Hello,
I am looking to create a setup using an SSO provider (such as ForgeRock's
OpenAM) to issue JWT authentication tokens that allow access to cluster
services through Knox. So far, having followed the available documentation, I
haven't been able to get SSO working in Knox.
My setup consists of Knox running in a sandbox with the rest of HDP 2.3,
and OpenAM running as a Tomcat webapp on my local machine.
I have added the following to my topology:
<gateway>
  <provider>
    <role>federation</role>
    <name>HeaderPreAuth</name>
    <enabled>true</enabled>
    <param>
      <name>preauth.validation.method</name>
      <value>preauth.ip.validation</value>
    </param>
    <param>
      <name>preauth.ip.addresses</name>
      <value>127.100.0.1,127.0.0.1,10.0.2.2</value>
    </param>
    <param>
      <name>preauth.custom.header</name>
      <value>USER</value>
    </param>
  </provider>
</gateway>
Using this configuration, executing the following command returns the
listing of HDFS user folders, but performs no validation of the USER
header value 'root'. The logs suggest OpenAM isn't being used to validate it.
curl -ik --header "USER:root" 'https://127.0.0.1:8443/gateway/default/webhdfs/v1/user?op=LISTSTATUS'
It is not clear to me how Knox should be configured to use the correct SSO
provider, such as the URL, port and protocol. Would you be able to provide
any information as to how this can currently be done on the Knox platform?
Many Thanks,
Andrew Bumstead
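The behaviour described in the post above (a USER header of 'root' being accepted with no validation beyond the IP allowlist) is the expected trust model of a header-based pre-authentication provider, and it is a different model from verifying an SSO-issued JWT. The following is an added example, not code from the post or from Apache Knox: `header_preauth` is a simplified model of what the posted HeaderPreAuth configuration does (allowlist the caller's address, then trust the header as-is), and `verify_jwt` shows the checks a token-based provider must perform instead (signature, algorithm, expiry, audience) before trusting the subject. HS256 with a shared secret is used only so the example runs offline with the standard library; real SSO tokens are normally RSA-signed, so a public-key signature check would replace the HMAC. The trusted IPs are copied from the posted topology; all function names and the secret are assumptions of this example.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Addresses copied from the preauth.ip.addresses param in the posted topology.
TRUSTED_IPS = {ipaddress.ip_address(a) for a in ("127.100.0.1", "127.0.0.1", "10.0.2.2")}


def header_preauth(remote_addr, headers, header_name="USER", trusted=TRUSTED_IPS):
    """Model (not Knox's code) of header pre-authentication: once the caller's
    address passes the allowlist, the asserted user is accepted verbatim.
    Returns the principal, or None when the request is rejected. Nothing here
    checks that the header value is genuine, which is why 'root' is accepted."""
    if ipaddress.ip_address(remote_addr) not in trusted:
        return None
    return headers.get(header_name) or None


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, secret):
    """Mint an HS256 JWT; stands in for the SSO provider in this example."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token, secret, audience, now=None):
    """What a token-based federation provider must do before trusting 'sub':
    pin the algorithm, check the signature in constant time, reject expired
    tokens and tokens minted for another audience. Returns the subject or None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None
    return claims.get("sub") or None


def forge_subject(token, new_sub):
    """Attacker move: rewrite the subject claim but keep the original signature.
    Header pre-auth has no equivalent check, so the 'USER' header is trivially
    forgeable; a verified token is not."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join((header_b64, payload_b64, sig_b64))


if __name__ == "__main__":
    # The posted curl request from the loopback address is accepted as 'root'.
    print("header preauth, 127.0.0.1:", header_preauth("127.0.0.1", {"USER": "root"}))
    print("header preauth, 203.0.113.5:", header_preauth("203.0.113.5", {"USER": "root"}))
    secret = b"example-shared-secret"  # assumption: shared secret for the demo
    token = make_jwt({"sub": "andrew", "aud": "knox", "exp": int(time.time()) + 600}, secret)
    print("valid token:", verify_jwt(token, secret, "knox"))
    print("forged subject:", verify_jwt(forge_subject(token, "root"), secret, "knox"))
```

Running the script shows the contrast: the header path accepts 'root' from any allowlisted address, whereas the token path rejects the forged subject, a wrong audience, an expired token or a wrong key, and only then returns the subject.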