Hi Sandeep,

Thanks for your answer. We realized that we were actually missing an identity asserter in this topology.

I added it like this:

    <provider>
        <role>identity-assertion</role>
        <name>Pseudo</name>
        <enabled>true</enabled>
    </provider>

…and then it worked.

> On 14 Mar 2017, at 13:36, Sandeep More <[email protected]> wrote:
>
> Hello Gard,
>
> Could it be possible you are hitting the wrong topology? What you are getting
> back looks like a JWT token, IMO.
> Looking at your topology, you do not seem to have it configured.
>
> Best,
> Sandeep
>
> On Tue, Mar 14, 2017 at 6:23 AM, Gard Skauge <[email protected]> wrote:
>
> Hi,
>
> We have Knox 0.9.0 in front of a Kerberized cluster, and we are struggling to
> set it up.
>
> We have the following topology:
>
> <topology>
>     <gateway>
>
>         <provider>
>             <role>authentication</role>
>             <name>ShiroProvider</name>
>             <enabled>true</enabled>
>             <param name="main.ldapRealm"
>                    value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/>
>             <param name="main.ldapContextFactory"
>                    value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"/>
>             <param name="main.ldapRealm.contextFactory"
>                    value="$ldapContextFactory"/>
>
>             <param name="main.ldapRealm.contextFactory.url" value="XXXX"/>
>             <param name="main.ldapRealm.contextFactory.systemUsername"
>                    value="CN=XXXX"/>
>             <param name="main.ldapRealm.contextFactory.systemPassword"
>                    value="XXXXX"/>
>
>             <param name="main.ldapRealm.searchBase" value="XXX"/>
>             <param name="main.ldapRealm.userSearchAttributeName"
>                    value="sAMAccountName"/>
>             <param name="main.ldapRealm.userObjectClass" value="user"/>
>
>             <param name="main.ldapRealm.authorizationEnabled" value="true"/>
>             <param name="main.ldapRealm.groupSearchBase" value="XXX"/>
>             <param name="main.ldapRealm.groupObjectClass" value="group"/>
>             <param name="main.ldapRealm.groupIdAttribute" value="sAMAccountName"/>
>             <param name="main.ldapRealm.memberAttribute" value="member"/>
>
>             <param name="urls./**" value="authcBasic"/>
>         </provider>
>
>         <provider>
>             <role>authorization</role>
>             <name>AclsAuthz</name>
>             <enabled>true</enabled>
>             <param name="knox.acl" value="*;*;*"/>
>         </provider>
>     </gateway>
>
>     <service>
>         <role>NAMENODE</role>
>         <url>hdfs://XXX:8020</url>
>     </service>
>
>     <service>
>         <role>JOBTRACKER</role>
>         <url>rpc://XXX:8050</url>
>     </service>
>
>     <service>
>         <role>WEBHDFS</role>
>         <url>http://XXX:50070/webhdfs</url>
>     </service>
>
>     <service>
>         <role>WEBHCAT</role>
>         <url>http://XXX:50111/templeton</url>
>     </service>
>
>     <service>
>         <role>OOZIE</role>
>         <url>http://XXX:11000/oozie</url>
>     </service>
> </topology>
>
> (We have verified that the authentication/authorization works using the
> knoxcli.sh command.)
>
> But using cURL to test:
>
> curl -v -u <username>:<password> -ik 'https://localhost:9443/gateway/<topology>/webhdfs/v1/?op=GETHOMEDIRECTORY'
>
> returns:
>
> {"sub":null,"aud":null,"code":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJIRFAgQSBSYW5nZXIgQWRtaW4iLCJpc3MiOiJLTk9YU1NPIn0.DAKyBrlsExR8NytbNzKnC15oDQMAfKLZ4z1WxwD_vo3Vvc86okoEymWg10UvI5ohoum0F5iH3KTMW_lCDdkfNieORsSNU35DLI0VLhkp98FMWSgPVAOczXtoxUPrCCTv7irtqF9p68_03HDAyvhhEoBvvxxliPTXJM1RsW3EX0Y","iss":"KNOXSSO","exp":null}
>
> Any idea what's happening here?
>
> Thanks in advance,
> Gard
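As an added worked example (not code from this thread or from the Apache Knox project): a small Python check that parses a Knox topology laid out like the one above and reports when the `identity-assertion` provider is missing or disabled, together with a helper that decodes the header and payload of the JWT-shaped `code` value in the quoted response without verifying it. The identity-assertion provider is the step that maps the principal the authentication provider established to the user name Knox asserts to the cluster, so a topology without one authenticates the caller but never establishes who Knox should act as. The topology strings, the `example.internal` hosts, and all function names are constructed for this example; the token is the one quoted in the reply above.

```python
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Provider roles a Knox topology needs before a request can be dispatched to the
# cluster: authenticate the caller, then assert that identity to the backend.
# Authorization (AclsAuthz) is optional, so it is not required here.
REQUIRED_ROLES = ("authentication", "identity-assertion")


def providers(topology_xml):
    """Return {role: (name, enabled)} for every <provider> under <gateway>."""
    root = ET.fromstring(topology_xml)
    found = {}
    for prov in root.findall("./gateway/provider"):
        role = (prov.findtext("role") or "").strip()
        name = (prov.findtext("name") or "").strip()
        enabled = (prov.findtext("enabled") or "false").strip().lower() == "true"
        found[role] = (name, enabled)
    return found


def services(topology_xml):
    """Return {role: url} for every <service> in the topology."""
    root = ET.fromstring(topology_xml)
    return {(s.findtext("role") or "").strip(): (s.findtext("url") or "").strip()
            for s in root.findall("./service")}


def check_topology(topology_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    provs = providers(topology_xml)
    for role in REQUIRED_ROLES:
        if role not in provs:
            findings.append(f"missing provider role '{role}'")
        elif not provs[role][1]:
            findings.append(f"provider role '{role}' ({provs[role][0]}) is disabled")
    for role, url in services(topology_xml).items():
        parts = urlsplit(url)
        # "http:/host:50070/webhdfs" (one slash) parses with an empty netloc
        if not parts.scheme or not parts.netloc:
            findings.append(f"service {role} has a malformed url: {url!r}")
    return findings


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_jwt(token):
    """Decode a JWT's header and payload WITHOUT checking the signature.
    Use it to inspect an unexpected response, never to trust its claims."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


# Constructed sample modelled on the topology in the thread; hosts are placeholders,
# and {identity_assertion} / {webhdfs_url} are filled in below.
TOPOLOGY_TEMPLATE = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/>
      <param name="urls./**" value="authcBasic"/>
    </provider>{identity_assertion}
    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param name="knox.acl" value="*;*;*"/>
    </provider>
  </gateway>
  <service><role>NAMENODE</role><url>hdfs://nn.example.internal:8020</url></service>
  <service><role>WEBHDFS</role><url>{webhdfs_url}</url></service>
</topology>"""

# The provider the reply above added; the <role> text is what Knox looks for.
PSEUDO_PROVIDER = """
    <provider>
      <role>identity-assertion</role>
      <name>Pseudo</name>
      <enabled>true</enabled>
    </provider>"""

BROKEN_TOPOLOGY = TOPOLOGY_TEMPLATE.format(
    identity_assertion="", webhdfs_url="http:/nn.example.internal:50070/webhdfs")
FIXED_TOPOLOGY = TOPOLOGY_TEMPLATE.format(
    identity_assertion=PSEUDO_PROVIDER, webhdfs_url="http://nn.example.internal:50070/webhdfs")

# The "code" value from the response quoted in the thread (a JWT-shaped string).
RESPONSE_CODE = ("eyJhbGciOiJSUzI1NiJ9."
                 "eyJzdWIiOiJIRFAgQSBSYW5nZXIgQWRtaW4iLCJpc3MiOiJLTk9YU1NPIn0."
                 "DAKyBrlsExR8NytbNzKnC15oDQMAfKLZ4z1WxwD_vo3Vvc86okoEymWg10UvI5ohoum0F5iH3KTMW_lCDdkfNieORsSNU35DLI0VLhkp98FMWSgPVAOczXtoxUPrCCTv7irtqF9p68_03HDAyvhhEoBvvxxliPTXJM1RsW3EX0Y")

if __name__ == "__main__":
    for label, topo in (("broken", BROKEN_TOPOLOGY), ("fixed", FIXED_TOPOLOGY)):
        print(label, check_topology(topo) or "ok")
    print(peek_jwt(RESPONSE_CODE))
```

Run it against a real topology with `check_topology(open("my-topology.xml").read())` before deploying; the URL check also catches a `http:/host:port/...` typo that a single missing slash produces. `peek_jwt` deliberately ignores the signature, so treat what it prints as a hint about which component produced the response (here the issuer claim is `KNOXSSO`), not as authenticated data.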
