Hadoop Security Guide

LDAP Authentication Caching

You can also configure the Apache Knox Gateway to cache LDAP authentication information by leveraging the built-in caching mechanisms that the Shiro EhCache Manager provides. Caching LDAP authentication information eliminates the need to authenticate against the LDAP server each time you use the gateway.

Note

When the authentication information is cached, the Knox gateway will not authenticate the user again until the cache expires.

To enable LDAP authentication caching using the Shiro Provider, follow the steps listed below.

  1. Use the org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm realm in the Shiro configuration.

  2. Set the main.ldapRealm.authenticationCachingEnabled property to true, as in the example shown below.

    <provider>
        <role>authentication</role>
        <enabled>true</enabled>
        <param>
            <name>main.ldapRealm</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
        </param>
        <param>
            <name>main.ldapGroupContextFactory</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory</name>
            <value>$ldapGroupContextFactory</value>
        </param>
        <param>
            <name>main.ldapRealm.ContextFactory.url</name>
            <value>ldap://localhost:33389</value>
        </param>
        <param>
            <name>main.ldapRealm.authorizationEnabled</name>
            <value>true</value>
        </param>
        <param>
            <name>main.ldapRealm.searchBase</name>
            <value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
            <name>main.cacheManager</name>
            <value>org.apache.shiro.cache.ehcache.EhCacheManager</value>
        </param>
        <param>
            <name>main.securityManager.cacheManager</name>
            <value>$cacheManager</value>
        </param>
        <param>
            <name>main.ldapRealm.authenticationCachingEnabled</name>
            <value>true</value>
        </param>
        <param>
            <name>main.ldapRealm.memberAttributeValueTemplate</name>
            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory.systemUsername</name>
            <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory.systemPassword</name>
            <value>guest-password</value>
        </param>
        <param>
            <name>urls./**</name>
            <value>authcBasic</value>
        </param>
    </provider>

    These are the properties you need to configure to enable LDAP authentication caching on the Knox Gateway. The Knox Gateway also ships several template topology files that you can use to test the caching function; you can find them in the templates directory. To test the caching function, perform the steps listed below.

    1. Navigate to the Knox gateway HOME directory.

      cd {GATEWAY_HOME}
    2. Copy the template topology file to your sandbox topology.

      cp templates/sandbox.knoxrealm.ehcache.xml conf/topologies/sandbox.xml
    3. Start the LDAP authentication provider.

      bin/ldap.sh start
    4. Start the Knox gateway.

      bin/gateway.sh start
    5. Once the gateway is started, make the following WebHDFS API call:

      curl -ivk -u tom:tom-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
    6. To see LDAP authentication caching working, shut down the LDAP authentication provider.

      bin/ldap.sh stop
    7. Run the WebHDFS API call again.

      curl -ivk -u tom:tom-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
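As an added illustration that is not part of the original guide or of Knox itself, the following Python model replays the start/stop sequence above against a stand-in for the demo LDAP server and a realm that behaves like KnoxLdapRealm with authenticationCachingEnabled set to true. The cache policy (entries keyed by principal, living for a fixed number of seconds) and the user sam are assumptions; the user tom and the stop/start steps come from the procedure above. Beyond the procedure itself, it also shows what the note above implies: a password rotated in LDAP while the entry is cached keeps working until the entry expires.

```python
import hashlib
import hmac

class DemoLdap:
    """Constructed stand-in for the Knox demo LDAP server (bin/ldap.sh)."""
    def __init__(self, users):
        self.users = dict(users)  # uid -> password
        self.running = True

    def bind(self, user, password):
        if not self.running:
            raise ConnectionError("LDAP server is not reachable")
        return self.users.get(user) == password

class CachingRealm:
    """Model of KnoxLdapRealm with authenticationCachingEnabled=true (assumed policy: principal-keyed entries living `ttl` seconds)."""
    def __init__(self, ldap, ttl, clock):
        self.ldap, self.ttl, self.clock = ldap, ttl, clock
        self.cache = {}  # principal -> (sha256 of verified password, expiry)

    def authenticate(self, user, password):
        digest = hashlib.sha256(password.encode()).digest()
        entry = self.cache.get(user)
        if entry and entry[1] > self.clock():
            # Cache hit: credentials are compared locally, LDAP is not contacted
            return hmac.compare_digest(entry[0], digest)
        ok = self.ldap.bind(user, password)  # miss or expired entry: real bind
        if ok:
            self.cache[user] = (digest, self.clock() + self.ttl)
        return ok

def walkthrough(ttl=60):
    now = [0.0]  # fake clock so expiry can be advanced deterministically
    ldap = DemoLdap({"tom": "tom-password"})
    realm = CachingRealm(ldap, ttl, clock=lambda: now[0])
    out = {"ldap_up": realm.authenticate("tom", "tom-password")}        # real bind
    ldap.running = False                                                # bin/ldap.sh stop
    out["ldap_down_cached"] = realm.authenticate("tom", "tom-password")  # served from cache
    out["ldap_down_wrong_pw"] = realm.authenticate("tom", "guess")      # cache hit, mismatch
    try:                                                                # user never cached
        out["ldap_down_uncached"] = realm.authenticate("sam", "sam-password")
    except ConnectionError:
        out["ldap_down_uncached"] = "error"
    ldap.running = True                                                 # bin/ldap.sh start
    ldap.users["tom"] = "rotated-password"                              # changed in LDAP
    out["old_pw_before_expiry"] = realm.authenticate("tom", "tom-password")  # stale hit
    now[0] += ttl + 1
    out["old_pw_after_expiry"] = realm.authenticate("tom", "tom-password")   # re-bound
    out["new_pw_after_expiry"] = realm.authenticate("tom", "rotated-password")
    return out
```

The entry lifetime is what bounds how long a rotated or disabled LDAP password stays usable at the gateway, so the EhCache region's lifetime should be chosen with that in mind.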