Installing Apache Knox

Set up Knox SSO via Component Config Files

Some components (Ambari, Atlas, and Ranger) can be set up for SSO with ambari-server setup-sso. Other components (HDFS, Oozie, MapReduce2, Zeppelin, the Spark2 History Server, and YARN) must be configured manually in their config files. This section describes the manual SSO steps.

  1. Log into Ambari as the root user.
  2. Install Ambari with HDP-3.0.0 or higher. Install Knox along with the other services.
  3. Install the components you need.
  4. If you need to, run the following CLI command to export the Knox gateway certificate (the public half of the key that signs the SSO tokens):
    $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file cert.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
    • When prompted, enter the Knox master secret (by default it is also the keystore password for gateway.jks).

    • Note the location where you save the cert.pem file. For the *.public.key.pem properties in core-site.xml and oozie-site.xml below, paste the base64 body of cert.pem only, without the BEGIN CERTIFICATE and END CERTIFICATE lines; the Hadoop handler adds those markers back itself. Zeppelin instead takes a path to the PEM file.

  5. Set the following properties for your components:
    • HDFS: core-site.xml
      "hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
      "hadoop.http.authentication.public.key.pem": "$SSOPUBLICKEY"
      "hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
    • Oozie: oozie-site.xml
      oozie.authentication.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
      oozie.authentication.authentication.provider.url=https://$KNOX_HOST:8443/gateway/knoxsso/api/v1/websso
      oozie.authentication.public.key.pem=$KNOX_PUBLIC_KEY
      optional: oozie.authentication.expected.jwt.audiences=$AUDIENCES (default: EMPTY; which means ALL)
      optional: oozie.authentication.jwt.cookie=$COOKIE-NAME (default: hadoop-jwt)
    • MapReduce2: core-site.xml
      "hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
      "hadoop.http.authentication.public.key.pem": "$SSOPUBLICKEY"
      "hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
    • Zeppelin: Advanced zeppelin-shiro-ini > shiro_ini_content
      knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
      knoxJwtRealm.providerUrl = $PROVIDERURL
      knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
      knoxJwtRealm.publicKeyPath = $PATH_OF_KNOX-SSO.PEM
      knoxJwtRealm.logoutAPI = false
      knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
      knoxJwtRealm.cookieName = hadoop-jwt
      knoxJwtRealm.redirectParam = originalUrl
      knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
      knoxJwtRealm.principalMapping = principal.mapping
      authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
    • Spark2 History Server: Advanced spark2-env, for SPARK_HISTORY_OPTS (the Kerberos principal and keytab stay in place because the JWT handler falls back to SPNEGO when no valid hadoop-jwt cookie is presented)
      export SPARK_HISTORY_OPTS='
      -Dspark.ui.filters=org.apache.hadoop.security.authentication.server.AuthenticationFilter
      -Dspark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.params="type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler,
      kerberos.principal=$SPARK_HISTORY_KERBEROS_PRINCIPAL,
      kerberos.keytab=$SPNEGO_KEYTAB,
      authentication.provider.url=$PROVIDER_URL,
      public.key.pem=$PUBLIC_KEY"'
    • YARN: core-site.xml
      "hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
      "hadoop.http.authentication.public.key.pem": "$SSOPUBLICKEY"
      "hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
  6. Click Save to save the new configuration(s), then click through the confirmation pop-ups.
  7. Select Ambari > Actions > Restart All Required to restart all other services that require a restart.
  8. Knox SSO should now be enabled. Users who open the web UI of any component configured above without a valid hadoop-jwt cookie are redirected to the Knox SSO login page for authentication, and sent back to the original URL once Knox has issued the token.
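What the properties above actually switch on is a check of the hadoop-jwt cookie: the handler verifies the token's RS256 signature with the gateway-identity public key, rejects expired tokens, and, where audiences are configured (as for oozie.authentication.expected.jwt.audiences), requires a matching aud claim; anything that fails is redirected to the provider URL. The following is an added example, not code from the Knox project or the Hortonworks documentation: a stand-alone model of that decision in pure standard-library Python, with a toy RSA key pair standing in for the Knox certificate and a constructed token. The claim layout (sub, iss, exp, optional aud) is an assumption modelled on what Knox issues; the helper names are this example's own.

```python
# Added example, not Knox/Hortonworks code: a model of the hadoop-jwt checks done by
# JWTRedirectAuthenticationHandler. Standard library only (Python 3.8+); key pair and
# token are constructed here so it runs offline. Toy key sizes, not production code.
import base64, hashlib, json, random, time

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; good enough for a demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def make_keypair(bits=1024):
    """Stand-in for the gateway-identity key: returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so e not dividing phi makes it invertible
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa_pkcs1_v15(msg, k):
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes (what RS256 signs)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(private, msg):
    n, d = private
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(public, msg, sig):
    n, e = public
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)

def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_knox_token(private, subject, audiences=(), ttl=3600, now=None):
    """Token shaped like the hadoop-jwt cookie KnoxSSO sets (claim layout assumed)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "iss": "KNOXSSO", "exp": now + ttl}
    if audiences:
        claims["aud"] = list(audiences)
    signing_input = _b64url(json.dumps({"alg": "RS256"}).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(rs256_sign(private, signing_input.encode()))

def validate_hadoop_jwt(public, token, expected_audiences=(), now=None):
    """Signature with the Knox public key, expiry, then audience (empty list = accept all,
    the Oozie default above). Returns the username, or None = redirect to provider.url."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "RS256":  # never let the token choose "none" or an HMAC alg
        return None
    if not rs256_verify(public, (h + "." + c).encode(), sig):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    if expected_audiences:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if not isinstance(aud, list) or not any(a in expected_audiences for a in aud):
            return None
    return claims.get("sub")

if __name__ == "__main__":
    pub, priv = make_keypair()
    cookie = issue_knox_token(priv, "guest", ["oozie"])
    print(validate_hadoop_jwt(pub, cookie, ["oozie"]))     # guest
    print(validate_hadoop_jwt(pub, cookie, ["zeppelin"]))  # None: audience mismatch
```

Two points worth taking from the model into operations: a public.key.pem value taken from any certificate other than gateway-identity fails the signature check and produces an endless redirect loop rather than an error message, and an audience list that does not match what Knox puts in the token (knoxsso.token.audiences) fails in exactly the same silent way, so leave expected.jwt.audiences empty until the basic flow works.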