Command Line Installation

Configuring Knox Single Sign-on (SSO)

Knox Single Sign-on (SSO) introduces the ability to configure a single username and password for access control to multiple web UIs. This feature leverages the hadoop-auth module in Hadoop common to use a common SSO cookie for web UIs while retaining non-browser authentication through Kerberos/SPNEGO. To configure the Knox SSO feature, complete the following step.

Configure the following properties in the knoxsso.xml file located in the {GATEWAY_HOME}/conf/topologies directory.

knoxsso.cookie.secure.only
    Description: Determines whether the browser is allowed to send the cookie over unsecured channels. This should always be set to true in production systems. If, during development, a relying party is not running SSL, you can turn this off. Running with it off exposes the cookie and the underlying token to capture and replay by others.
    Default: true

knoxsso.cookie.max.age
    Description: Optional. Limits the lifetime of the cookie to the specified number of seconds. This should normally be left at the default, which makes it a session cookie; session cookies are discarded once the browser session is closed.
    Default: session

knoxsso.cookie.domain.suffix
    Description: Optional. The portion of the request hostname that represents the domain to be used as the cookie domain. For single-host development scenarios the default behavior should be fine. For production deployments, set the expected domain and make sure that all configured SSO-related URLs use this domain; otherwise the browser does not present the cookie to mismatched URLs.
    Default: the default cookie domain, or a domain derived from a hostname that includes more than 2 dots.

knoxsso.token.ttl
    Description: The lifespan of the token within the cookie, in milliseconds. Once it expires, a new cookie must be acquired from KnoxSSO. A value of 36000000 gives you 10 hours.
    Default: 30000 (30 seconds)

knoxsso.token.ttl
    Description: Optional. A comma-separated list of audiences to add to the JWT token. It is used so that a participating application can verify that a token it receives was intended for use with that application. If an application has expected audiences and they are not present in the token, the token must be rejected. If the token has audiences but the application expects none, the token is accepted. OPEN ISSUE: not currently being populated in WebSSOResource.
    Default: empty

knoxsso.redirect.whitelist.regex
    Description: A semicolon-separated list of regular expressions. The incoming originalUrl must match one of the expressions for KnoxSSO to redirect to it after authentication. The default allows only relative paths and localhost, with or without SSL, for development use cases; it needs to be opened up for production use and the actual participating applications. Note that cookie use is still constrained to redirect destinations in the same domain as the KnoxSSO service, regardless of the expressions specified here.
    Default: ^/.*$;^https?://localhost:\d{0,9}/.*$

The following is a sample KnoxSSO topology.

<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapContextFactory</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://localhost:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>KNOXSSO</role>
        <!-- Only send the SSO cookie over HTTPS; keep true in production -->
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
        </param>
        <!-- Token lifetime in milliseconds: 100000 ms is 100 seconds -->
        <param>
            <name>knoxsso.token.ttl</name>
            <value>100000</value>
        </param>
        <!-- Development default: relative paths and localhost only -->
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>^/.*$;^https?://localhost:\d{0,9}/.*$</value>
        </param>
        <param>
            <name>knoxsso.cookie.domain.suffix</name>
            <value>.novalocal</value>
        </param>
    </service>
</topology>

This topology results in a KnoxSSO URL that looks something like:

https://{gateway_host}:{gateway_port}/gateway/knoxsso/api/v1/websso