Greetings,

I’m working on enabling knox-sso authentication in Zeppelin. I configured the Zeppelin UI host in the topology XML and made the configuration changes to enable Zeppelin in Knox (suggested in the documentation). Now I’m facing a few issues on accessing Zeppelin via the Knox gateway URL, which I have detailed below. Could anyone please help me with this? It would be very helpful to proceed further.

I’m seeing the below log error messages on starting the zeppelin.

[image: image001.png]

Configuration changes:

1. Zeppelin : shiro.ini

    knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
    knoxJwtRealm.providerUrl = https://<dns-domain>:8446/
    knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
    knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
    knoxJwtRealm.logoutAPI = true
    knoxJwtRealm.redirectParam = originalUrl
    knoxJwtRealm.cookieName = hadoop-jwt
    knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
    knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
    knoxJwtRealm.principalMapping = principal.mapping
    authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter

2. Knoxsso.xml

    <?xml version="1.0" encoding="utf-8"?>
    <topology>
      <gateway>
        <provider>
          <role>federation</role>
          <name>pac4j</name>
          <enabled>true</enabled>
          <param>
            <name>pac4j.session.store</name>
            <value>J2ESessionStore</value>
          </param>
          <param>
            <name>pac4j.callbackUrl</name>
            <value>https://<dnsname>:8446/gateway/knoxsso/api/v1/websso</value>
          </param>
          <param>
            <name>clientName</name>
            <value>SAML2Client</value>
          </param>
          <param>
            <name>saml.identityProviderMetadataPath</name>
            <value>/tmp/preprod_metadata_SP.xml</value>
          </param>
          <param>
            <name>saml.serviceProviderMetadataPath</name>
            <value>/tmp/preprod_metadata_SP.xml</value>
          </param>
          <param>
            <name>saml.serviceProviderEntityId</name>
            <value>https:// <dnsname>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
          </param>
        </provider>
        <provider>
          <role>identity-assertion</role>
          <name>Default</name>
          <enabled>true</enabled>
        </provider>
        <provider>
          <role>hostmap</role>
          <name>static</name>
          <enabled>true</enabled>
          <param>
            <name>localhost</name>
            <value>XXX.vpc.internal</value>
          </param>
        </provider>
      </gateway>
      <service>
        <role>KNOXSSO</role>
        <param>
          <name>knoxsso.cookie.domain.suffix</name>
          <value>.######</value>
        </param>
        <param>
          <name>knoxsso.cookie.secure.only</name>
          <value>false</value>
        </param>
        <param>
          <name>knoxsso.enable.session</name>
          <value>true</value>
        </param>
        <param>
          <name>knoxsso.cookie.max.age</name>
          <value>session</value>
        </param>
        <param>
          <name>knoxsso.token.ttl</name>
          <value>100000</value>
        </param>
        <param>
          <name>knoxsso.redirect.whitelist.regex</name>
          <value>^https?:\/\/( <dnsname>|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
      </service>
    </topology>

3. gate1.xml (topology xml)

    <?xml version="1.0" encoding="utf-8"?>
    <topology>
      <gateway>
        <provider>
          <role>webappsec</role>
          <name>WebAppSec</name>
          <enabled>true</enabled>
          <param>
            <name>cors.enabled</name>
            <value>true</value>
          </param>
        </provider>
        <provider>
          <role>federation</role>
          <name>SSOCookieProvider</name>
          <enabled>true</enabled>
          <param>
            <name>sso.authentication.provider.url</name>
            <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
          </param>
        </provider>
        <provider>
          <role>identity-assertion</role>
          <name>Default</name>
          <enabled>true</enabled>
        </provider>
      </gateway>
      <service>
        <role>YARNUI</role>
        <url>http://XXXX.vpc.internal:8088</url>
      </service>
      <service>
        <role>SPARKHISTORYUI</role>
        <url>http://XXXXX.vpc.internal:18080/</url>
      </service>
      <service>
        <role>ZEPPELINWS</role>
        <url>ws://XXXXXXX.vpc.internal:8890/ws</url>
      </service>
      <service>
        <role>ZEPPELINUI</role>
        <url>http://XXXXXXX.vpc.internal:8890</url>
      </service>
    </topology>

Thanks,
Praveen.R
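
An added example, not part of the original message: a Python check of which originalUrl values the knoxsso.redirect.whitelist.regex shown in Knoxsso.xml would accept, first with the space after "(" as it appears in the post and then with that space removed. The host gateway.example.com and all sample URLs are constructed stand-ins for the redacted values, and whole-string matching is an assumption about how the gateway applies the pattern.

```python
import re

# Regex exactly as posted in Knoxsso.xml, including the space after "(".
# <dnsname> is the poster's redaction placeholder.
POSTED_REGEX = (r"^https?:\/\/( <dnsname>|localhost|127\.0\.0\.1"
                r"|0:0:0:0:0:0:0:1|::1):[0-9].*$")

# Constructed stand-in for the redacted gateway host (assumption).
GATEWAY_HOST = "gateway.example.com"

# Constructed originalUrl values of the kind a redirect to Knox SSO carries.
SAMPLES = [
    "https://gateway.example.com:8446/gateway/gate1/zeppelin/",  # gateway, with port
    "https://gateway.example.com/gateway/gate1/zeppelin/",       # gateway, no port
    "http://zeppelin.vpc.internal:8890/",                        # backend host, not listed
    "https://localhost:8446/gateway/gate1/zeppelin/",            # listed literal host
    "https://gateway.example.com.other.test:8446/",              # longer host, same prefix
]


def build_whitelist(template, host, strip_space=False):
    """Substitute a concrete host for the <dnsname> placeholder."""
    if strip_space:
        template = template.replace("( <dnsname>", "(<dnsname>")
    return re.compile(template.replace("<dnsname>", re.escape(host)))


def allowed(pattern, original_url):
    # Assumption: the entire originalUrl must match the whitelist pattern.
    return pattern.fullmatch(original_url) is not None


def report(strip_space):
    """Map every sample URL to True (redirect allowed) or False (rejected)."""
    pattern = build_whitelist(POSTED_REGEX, GATEWAY_HOST, strip_space)
    return {url: allowed(pattern, url) for url in SAMPLES}


if __name__ == "__main__":
    for label, strip in (("regex as posted", False), ("space removed", True)):
        print(label)
        for url, ok in report(strip).items():
            print(f"  {'ALLOW' if ok else 'DENY '}  {url}")
```
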