Hello,
you have to set up Kerberos.
Regards,
Antonio
On 07/08/20 16:59, jw4306...@gmail.com wrote:
Hello.
I'm trying to set up authentication on the various HDFS, YARN, and
MAPRED service UIs. I'm not using WebHDFS, but have a requirement to
ensure that even the service UIs can't be accessed anonymously.
I've set up Apache Knox 1.4.0 on my environment and have configured it
to work with an LDAPS server. I am able to authenticate to Knox and
access the admin UI without issue using my LDAPS credentials.
I'm having issues figuring out how to get the various service UIs to
hide behind the Knox proxy, though. I'm using this documentation
(https://knox.apache.org/books/knox-1-4-0/user-guide.html#KnoxSSO+Setup+and+Configuration)
to determine how to get this set up.
After configuring everything per the documentation and restarting both
the Knox gateway and the HDFS NameNode, I am still able to access the
NameNode UI on 9871 anonymously. I'm not seeing anything in the HDFS
NameNode or Jetty logs that indicates that it's even trying to reach
out to the Knox server.
Can anyone assist me with this, please?
My configs are as follows:
----------------------------------------------
Hadoop core-site.xml:
----------------------------------------------
<configuration>
  <property>
    <name>hadoop.ssl.enabled.protocols</name>
    <value>TLSv1.1,TLSv1.2</value>
  </property>
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler</value>
  </property>
  <property>
    <name>hadoop.http.authentication.authentication.provider.url</name>
    <value>https://<knox_GW>:<knox_GW_port>:8443/gateway/knoxsso/api/v1/websso</value>
  </property>
  <property>
    <name>hadoop.http.authentication.public.key.pem</name>
    <value><knox GW cert public key></value>
  </property>
</configuration>
----------------------------------------------
Knox knoxsso.xml topology:
----------------------------------------------
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sessionTimeout</name>
        <value>30</value>
      </param>
      <param>
        <name>redirectToUrl</name>
        <value>/gateway/knoxsso/knoxauth/login.html</value>
      </param>
      <param>
        <name>restrictedCookies</name>
        <value>rememberme,WWW-Authenticate</value>
      </param>
      <param>
        <name>knoxsso.cookie.name</name>
        <value>hadoop-jwt</value>
      </param>
      <param>
        <name>knoxsso.cookie.secure.only</name>
        <value>true</value>
      </param>
      <param>
        <name>urls./**</name>
        <value>authcBasic</value>
      </param>
    </provider>
  </gateway>
</topology>
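
A check for the symptom described in the original message (the NameNode UI on 9871 still answering anonymously), as an added example that is not part of the thread and not Hadoop or Knox code: it validates the configured provider URL and classifies the response to a cookie-less request. The host `knox.example.com`, the sample config, the function names, and the assumption that the JWT redirect handler answers unauthenticated requests with a redirect to the provider URL are constructed for illustration.

```python
import http.client
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PROVIDER_KEY = "hadoop.http.authentication.authentication.provider.url"

# Constructed sample; knox.example.com is a placeholder host.
SAMPLE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.http.authentication.authentication.provider.url</name>
    <value>https://knox.example.com:8443:8443/gateway/knoxsso/api/v1/websso</value>
  </property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def provider_url_problems(url):
    """List reasons the configured provider URL is not a usable HTTPS URL."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host")
    try:
        parts.port  # raises ValueError on e.g. 'host:8443:8443'
    except ValueError:
        problems.append("malformed port in authority")
    return problems

def classify(status, location, provider_url):
    """Interpret the response to an unauthenticated GET against a service UI."""
    if 300 <= status < 400 and (location or "").startswith(provider_url):
        return "redirected-to-sso"
    if status in (401, 403):
        return "denied"
    if status == 200:
        return "anonymous-access"
    return "inconclusive"

def probe(host, port, path="/", context=None):
    """Send one cookie-less GET (redirects not followed); return (status, Location)."""
    conn = http.client.HTTPSConnection(host, port, timeout=5, context=context)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()
```

Pass the result of `probe()` for the NameNode host and port 9871 to `classify()` after each configuration change; `anonymous-access` means the UI is still unprotected.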