Installing Apache Knox

Example: Configure Knox Gateway for LDAP

This example shows you how to set up the Knox Gateway with the ShiroProvider, which involves configuring an LDAP authentication provider.

Context

LDAP authentication is configured by adding a "ShiroProvider" authentication provider to the cluster's topology file. When enabled, the Knox Gateway uses Apache Shiro (org.apache.shiro.realm.ldap.JndiLdapRealm) to authenticate users against the configured LDAP store.

Setting up Topology File

  1. Log in to Ambari and open the Knox service page.

    The Knox Admin UI link can be found on the right pane of Ambari's Knox page.

    When this link is clicked, the user is asked for a username and password. These credentials are validated against the LDAP directory configured for the manager.

  2. Access the Knox Admin UI page to create a topology.
    Once the admin lands in the Knox Admin UI, there are fundamentally three more steps to create a topology for the desired use case:
    1. Create a custom provider configuration.
    2. Define descriptors for the topology to auto-discover services from Ambari.
    3. Save and verify the topology that is created.
    The next steps cover topology creation in detail.
  3. Create a custom provider configuration.

    Click "Provider Configurations" in the left panel to list all available providers. Click the "+" button on the right side to create a new provider.

    Select all the providers that are needed to define "hdp_ui_provider":
    • Authentication (LDAP)
    • Authorization (AclsAuthz/Access Control Lists)
    • HAProvider (Default)
    • Identity-assertion (Default)
    These four providers can be added by selecting each one and supplying values from the auto-populated options. Detailed steps are given below.
    1. Add Authentication>LDAP.
    2. Add Authorization>Access Control Lists.
    3. Add HAProvider>Default.
    4. Add Identity-Assertion>Default.
    5. Save the provider by clicking the Save button at the bottom right.
  4. Define descriptors for the topology: click the "+" button next to Descriptor to define a new custom descriptor.
    1. Add all details for the descriptor:
      • Define a name for the descriptor.
      • Select $Services from the list below.
      • Configure the Ambari address in "Discovery - Address".
      • Configure the Ambari cluster name in "Discovery - Cluster".
      • Provide the Ambari user name in "Discovery - Username".
      • "Discovery Password Alias" can be left as is, because the manual step below, run on the Knox machine, stores the password as an alias so that it does not have to be configured here.
    2. Create the password alias, e.g.:
      [root@ctr-e138-1518143905142-240189-01-046340 services]# /usr/$REPO/$VERSION/knox/bin/knoxcli.sh create-alias ambari.discovery.password
      Enter password:
      Enter password again:
      ambari.discovery.password has been successfully created.
      
    3. Select the provider configuration "hdp_ui_provider".
    4. Press "Ok" to save the details.
    5. Select the "hdp_ui" descriptor to add "$SERVICES".

      The admin can add the custom services that are shown on the right pane under "Descriptor Detail".

      Not all services listed are officially supported. See "Knox - Supported Services" for details on which services are supported.

  5. Verify the topology:

    Topologies>Select one topology: this is a read-only pane where all the configuration done for "hdp_ui" can be verified.

Changing QuickLinks for $SERVICE UIs

Place the quicklinks.json file below on the Ambari server machine to ensure that the $SERVICE UI quick links are accessible only via the Knox proxy.
  1. Quick Link template
    {
      "name": "default",
      "description": "default quick links configuration",
      "configuration": {
        "protocol": {
          "type": "HTTPS_ONLY"
        },
        "links": [
          {
            "name": "resourcemanager_ui",
            "label": "ResourceManager UI",
            "requires_user_name": "false",
            "component_name": "KNOX_GATEWAY",
            "url": "%@://%@:%@/gateway/hdp_ui/$SERVICE/",
            "port": {
              "https_property": "gateway.port",
              "https_default_port": "8443",
              "regex": "^(\\d+)$",
              "site": "gateway-site"
            }
          },
          {
            "name": "resourcemanager_logs",
            "label": "ResourceManager logs",
            "requires_user_name": "false",
            "component_name": "KNOX_GATEWAY",
            "url": "%@://%@:%@/gateway/hdp_ui/$SERVICE/logs",
            "port": {
              "https_property": "gateway.port",
              "https_default_port": "8443",
              "regex": "^(\\d+)$",
              "site": "gateway-site"
            }
          },
          {
            "name": "resourcemanager_jmx",
            "label": "ResourceManager JMX",
            "requires_user_name": "false",
            "component_name": "KNOX_GATEWAY",
            "url": "%@://%@:%@/gateway/hdp_ui/$SERVICE/jmx",
            "port": {
              "https_property": "gateway.port",
              "https_default_port": "8443",
              "regex": "^(\\d+)$",
              "site": "gateway-site"
            }
          },
          {
            "name": "thread_stacks",
            "label": "Thread Stacks",
            "requires_user_name": "false",
            "component_name": "KNOX_GATEWAY",
            "url": "%@://%@:%@/gateway/hdp_ui/$SERVICE/stacks",
            "port": {
              "https_property": "gateway.port",
              "https_default_port": "8443",
              "regex": "^(\\d+)$",
              "site": "gateway-site"
            }
          }
        ]
      }
    }
    
  2. Place quicklinks.json in Ambari: on the ambari-server host, place the quick link file at the following path:
    /var/lib/ambari-server/resources/stacks/$REPO/$VERSION/services/$SERVICE/quicklinks/quicklinks.json
    
    Ensure that the existing quicklinks.json is replaced with the JSON file from this document.
  3. Restart Ambari: ambari-server restart
  4. Verify the quick links.

    After these steps, the $SERVICE quick links will be accessible only via the Knox proxy.
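The point of the template above is that every quick link must resolve to the Knox gateway over HTTPS rather than to the service's own web port. The following added check (not part of this document or of Ambari/Knox) audits a quicklinks.json before it is dropped into the stack directory: it parses the file and reports any link whose component, URL prefix or port source would bypass the proxy. The sample input is constructed; it contains one correctly proxied link and one direct ResourceManager link, and the topology name hdp_ui is taken from the template.

```python
import json

# Constructed sample (not the page's file): one link that goes through the Knox
# gateway as in the template, and one that points straight at the service UI.
SAMPLE_QUICKLINKS = json.dumps({
    "name": "default",
    "description": "default quick links configuration",
    "configuration": {
        "protocol": {"type": "HTTPS_ONLY"},
        "links": [
            {"name": "resourcemanager_ui", "label": "ResourceManager UI",
             "requires_user_name": "false", "component_name": "KNOX_GATEWAY",
             "url": "%@://%@:%@/gateway/hdp_ui/yarn/",
             "port": {"https_property": "gateway.port", "https_default_port": "8443",
                      "regex": "^(\\d+)$", "site": "gateway-site"}},
            {"name": "resourcemanager_direct", "label": "ResourceManager (direct)",
             "requires_user_name": "false", "component_name": "RESOURCEMANAGER",
             "url": "%@://%@:%@/cluster",
             "port": {"http_property": "yarn.resourcemanager.webapp.address",
                      "http_default_port": "8088", "regex": "\\w*:(\\d+)",
                      "site": "yarn-site"}},
        ],
    },
})

GATEWAY_PREFIX = "%@://%@:%@/gateway/"


def audit_quicklinks(text, topology="hdp_ui"):
    """Return findings for anything in a quicklinks.json that would bypass Knox."""
    conf = json.loads(text).get("configuration", {})
    findings = []
    # Ambari must only render HTTPS links; HTTP_ONLY or HTTP_OR_HTTPS weakens that.
    if conf.get("protocol", {}).get("type") != "HTTPS_ONLY":
        findings.append("protocol: expected HTTPS_ONLY")
    for link in conf.get("links", []):
        name = link.get("name", "<unnamed>")
        # The host substituted into %@ comes from the named component, so it must
        # be the gateway, not the backing service.
        if link.get("component_name") != "KNOX_GATEWAY":
            findings.append(f"{name}: component_name is not KNOX_GATEWAY")
        if not link.get("url", "").startswith(f"{GATEWAY_PREFIX}{topology}/"):
            findings.append(f"{name}: url does not go through /gateway/{topology}/")
        port = link.get("port", {})
        if port.get("site") != "gateway-site" or port.get("https_property") != "gateway.port":
            findings.append(f"{name}: port is not taken from gateway-site/gateway.port")
    return findings


if __name__ == "__main__":
    for finding in audit_quicklinks(SAMPLE_QUICKLINKS):
        print(finding)
```

Run it against the real file with `audit_quicklinks(open(path).read())`; an empty list means every link is proxied through the hdp_ui topology.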