Hi Tony, I should have specified that this is something I added to the master branch. The Anonymous provider is not in a release yet, but will be in the upcoming 0.9.0 release.
Sumit. From: hdp <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Thursday, March 24, 2016 at 2:32 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Re:Re: Knox Integration in Ranger [*] Hi Sumit I get error as below when configuring the Anonymous provider in knox topology file. Failed to contribute provider. Role: authentication Name: Anonymous. Please check the topology for errors in name and role and that the provider is on the classpath I use knox0.7. I found that knox0.7 has no anonymous authentication provider , neither knox0.8. Thanks Tony At 2016-03-02 22:13:43, "Sumit Gupta" <[email protected]<mailto:[email protected]>> wrote: Hi Timea, This is great that you are getting the Ranger UI to work behind Knox. I hope you are willing to contribute back your work. We have a JIRA here: https://issues.apache.org/jira/browse/KNOX-668 I was also going to work on this later so I’d be very interested in helping you get to a working solution. The Ambari UI has a similar situation with authentication as you expressed. Please look at the commit for this JIRA: https://issues.apache.org/jira/browse/KNOX-669 The essence of what you need is: 1. The authentication provider in the JIRA that creates an anonymous user. To configure this, do something like the following in your topology file: <gateway> <provider> <role>authentication</role> <name>Anonymous</name> <enabled>true</enabled> </provider> <provider> <role>identity-assertion</role> <name>Default</name> <enabled>false</enabled> </provider> </gateway> Please note that there is some slight issue we have with defaulting of identity assertion provider which we should fix soon, but until then you need to also specify the identity-assertion provider and mark it enabled equals false. 2. You need a special dispatch that does not exclude any headers. I will be pushing one soon but until then please look at one posted earlier on this list. Also look at org.apache.hadoop.gateway.dispatch.DefaultDispatch and the exclude headers part. Essentially you want all the headers to back all the way to the browser. I hope this helps. I haven’t looked at your service and rewrite files in detail but I will point out that the UI uses the REST API so you will likely also need a service and rewrite file for the Ranger REST API. Sumit. From: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Wednesday, March 2, 2016 at 5:14 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Knox Integration in Ranger [*] Hi, following the descriptions of Kevin Minder on adding a new service to Apache Knox under the following link: http://kminder.github.io/knox/2015/11/16/adding-a-service-to-knox.html we are currently trying to accomplish a Knox Integration in the Ranger UI. The following steps have been taken by us internally to integrate Knox into Ranger so far: 1. The service component Ranger was added to the default.xml Knox topology file under /etc/knox/4.1.0.0/0/topologies/default.xml as follows: <service> <role>RANGERUI</role> <url>http://<ranger_host>:6080<http://fi02b000.fidudom.fiducia.de:6080/></url> </service> 2. Ranger was added as a service by creating the directory structure ranger-ui/0.5.0 under /var/lib/knox/data/services and adding the rewrite.xml and service.xml files analogously to the cases enlisted above, with the following details: ############# rewrite.xml ###################### <rules> <!-- Inbound rewrite rules --> <rule dir="IN" name="RANGERUI/ranger/inbound/root" pattern="*://*:*/**/ranger/"> <rewrite template="{$serviceUrl[RANGERUI]}"/> </rule> <rule dir="IN" name="RANGERUI/ranger/inbound/path" pattern="*://*:*/**/ranger/{**}"> <rewrite template="{$serviceUrl[RANGERUI]}/{**}"/> </rule> <rule dir="IN" name="RANGERUI/ranger/inbound/query" pattern="*://*:*/**/ranger/{**}?{**}"> <rewrite template="{$serviceUrl[RANGERUI]}/{**}?{**}"/> </rule> <!-- redirection (302) matching rules for above --> <filter> <content type="application/x-http-headers"> <apply path="Location" rule="RANGERUI/ranger/outbound/login"/> </content> </filter> <rule dir="OUT" name="RANGERUI/ranger/outbound/login"> <match pattern="*://*:*/{**}"/> <rewrite template="{gateway.url}/ranger/{**}"/> </rule> --> </rules> ######## service.xml ######### <service role="RANGERUI" name="rangeui" version="0.5.0"> <routes> <route path="/ranger/"/> <route path="/ranger/**"/> <route path="/ranger/**?**"/> <route path="/ranger/**"> <rewrite apply="RANGERUI/ranger/outbound/login" to="response.headers"/> </route> </routes> </service> Additionally the XAPrelogin.js (part of the ranger admin plugin) file under /usr/iop/4.1.0.0/ranger-admin/ews/webapp/scripts/prelogin has been adjusted as follows: 98 function getBaseUrl(){ 99 if(!window.location.origin){ 100 window.location.origin = window.location.protocol + "//" + window.location.hostname + (window.location.port ? ':' + window.location.port: ''); 101 } 102 return window.location.origin 103 + window.location.pathname.substring(window.location.pathname 104 .lastIndexOf("/") + 1, 0); otherwise the gateway_url is modified by the corresponding js file in a way (parts of the gateway_url are trimmed), that a 404 HTTP Status Code will be produced all the time. The Ranger UI has the specialty, compared to other UIs already supported by Knox, that one must authenticate and send his/her credentials within an ajax request to come to the main page where the plugin repositories can be seen/created and further access rules can be created among others. When adding further outbound rule for invoking the index.html file in the rewrite.xml file like this: <rule dir="OUT" name="RANGERUI/ranger/outbound/login/authenticate"> <match pattern="*://*:*/{**}"/> <rewrite template="{gateway.url}/ranger/{**}"/> </rule> the following routing "error" occurs: (Siehe angehängte Datei: KnoxRanger_01.PNG) (Siehe angehängte Datei: KnoxRanger_2.PNG) It is unclear how to define the above outbound rule correctly though, since we couldn't find any documentation for the case that one has to authenticate and provide some user credentials via ajax. The current assumption is that the user credentials cannot be transmitted properly and this is the reason for the routing back to the login.jsp file instead of moving to index.html. Fiducia & GAD IT AG | www.fiduciagad.de AG Frankfurt a. M. HRB 102381 | Sitz der Gesellschaft: Hahnstr. 48, 60528 Frankfurt a. M. | USt-IdNr. DE 143582320 Vorstand: Klaus-Peter Bruns (Vorsitzender), Claus-Dieter Toben (stv. Vorsitzender), Jens-Olaf Bartels, Martin Beyer, Jörg Dreinhöfer, Wolfgang Eckert, Steffen Jentsch, Carsten Pfläging, Jörg Staff Vorsitzender des Aufsichtsrats: Jürgen Brinkmann
