Installing DPS
Also available as:
PDF

Configure Knox SSO between DPS and HDP

This topic provides an overview of how to configure Knox SSO in your HDP cluster to work with DPS. Refer to the HDP documentation for details that might be applicable to your specific HDP configuration and setup.

  • You will be configuring Knox SSO in your HDP cluster to work with your DP instance.
  • You must have installed and configured DPS.
  • You must have configured Knox SSO on your clusters.

    See Knox SSO with DPS for details.

  • Knox SSO, LDAP, and Ranger must have been configured for HDP and Ambari.
  • You must have an SSL certificate (such as a .pem file) available and have access to the public key in the file.
  • Knox host FQDN must be DNS addressable and available from your DPS environment.

    If it is not, the Knox IP address must be in the /etc/hosts file on the DP environment. Refer to the DPS Administration Guidefor details on how to add Knox to the DPS environment hosts.

  1. In a terminal, SSH to the DPS host.
  2. Navigate to $DP_INSTALL_HOME/certs/.
    cd /usr/dp/current/core/bin/certs/
  3. Display the content of the ssl-cert.pem file.
    cat ssl-cert.pem
  4. Copy and retain the DPS public key displayed in the certificate between “Begin Certificate” and “End Certificate”, because you need it in a succeeding step.

    The public key looks similar to the following:

    -----BEGIN CERTIFICATE-----

    NIICzTCCAaKjAwIBAgIIVJzHWfmsfP8wDQYJK0ZIhvcNAQEFCQAwXzELMAkGA1UE
    BhMCVVMxDTALBgMVBAgTBFRlc4QxDTALBgNVBAcTBFRlc3QxFzANBgNVBAoTBkhH
    ZG9vcDETMAsGA1WECxMEVGvzdDESMBAGA4UEAxMJbG9jYWxob3N0MB2XDTE3MDcx
    MjEzMTUxMVoXDTE0MDcxMjEzMTUxMVoWxzELMAkGA1UCBhMCVVMxDTALBgNVBAgT
    BFRlc9QxDTALBgNVBCcTBFRlc3QxFzANBgNVBAoTBkhhZG9vcDENNAsGA5UECxMF
    VGvzdDESMBBGA1UEAxMJbG8jYWxob3N2MIGfMA0GCSqGSIb3DQLBAQUAA4GNAKCB
    iQKBgQcYLhQDwCcQa12BZ2+v1gWICsFxOplW+EA6tBCJtMJDs5sNSV/XiomPxY2D
    8OU3oY68DiLs/U+la4K2mHp+gvh5+91EuMvXHtkui++7zDtD+cfBmsY5peAFwZ6g
    2NBwIjyMsKSiJWtT4syKMnAB5yv2p8xp3Z6c+0GCmZ+EeguWVQyDAQABMA0GCSqG
    zIb3DQEBbQUAA9GBAJAeMEFZY1Q4mK+RFq6wbshUOSQR+wB8zDkxAtgPfQINR9tK
    5MA8Iy6J90/eBUqGvAoN8PbEnTHU5VsL6m3J0vPmJ4EzFqCwI5VjeWdIMdoPPB/b
    QfmRZb0bpriGv6TrNdr9SKDTlchxW2tBbB1PaiR5yi3oEsuAaNKsi7GeT2wa

    -----END CERTIFICATE-----

  5. On your HDP cluster Knox host, create a token.xml topology file.
    vi /etc/knox/conf/topologies/token.xml
  6. Add the required content to the token.xml file:
    1. Add the basic topology content.

      You can copy and paste the following content into the file and modify the content as needed.

      
      <?xml version="1.0" encoding="UTF-8"?>
      <topology>
         <uri>https://$KNOX_HOSTNAME_FQDN:8443/gateway/token</uri>
         <name>token</name>
         <gateway>
            <provider>
               <role>federation</role>
               <name>SSOCookieProvider</name>
               <enabled>true</enabled>
               <param>
                  <name>sso.authentication.provider.url</name>
                  <value>https://$KNOX_HOSTNAME_FQDN:8443/gateway/knoxsso/api/v1/websso</value>
               </param>
               <param>
                  <name>sso.token.verification.pem</name>
                  <value>
                      $ADD_THE_PUBLIC_KEY_HERE
                  </value>
               </param>
            </provider>
            <provider>
               <role>identity-assertion</role>
               <name>HadoopGroupProvider</name>
               <enabled>true</enabled>
            </provider>
            <provider>
               <role>authorization</role>
               <name>XASecurePDPKnox</name>
               <enabled>true</enabled>
            </provider>
         </gateway>
      
         <service>
            <role>KNOXTOKEN</role>
            <param>
               <name>knox.token.ttl</name>
               <value>500000</value>
            </param>
            <param>
               <name>knox.token.client.data</name>
               <value>cookie.name=hadoop-jwt</value>
            </param>
            <param>
               <name>main.ldapRealm.authorizationEnabled</name>
               <value>true</value>
            </param>
         </service>
      </topology>

      HadoopGroupProvider enables the Hadoop user-group mapping, which identifies the groups to which users belong.

      The authorization=XASecurePDPKnox parameter and main.ldapRealm.authorizationEnabled=true parameter enable Ranger authorization with the token topologies in Knox.

    2. Replace $KNOX_HOSTNAME_FQDN with the fully qualified domain name of the host.
    3. In the sso.token.verification.pem parameter, paste in the public key value that you copied in a previous step, replacing $ADD_THE_PUBLIC_KEY_HERE.
  7. Perform a secure copy of the token.xml topology file to a Knox-enabled node on the HDP cluster.
  8. Verify that Knox has picked up the files:
    1. Log in to the Knox-enabled node.
    2. Ensure that a directory called token.topo.<number> is present in the path /var/lib/knox/data-<version>/deployments/.
      If the file is not present, verify that the content in the token.xml file is correct. You can check the Knox gateway logs for error information.
  9. Log in to each additional cluster used with DPS and repeat Step 5 (create a token.xml file) through Step 8 (verify copy of the file).
  10. Configure the Knox SSO topology to point to an LDAP instance for DPS to use.
    1. Open the file <knox_gateway_home>/topologies/knoxsso.xml.
    2. Modify the following properties with appropriate values for your environment:
      • main.ldapRealm.userDnTemplate
      • main.ldapRealm.contextFactory.url
      • knoxsso.redirect.whitelist.regex
      Sample configuration for using packaged LDAP:
       <param>
      	   <name>main.ldapRealm.userDnTemplate</name>
      	   <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
         </param>
         <param>
      	   <name>main.ldapRealm.contextFactory.url</name>
      	   <value>ldap://localhost:33389</value>
         </param>
       <param>
              <name>knoxsso.redirect.whitelist.regex</name>
              <value>.*;^/.*$;https?://localhost*$;^http.*$</value>
          </param>