Configuring NiFi Authentication and Proxying with Apache Knox
Also available as:
PDF

Configuring Knox SSO

  1. If you want to use Knox SSO authentication, perform the following steps:
    1. On each cluster node with Knox installed, replace the ShiroProvider federation provider in the flow-management.xml file with the following content:
      <provider>
         <role>federation</role>
         <name>SSOCookieProvider</name>
         <enabled>true</enabled>
         <param>
            <name>sso.authentication.provider.url</name>
            <value>https://$KNOX_HOSTNAME:$KNOX_PORT/gateway/knoxsso/api/v1/websso</value>
         </param>
      </provider>
      

      where:

      • $KNOX_HOSTNAME is the FQDN of the Knox host.

      • $KNOX_PORT is the port Knox is using.

      Your new flow-management.xml file looks similar to the following:

      <?xml version="1.0" encoding="utf-8"?>
      <!--
        Licensed to the Apache Software Foundation (ASF) under one or more
        contributor license agreements.  See the NOTICE file distributed with
        this work for additional information regarding copyright ownership.
        The ASF licenses this file to You under the Apache License, Version 2.0
        (the "License"); you may not use this file except in compliance with
        the License.  You may obtain a copy of the License at
      
            http://www.apache.org/licenses/LICENSE-2.0
      
        Unless required by applicable law or agreed to in writing, software
        distributed under the License is distributed on an "AS IS" BASIS,
        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
        See the License for the specific language governing permissions and
        limitations under the License.
      -->
      <topology>
        <gateway>
          <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
              <name>sso.authentication.provider.url</name>
              <value>https://hdf-test.field.hortonworks.com:8443/gateway/knoxsso/api/v1/websso</value>
            </param>
          </provider>
          <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
          </provider>
        </gateway>
        <service>
          <role>NIFI</role>
          <url>https://hdf-test-nifi.field.hortonworks.com:9091</url>
          <param>
            <name>useTwoWaySsl</name>
            <value>true</value>
          </param>
        </service>
      </topology>
      
    2. If you want to access NiFi directly and still use Knox SSO:
      • Export the Knox SSO certificate:
         $KNOX_INSTALL_DIR/bin/knoxcli.sh export-cert 
      • Set the following properties in the Advanced nifi-properties section in Ambari:
        nifi.security.user.knox.url=https://$KNOX_HOSTNAME:$KNOX_PORT/gateway/knoxsso/api/v1/websso
        nifi.security.user.knox.publicKey=<path-to>/gateway-identity.pem
        nifi.security.user.knox.cookieName=hadoop-jwt
        nifi.security.user.knox.audiences=
        

        The cookieName property must align with what is configured in Knox. The audiences property is used to only accept tokens from a particular audience. The audiences value is configured as part of Knox SSO.

  2. Save the configuration and restart Knox.