Yes - a missing identity assertion provider ends up resolving to a random one. We may have addressed this in newer releases - not sure.
I will look for a JIRA. We really should default to the Default provider or fail to deploy.

On Tue, Mar 14, 2017 at 12:19 PM, Gard Skauge <[email protected]> wrote:

> Hi Sandeep,
>
> Thanks for your answer. We realized that we were actually missing an
> identity asserter in this topology.
>
> I added it like this:
>
> <provider>
> <role>identity-assertion</role>
> <name>Pseudo</name>
> <enabled>true</enabled>
> </provider>
>
> …and then it worked.
>
> On 14 Mar 2017, at 13:36, Sandeep More <[email protected]> wrote:
>
> Hello Gard,
>
> Could it be possible you are hitting the wrong topology, what you are
> getting back looks like JWT token IMO.
> Looking at your topology you do not seem to have it configured.
>
> Best,
> Sandeep
>
> On Tue, Mar 14, 2017 at 6:23 AM, Gard Skauge <[email protected]> wrote:
>
>> Hi,
>>
>> We have Knox 0.9.0 in front of a Kerberized cluster, and we are
>> struggling to set it up.
>>
>> We have the following topology:
>>
>> <topology>
>> <gateway>
>>
>> <provider>
>> <role>authentication</role>
>> <name>ShiroProvider</name>
>> <enabled>true</enabled>
>> <param name="main.ldapRealm" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"/>
>> <param name="main.ldapContextFactory" value="org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"/>
>> <param name="main.ldapRealm.contextFactory" value="$ldapContextFactory"/>
>>
>> <param name="main.ldapRealm.contextFactory.url" value="XXXX"/>
>> <param name="main.ldapRealm.contextFactory.systemUsername" value="CN=XXXX"/>
>> <param name="main.ldapRealm.contextFactory.systemPassword" value="XXXXX"/>
>>
>> <param name="main.ldapRealm.searchBase" value="XXX"/>
>> <param name="main.ldapRealm.userSearchAttributeName" value="sAMAccountName"/>
>> <param name="main.ldapRealm.userObjectClass" value="user"/>
>>
>> <param name="main.ldapRealm.authorizationEnabled" value="true"/>
>> <param name="main.ldapRealm.groupSearchBase" value="XXX"/>
>> <param name="main.ldapRealm.groupObjectClass" value="group"/>
>> <param name="main.ldapRealm.groupIdAttribute" value="sAMAccountName"/>
>> <param name="main.ldapRealm.memberAttribute" value="member"/>
>>
>> <param name="urls./**" value="authcBasic"/>
>> </provider>
>> <provider>
>> <role>authorization</role>
>> <name>AclsAuthz</name>
>> <enabled>true</enabled>
>> <param name="knox.acl" value="*;*;*"/>
>> </provider>
>> </gateway>
>>
>> <service>
>> <role>NAMENODE</role>
>> <url>hdfs://XXX:8020</url>
>> </service>
>>
>> <service>
>> <role>JOBTRACKER</role>
>> <url>rpc://XXX:8050</url>
>> </service>
>>
>> <service>
>> <role>WEBHDFS</role>
>> <url>http://XXX:50070/webhdfs</url>
>> </service>
>>
>> <service>
>> <role>WEBHCAT</role>
>> <url>http://XXX:50111/templeton</url>
>> </service>
>>
>> <service>
>> <role>OOZIE</role>
>> <url>http://XXX:11000/oozie</url>
>> </service>
>> </topology>
>>
>> (We have verified that the authentication/authorization works using the
>> knoxcli.sh command)
>>
>> But using cURL to test:
>>
>> curl -v -u <username>:<password> -ik 'https://localhost:9443/gateway/<topology>/webhdfs/v1/?op=GETHOMEDIRECTORY'
>>
>> Returns:
>>
>> {"sub":null,"aud":null,"code":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJIRFAgQSBSYW5nZXIgQWRtaW4iLCJpc3MiOiJLTk9YU1NPIn0.DAKyBrlsExR8NytbNzKnC15oDQMAfKLZ4z1WxwD_vo3Vvc86okoEymWg10UvI5ohoum0F5iH3KTMW_lCDdkfNieORsSNU35DLI0VLhkp98FMWSgPVAOczXtoxUPrCCTv7irtqF9p68_03HDAyvhhEoBvvxxliPTXJM1RsW3EX0Y","iss":"KNOXSSO","exp":null}
>>
>> Any idea what's happening here?
>>
>> Thanks in advance,
>> Gard
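The root cause in this thread is a topology with no identity-assertion provider, which, as the reply notes, resolves to an arbitrary provider instead of failing. Until the gateway enforces that itself, the check can be done before deployment. The following is an added example, not code from the thread or from the Knox project: a small Python pre-deployment lint that parses a topology file, requires exactly one enabled provider for each of the `authentication` and `identity-assertion` roles, and can append the `Pseudo` identity asserter shown in the thread when it is missing. The sample topology, the hostname `namenode.example` and the function names are constructed for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the topology quoted in the thread: an
# authentication and an authorization provider, but no identity-assertion
# provider. Hostnames are placeholders.
TOPOLOGY_MISSING_ASSERTER = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param name="urls./**" value="authcBasic"/>
    </provider>
    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param name="knox.acl" value="*;*;*"/>
    </provider>
  </gateway>
  <service>
    <role>WEBHDFS</role>
    <url>http://namenode.example:50070/webhdfs</url>
  </service>
</topology>
"""

# The provider block Gard added to make the topology work.
IDENTITY_ASSERTER = """<provider>
  <role>identity-assertion</role>
  <name>Pseudo</name>
  <enabled>true</enabled>
</provider>
"""

# Roles that must be present exactly once and enabled for a usable topology.
REQUIRED_ROLES = ("authentication", "identity-assertion")


def enabled_providers(topology_xml):
    """Map each provider role to the names of its enabled providers."""
    root = ET.fromstring(topology_xml)
    found = {}
    for prov in root.findall("./gateway/provider"):
        role = (prov.findtext("role") or "").strip()
        name = (prov.findtext("name") or "").strip()
        enabled = (prov.findtext("enabled") or "false").strip().lower() == "true"
        if enabled:
            found.setdefault(role, []).append(name)
    return found


def lint_topology(topology_xml):
    """Return a list of problems; an empty list means the topology passes."""
    found = enabled_providers(topology_xml)
    problems = []
    for role in REQUIRED_ROLES:
        names = found.get(role, [])
        if not names:
            problems.append(f"no enabled provider for role '{role}'")
        elif len(names) > 1:
            # Two enabled providers for one role is as ambiguous as none.
            problems.append(f"multiple enabled providers for role '{role}': {names}")
    return problems


def add_identity_asserter(topology_xml):
    """Append the Pseudo identity asserter to the <gateway> element."""
    root = ET.fromstring(topology_xml)
    gateway = root.find("gateway")
    gateway.append(ET.fromstring(IDENTITY_ASSERTER))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python lint_topology.py [topology.xml]; with no argument the
    # constructed sample is checked. A non-zero exit blocks the deploy.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TOPOLOGY_MISSING_ASSERTER
    issues = lint_topology(xml_text)
    for issue in issues:
        print("topology check failed:", issue)
    if issues:
        sys.exit(1)
    print("topology check passed")
```

Wiring this into the step that copies topologies into Knox's `conf/topologies` directory turns the silent misconfiguration from the thread into a failed deploy with a named cause.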
