
Setting up Knox SSO for Apache Atlas

This section describes how to configure Apache Atlas to use Knox SSO (Single Sign-on) to authenticate users on an Ambari cluster. With this configuration, unauthenticated users who try to access Atlas are redirected to the Knox SSO login page for authentication.

Note

  • Atlas SSO is only applied to web UI users.

  • Internal Atlas users have the option to bypass Knox SSO and log in to the Atlas UI directly using the "login.jsp" URL: http://<atlas_host>:21000/login.jsp.

Use the following steps to configure Knox SSO for Atlas:

  1. Install Ambari with HDP-2.6 or higher. Install Knox along with the other services.

  2. Install Atlas using Ambari.

  3. The Knox SSO topology settings are preconfigured in Knox > Configs > Advanced knoxsso-topology.

  4. Run the following CLI command to export the Knox certificate:

    $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file knox-pub-key.cert -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks

    • When prompted, enter the Knox master password.

    • Note the location where you save the certificate file. The command above writes it as knox-pub-key.cert; the steps below refer to it as cert.pem.

  5. Select Atlas > Configs > Authentication.

  6. Select the Enable Knox SSO check box, then set the following properties:

    • atlas.sso.knox.providerurl – Enter the Knox SSO Provider URL:

      https://<knox_host>:8443/gateway/knoxsso/api/v1/websso

    • atlas.sso.knox.publicKey – Paste in the contents of the cert.pem certificate file exported from Knox, excluding the header and footer.

    • atlas.sso.knox.browser.useragent – Enter the browsers to use with Knox SSO, for example:

      Mozilla,chrome

  7. Click Save to save the new configuration, then click through the confirmation pop-ups.

  8. Restart Atlas. Select Actions > Restart All Required to restart all other services that require a restart.

  9. Knox SSO should now be enabled. Users who try to access Atlas are redirected to the Knox SSO login page for authentication.
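
The certificate handling in steps 4 and 6, as an added example that is not part of the original documentation: a shell function that reads the file exported by keytool -rfc, refuses input that contains a private key or more than one certificate, and prints the body without header and footer for atlas.sso.knox.publicKey. The function name knox_pubkey_body and the single-line output are assumptions of this example, and the sample certificate is constructed.

```shell
#!/bin/sh
# Added example, not from the original documentation.
# knox_pubkey_body FILE: print the base64 body of one PEM certificate on a
# single line, for pasting into atlas.sso.knox.publicKey (hypothetical helper).
knox_pubkey_body() {
    pem_file=$1
    [ -r "$pem_file" ] || { echo "cannot read $pem_file" >&2; return 1; }

    # Only the public certificate belongs in the Atlas configuration:
    # refuse any file that also carries private key material.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem_file"; then
        echo "refusing: $pem_file contains a private key" >&2
        return 2
    fi

    # Expect exactly one certificate (one header line, one footer line).
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$pem_file" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$pem_file" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "expected exactly one certificate in $pem_file" >&2
        return 3
    fi

    # Keep the lines between header and footer; drop CR, LF and blanks.
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
        "$pem_file" | grep -v -e '^-----' | tr -d ' \r\n\t')

    # The body must be non-empty and contain only base64 characters.
    case $body in
        ''|*[!A-Za-z0-9+/=]*) echo "body is not base64" >&2; return 4 ;;
    esac
    printf '%s\n' "$body"
}

# Constructed sample (not a real certificate) to show the output shape.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TUlJQ09OU1RSVUNURUQx' \
    'U0FNUExFQ0VSVEJPRFky' '-----END CERTIFICATE-----' > "$sample"
knox_pubkey_body "$sample"
rm -f "$sample"
```

On the Knox host, call it as knox_pubkey_body knox-pub-key.cert after running the export command in step 4.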