Security

Setting up Knox SSO for Ranger Web UI

This section describes how to configure Ranger to use Knox SSO (Single Sign-on) to authenticate users on an Ambari cluster. With this configuration, unauthenticated users who try to access Ranger are redirected to the Knox SSO login page for authentication.

Note
  • This task applies Knox SSO to web UI users only. To enable Knox SSO for Ranger REST APIs, see Setting up the Knox Token Service for Ranger APIs.

  • Internal Ranger users have the option to bypass Knox SSO and log in to the Ranger UI directly using the "locallogin" URL: http://<ranger_host>:6080/locallogin.

Use the following steps to configure Knox SSO for Ranger:

  1. Install Ambari with HDP-2.5 or higher. Install Knox along with the other services.

  2. Install Ranger using Ambari.

  3. The Knox SSO topology settings are preconfigured in Knox > Configs > Advanced knoxsso-topology.

  4. Run the following CLI command to export the Knox certificate:

    $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file <cert.pem> -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
    • When prompted, enter the Knox master password.

    • Note the location where you save the cert.pem file.

  5. Select Ranger > Configs > Advanced > Knox SSO Settings and set the following properties:

    • Enable Ranger SSO – Select this check box to enable Ranger SSO.

    • SSO provider url – https://<knox_host>:8443/gateway/knoxsso/api/v1/websso

    • SSO public key – Paste in the contents of the cert.pem certificate file exported from Knox.

      When you paste the contents, exclude the header and footer.

    • SSO browser useragent – Preconfigured with Mozilla,chrome.

  6. Click Save to save the new configuration, then click through the confirmation pop-ups.

  7. Restart Ranger. Select Actions > Restart All Required to restart all other services that require a restart.

  8. Knox SSO should now be enabled. Users who try to access Ranger are redirected to the Knox SSO login page for authentication.
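
The certificate handling in steps 4 and 5, as an added example that is not part of the original documentation: a shell helper that strips the header and footer from the exported cert.pem and rejects a file that does not hold exactly one base64 block. The function names and the sample input are constructed for illustration, and joining the body onto one line is this example's choice rather than a requirement stated above.

```shell
#!/bin/sh
# Added example (not Hortonworks code): prepare the "SSO public key" value
# from the cert.pem that keytool wrote in step 4.

# pem_body FILE: print the base64 body of a single-certificate PEM file on one
# line, without header and footer. Fails on unreadable, multi-block, empty or
# non-base64 input so a bad paste is caught before it reaches Ranger.
pem_body() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # grep -c exits non-zero on a zero count, hence "|| true".
    begin=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$file" || true)
    end=$(grep -c -- '^-----END CERTIFICATE-----' "$file" || true)
    if [ "$begin" -ne 1 ] || [ "$end" -ne 1 ]; then
        echo "expected exactly one certificate block in $file" >&2
        return 1
    fi

    # Keep the lines between the markers, then drop the markers, CRs from
    # Windows line endings, and all other whitespace.
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$file" \
        | grep -v -- '^-----' | tr -d ' \t\r\n')

    [ -n "$body" ] || { echo "empty certificate body in $file" >&2; return 1; }
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 \
        || { echo "certificate body is not valid base64" >&2; return 1; }

    printf '%s\n' "$body"
}

# Constructed sample input: placeholder base64 with CRLF line endings,
# not a real certificate.
sample_pem() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'TWFuTWFu' 'TWFuTWFu' \
        '-----END CERTIFICATE-----'
}

# Usage: sh sso_key.sh /path/to/cert.pem
if [ "$#" -ge 1 ]; then pem_body "$1"; fi
```

Run it against the file exported in step 4 and paste the printed line into the SSO public key field.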