/metron/metron-rest/swagger-ui.html
+
+
+
+### Install Metron Clients
+
+The Metron Client component in Ambari is responsible for installing the service definition
and topology files in the appropriate Knox directories.  These files are installed whenever
the Metron Client component(s) are installed, started or restarted AND the `Knox Enabled`
Metron Ambari property
+is set to true (under the `Security` tab in the Metron Config section).  Ambari calls the
script at `$METRON_HOME/bin/install_metron_knox.sh` which installs the following files:
+
+- `$KNOX_HOME/conf/topologies/metron.xml`
+- `$KNOX_HOME/conf/topologies/metronsso.xml`
+- `$KNOX_HOME/data/services/metron-alerts/$METRON_VERSION/rewrite.xml`
+- `$KNOX_HOME/data/services/metron-alerts/$METRON_VERSION/service.xml`
+- `$KNOX_HOME/data/services/metron-management/$METRON_VERSION/rewrite.xml`
+- `$KNOX_HOME/data/services/metron-management/$METRON_VERSION/service.xml`
+- `$KNOX_HOME/data/services/metron-rest/$METRON_VERSION/rewrite.xml`
+- `$KNOX_HOME/data/services/metron-rest/$METRON_VERSION/service.xml`
+
+A Metron Client should be installed anywhere a Knox Gateway is installed.  It is not strictly
required but Metron will not be available through any Knox Gateways that do not have these
files installed.
+  
+### Enable Knox for Metron in Ambari
+
+After Metron Client components have been installed on the appropriate hosts, there are a
couple settings that need to be changed in the Ambari "Security" tab.  
+First the Knox SSO public key needs to be read from Knox.  Run the following command on a
Knox Gateway to get the key:
+```
+openssl s_client -connect node1:8443 < /dev/null | openssl x509 | grep -v 'CERTIFICATE'
| paste -sd "" -
+```
+The `Knox SSO Public Key` Ambari property should be set to the output of that command.  In
the same section, set the `Knox Enabled` setting to "ON".  
+
+After these changes have been made, the following Metron components must be restarted:
+
+- Metron Client
+- Metron Alerts UI
+- Metron Management UI
+- Metron REST
+
+Any change to the settings described in this section will cause Ambari to suggest restarting
these services.  Either restart them manually or follow the prompt in Ambari.
+
+Note:  Knox can only be enabled for Metron when Metron authentication is set to `LDAP` (the
`LDAP Enabled` setting in Ambari).  
+If `LDAP` is not enabled an error will be thrown when any of the previous components are
restarted. 
+
+### Update Quicklinks (Optional)
+
+Currently there is no way to dynamicly change the quick links in Ambari to the new Knox urls
so it must be done manually.  Locate this file on the Ambari server host:
+```
+/var/lib/ambari-server/resources/mpacks/metron-ambari.mpack-$METRON_MPACK_VERSION/common-services/METRON/$METRON_VERSION/quicklinks/quicklinks.json
+```
+Quicklinks for each component are defined as an array of json objects under the `/configuration/links/`
attribute.
+
+Locate the json object for the component you want to update.  Change the `url` attribute
to match the new Knox url.  For example, to update the Metron REST quick link, locate the
json object with the `label` property set to `Swagger UI`.  Change the `url` property from
+`%@://%@:%@/swagger-ui.html` to `https://<knox gateway host>:<knox gateway port>/gateway/metron/metron-rest/swagger-ui.html`.
+
+The json object should look like this in full dev:
+```
+{
+    "name": "metron_rest_ui",
+    "label": "Swagger UI",
+    "requires_user_name": "false",
+    "component_name": "METRON_REST",
+    "url":"https://node1:8443/gateway/metron/metron-rest/swagger-ui.html",
+    "port":{
+      "http_property": "metron_rest_port",
+      "http_default_port": "8082",
+      "https_property": "metron_rest_port",
+      "https_default_port": "8082",
+      "regex": "^(\\d+)$",
+      "site": "metron-rest-env"
+    }
+}
+```
+Repeat for the Alerts UI and Management UI.  Any update to this file requires an Ambari server
restart.
\ No newline at end of file
diff --git a/metron-interface/metron-rest/src/main/scripts/install_metron_knox.sh b/metron-interface/metron-rest/src/main/scripts/install_metron_knox.sh
index 7e87393..ca16ebe 100755
--- a/metron-interface/metron-rest/src/main/scripts/install_metron_knox.sh
+++ b/metron-interface/metron-rest/src/main/scripts/install_metron_knox.sh
@@ -18,17 +18,27 @@
 #
 METRON_VERSION=${project.version}
 METRON_HOME=${METRON_HOME:-/usr/metron/${METRON_VERSION}}
+KNOX_USER=${KNOX_USER:-knox}
+KNOX_GROUP=${KNOX_GROUP:-knox}
 KNOX_HOME=${KNOX_HOME:-/usr/hdp/current/knox-server}
-KNOX_METRON_REST_DIR=$KNOX_HOME/data/services/metron-rest/$METRON_VERSION
-KNOX_METRON_ALERTS_DIR=$KNOX_HOME/data/services/metron-alerts/$METRON_VERSION
-KNOX_METRON_MANAGEMENT_DIR=$KNOX_HOME/data/services/metron-management/$METRON_VERSION
+KNOX_METRON_REST_DIR=$KNOX_HOME/data/services/metron-rest
+KNOX_METRON_ALERTS_DIR=$KNOX_HOME/data/services/metron-alerts
+KNOX_METRON_MANAGEMENT_DIR=$KNOX_HOME/data/services/metron-management
 
-mkdir -p $KNOX_METRON_REST_DIR
-mkdir -p $KNOX_METRON_ALERTS_DIR
-mkdir -p $KNOX_METRON_MANAGEMENT_DIR
+if [ -d "$KNOX_HOME" ]
+then
+    mkdir -p $KNOX_METRON_REST_DIR/$METRON_VERSION
+    mkdir -p $KNOX_METRON_ALERTS_DIR/$METRON_VERSION
+    mkdir -p $KNOX_METRON_MANAGEMENT_DIR/$METRON_VERSION
 
-cp $METRON_HOME/config/knox/data/services/rest/* $KNOX_METRON_REST_DIR
-cp $METRON_HOME/config/knox/data/services/alerts/* $KNOX_METRON_ALERTS_DIR
-cp $METRON_HOME/config/knox/data/services/management/* $KNOX_METRON_MANAGEMENT_DIR
-cp $METRON_HOME/config/knox/conf/topologies/metron.xml $KNOX_HOME/conf/topologies
-cp $METRON_HOME/config/knox/conf/topologies/metronsso.xml $KNOX_HOME/conf/topologies
+    cp $METRON_HOME/config/knox/data/services/rest/* $KNOX_METRON_REST_DIR/$METRON_VERSION
+    cp $METRON_HOME/config/knox/data/services/alerts/* $KNOX_METRON_ALERTS_DIR/$METRON_VERSION
+    cp $METRON_HOME/config/knox/data/services/management/* $KNOX_METRON_MANAGEMENT_DIR/$METRON_VERSION
+    cp $METRON_HOME/config/knox/conf/topologies/metron.xml $KNOX_HOME/conf/topologies
+
+    sudo chown -R $KNOX_USER:$KNOX_GROUP $KNOX_METRON_REST_DIR
+    sudo chown -R $KNOX_USER:$KNOX_GROUP $KNOX_METRON_ALERTS_DIR
+    sudo chown -R $KNOX_USER:$KNOX_GROUP $KNOX_METRON_MANAGEMENT_DIR
+else
+    echo "$KNOX_HOME does not exist. Skipping Metron Knox installation."
+fi
\ No newline at end of file
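Review bot: The new `sudo chown -R` at lines 852–854 covers the three `data/services` trees but not the topology copied at line 850, so `$KNOX_HOME/conf/topologies/metron.xml` keeps the ownership of whoever runs the script (root when Ambari invokes it) while the service definitions are handed to `$KNOX_USER`; if Knox-owned files are the intent, add `sudo chown $KNOX_USER:$KNOX_GROUP $KNOX_HOME/conf/topologies/metron.xml` alongside the other three. None of the `mkdir`/`cp`/`chown` results are checked and only the `-d` test quotes its path, so a failed copy (or a `KNOX_HOME` containing whitespace) leaves a partial install that still exits successfully; quoting the expansions (`"$KNOX_METRON_REST_DIR/$METRON_VERSION"`) and exiting on the first error at the top of the script would let the Ambari caller see the failure. The copy of `metronsso.xml` was dropped from this script, yet the README added in the same commit still lists `$KNOX_HOME/conf/topologies/metronsso.xml` among the files `install_metron_knox.sh` installs; presumably it is now rendered from the MPack template elsewhere, in which case the README list should say so.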

