Configuring Apache Knox SSO

Setting Up Knox SSO

Knox SSO provides web UI SSO capabilities to your cluster. Knox SSO enables your users to log in once and gain access to cluster resources.

Context

The flexibility of the Apache Knox authentication and federation providers allows KnoxSSO to normalize authentication events through token exchange, resulting in a common JWT (JSON Web Token)-based token.

KnoxSSO provides an abstraction for integrating any number of authentication systems and SSO solutions, and enables participating web applications to scale to those solutions more easily. Without the token exchange capabilities offered by KnoxSSO, each component UI would need to integrate with each desired solution on its own. With KnoxSSO, they only need to integrate with the single solution and common token.

Configuring Knox SSO Workflow Overview

There are two ways to set up Knox SSO:
  • LDAP/AD: Uses the default form-based identity provider, Shiro.
  • SAML: Uses the pac4j provider and integrates with the identity provider Okta.
To set up Knox SSO with LDAP/AD, complete the following:
  1. Install Knox.
  2. Configure Ambari Authentication for LDAP/AD.
  3. Configure an LDAP/AD Identity Provider (IdP).
  4. Set up Knox SSO via the Ambari CLI.
  5. Set up Knox SSO via Component Config Files.
  6. Restart all services that require a restart via Ambari.
To set up Knox SSO with SAML/Okta, complete the following:
  1. Install Knox.
  2. Configure an Okta Identity Provider (IdP).
  3. Set up Knox SSO via the Ambari CLI.
  4. Set up Knox SSO via Component Config Files.
  5. Restart all services that require a restart via Ambari.

Knox-Supported Services with SSO

Apache Knox supports the following service versions in both Kerberized and non-Kerberized clusters.

Table 1. Knox Supported Components
Component SSO
Ambari
Ambari Metrics/Grafana
Atlas
HBase
HDFS
Hive (via JDBC)
Hive (via WebHCat)
Livy
Log Search
MapReduce2
Oozie
Ranger 1
SmartSense
Spark 2/Spark History Server
WebHCat/Templeton
WebHDFS
YARN
Zeppelin
Note

APIs, UIs, and SSO in the Apache Knox project that are not listed above are considered Community Features.

Community Features are developed and tested by the Apache Knox community but are not officially supported by Hortonworks. These features are excluded for a variety of reasons, including insufficient reliability or incomplete test case coverage, declaration of non-production readiness by the community at large, and feature deviation from Hortonworks best practices. Do not use these features in your production environments.

1 Admin Console