Configuring Proxy with Apache Knox

Configure LDAP Authentication Caching

How to enable LDAP authentication caching using the Shiro Provider.

You can configure the Apache Knox Gateway to cache LDAP authentication results by using the caching support built into Shiro; the Knox cache manager is backed by EhCache. With caching enabled, the gateway does not have to bind to the LDAP server on every request it proxies, which removes a network round trip per call and reduces load on the directory.
Note

When authentication information is cached, the Knox gateway does not contact LDAP for that user again until the cached entry expires. This also means that a password change, account lockout, or group change made in the directory is not seen by the gateway until expiry, so size the cache lifetime to match how quickly you need such changes to take effect.

  1. Use org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm as the realm in the Shiro configuration.
  2. Define a cache manager, attach it to the security manager, and set the main.ldapRealm.authenticationCachingEnabled property, as in the example below:
    <provider>
        <role>authentication</role>
        <enabled>true</enabled>
        <param>
            <name>main.ldapRealm</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
        </param>
        <param>
            <name>main.ldapGroupContextFactory</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory</name>
            <value>$ldapGroupContextFactory</value>
        </param>
        <param>
            <name>main.ldapRealm.ContextFactory.url</name>
            <value>ldap://localhost:33389</value>
        </param>
        <param>
            <name>main.ldapRealm.authorizationEnabled</name>
            <value>true</value>
        </param>
        <param>
            <name>main.ldapRealm.searchBase</name>
            <value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
            <name>main.cacheManager</name>
            <value>org.apache.knox.gateway.shirorealm.KnoxCacheManager</value>
        </param>
        <param>
            <name>main.securityManager.cacheManager</name>
            <value>$cacheManager</value>
        </param>
        <param>
            <name>main.ldapRealm.authenticationCachingEnabled</name>
            <value>true</value>
        </param>
        <param>
            <name>main.ldapRealm.memberAttributeValueTemplate</name>
            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory.systemUsername</name>
            <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory.systemPassword</name>
            <value>guest-password</value>
        </param>
        <param>
            <name>urls./**</name>
            <value>authcBasic</value>
        </param>
    </provider>
    The three properties that turn caching on are main.cacheManager (the cache implementation), main.securityManager.cacheManager (which must reference it as $cacheManager), and main.ldapRealm.authenticationCachingEnabled. Property names are case-sensitive bean paths, and a value starting with $ is treated by Shiro as a reference to another named object, so check both carefully when copying this block. The system account password above is in clear text for the demo LDAP server; in a real deployment store it in the Knox credential store and reference it as ${ALIAS=ldcSystemPassword}. The Knox Gateway also ships template topology files that you can use to test the caching function; they are in the templates directory.
  3. Test the caching function:
    1. Change to the Knox gateway home directory: cd $GATEWAY_HOME.
    2. Copy the caching template over the sandbox topology:
      cp templates/sandbox.knoxrealm.ehcache.xml conf/topologies/sandbox.xml
    3. Start the demo LDAP server: bin/ldap.sh start
    4. Start the Knox gateway: bin/gateway.sh start
    5. Once the gateway is up, make a WebHDFS call through it so that the first request authenticates against LDAP and populates the cache:
      curl -ivk -u tom:tom-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
    6. To confirm that caching is working, stop the LDAP server so that no further bind is possible: bin/ldap.sh stop
    7. Run the same WebHDFS call again. It should still return successfully, because the credentials are served from the cache rather than from LDAP; once the cached entry expires, the same call fails until LDAP is started again.
      curl -ivk -u tom:tom-password -X GET https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY
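A Shiro provider block that is mistyped usually fails quietly: the realm starts, but the cache is never attached or the LDAP bind never succeeds, and the test procedure above fails for a reason unrelated to caching. The following script is an added example, not part of Knox or this page's original content, that lints the authentication provider in a topology file before you start the gateway. It checks that the cache manager is wired to both the security manager and the realm, and catches the kinds of typos that break such configurations (a `$` in front of the LDAP URL, a DN with a missing comma or a wrong separator, a property name with the wrong case, a bind password left in clear text). The embedded topology is a constructed sample based on the provider block in step 2; the key list and the `${ALIAS=...}` check reflect the Knox credential-store convention and are the script's own assumptions.

```python
"""Lint a Knox topology's Shiro authentication provider for LDAP caching.

Added example, not part of the Knox project. It parses the <provider> block,
checks the cache wiring, and flags typos that silently break Shiro configs.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's provider block wrapped in a minimal topology.
TOPOLOGY_XML = """<topology><gateway><provider>
  <role>authentication</role><enabled>true</enabled>
  <param><name>main.ldapRealm</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
  <param><name>main.ldapGroupContextFactory</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value></param>
  <param><name>main.ldapRealm.contextFactory</name><value>$ldapGroupContextFactory</value></param>
  <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://localhost:33389</value></param>
  <param><name>main.ldapRealm.authorizationEnabled</name><value>true</value></param>
  <param><name>main.ldapRealm.searchBase</name><value>ou=groups,dc=hadoop,dc=apache,dc=org</value></param>
  <param><name>main.cacheManager</name><value>org.apache.knox.gateway.shirorealm.KnoxCacheManager</value></param>
  <param><name>main.securityManager.cacheManager</name><value>$cacheManager</value></param>
  <param><name>main.ldapRealm.authenticationCachingEnabled</name><value>true</value></param>
  <param><name>main.ldapRealm.memberAttributeValueTemplate</name><value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value></param>
  <param><name>main.ldapRealm.contextFactory.systemUsername</name><value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value></param>
  <param><name>main.ldapRealm.contextFactory.systemPassword</name><value>guest-password</value></param>
  <param><name>urls./**</name><value>authcBasic</value></param>
</provider></gateway></topology>"""

# Property names used by this configuration (assumed list; names are case-sensitive).
KNOWN = {
    "main.ldapRealm", "main.ldapGroupContextFactory", "main.ldapRealm.contextFactory",
    "main.ldapRealm.contextFactory.url", "main.ldapRealm.authorizationEnabled",
    "main.ldapRealm.searchBase", "main.cacheManager", "main.securityManager.cacheManager",
    "main.ldapRealm.authenticationCachingEnabled", "main.ldapRealm.memberAttributeValueTemplate",
    "main.ldapRealm.contextFactory.systemUsername", "main.ldapRealm.contextFactory.systemPassword",
    "urls./**",
}
DN_PROPS = ("main.ldapRealm.searchBase", "main.ldapRealm.memberAttributeValueTemplate",
            "main.ldapRealm.contextFactory.systemUsername")
RDN = re.compile(r"^\s*[A-Za-z][\w-]*=[^=]+$")  # one attr=value per comma-separated RDN


def shiro_params(xml_text):
    """Return {name: value} for the enabled authentication provider, or {} if none."""
    root = ET.fromstring(xml_text)
    for prov in root.iter("provider"):
        if prov.findtext("role") == "authentication" and prov.findtext("enabled") == "true":
            return {p.findtext("name"): p.findtext("value") for p in prov.findall("param")}
    return {}


def check_caching(params):
    """Return a list of findings; an empty list means the block is cache-ready."""
    findings = []
    # 1. Bean paths are case-sensitive: ContextFactory is not contextFactory.
    by_lower = {k.lower(): k for k in KNOWN}
    for key in params:
        if key not in KNOWN and key.lower() in by_lower:
            findings.append(f"{key}: wrong case, expected {by_lower[key.lower()]}")
    # 2. Caching needs the realm flag and a cache manager wired into the security manager.
    if params.get("main.ldapRealm.authenticationCachingEnabled") != "true":
        findings.append("main.ldapRealm.authenticationCachingEnabled is not 'true'")
    if "main.cacheManager" not in params or params.get("main.securityManager.cacheManager") != "$cacheManager":
        findings.append("main.cacheManager must be defined and referenced as $cacheManager")
    # 3. A leading '$' makes Shiro treat the URL as an object reference, not an address.
    url = params.get("main.ldapRealm.contextFactory.url", "")
    if not re.match(r"^ldaps?://", url):
        findings.append(f"contextFactory.url must start with ldap:// or ldaps://, got {url!r}")
    # 4. DN-valued properties must be comma-separated attr=value RDNs (catches ou-groups, uid={0}ou=...).
    for key in DN_PROPS:
        dn = params.get(key, "")
        if dn and not all(RDN.match(rdn) for rdn in dn.split(",")):
            findings.append(f"{key}: malformed DN {dn!r}")
    # 5. The bind password belongs in the Knox credential store, not in the topology file.
    pw = params.get("main.ldapRealm.contextFactory.systemPassword", "")
    if pw and not pw.startswith("${ALIAS="):
        findings.append("systemPassword is clear text; use a ${ALIAS=...} credential-store reference")
    return findings


if __name__ == "__main__":
    for line in check_caching(shiro_params(TOPOLOGY_XML)) or ["no findings"]:
        print(line)
```

Run against the sample as written it reports only the clear-text system password; feed it the page's original block (with `$ldap://`, `ou-groups`, `uid={0}ou=people` and `main.ldapRealm.ContextFactory`) and every one of those mistakes is listed before the gateway is ever started. To lint a real file, replace `TOPOLOGY_XML` with the contents of `conf/topologies/<name>.xml`.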