Cloudera Docs

Dynamically generating Knox topology files

Topology files can be dynamically generated from combinations of provider configurations and descriptors, which can be defined using Cloudera Manager.

In the early days of Knox, you enabled Knox proxy by editing topology files directly. The topology files consisted of the following things:
  • Provider configurations: For example, authentication, federation, authorization, identity assertion, HA, and so on.
  • Services: Native Knox services (for example, KNOXTOKEN) or proxied services.
You configured each of the above list in every topology file.
More recently, topology files can be dynamically generated from combinations of provider configurations and descriptors. Additionally, these provider configurations are now shared; you no longer have to specify configurations (for example, authentication provider, identity assertion provider, or authorization provider) for each topology file. You define a provider configuration which can be shared by many descriptors. The following list describes provider configurations, descriptors, and topologies:
  • Provider configurations: A named set of providers, for example, authentication, federation, authentication, authorization, identity assertion, and so on. Provider configurations can be shared across descriptors or topologies.
  • Descriptors: References the provider configurations to declare the policy (authentication, authorization, identity assertion, and so on) that goes along with proxying that cluster. Descriptors and topologies are 1-to-1.
  • Topologies: Dynamically generated based on the descriptors you define.

However, the topologies that are managed by Cloudera Manager should be read-only. Within a Cloudera Manager managed cluster, use Cloudera Manager for creating additional topologies.