Hi,

We have Knox 0.9.0 in front of a Kerberized cluster, and we are struggling to 
set it up.

We have the following topology:


<topology>
  <gateway>

    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/>
      <param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"/>
      <param name="main.ldapRealm.contextFactory" value="$ldapContextFactory"/>

      <param name="main.ldapRealm.contextFactory.url" value="XXXX"/>
      <param name="main.ldapRealm.contextFactory.systemUsername" value="CN=XXXX"/>
      <param name="main.ldapRealm.contextFactory.systemPassword" value="XXXXX"/>

      <param name="main.ldapRealm.searchBase" value="XXX"/>
      <param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
      <param name="main.ldapRealm.userObjectClass" value="user"/>

      <param name="main.ldapRealm.authorizationEnabled" value="true"/>
      <param name="main.ldapRealm.groupSearchBase" value="XXX"/>
      <param name="main.ldapRealm.groupObjectClass" value="group"/>
      <param name="main.ldapRealm.groupIdAttribute" value="sAMAccountName"/>
      <param name="main.ldapRealm.memberAttribute" value="member"/>

      <param name="urls./**" value="authcBasic"/>
    </provider>
    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param name="knox.acl" value="*;*;*"/>
    </provider>
  </gateway>

  <service>
    <role>NAMENODE</role>
    <url>hdfs://XXX:8020</url>
  </service>

  <service>
    <role>JOBTRACKER</role>
    <url>rpc://XXX:8050</url>
  </service>

  <service>
    <role>WEBHDFS</role>
    <url>http:/XXX:50070/webhdfs</url>
  </service>

  <service>
    <role>WEBHCAT</role>
    <url>http://XXX:50111/templeton</url>
  </service>

  <service>
    <role>OOZIE</role>
    <url>http://XXX:11000/oozie</url>
  </service>
</topology>


(We have verified that the authentication/authorization works using the 
knoxcli.sh command)



But using cURL to test:

curl -v -u <username>:<password> -ik 'https://localhost:9443/gateway/<topology>/webhdfs/v1/?op=GETHOMEDIRECTORY'


Returns:

{"sub":null,"aud":null,"code":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJIRFAgQSBSYW5nZXIgQWRtaW4iLCJpc3MiOiJLTk9YU1NPIn0.DAKyBrlsExR8NytbNzKnC15oDQMAfKLZ4z1WxwD_vo3Vvc86okoEymWg10UvI5ohoum0F5iH3KTMW_lCDdkfNieORsSNU35DLI0VLhkp98FMWSgPVAOczXtoxUPrCCTv7irtqF9p68_03HDAyvhhEoBvvxxliPTXJM1RsW3EX0Y","iss":"KNOXSSO","exp":null}


Any idea what's happening here?



Thanks in advance,
Gard

