LDAP Authentication Caching
You can also configure the Apache Knox Gateway to cache LDAP authentication information by using the built-in caching that the Shiro EhCache Manager provides. Caching LDAP authentication information eliminates the need to authenticate against the LDAP server each time the gateway is used.
Note: When the authentication information is cached, the Knox gateway will not authenticate the user against the LDAP server again until the cache expires.
To enable LDAP authentication caching using the Shiro Provider, follow the steps listed below.

1. Use the `org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm` realm in the Shiro configuration.
2. Set the `main.ldapRealm.authenticationCachingEnabled` property to `true`, similar to the example shown below.

```xml
<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
    </param>
    <param>
        <name>main.ldapGroupContextFactory</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
    </param>
    <!-- $name refers to an object defined earlier with main.name -->
    <param>
        <name>main.ldapRealm.contextFactory</name>
        <value>$ldapGroupContextFactory</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://localhost:33389</value>
    </param>
    <param>
        <name>main.ldapRealm.authorizationEnabled</name>
        <value>true</value>
    </param>
    <param>
        <name>main.ldapRealm.searchBase</name>
        <value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
    </param>
    <!-- cache manager, attached to the security manager so the realm can use it -->
    <param>
        <name>main.cacheManager</name>
        <value>org.apache.shiro.cache.ehcache.EhCacheManager</value>
    </param>
    <param>
        <name>main.securityManager.cacheManager</name>
        <value>$cacheManager</value>
    </param>
    <param>
        <name>main.ldapRealm.authenticationCachingEnabled</name>
        <value>true</value>
    </param>
    <param>
        <name>main.ldapRealm.memberAttributeValueTemplate</name>
        <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.systemUsername</name>
        <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.systemPassword</name>
        <value>guest-password</value>
    </param>
    <param>
        <name>urls./**</name>
        <value>authcBasic</value>
    </param>
</provider>
```
In this example, these are the properties you need to configure to set up the Knox Gateway for LDAP authentication caching. The Knox Gateway also includes several template topology files that you can use to test the caching function; you can find them in the templates directory. To test the caching function, perform the steps listed below.
1. Navigate to the Knox gateway HOME directory.

```
cd {GATEWAY_HOME}
```

2. Copy the template topology file to your sandbox.

```
cp templates/sandbox.knoxrealm.ehcache.xml conf/topologies/sandbox.xml
```

3. Start the LDAP authentication provider.

```
bin/ldap.sh start
```

4. Start the Knox gateway.

```
bin/gateway.sh start
```

5. Once the gateway is started, make the following WebHDFS API call:

```
curl -ivk -u tom:tom-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
```

6. To see LDAP authentication caching working, shut down the LDAP authentication provider.

```
bin/ldap.sh stop
```

7. Run the WebHDFS API call again. It still succeeds even though the LDAP server is down, because the gateway serves the cached authentication result.

```
curl -ivk -u tom:tom-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
```
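The provider configuration above only works when several properties agree with one another: the realm's caching flag must be on, the cache manager must be defined and attached to the security manager, and the member template and Shiro filter must be spelled correctly, which is exactly the kind of mistake (a stray `$`, `ou-groups`, `authBasic`) that is hard to spot by eye and that the manual test above would only reveal after the gateway is restarted. The following Python script is an added example, not Apache Knox code: it parses a topology file, pulls the `<param>` entries of the enabled authentication provider, and reports findings before deployment. It also flags a plain `ldap://` URL, since with caching enabled the user's password is still sent to the LDAP server on the first request. The sample topology embedded in it is constructed for the example and modelled on the provider shown above; the script never contacts LDAP or the gateway.

```python
"""Static check of the Shiro authentication provider in a Knox topology
for LDAP authentication caching. Added example, not part of Apache Knox;
it only inspects the XML and never contacts LDAP or the gateway."""
import xml.etree.ElementTree as ET

# Constructed sample topology, modelled on the provider configuration above.
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>main.ldapRealm</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
      <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://localhost:33389</value></param>
      <param><name>main.ldapRealm.searchBase</name><value>ou=groups,dc=hadoop,dc=apache,dc=org</value></param>
      <param><name>main.cacheManager</name><value>org.apache.shiro.cache.ehcache.EhCacheManager</value></param>
      <param><name>main.securityManager.cacheManager</name><value>$cacheManager</value></param>
      <param><name>main.ldapRealm.authenticationCachingEnabled</name><value>true</value></param>
      <param><name>main.ldapRealm.memberAttributeValueTemplate</name><value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value></param>
      <param><name>main.ldapRealm.contextFactory.systemUsername</name><value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value></param>
      <param><name>main.ldapRealm.contextFactory.systemPassword</name><value>guest-password</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
  </gateway>
</topology>"""


def authentication_params(topology_xml):
    """Return {name: value} for the <param> entries of the first enabled
    provider with <role>authentication</role>, or {} if there is none."""
    root = ET.fromstring(topology_xml)
    for provider in root.iter("provider"):
        if (provider.findtext("role", "").strip() != "authentication"
                or provider.findtext("enabled", "true").strip().lower() != "true"):
            continue
        return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
                for p in provider.findall("param")}
    return {}


def caching_findings(params):
    """Return a list of problems with the LDAP authentication caching setup.
    An empty list means caching is wired up consistently and nothing was flagged."""
    findings = []
    if params.get("main.ldapRealm.authenticationCachingEnabled", "").lower() != "true":
        findings.append("main.ldapRealm.authenticationCachingEnabled is not true: "
                        "every request is authenticated against LDAP")
        return findings
    # Shiro's '$name' syntax refers to an object defined earlier as 'main.name';
    # the cache manager must exist and be attached to the security manager,
    # otherwise the realm has nowhere to store authentication results.
    ref = params.get("main.securityManager.cacheManager", "")
    if not ref.startswith("$") or ("main." + ref[1:]) not in params:
        findings.append("main.securityManager.cacheManager does not reference a "
                        "defined cache manager (got %r)" % ref)
    # The member template is a DN pattern; {0} is replaced by the user name.
    tmpl = params.get("main.ldapRealm.memberAttributeValueTemplate", "")
    if "{0}" not in tmpl:
        findings.append("memberAttributeValueTemplate should look like "
                        "'uid={0},ou=...' (got %r)" % tmpl)
    # 'authcBasic' is the Shiro HTTP Basic authentication filter name.
    if params.get("urls./**", "") != "authcBasic":
        findings.append("urls./** should use the Shiro 'authcBasic' filter")
    url = params.get("main.ldapRealm.contextFactory.url", "")
    if not url.startswith("ldaps://"):
        findings.append("contextFactory.url %r is not ldaps://: user credentials "
                        "travel to the LDAP server unencrypted" % url)
    return findings


if __name__ == "__main__":
    for finding in caching_findings(authentication_params(SAMPLE_TOPOLOGY)):
        print("finding:", finding)
```

Run it against a real topology by replacing `SAMPLE_TOPOLOGY` with the contents of `conf/topologies/sandbox.xml`. Keep in mind the caveat in the note above when relying on the cache: a password change or account disablement made in LDAP is not seen by the gateway until the cached entry expires, so the cache lifetime should be chosen with that in mind.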