Configuring Apache Knox SSO

Set Up Knox SSO via the Ambari CLI

How to use the Ambari CLI to configure the Atlas, Ambari, and Ranger UIs to authenticate users with Knox SSO (Single Sign-on). With this configuration, unauthenticated users who try to access a service (e.g., Ambari or Atlas) are redirected to the Knox SSO login page for authentication.

The Ambari Server must be running.
  1. Log into Ambari as the root user.
  2. Run the following command: ambari-server setup-sso.
  3. When prompted, enter the Ambari Admin credentials.
  4. Depending on your configuration, choose a path:
    • If SSO is not configured, it will prompt Do you want to configure SSO authentication.
      • Enter y to continue through the wizard.
      • Enter n to exit the wizard.
    • If SSO is already configured, it will prompt Do you want to disable SSO authentication.
      • Enter y to disable SSO for Ambari and the services (if services were being managed). Then it will exit the wizard.
      • Enter n to continue through the wizard.
  5. For the provider URL, enter: https://<hostname>:8443/gateway/knoxsso/api/v1/websso.
    https://dw-weekly.field.hortonworks.com:8443/gateway/knoxsso/api/v1/websso
  6. For the Public Certificate PEM (empty line to finish input) prompt, follow these steps to obtain the certificate contents:
    1. Export the Knox certificate: $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file cert.pem -keystore /usr/$REPO/current/knox-server/data/security/keystores/gateway.jks
      • When prompted, enter the Knox master password.
      • Note the location where you save the cert.pem file.
    2. Verify the location of the pem file: ./knoxcli.sh export-cert --type PEM
      [root@dw-weekly ~]# $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file cert.pem -keystore /usr/$REPO/current/knox-server/data/security/keystores/gateway.jks
      [root@dw-weekly ~]# cd /usr/$REPO/current/knox-server/bin
      [root@dw-weekly bin]# ./knoxcli.sh export-cert --type PEM
      Certificate gateway-identity has been successfully exported to: /usr/$REPO/$VERSION/knox/data/security/keystores/gateway-identity.pem
      [root@dw-weekly bin]# vi /usr/$REPO/$VERSION/knox/data/security/keystores/gateway-identity.pem
      Then copy the contents of the file, excluding the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
    3. When prompted Public Certificate PEM (empty line to finish input), enter the contents of the pem file.
      If you run ambari-server setup-sso again and the PEM file was previously set, you are prompted The SSO provider's public certificate has already set. Do you want to change it [y/n]?.
  7. When prompted Use SSO for Ambari [y/n] (n)?, enter:
    • y to use SSO for Ambari.
    • n to not use SSO for Ambari.
    Ambari does not need to be configured for SSO in order for the services to be configured for SSO (and vice-versa).
  8. When prompted Manage SSO configurations for eligible services [y/n] (n)?, enter your selection.
    • y will begin the service SSO setup wizard. The configuration of each eligible service will be changed depending on your selection when prompted.
    • n will exit the SSO setup wizard, saving your PEM setup and Ambari SSO selections. Ambari will not alter the existing configuration of any service. This is important if the cluster was set up using Blueprints and you do not want Ambari to change SSO settings that were set explicitly.
  9. If you chose y, you will be prompted Use SSO for all services [y/n] (y)?.
    • y will automatically set up SSO for all available services.
    • n will enter SSO setup for each individual service, allowing you to choose for which services you wish to enable SSO.
  10. At the JWT Cookie name prompt, hadoop-jwt is the default.
  11. Leave JWT audiences list empty.
    The prompt returns Ambari Server 'setup-sso' completed successfully.
  12. Select Ambari > Actions > Restart All Required to restart all other services that require a restart.
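Step 6 asks you to paste the exported certificate without its BEGIN/END lines. The following script is an added example (not part of this documentation or of Ambari) that prepares that input from a file such as gateway-identity.pem and checks it first: it refuses anything other than exactly one CERTIFICATE block (so a private key or a whole chain is never pasted) and confirms the body decodes to a DER SEQUENCE. The embedded sample is a constructed stand-in, not a real Knox certificate.

```python
import base64
import re
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for gateway-identity.pem: a tiny DER SEQUENCE, not a
# real certificate. A real export from knoxcli.sh has the same PEM shape.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (PEM_HEADER + "\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + PEM_FOOTER + "\n")


def pem_body_for_prompt(pem_text):
    """Return the base64 lines to paste at the Public Certificate PEM prompt.

    Raises ValueError unless the input is exactly one CERTIFICATE block whose
    body decodes to an ASN.1 SEQUENCE (the outer type of every X.509 cert).
    """
    if "PRIVATE KEY" in pem_text:
        raise ValueError("input contains a private key; paste only the public certificate")
    blocks = re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    if blocks != ["CERTIFICATE"]:
        raise ValueError("expected exactly one CERTIFICATE block, found %r" % blocks)
    start = pem_text.index(PEM_HEADER)
    end = pem_text.index(PEM_FOOTER) + len(PEM_FOOTER)
    single = pem_text[start:end]
    # ssl.PEM_cert_to_DER_cert checks the delimiters and base64-decodes the
    # body; a certificate is a DER SEQUENCE, so the first byte must be 0x30.
    der = ssl.PEM_cert_to_DER_cert(single)
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE; not a certificate")
    body = single[len(PEM_HEADER):-len(PEM_FOOTER)]
    return [line.strip() for line in body.splitlines() if line.strip()]


if __name__ == "__main__":
    import sys
    # Usage: python prep_pem.py [/path/to/gateway-identity.pem]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("\n".join(pem_body_for_prompt(text)))
```

Paste the printed lines at the prompt and finish with an empty line.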

Example Knox SSO via ambari-server setup-sso

[root@dw-weekly ~]# $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file cert.pem -keystore /usr/$REPO/current/knox-server/data/security/keystores/gateway.jks
[root@dw-weekly ~]# cd /usr/$REPO/current/knox-server/bin
[root@dw-weekly bin]# ./knoxcli.sh export-cert --type PEM
Certificate gateway-identity has been successfully exported to: /usr/$REPO/$VERSION/knox/data/security/keystores/gateway-identity.pem
[root@dw-weekly bin]# vi /usr/$REPO/$VERSION/knox/data/security/keystores/gateway-identity.pem
// <copy the certificate>
[root@dw-weekly ~]# ambari-server setup-sso
Using python  /usr/bin/python
Setting up SSO authentication properties...
Enter Ambari Admin login: admin
Enter Ambari Admin password: 

SSO is currently not configured
Do you want to configure SSO authentication [y/n] (y)? y
Provider URL (https://knox.example.com:8443/gateway/knoxsso/api/v1/websso): https://dw-weekly.field.hortonworks.com:8443/gateway/knoxsso/api/v1/websso
Public Certificate PEM (empty line to finish input):
// <paste the certificate contents>

Use SSO for Ambari [y/n] (n)? y
Manage SSO configurations for eligible services [y/n] (n)? y
 Use SSO for all services [y/n] (n)? y
JWT Cookie name (hadoop-jwt): hadoop-jwt
JWT audiences list (comma-separated), empty for any (): 
Ambari Server 'setup-sso' completed successfully.
[root@dw-weekly ~]# ambari-server restart
Continue to “Set up Knox SSO via Component Config Files”.