
Topology Policy Separation

Introduction

Since the very beginning of the Knox design through the current release, 0.4.0, the topology file used to deploy cluster topologies has consisted of both policy enforcement "provider" definitions and service definitions.

There are a couple of problems with this approach.

  1. the expected sources of topology information will not contain the information and configuration required for policy enforcement or provider selection
  2. the configuration of the providers within each topology is often redundant and presents a management issue when changes are required to deployed topologies
  3. the topology file ends up much more like a configuration file than a deployment descriptor

As Apache Knox matures it needs to start providing management capabilities consisting of:

  • Management APIs
  • Console Applications/UIs and/or Ambari Views
  • Centralized Policy Management
  • Topology Discovery through Ambari, ZooKeeper or other registries

This document will discuss policy management details and how to separate policy from topology information and organize it within a policy store.

High Level Reusable Policy Files

Let's start with a highly readable policy file syntax that encompasses all of the pertinent semantics without requiring the low level details for enforcement.

JSON presents a good choice for this as it is very readable yet structured.

The following non-normative example demonstrates the:

  • removal of the notion of "role" - role becomes the policy type
  • removal of the notion of "enabled" - inclusion implies enabled
  • removal of the low-level config details
  • reference to the needed details
  • ability to compose reusable policies with reusable config

Let's consider this the default topology policy:

default-policy.json
{
    "authentication" : {
        "name" : "shiro",
        "config" : "basic-ldap-1"
    },
    "identity-assertion" : {
        "name" : "kerberos",
        "config" : "kdc-1"
    },
    "authorization" : {
        "name" : "AclsAuthz",
        "config" : "default-authz"
    },
    "host-mapping" : {
        "name" : "hostmap",
        "config" : "sandbox"
    }
}
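The following is an added example, not Knox code, showing how a policy file of this shape can be parsed and then resolved against a policy store so that each policy type becomes a provider "role", inclusion implies "enabled", and each "config" reference is expanded into the low-level parameters the topology file used to carry inline. The store layout (a dictionary keyed by config name) and the parameter values are assumptions constructed for the example; the "sandbox" config is deliberately left out of the store to show how a dangling reference is reported rather than silently dropped.

```python
import json

# Constructed sample: the page's default-policy.json as valid JSON.
DEFAULT_POLICY = """
{
    "authentication":     { "name": "shiro",     "config": "basic-ldap-1" },
    "identity-assertion": { "name": "kerberos",  "config": "kdc-1" },
    "authorization":      { "name": "AclsAuthz", "config": "default-authz" },
    "host-mapping":       { "name": "hostmap",   "config": "sandbox" }
}
"""

# Constructed sample policy store: reusable provider configs keyed by the name a
# policy refers to via "config". Parameter names are patterned on Knox's sandbox
# topology but the values are illustrative. "sandbox" is omitted on purpose so
# the host-mapping reference cannot be resolved.
CONFIG_STORE = {
    "basic-ldap-1": {
        "main.ldapRealm": "org.apache.shiro.realm.ldap.JndiLdapRealm",
        "main.ldapRealm.userDnTemplate": "uid={0},ou=people,dc=example,dc=com",
        "main.ldapRealm.contextFactory.url": "ldap://ldap.example.com:389",
    },
    "kdc-1": {"principal.mapping": "guest=hdfs"},
    "default-authz": {"WEBHDFS.acl": "hdfs;*;*"},
}

# Policy types this example recognises; each maps back to a provider role.
POLICY_TYPES = ("authentication", "identity-assertion", "authorization", "host-mapping")


def load_policy(text):
    """Parse a policy file and validate its shape. Returns (policy, errors)."""
    policy = json.loads(text)
    errors = []
    for ptype, entry in policy.items():
        if ptype not in POLICY_TYPES:
            errors.append(f"unknown policy type {ptype!r}")
            continue
        if not isinstance(entry, dict) or not {"name", "config"}.issubset(entry):
            errors.append(f"{ptype}: entry needs both 'name' and 'config'")
    return policy, errors


def resolve_policy(policy, store):
    """Expand each policy entry into the low-level provider form (role, name,
    enabled, params). The policy type becomes the role and inclusion implies
    enabled=true. Returns (providers, missing), where missing lists the
    (type, config) references the store cannot satisfy. Provider order follows
    the policy file, which matters because the chain runs in that order."""
    providers, missing = [], []
    for ptype, entry in policy.items():
        params = store.get(entry["config"])
        if params is None:
            missing.append((ptype, entry["config"]))
            continue
        providers.append({"role": ptype, "name": entry["name"],
                          "enabled": "true", "params": dict(params)})
    return providers, missing


def providers_for_deploy(text, store):
    """Fail closed: return (providers, []) only when the policy is well formed
    and every config reference resolves; otherwise return ([], errors) so a
    topology is never deployed with a provider quietly left out of its chain."""
    policy, errors = load_policy(text)
    if errors:
        return [], errors
    providers, missing = resolve_policy(policy, store)
    errors = [f"{ptype}: config {ref!r} not found in policy store"
              for ptype, ref in missing]
    return (providers, []) if not errors else ([], errors)


if __name__ == "__main__":
    found, gaps = resolve_policy(load_policy(DEFAULT_POLICY)[0], CONFIG_STORE)
    print(json.dumps(found, indent=2))
    print("unresolved:", gaps)
```

The fail-closed behaviour in providers_for_deploy is the point worth keeping when the real policy store is built: an unresolvable authorization or authentication reference must block deployment of the topology rather than produce a gateway with that link missing from the provider chain.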
