slachterman/topology.xml

## topology.xml
        <topology>

            <gateway>

                <provider>
                    <role>authentication</role>
                    <name>ShiroProvider</name>
                    <enabled>true</enabled>
                    <param>
                        <name>sessionTimeout</name>
                        <value>30</value>
                    </param>
                    <param>
                        <name>main.ldapRealm</name>
                        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                    </param>

<!-- changes for AD/user sync -->

<param>
    <name>main.ldapContextFactory</name>
    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
</param>

<!-- main.ldapRealm.contextFactory needs to be placed before other main.ldapRealm.contextFactory* entries  -->
<param>
    <name>main.ldapRealm.contextFactory</name>
    <value>$ldapContextFactory</value>
</param>

<!-- AD url -->
<param>
    <name>main.ldapRealm.contextFactory.url</name>
    <value>ldap://ad01.lab.hortonworks.net:389</value>
</param>

<!-- system user -->
<param>
    <name>main.ldapRealm.contextFactory.systemUsername</name>
    <value>cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net</value>
</param>

<!-- pass in the password using the alias created earlier -->
<param>
    <name>main.ldapRealm.contextFactory.systemPassword</name>
    <value>${ALIAS=knoxLdapSystemPassword}</value>
</param>

                    <param>
                        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                        <value>simple</value>
                    </param>
                    <param>
                        <name>urls./**</name>
                        <value>authcBasic</value>
                    </param>

<!--  AD groups of users to allow -->
<param>
    <name>main.ldapRealm.searchBase</name>
    <value>ou=CorpUsers,dc=lab,dc=hortonworks,dc=net</value>
</param>
<param>
    <name>main.ldapRealm.userObjectClass</name>
    <value>person</value>
</param>
<param>
    <name>main.ldapRealm.userSearchAttributeName</name>
    <value>sAMAccountName</value>
</param>

<!-- changes needed for group sync-->
<param>
    <name>main.ldapRealm.authorizationEnabled</name>
    <value>true</value>
</param>
<param>
    <name>main.ldapRealm.groupSearchBase</name>
    <value>ou=CorpUsers,dc=lab,dc=hortonworks,dc=net</value>
</param>
<param>
    <name>main.ldapRealm.groupObjectClass</name>
    <value>group</value>
</param>
<param>
    <name>main.ldapRealm.groupIdAttribute</name>
    <value>cn</value>
</param>


                </provider>

                <provider>
                    <role>identity-assertion</role>
                    <name>Default</name>
                    <enabled>true</enabled>
                </provider>

                <provider>
                    <role>authorization</role>
                    <name>XASecurePDPKnox</name>
                    <enabled>true</enabled>
                </provider>

<!--
  Knox HaProvider for Hadoop services
  -->
<provider>
     <role>ha</role>
     <name>HaProvider</name>
     <enabled>true</enabled>
     <param>
         <name>OOZIE</name>
         <value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true</value>
     </param>
     <param>
         <name>HBASE</name>
         <value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true</value>
     </param>
     <param>
         <name>WEBHCAT</name>
         <value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true</value>
     </param>
     <param>
         <name>WEBHDFS</name>
         <value>maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true</value>
     </param>
     <param>
        <name>HIVE</name>
        <value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true;zookeeperEnsemble=machine1:2181,machine2:2181,machine3:2181;
       zookeeperNamespace=hiveserver2</value>
     </param>
</provider>
<!--
  END Knox HaProvider for Hadoop services
  -->


            </gateway>

            <service>
                <role>NAMENODE</role>
                <url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
            </service>

            <service>
                <role>JOBTRACKER</role>
                <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
            </service>

            <service>
                <role>WEBHDFS</role>
                <url>http://{{namenode_host}}:{{namenode_http_port}}/webhdfs</url>
            </service>

            <service>
                <role>WEBHCAT</role>
                <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
            </service>

            <service>
                <role>OOZIE</role>
                <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
            </service>

            <service>
                <role>WEBHBASE</role>
                <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
            </service>

            <service>
                <role>HIVE</role>
                <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
            </service>

            <service>
                <role>RESOURCEMANAGER</role>
                <url>http://{{rm_host}}:{{rm_port}}/ws</url>
            </service>
        </topology>
	<topology>

	<gateway>

	<provider>
	<role>authentication</role>
	<name>ShiroProvider</name>
	<enabled>true</enabled>
	<param>
	<name>sessionTimeout</name>
	<value>30</value>
	</param>
	<param>
	<name>main.ldapRealm</name>
	<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
	</param>

	<!-- changes for AD/user sync -->

	<param>
	<name>main.ldapContextFactory</name>
	<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
	</param>

	<!-- main.ldapRealm.contextFactory needs to be placed before other main.ldapRealm.contextFactory* entries -->
	<param>
	<name>main.ldapRealm.contextFactory</name>
	<value>$ldapContextFactory</value>
	</param>

	<!-- AD url -->
	<param>
	<name>main.ldapRealm.contextFactory.url</name>
	<value>ldap://ad01.lab.hortonworks.net:389</value>
	</param>

	<!-- system user -->
	<param>
	<name>main.ldapRealm.contextFactory.systemUsername</name>
	<value>cn=ldap-reader,ou=ServiceUsers,dc=lab,dc=hortonworks,dc=net</value>
	</param>

	<!-- pass in the password using the alias created earlier -->
	<param>
	<name>main.ldapRealm.contextFactory.systemPassword</name>
	<value>${ALIAS=knoxLdapSystemPassword}</value>
	</param>

	<param>
	<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
	<value>simple</value>
	</param>
	<param>
	<name>urls./**</name>
	<value>authcBasic</value>
	</param>

	<!-- AD groups of users to allow -->
	<param>
	<name>main.ldapRealm.searchBase</name>
	<value>ou=CorpUsers,dc=lab,dc=hortonworks,dc=net</value>
	</param>
	<param>
	<name>main.ldapRealm.userObjectClass</name>
	<value>person</value>
	</param>
	<param>
	<name>main.ldapRealm.userSearchAttributeName</name>
	<value>sAMAccountName</value>
	</param>

	<!-- changes needed for group sync-->
	<param>
	<name>main.ldapRealm.authorizationEnabled</name>
	<value>true</value>
	</param>
	<param>
	<name>main.ldapRealm.groupSearchBase</name>
	<value>ou=CorpUsers,dc=lab,dc=hortonworks,dc=net</value>
	</param>
	<param>
	<name>main.ldapRealm.groupObjectClass</name>
	<value>group</value>
	</param>
	<param>
	<name>main.ldapRealm.groupIdAttribute</name>
	<value>cn</value>
	</param>


	</provider>

	<provider>
	<role>identity-assertion</role>
	<name>Default</name>
	<enabled>true</enabled>
	</provider>

	<provider>
	<role>authorization</role>
	<name>XASecurePDPKnox</name>
	<enabled>true</enabled>
	</provider>

	<!--
	Knox HaProvider for Hadoop services
	-->
	<provider>
	<role>ha</role>
	<name>HaProvider</name>
	<enabled>true</enabled>
	<param>
	<name>OOZIE</name>
	<value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true</value>
	</param>
	<param>
	<name>HBASE</name>
	<value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true</value>
	</param>
	<param>
	<name>WEBHCAT</name>
	<value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true</value>
	</param>
	<param>
	<name>WEBHDFS</name>
	<value>maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true</value>
	</param>
	<param>
	<name>HIVE</name>
	<value>maxFailoverAttempts=3;failoverSleep=1000;enabled=true;zookeeperEnsemble=machine1:2181,machine2:2181,machine3:2181;
	zookeeperNamespace=hiveserver2</value>
	</param>
	</provider>
	<!--
	END Knox HaProvider for Hadoop services
	-->


	</gateway>

	<service>
	<role>NAMENODE</role>
	<url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
	</service>

	<service>
	<role>JOBTRACKER</role>
	<url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
	</service>

	<service>
	<role>WEBHDFS</role>
	<url>http://{{namenode_host}}:{{namenode_http_port}}/webhdfs</url>
	</service>

	<service>
	<role>WEBHCAT</role>
	<url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
	</service>

	<service>
	<role>OOZIE</role>
	<url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
	</service>

	<service>
	<role>WEBHBASE</role>
	<url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
	</service>

	<service>
	<role>HIVE</role>
	<url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
	</service>

	<service>
	<role>RESOURCEMANAGER</role>
	<url>http://{{rm_host}}:{{rm_port}}/ws</url>
	</service>
	</topology>