[ https://issues.apache.org/jira/browse/KNOX-907?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
SuryaKranthi Koneru updated KNOX-907:
-------------------------------------
Description:
Ambari URL:-
http://hostname:8080/#/main/views/HIVE/2.0.0/AUTO_HIVE20_INSTANCE
Knox proxy enabled for Ambari:-
https://hostname:8443/gateway/ui/ambari/#/main/views/HIVE/2.0.0/AUTO_HIVE20_INSTANCE
Steps to reproduce:-
1- Configure Knox Proxy for Ambari.
Create ui.xml in /usr/hdp/current/knox-server/conf/topologies
Note:- I have already deployed the ui.xml topology in this path. No Knox
restart is required.
The sample ui.xml is below.
2- Invoke Ambari through the Knox proxy
https://hostname:8443/gateway/ui/ambari/#/login
3- Click on the hive2.0 view
Notice all the "service check failed" messages. A screenshot is attached.
Note:- If you go through the Ambari URL, you will be able to access the HIVE2.0
view.
http://hostname:8080/#/main/views/HIVE/2.0.0/AUTO_HIVE20_INSTANCE
ui.xml:-
<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://<ldapinstance>:<ldapport></value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>AMBARI</role>
        <url>http://hostname:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://hostname:8080</url>
    </service>
</topology>
was:
When issuing the KnoxToken, the requesting client IP address should be added to
the resulting token. This IP address will then need to be validated against the
IP address of any incoming request that presents the bearer token as proof of
identity.
This will prevent the misappropriation of a token from allowing access from any
other machine.
We will also want to make this binding requirement configurable and provide
appropriate warning messages when not in use.
> Knox Proxy - Ambari HIVE2.0 view doesn't showup due to Servicecheck issues
> --------------------------------------------------------------------------
>
> Key: KNOX-907
> URL: https://issues.apache.org/jira/browse/KNOX-907
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: SuryaKranthi Koneru
> Assignee: Larry McCay
> Priority: Critical
> Labels: kip-4
> Fix For: 0.13.0