Hello,

You have to set up Kerberos.

Regards,

Antonio

On 07/08/20 16:59, jw4306...@gmail.com wrote:

Hello.

I'm trying to set up authentication on the various HDFS, YARN, and MAPRED service UIs. I'm not using WebHDFS, but have a requirement to ensure that even the service UIs can't be accessed anonymously.

I've set up Apache Knox 1.4.0 on my environment and have configured it to work with an LDAPS server. I am able to authenticate to Knox and access the admin UI without issue using my LDAPS credentials.

I'm having issues figuring out how to get the various service UIs to hide behind the Knox proxy, though. I'm using this documentation (https://knox.apache.org/books/knox-1-4-0/user-guide.html#KnoxSSO+Setup+and+Configuration) to determine how to get this set up.

After configuring everything per the documentation and restarting both the Knox gateway and the HDFS NameNode, I am still able to access the NameNode UI on 9871 anonymously. I'm not seeing anything in the HDFS NameNode or Jetty logs that indicates that it's even trying to reach out to the Knox server.

Can anyone assist me with this, please?

My configs are as follows:

----------------------------------------------

Hadoop core-site.xml:

----------------------------------------------

<configuration>
    <property>
        <name>hadoop.ssl.enabled.protocols</name>
        <value>TLSv1.1,TLSv1.2</value>
    </property>
    <property>
        <name>hadoop.http.authentication.type</name>
        <value>org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler</value>
    </property>
    <property>
        <name>hadoop.http.authentication.authentication.provider.url</name>
        <value>https://<knox_GW>:<knox_GW_port>:8443/gateway/knoxsso/api/v1/websso</value>
    </property>
    <property>
        <name>hadoop.http.authentication.public.key.pem</name>
        <value><knox GW cert public key></value>
    </property>
</configuration>

----------------------------------------------

Knox knoxsso.xml topology:

----------------------------------------------

<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>redirectToUrl</name>
                <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
                <name>restrictedCookies</name>
                <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
                <name>knoxsso.cookie.name</name>
                <value>hadoop-jwt</value>
            </param>
            <param>
                <name>knoxsso.cookie.secure.only</name>
                <value>true</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
    </gateway>
</topology>
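
A small pre-restart check for the core-site.xml settings quoted above, as an added example that is not part of the original messages or of the Hadoop or Knox projects. The host name, PEM body and sample files are constructed, and the `hadoop.http.filter.initializers` check is an assumption taken from Hadoop's HTTP authentication documentation, not from this thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PREFIX = "hadoop.http.authentication."
JWT_HANDLER = ("org.apache.hadoop.security.authentication.server."
               "JWTRedirectAuthenticationHandler")
# Assumption from Hadoop's HTTP authentication docs (not stated in the thread):
# the web UIs only enforce the handler when this initializer is listed.
FILTER_INIT = "org.apache.hadoop.security.AuthenticationFilterInitializer"

def load_props(xml_text):
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def check_core_site(xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    props, findings = load_props(xml_text), []
    if props.get(PREFIX + "type") != JWT_HANDLER:
        findings.append("type: JWT redirect handler not selected")
    url = urlsplit(props.get(PREFIX + "authentication.provider.url", ""))
    try:
        _ = url.port  # raises ValueError on a doubled or non-numeric port
        if url.scheme != "https" or not url.hostname:
            findings.append("provider.url: expected https://host[:port]/...")
    except ValueError:
        findings.append("provider.url: malformed host:port")
    if not props.get(PREFIX + "public.key.pem"):
        findings.append("public.key.pem: empty")
    inits = props.get("hadoop.http.filter.initializers", "").split(",")
    if FILTER_INIT not in [i.strip() for i in inits]:
        findings.append("filter.initializers: AuthenticationFilterInitializer missing")
    return findings

def prop(name, value):
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed samples: knox.example.com and the PEM body are placeholders.
# DOUBLED_PORT mirrors the <knox_GW>:<knox_GW_port>:8443 shape once substituted.
COMMON = prop(PREFIX + "type", JWT_HANDLER) + prop(PREFIX + "public.key.pem", "CONSTRUCTED")
DOUBLED_PORT = "<configuration>" + COMMON + prop(
    PREFIX + "authentication.provider.url",
    "https://knox.example.com:8443:8443/gateway/knoxsso/api/v1/websso") + "</configuration>"
CORRECTED = "<configuration>" + COMMON + prop(
    PREFIX + "authentication.provider.url",
    "https://knox.example.com:8443/gateway/knoxsso/api/v1/websso") + prop(
    "hadoop.http.filter.initializers", FILTER_INIT) + "</configuration>"

if __name__ == "__main__":
    for label, xml_text in (("doubled port", DOUBLED_PORT), ("corrected", CORRECTED)):
        print(label, check_core_site(xml_text) or "OK")
```
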
