Hello.

I'm trying to set up authentication on the various HDFS, YARN, and MAPRED
service UIs. I'm not using WebHDFS, but have a requirement to ensure that
even the service UIs can't be accessed anonymously.

I've set up Apache Knox 1.4.0 on my environment and have configured it to
work with an LDAPS server. I am able to authenticate to Knox and access the
admin UI without issue using my LDAPS credentials.

I'm having issues figuring out how to get the various service UIs to hide
behind the Knox proxy, though. I'm using this documentation
(https://knox.apache.org/books/knox-1-4-0/user-guide.html#KnoxSSO+Setup+and+Configuration)
to determine how to get this set up.

After configuring everything per the documentation and restarting both the
Knox gateway and the HDFS NameNode, I am still able to access the NameNode
UI on 9871 anonymously. I'm not seeing anything in the HDFS NameNode or
Jetty logs that indicates that it's even trying to reach out to the Knox
server.

Can anyone assist me with this, please?

My configs are as follows:

----------------------------------------------
Hadoop core-site.xml:
----------------------------------------------

<configuration>
    <property>
        <name>hadoop.ssl.enabled.protocols</name>
        <value>TLSv1.1,TLSv1.2</value>
    </property>
    <property>
        <name>hadoop.http.authentication.type</name>
        <value>org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler</value>
    </property>
    <property>
        <name>hadoop.http.authentication.authentication.provider.url</name>
        <value>https://<knox_GW>:<knox_GW_port>:8443/gateway/knoxsso/api/v1/websso</value>
    </property>
    <property>
        <name>hadoop.http.authentication.public.key.pem</name>
        <value><knox GW cert public key></value>
    </property>
</configuration>

----------------------------------------------
Knox knoxsso.xml topology:
----------------------------------------------

<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>redirectToUrl</name>
                <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
                <name>restrictedCookies</name>
                <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
                <name>knoxsso.cookie.name</name>
                <value>hadoop-jwt</value>
            </param>
            <param>
                <name>knoxsso.cookie.secure.only</name>
                <value>true</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
    </gateway>
</topology>
