I suspect this is a Zeppelin project issue, and more than likely a version issue.
You probably want to check your deployed version of Zeppelin and see
whether it has support for KnoxSSO.
If it does, then you need to move this discussion to their list.

Keep us posted.

On Wed, Aug 8, 2018 at 4:40 PM, Ravikumar, Praveen Krishnamoorthy <
rpkr...@amazon.com> wrote:

> Greetings,
>
>
>
> I’m working on enabling knox-sso authentication in Zeppelin. I configured
> the Zeppelin UI host in the topology XML and made the configuration changes to
> enable Zeppelin in Knox (as suggested in the documentation). Now I’m facing
> a few issues accessing Zeppelin via the Knox gateway URL, which I have
> detailed below. Could anyone please help me with this? It would be very helpful
> in proceeding further.
>
>
>
> I’m seeing the below log error messages on starting the zeppelin.
>
>
>
>
>
>
>
> *Configuration changes:*
>
>
>
>    1. Zeppelin : shiro.ini
>
>
>
> knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
>
> knoxJwtRealm.providerUrl = https://<dns-domain>:8446/
>
> knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
>
> knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
>
> knoxJwtRealm.logoutAPI = true
>
> knoxJwtRealm.redirectParam = originalUrl
>
> knoxJwtRealm.cookieName = hadoop-jwt
>
> knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
>
> knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
>
> knoxJwtRealm.principalMapping = principal.mapping
>
> authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
>
>
>
>    1. Knoxsso.xml
>
>
>
> <?xml version="1.0" encoding="utf-8"?>
>
> <topology>
>
>    <gateway>
>
>      <provider>
>
>          <role>federation</role>
>
>          <name>pac4j</name>
>
>          <enabled>true</enabled>
>
>          <param>
>
>            <name>pac4j.session.store</name>
>
>            <value>J2ESessionStore</value>
>
>          </param>
>
>          <param>
>
>           <name>pac4j.callbackUrl</name>
>
>           <value>https://<dnsname>:8446/gateway/knoxsso/api/v1/websso</value>
>
>          </param>
>
>
>
>          <param>
>
>            <name>clientName</name>
>
>            <value>SAML2Client</value>
>
>          </param>
>
>
>
>          <param>
>
>            <name>saml.identityProviderMetadataPath</name>
>
>            <value>/tmp/preprod_metadata_SP.xml</value>
>
>          </param>
>
>
>
>          <param>
>
>            <name>saml.serviceProviderMetadataPath</name>
>
>            <value>/tmp/preprod_metadata_SP.xml</value>
>
>          </param>
>
>
>
>          <param>
>
>            <name>saml.serviceProviderEntityId</name>
>
>            <value>https:// <dnsname>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
>
>          </param>
>
>      </provider>
>
>      <provider>
>
>          <role>identity-assertion</role>
>
>          <name>Default</name>
>
>          <enabled>true</enabled>
>
>      </provider>
>
>      <provider>
>
>             <role>hostmap</role>
>
>             <name>static</name>
>
>             <enabled>true</enabled>
>
>             <param>
>
>                 <name>localhost</name>
>
>                 <value>XXX.vpc.internal</value>
>
>             </param>
>
>         </provider>
>
>    </gateway>
>
> <service>
>
>        <role>KNOXSSO</role>
>
>         <param>
>
>          <name>knoxsso.cookie.domain.suffix</name>
>
>          <value>.######</value>
>
>        </param>
>
>        <param>
>
>          <name>knoxsso.cookie.secure.only</name>
>
>          <value>false</value>
>
>       </param>
>
>       <param>
>
>          <name>knoxsso.enable.session</name>
>
>          <value>true</value>
>
>       </param>
>
>       <param>
>
>          <name>knoxsso.cookie.max.age</name>
>
>          <value>session</value>
>
>       </param>
>
>       <param>
>
>         <name>knoxsso.token.ttl</name>
>
>         <value>100000</value>
>
>       </param>
>
>       <param>
>
>         <name>knoxsso.redirect.whitelist.regex</name>
>
>         <value>^https?:\/\/( <dnsname>|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>
>       </param>
>
>    </service>
>
> </topology>
>
>
>
>    1. gate1.xml (topology xml)
>
>
>
> <?xml version="1.0" encoding="utf-8"?>
>
> <topology>
>
>   <gateway>
>
>     <provider>
>
>         <role>webappsec</role>
>
>         <name>WebAppSec</name>
>
>         <enabled>true</enabled>
>
>         <param>
>
>            <name>cors.enabled</name>
>
>            <value>true</value>
>
>         </param>
>
>     </provider>
>
>     <provider>
>
>         <role>federation</role>
>
>         <name>SSOCookieProvider</name>
>
>         <enabled>true</enabled>
>
>         <param>
>
>             <name>sso.authentication.provider.url</name>
>
>             <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
>
>         </param>
>
>     </provider>
>
>     <provider>
>
>         <role>identity-assertion</role>
>
>         <name>Default</name>
>
>         <enabled>true</enabled>
>
>     </provider>
>
>   </gateway>
>
>   <service>
>
>       <role>YARNUI</role>
>
>       <url>http://XXXX.vpc.internal:8088</url>
>
>   </service>
>
>   <service>
>
>       <role>SPARKHISTORYUI</role>
>
>       <url>http://XXXXX.vpc.internal:18080/</url>
>
>   </service>
>
>   <service>
>
>     <role>ZEPPELINWS</role>
>
>     <url>ws://XXXXXXX.vpc.internal:8890/ws</url>
>
> </service>
>
> <service>
>
>     <role>ZEPPELINUI</role>
>
>     <url>http://XXXXXXX.vpc.internal:8890</url>
>
> </service>
>
> </topology>
>
>
>
>
>
> Thanks,
>
> Praveen.R
>
>
>
