Dynamically Generating Knox Topology Files
Topology files can be dynamically generated from combinations of Provider Configurations and Descriptors, which can be defined using the Knox Admin UI.
In the early days of Knox, you enabled Knox proxy by editing topology files manually. Topology
files consisted of 3 things:
- Provider configurations: e.g., authentication, federation, authentication, authorization, identity assertion, etc
- HA provider
- Services: component URLs you want to proxy
Most recently, topology files are dynamically generated from combinations of Provider
Configurations and Descriptors, defined using the Knox Admin UI. Additionally, these provider
configurations and descriptors are now shared- you no longer have to specify configurations (e.g.
authentication provider, identity assertion provider, or authorization provider) for each
topology file- you define a Provider Configuration or Descriptor and they are shared across all
topologies you choose. The Admin UI consists of 3 sections:
- Provider Configurations: A named set of providers, e.g., authentication, federation, authentication, authorization, identity assertion, etc. Provider configurations can be shared across descriptors/topologies.
- Descriptors: References the Provider Configurations to declare the policy (authentication, authorization, identity assertion, etc) that goes along with proxying that cluster. Descriptors cannot be shared across topologies; Descriptors and topologies are 1-to-1.
- Topologies: Dynamically generated based on the Provider Configurations and Descriptors you define.
However- the topologies that are managed by Cloudera Manager should be read-only. Within an Cloudera Manager-managed cluster, the Knox Admin UI is to be used for creating additional topologies. When a Knox instance is not managed by Cloudera Manager, all topology management will be done via the Knox Admin UI.