Configuring Proxy with Apache Knox

Setting Up SPNEGO Authentication

SPNEGO/Kerberos authentication is configured by adding a "HadoopAuth" authentication provider to the cluster's topology file. When enabled, the Knox Gateway uses Kerberos/SPNEGO to authenticate users to Knox.

The HadoopAuth authentication provider for Knox integrates the Apache Hadoop module for SPNEGO and delegation token-based authentication. This brings the same authentication pattern used across much of the Hadoop ecosystem to Apache Knox and allows clients to use the strong authentication and SSO capabilities of Kerberos.
  1. Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.
  2. Add the HadoopAuth authentication provider to /topology/gateway as follows:
    <provider>
      <role>authentication</role>
      <name>HadoopAuth</name>
      <enabled>true</enabled>
      <param>
        <name>config.prefix</name>
        <value>hadoop.auth.config</value>
      </param>
      <param>
        <name>hadoop.auth.config.signature.secret</name>
        <value>knox-signature-secret</value>
      </param>
      <param>
        <name>hadoop.auth.config.type</name>
        <value>kerberos</value>
      </param>
      <param>
        <name>hadoop.auth.config.simple.anonymous.allowed</name>
        <value>false</value>
      </param>
      <param>
        <name>hadoop.auth.config.token.validity</name>
        <value>1800</value>
      </param>
      <param>
        <name>hadoop.auth.config.cookie.domain</name>
        <value>novalocal</value>
      </param>
      <param>
        <name>hadoop.auth.config.cookie.path</name>
        <value>gateway/default</value>
      </param>
      <param>
        <name>hadoop.auth.config.kerberos.principal</name>
        <value>HTTP/localhost@LOCALHOST</value>
      </param>
      <param>
        <name>hadoop.auth.config.kerberos.keytab</name>
        <value>/etc/security/keytabs/spnego.service.keytab</value>
      </param>
      <param>
        <name>hadoop.auth.config.kerberos.name.rules</name>
        <value>DEFAULT</value>
      </param>
    </provider>

    Configuration parameter descriptions (names are shown without the config.prefix value; in the example above each one is prefixed with hadoop.auth.config.):

    config.prefix
      If specified, all other configuration parameter names must start with this prefix.
      Default: none

    signature.secret
      The secret used to sign the authentication token carried in the hadoop.auth cookie. Every Knox Gateway instance in a given cluster must use the same secret; otherwise a token issued by one instance fails validation on another and the client is forced to authenticate again on each request. The value is stored in clear text in the topology file, so use a long random value rather than a guessable word and protect the file accordingly.
      Default: a simple random number

    type
      Must be set to kerberos.
      Default: none (an exception is thrown if it is not set)

    simple.anonymous.allowed
      Must be false for a secure deployment; the default permits unauthenticated access.
      Default: true

    token.validity
      The validity, in seconds, of the generated authentication token. This is also used as the rollover interval when signer.secret.provider is set to random or zookeeper. The example above uses 1800 (30 minutes).
      Default: 36000 seconds

    cookie.domain
      Domain to use for the HTTP cookie that stores the authentication token.
      Default: null

    cookie.path
      Path to use for the HTTP cookie that stores the authentication token.
      Default: null

    kerberos.principal
      The web-application Kerberos principal name. The Kerberos principal name must start with HTTP/… and should name the fully qualified host name that clients use to reach the gateway, because SPNEGO clients request a service ticket for HTTP/<host-in-URL>. For example: HTTP/localhost@LOCALHOST (a sandbox value).
      Default: null

    kerberos.keytab
      The path to the keytab file containing the credentials for the Kerberos principal. For example: /Users/lmccay/lmccay.keytab. Restrict the file's permissions so that only the account running the gateway can read it.
      Default: null

    kerberos.name.rules
      The name of the ruleset for extracting the username from the Kerberos principal.
      Default: DEFAULT
  3. Save the file.
    The gateway creates a new WAR file with a modified timestamp in $gateway/data/deployments.
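The parameter descriptions above amount to a short checklist that is easy to get wrong by hand (the prefix must be applied to every name, anonymous access defaults to on, and the sample secret is not meant for production). The following script, added here as an example and not part of Knox, parses a topology descriptor and reports settings that contradict those descriptions. The topology() helper builds constructed sample descriptors mirroring the provider block in step 2; the host name knox.example.com, the 64-character sample secret, the list of placeholder secrets and the 32-character minimum are this example's own assumptions.

```python
"""Lint the HadoopAuth provider in a Knox topology descriptor.

Added example, not Knox tooling. Checks the provider block against the
parameter descriptions on this page; the placeholder list and minimum
secret length are this example's own policy, not a Knox requirement.
"""
import xml.etree.ElementTree as ET

PLACEHOLDER_SECRETS = {"knox-signature-secret", "secret", "changeme"}  # assumed policy
MIN_SECRET_LEN = 32  # assumed policy: an HMAC key should not be a short word


def _text(el, tag, default=""):
    return (el.findtext(tag) or default).strip()


def hadoop_auth_params(topology_xml: str) -> dict:
    """Return the enabled HadoopAuth provider's params with config.prefix stripped."""
    root = ET.fromstring(topology_xml)
    for provider in root.iterfind("./gateway/provider"):
        if _text(provider, "role") != "authentication":
            continue
        if _text(provider, "name") != "HadoopAuth":
            continue
        if _text(provider, "enabled", "false").lower() != "true":
            continue
        raw = {_text(p, "name"): _text(p, "value") for p in provider.iterfind("param")}
        prefix = raw.get("config.prefix")
        if prefix:
            # With a prefix set, only parameters carrying it are read by the provider.
            return {k[len(prefix) + 1:]: v for k, v in raw.items() if k.startswith(prefix + ".")}
        return {k: v for k, v in raw.items() if k != "config.prefix"}
    return {}


def lint_hadoop_auth(topology_xml: str) -> list:
    """Return findings as strings; an empty list means the provider looks sane."""
    p = hadoop_auth_params(topology_xml)
    if not p:
        return ["no enabled HadoopAuth authentication provider found"]
    findings = []
    if p.get("type") != "kerberos":
        findings.append("type must be kerberos")
    # Default is true, so a missing parameter is as bad as an explicit true.
    if p.get("simple.anonymous.allowed", "true").lower() != "false":
        findings.append("simple.anonymous.allowed must be false (default is true)")
    secret = p.get("signature.secret", "")
    if not secret:
        findings.append("signature.secret is not set; each instance would sign with its own random value")
    elif secret in PLACEHOLDER_SECRETS:
        findings.append("signature.secret is a placeholder; generate a random value shared by all gateway instances")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"signature.secret is shorter than {MIN_SECRET_LEN} characters")
    if not p.get("kerberos.principal", "").startswith("HTTP/"):
        findings.append("kerberos.principal must start with HTTP/")
    if not p.get("kerberos.keytab", "").startswith("/"):
        findings.append("kerberos.keytab should be an absolute path")
    validity = p.get("token.validity", "36000")
    if not validity.isdigit() or int(validity) <= 0:
        findings.append("token.validity must be a positive number of seconds")
    return findings


def topology(secret, anonymous="false", principal="HTTP/knox.example.com@EXAMPLE.COM"):
    """Constructed topology descriptor mirroring the provider block in step 2."""
    return f"""<topology><gateway>
  <provider>
    <role>authentication</role><name>HadoopAuth</name><enabled>true</enabled>
    <param><name>config.prefix</name><value>hadoop.auth.config</value></param>
    <param><name>hadoop.auth.config.signature.secret</name><value>{secret}</value></param>
    <param><name>hadoop.auth.config.type</name><value>kerberos</value></param>
    <param><name>hadoop.auth.config.simple.anonymous.allowed</name><value>{anonymous}</value></param>
    <param><name>hadoop.auth.config.token.validity</name><value>1800</value></param>
    <param><name>hadoop.auth.config.kerberos.principal</name><value>{principal}</value></param>
    <param><name>hadoop.auth.config.kerberos.keytab</name><value>/etc/security/keytabs/spnego.service.keytab</value></param>
    <param><name>hadoop.auth.config.kerberos.name.rules</name><value>DEFAULT</value></param>
  </provider>
</gateway></topology>"""


# The page's own sample values, and a variant with a long secret and a real-looking host principal.
PAGE_SAMPLE = topology("knox-signature-secret", principal="HTTP/localhost@LOCALHOST")
HARDENED = topology("0123456789abcdef" * 4)  # constructed 64-char value; generate your own randomly

if __name__ == "__main__":
    for label, xml in (("page sample", PAGE_SAMPLE), ("hardened", HARDENED)):
        print(label, lint_hadoop_auth(xml) or "OK")
```

Run it against the real $cluster-name.xml by reading the file into lint_hadoop_auth(); the page sample is reported only for its placeholder secret, and flipping simple.anonymous.allowed to true or dropping the HTTP/ service prefix each adds a finding.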

REST Invocation

Once a user has obtained a ticket with kinit, the Kerberos credentials in their ticket cache can be used across client requests with tools such as curl. The following curl command requests a directory listing from HDFS through the gateway while authenticating with SPNEGO via the --negotiate flag; the empty -u : tells curl to take the credentials from the ticket cache instead of prompting, and -i includes the response headers in the output:
curl -k -i --negotiate -u : https://localhost:8443/gateway/sandbox/webhdfs/v1/tmp?op=LISTSTATUS
Note that -k disables TLS certificate verification and is acceptable only against a sandbox gateway with a self-signed certificate; in a production deployment, point curl at the CA that issued the gateway certificate with --cacert instead. curl requests a service ticket for HTTP/<host in the URL>, so the host name used here must match the kerberos.principal configured in the topology.
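After the Negotiate exchange succeeds, the HadoopAuth provider sets a signed hadoop.auth cookie that carries the authentication token for later requests until token.validity elapses. The following Python model, added here and not taken from Knox or Hadoop, shows why the parameter descriptions insist on one signature.secret across all gateway instances: a token issued by one instance verifies on a second instance holding the same secret, fails on an instance with a different secret (which is what forces re-authentication on every request), and fails once it has expired or been tampered with. The field layout u=, p=, t=, e= with the signature appended as &s= follows Hadoop's AuthenticationToken; the choice of HMAC-SHA256 and base64 here is an assumption about the signing details, which have changed across Hadoop versions, as are the secrets, user names and timestamps used in the demonstration.

```python
"""Model of the signed hadoop.auth token issued after a SPNEGO login.

Added example, not Hadoop's or Knox's code. Token layout follows Hadoop's
AuthenticationToken (u=user&p=principal&t=type&e=expiry-ms) plus &s=sig;
HMAC-SHA256/base64 is assumed for the signature.
"""
import base64
import hashlib
import hmac
from typing import Optional


def issue_token(secret: bytes, user: str, principal: str, validity_s: int, now_ms: int) -> str:
    """Build the cookie value a gateway instance sets once SPNEGO succeeds."""
    expires = now_ms + validity_s * 1000  # token.validity is in seconds, expiry in epoch ms
    body = f"u={user}&p={principal}&t=kerberos&e={expires}"
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "&s=" + base64.b64encode(sig).decode()


def verify_token(secret: bytes, token: str, now_ms: int) -> Optional[dict]:
    """Return the token fields if the signature checks out and it is unexpired, else None."""
    body, sep, sig_b64 = token.rpartition("&s=")
    if not sep:
        return None
    try:
        presented = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a verifier does not leak the MAC byte by byte.
    if not hmac.compare_digest(expected, presented):
        return None
    fields = dict(kv.split("=", 1) for kv in body.split("&"))
    if int(fields["e"]) <= now_ms:
        return None  # expired: the client must go through Negotiate again
    return fields


def cluster_round_trip() -> dict:
    """Issue one token on gateway A and try it against several verifiers."""
    shared = b"constructed-shared-secret-for-every-gateway-instance"  # all instances configure this
    rogue = b"constructed-secret-of-a-misconfigured-instance"        # one instance left the default
    t0 = 1_700_000_000_000  # fixed "now" in epoch ms so the example is deterministic
    token = issue_token(shared, "guest", "guest@EXAMPLE.COM", validity_s=1800, now_ms=t0)
    return {
        "same_secret": verify_token(shared, token, t0 + 60_000) is not None,
        "different_secret": verify_token(rogue, token, t0 + 60_000) is not None,
        "expired": verify_token(shared, token, t0 + 1800 * 1000) is not None,
        "tampered": verify_token(shared, token.replace("u=guest", "u=hdfs"), t0 + 60_000) is not None,
    }


if __name__ == "__main__":
    for outcome, accepted in cluster_round_trip().items():
        print(f"{outcome:16s} accepted={accepted}")
```

Only the instance sharing the issuing secret accepts the token; the misconfigured instance rejects it and the client falls back to a fresh Negotiate exchange, which is the per-request re-authentication the signature.secret description warns about.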