Knox configuration parameters

gateway-site.xml

Parameter: Knox gateway port
Description: HTTP port for Knox
Default value: 8443

Parameter: Gateway whitelist
Description: A semicolon-delimited list of regular expressions that defines the allowed endpoints for Knox dispatches and redirects
Default value: ^https?:\/\/(.*|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$
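
The whitelist is a semicolon-delimited list of regular expressions, each tried against the target URL. The following added example (not part of this page or of Knox itself) parses such a value and probes it with constructed URLs; it assumes each pattern is applied to the whole URL, as the anchored default suggests, and contrasts the default value above, whose leading `.*` alternative accepts any host, with a tightened variant for a hypothetical corp.example domain.

```python
import re

# Default value from the gateway-site.xml table above (copied from the page).
DEFAULT_WHITELIST = r"^https?:\/\/(.*|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"

# Constructed, tightened variant for a hypothetical corp.example domain: the first
# alternative only accepts hosts under corp.example, and [^/:]* keeps the host
# part from spilling into the port or path.
TIGHT_WHITELIST = (
    r"^https?:\/\/([^/:]*\.corp\.example|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"
)


def parse_whitelist(value: str) -> list[re.Pattern]:
    """Split the semicolon-delimited parameter value into compiled patterns.

    Empty entries (for example a trailing ';') are ignored.
    """
    return [re.compile(p) for p in value.split(";") if p.strip()]


def is_allowed(url: str, whitelist: str) -> bool:
    """Return True if any whitelist pattern matches the whole URL.

    Assumption (not stated on the page): every regex is matched against the
    full URL, which is what the ^...$ anchors in the default imply.
    """
    return any(p.fullmatch(url) for p in parse_whitelist(whitelist))


def audit_whitelist(whitelist: str) -> dict[str, bool]:
    """Probe a whitelist with constructed URLs and report which ones pass."""
    probes = [
        "https://localhost:8443/gateway/default/webhdfs/v1/",
        "https://gw1.corp.example:8443/gateway/default/",
        "https://other.example:8443/",   # host outside the organisation
        "https://localhost/gateway/",    # no numeric port after the host
    ]
    return {u: is_allowed(u, whitelist) for u in probes}


if __name__ == "__main__":
    for name, wl in (("default", DEFAULT_WHITELIST), ("tightened", TIGHT_WHITELIST)):
        print(name)
        for url, ok in audit_whitelist(wl).items():
            print(f"  {'allow' if ok else 'deny '}  {url}")
```

With the default value, only the URL lacking a numeric port is denied; the tightened list additionally denies the host outside corp.example while still allowing localhost and the gateway host.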

knox-env.sh

Parameter: KNOX_GATEWAY_MEM_OPTS
Description: A placeholder to allow customization of the gateway server’s JVM memory settings
Default value: —

Parameter: KNOX_GATEWAY_LOG_DIR
Description: Indicates where the gateway server should write its own error/standard output messages to
Default value: /var/log/knox

Configure SSL Knox Gateway

Parameter: gateway.truststore.password.alias
Description: Alias for the password to the truststore file holding the trusted client certificates. Note that an alias with the provided name should be created using the knoxcli.sh create-alias command in order to provide the password; otherwise the master secret will be used
Default value: gateway-truststore-password

Parameter: gateway.truststore.path
Description: Location of the truststore for client certificates to be trusted
Default value: —

Parameter: gateway.truststore.type
Description: Indicates the type of truststore at the path declared in gateway.truststore.path
Default value: JKS

Parameter: gateway.tls.keystore.password.alias
Description: Alias for the password to the keystore file holding the Gateway’s TLS certificate and keypair. Note that an alias with the provided name should be created using the knoxcli.sh create-alias command in order to provide the password; otherwise the master secret will be used
Default value: gateway-identity-keystore-password

Parameter: gateway.tls.keystore.path
Description: The path to the keystore file where the Gateway’s TLS certificate and keypair are stored
Default value: —

Parameter: gateway.tls.keystore.type
Description: The type of the keystore file where the Gateway’s TLS certificate and keypair are stored
Default value: JKS

Parameter: gateway.tls.key.alias
Description: The alias for the Gateway’s TLS certificate and keypair within the default keystore or the keystore specified via gateway.tls.keystore.path
Default value: gateway-identity

Parameter: key_passphrase
Description: Passphrase for the Gateway’s TLS private key stored within the default keystore or the keystore specified via gateway.tls.keystore.path. If empty, the keystore password is used
Default value: —

Parameter: gateway.tls.key.passphrase.alias
Description: The alias for the passphrase for the Gateway’s TLS private key stored within the default keystore or the keystore specified via gateway.tls.keystore.path. Note that an alias with the provided name should be created using the knoxcli.sh create-alias command in order to provide the password; otherwise the keystore password or the master secret will be used
Default value: gateway-identity-passphrase

Parameter: ssl.exclude.protocols
Description: A comma- or pipe-separated list of protocols that are not accepted for SSL, or none
Default value: SSLv2,SSLv3,TLSv1,TLSv1.1

External LDAP authentication

Parameter: main.ldapRealm.contextFactory.url
Description: The URL that represents the host and port of the LDAP server. It also includes the scheme of the protocol to use. This may be either ldap or ldaps depending on whether you are communicating with the LDAP over SSL (highly recommended)
Default value: ldap://example.com:389

Parameter: main.ldapRealm.contextFactory.systemUsername
Description: Full distinguished name (DN) including common name (CN) of an AD user account that can search for users
Default value: —

Parameter: main.ldapRealm.contextFactory.systemPassword
Description: Password for the account associated with main.ldapRealm.contextFactory.systemUsername
Default value: —

Parameter: main.ldapRealm.searchBase
Description: The distinguished name (DN) of a starting point for directory server searches
Default value: —

Parameter: main.ldapRealm.userObjectClass
Description: LDAP User Object Class
Default value: Person

Parameter: main.ldapRealm.userSearchAttributeName
Description: Attribute name for simplified search filter
Default value: sAMAccountName

Parameter: main.ldapRealm.groupSearchBase
Description: Search base for the groups
Default value: —

Parameter: main.ldapRealm.groupObjectClass
Description: LDAP Group object class
Default value: group

Parameter: main.ldapRealm.groupIdAttribute
Description: Attribute that uniquely identifies a group
Default value: sAMAccountName

Parameter: sessionTimeout
Description: The session idle time in minutes
Default value: 30

Parameter: main.ldapRealm
Description: Classname for Knox Shiro Realm implementation
Default value: org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm

Parameter: main.ldapContextFactory
Description: Classname for Knox Shiro LdapContextFactory implementation
Default value: org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory

Parameter: main.ldapRealm.contextFactory
Description: Context factory in the realm
Default value: $ldapContextFactory

Parameter: main.ldapRealm.userSearchBase
Description: Overrides main.ldapRealm.searchBase
Default value: —

Parameter: main.ldapRealm.memberAttribute
Description: Provides the group members
Default value: member

security

Parameter: Master Secret
Description: Master Secret that is used to protect the keystore, truststores, and credential stores for the gateway instance
Default value: —

Parameter: Ranger plugin credstore password
Description: Ranger plugin credential provider password
Default value: —

ranger-knox-audit.xml

Parameter: xasecure.audit.destination.solr.batch.filespool.dir
Description: Local disk directory for spool files
Default value: /srv/ranger/knox/audit_solr_spool

ranger-knox-security.xml

Parameter: ranger.plugin.knox.policy.cache.dir
Description: Directory to store Ranger policies once they are fetched
Default value: /srv/ranger/knox/policycache

Parameter: ranger.plugin.knox.policy.pollIntervalMs
Description: Interval to check for policy changes
Default value: 30000

Parameter: ranger.plugin.knox.policy.rest.client.connection.timeoutMs
Description: Connection timeout in milliseconds
Default value: 120000

Parameter: ranger.plugin.knox.policy.rest.client.read.timeoutMs
Description: Read timeout in milliseconds
Default value: 30000

Parameter: ranger.plugin.knox.policy.source.impl
Description: Class used to retrieve policies
Default value: org.apache.ranger.admin.client.RangerAdminJersey2RESTClient

ranger-knox-policymgr-ssl.xml

Parameter: xasecure.policymgr.clientssl.keystore
Description: The location of the keystore file that was created previously
Default value: —

Parameter: xasecure.policymgr.clientssl.keystore.credential.file
Description: Path to the credential file for keystore password
Default value: /etc/knox/conf/rangerusersync.jceks

Parameter: xasecure.policymgr.clientssl.truststore.credential.file
Description: Path to the credential file for truststore password
Default value: /etc/knox/conf/rangerusersync.jceks

Parameter: xasecure.policymgr.clientssl.truststore
Description: The location of the truststore file that was created previously
Default value: —

Parameter: xasecure.policymgr.clientssl.keystore.password
Description: The password for the Ranger KMS JKS keystore file
Default value: —

Parameter: xasecure.policymgr.clientssl.truststore.password
Description: The password for the Knox Server JKS truststore file
Default value: —

Other

Parameter: Custom gateway-site.xml
Description: In this section you can define values for custom parameters that are not displayed in the ADCM UI but are allowed in the gateway-site.xml configuration file
Default value: —

Parameter: Custom knox-env.sh
Description: In this section you can define values for custom parameters that are not displayed in the ADCM UI but are allowed in the knox-env.sh configuration file
Default value: —

Parameter: Custom ranger-knox-audit.xml
Description: In this section you can define values for custom parameters that are not displayed in the ADCM UI but are allowed in the ranger-knox-audit.xml configuration file
Default value: —

Parameter: Custom ranger-knox-security.xml
Description: In this section you can define values for custom parameters that are not displayed in the ADCM UI but are allowed in the ranger-knox-security.xml configuration file
Default value: —

Parameter: Custom ranger-knox-policymgr-ssl.xml
Description: In this section you can define values for custom parameters that are not displayed in the ADCM UI but are allowed in the ranger-knox-policymgr-ssl.xml configuration file
Default value: —

 
The Knox Gateway component contains the logging settings described below.

gateway-log4j2.xml template
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Configuration>
    <Properties>
        <Property name="app.log.dir">${env:KNOX_GATEWAY_LOG_DIR}</Property>
        <Property name="app.log.file">${sys:launcher.name}.log</Property>
        <Property name="app.audit.file">${sys:launcher.name}-audit.log</Property>
    </Properties>

    <Appenders>
        <RollingFile name="auditfile" fileName="${app.log.dir}/${app.audit.file}" filePattern="${app.log.dir}/${app.audit.file}.%d{yyyy-MM-dd}">
            <AuditLayout />
            <TimeBasedTriggeringPolicy />
        </RollingFile>
        <Console name="stdout" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n" />
        </Console>
        <RollingFile name="drfa" fileName="${app.log.dir}/${app.log.file}" filePattern="${app.log.dir}/${app.log.file}.%d{yyyy-MM-dd}">
            <!-- Same as ISO8601 format but without the 'T' (log4j1 compatible) -->
            <PatternLayout pattern="%d{yyyy-MM-dd' 'HH:mm:ss,SSS} %X{trace_id} %-5p %c{2} (%F:%M(%L)) - %m%n" />
            <TimeBasedTriggeringPolicy />
        </RollingFile>
<!--        <RollingFile name="httpclient" fileName="${app.log.dir}/${launcher.name}-http-client.log" filePattern="${app.log.dir}/${launcher.name}-http-client.log.%d{yyyy-MM-dd}">-->
<!--            <PatternLayout pattern="%d{ISO8601}|%t|%m%n" />-->
<!--            <TimeBasedTriggeringPolicy />-->
<!--        </RollingFile>-->
<!--        <RollingFile name="httpaccess" fileName="${app.log.dir}/${launcher.name}-http-access.log" filePattern="${app.log.dir}/${launcher.name}-http-access.log.%d{yyyy-MM-dd}">-->
<!--            <PatternLayout pattern="%d{ISO8601}|%t|%m%n" />-->
<!--            <TimeBasedTriggeringPolicy />-->
<!--        </RollingFile>-->
<!--        <RollingFile name="httpserver" fileName="${app.log.dir}/${launcher.name}-http-server.log" filePattern="${app.log.dir}/${launcher.name}-http-server.log.%d{yyyy-MM-dd}">-->
<!--            <PatternLayout pattern="%d{ISO8601}|%t|%m%n" />-->
<!--            <TimeBasedTriggeringPolicy />-->
<!--        </RollingFile>-->
    </Appenders>
    <Loggers>
        <Logger name="audit" level="INFO">
            <AppenderRef ref="auditfile" />
        </Logger>
        <Logger name="org.apache.knox.gateway" level="INFO" />
        <Root level="ERROR">
            <AppenderRef ref="drfa" />
        </Root>
<!--        <Logger name="org.apache.knox.gateway.websockets" level="DEBUG" />-->
<!--        <Logger name="org.springframework" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway.http.request.body" level="OFF" />-->
<!--        <Logger name="org.apache.knox.gateway.http" level="TRACE">-->
<!--            <AppenderRef ref="httpserver" />-->
<!--        </Logger>-->
<!--        <Logger name="org.apache.shiro" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway.http.response.body" level="OFF" />-->
<!--        <Logger name="org.apache.http.client" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway.http.request.headers" level="OFF" />-->
<!--        <Logger name="org.apache.http.wire" level="DEBUG">-->
<!--            <AppenderRef ref="httpclient" />-->
<!--        </Logger>-->
<!--        <Logger name="org.apache.knox.gateway.http.response.headers" level="OFF" />-->
<!--        <Logger name="net.sf.ehcache" level="DEBUG" />-->
<!--        <Logger name="org.apache.http" level="DEBUG" />-->
<!--        <Logger name="org.apache.http.headers" level="DEBUG" />-->
<!--        <Logger name="org.apache.shiro.util.ThreadContext" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway" level="DEBUG" />-->
<!--        <Logger name="org.eclipse.jetty" level="DEBUG" />-->
<!--        <Logger name="org.apache.knox.gateway.access" level="TRACE">-->
<!--            <AppenderRef ref="httpaccess" />-->
<!--        </Logger>-->
    </Loggers>
</Configuration>
knoxshell-log4j2.xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Configuration>
    <Properties>
        <Property name="app.log.dir">${env:KNOX_GATEWAY_LOG_DIR}</Property>
        <Property name="app.log.file">${sys:launcher.name}.log</Property>
    </Properties>
    <Appenders>
        <Console name="stdout" target="SYSTEM_OUT">
            <PatternLayout pattern="%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n" />
        </Console>
        <RollingFile name="drfa" fileName="${app.log.dir}/${app.log.file}" filePattern="${app.log.dir}/${app.log.file}.%d{yyyy-MM-dd}">
            <PatternLayout pattern="%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n" />
            <TimeBasedTriggeringPolicy />
        </RollingFile>
    </Appenders>
    <Loggers>
        <Logger name="org.apache.http.impl.client" level="INFO" />
        <Logger name="org.apache.http.client" level="INFO" />
        <Logger name="org.apache.http.impl.conn" level="INFO" />
        <Root level="ERROR">
            <AppenderRef ref="drfa" />
        </Root>
    </Loggers>
</Configuration>