Hello Gard,

Could it be possible you are hitting the wrong topology? What you are
getting back looks like a JWT token IMO.
Looking at your topology, you do not seem to have it configured.

Best,
Sandeep

On Tue, Mar 14, 2017 at 6:23 AM, Gard Skauge <[email protected]> wrote:

> Hi,
>
> We have Knox 0.9.0 in front of a Kerberized cluster, and we are struggling
> to set it up.
>
> We have the following topology:
>
>
> <topology>
>   <gateway>
>
>     <provider>
>       <role>authentication</role>
>       <name>ShiroProvider</name>
>       <enabled>true</enabled>
>       <param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/>
>       <param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"/>
>       <param name="main.ldapRealm.contextFactory" value="$ldapContextFactory"/>
>
>       <param name="main.ldapRealm.contextFactory.url" value="XXXX"/>
>       <param name="main.ldapRealm.contextFactory.systemUsername" value="CN=XXXX"/>
>       <param name="main.ldapRealm.contextFactory.systemPassword" value="XXXXX"/>
>
>       <param name="main.ldapRealm.searchBase" value="XXX"/>
>       <param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
>       <param name="main.ldapRealm.userObjectClass" value="user"/>
>
>       <param name="main.ldapRealm.authorizationEnabled" value="true"/>
>       <param name="main.ldapRealm.groupSearchBase" value="XXX"/>
>       <param name="main.ldapRealm.groupObjectClass" value="group"/>
>       <param name="main.ldapRealm.groupIdAttribute" value="sAMAccountName"/>
>       <param name="main.ldapRealm.memberAttribute" value="member"/>
>
>       <param name="urls./**" value="authcBasic"/>
>     </provider>
>     <provider>
>       <role>authorization</role>
>       <name>AclsAuthz</name>
>       <enabled>true</enabled>
>       <param name="knox.acl" value="*;*;*"/>
>     </provider>
>   </gateway>
>
>   <service>
>     <role>NAMENODE</role>
>     <url>hdfs://XXX:8020</url>
>   </service>
>
>   <service>
>     <role>JOBTRACKER</role>
>     <url>rpc://XXX:8050</url>
>   </service>
>
>   <service>
>     <role>WEBHDFS</role>
>     <url>http:/XXX:50070/webhdfs</url>
>   </service>
>
>   <service>
>     <role>WEBHCAT</role>
>     <url>http://XXX:50111/templeton</url>
>   </service>
>
>   <service>
>     <role>OOZIE</role>
>     <url>http://XXX:11000/oozie</url>
>   </service>
> </topology>
>
>
> (We have verified that the authentication/authorization works using the
> knoxcli.sh command)
>
>
>
> But using cURL to test:
>
> curl -v -u <username>:<password> -ik 'https://localhost:9443/gateway/<topology>/webhdfs/v1/?op=GETHOMEDIRECTORY'
>
>
> Returns:
>
> {"sub":null,"aud":null,"code":"eyJhbGciOiJSUzI1NiJ9.
> eyJzdWIiOiJIRFAgQSBSYW5nZXIgQWRtaW4iLCJpc3MiOiJLTk9YU1NPIn0.
> DAKyBrlsExR8NytbNzKnC15oDQMAfKLZ4z1WxwD_vo3Vvc86okoEymWg10UvI5ohoum0F5
> iH3KTMW_lCDdkfNieORsSNU35DLI0VLhkp98FMWSgPVAOczXtoxUPrCCTv7irtqF9p68_
> 03HDAyvhhEoBvvxxliPTXJM1RsW3EX0Y","iss":"KNOXSSO","exp":null}
>
>
> Any idea what's happening here?
>
>
>
> Thanks in advance,
> Gard
>
>
>
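
Added example, not part of the original thread: a quick way to check whether a gateway reply is a JWT from a token service rather than output from the proxied service, by decoding the `code` field without verifying it. The first two token segments are the ones posted above; the signature placeholder and the WebHDFS-style sample body are constructed for the example, and the function names are hypothetical.

```python
import base64
import json

# Response body from the thread. The first two JWT segments are the ones
# posted; the signature is replaced by a placeholder (constructed).
KNOX_RESPONSE = (
    '{"sub":null,"aud":null,"code":"eyJhbGciOiJSUzI1NiJ9.'
    'eyJzdWIiOiJIRFAgQSBSYW5nZXIgQWRtaW4iLCJpc3MiOiJLTk9YU1NPIn0.'
    'SIGNATURE-OMITTED","iss":"KNOXSSO","exp":null}'
)
# Constructed sample of what WebHDFS GETHOMEDIRECTORY normally returns.
WEBHDFS_RESPONSE = '{"Path":"/user/example"}'


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, claims) WITHOUT checking the signature: diagnosis only."""
    parts = "".join(token.split()).split(".")  # drop mail line-wrap whitespace
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def classify_gateway_response(body):
    """Tell a token-service reply apart from a proxied service reply."""
    doc = json.loads(body)
    token = doc.get("code") if isinstance(doc, dict) else None
    if isinstance(token, str):
        try:
            header, claims = decode_jwt_unverified(token)
        except ValueError:  # bad base64, bad JSON, wrong segment count
            header = claims = None
        if isinstance(header, dict) and isinstance(claims, dict):
            return {"kind": "jwt", "alg": header.get("alg"),
                    "iss": claims.get("iss"), "sub": claims.get("sub")}
    return {"kind": "other", "keys": sorted(doc) if isinstance(doc, dict) else []}


if __name__ == "__main__":
    for name, body in (("knox", KNOX_RESPONSE), ("webhdfs", WEBHDFS_RESPONSE)):
        print(name, classify_gateway_response(body))
```

The decoded claims are untrusted because the signature is never checked; they are useful only for identifying which endpoint produced the reply.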
