Hello Sandeep,

Sorry, that was an incomplete post earlier.

*myCluster.topology:*

<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param>
                <name>cors.enabled</name>
                <value>true</value>
            </param>
        </provider>
        <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sso.authentication.provider.url</name>
                <value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>NAMENODE</role>
        <url>hdfs://myHostname:8020</url>
    </service>
    <service>
        <role>JOBTRACKER</role>
        <url>rpc://myHostname:8050</url>
    </service>
    <service>
        <role>WEBHDFS</role>
        <url>http://myHostname:50070/webhdfs</url>
    </service>
</topology>


*Logs:*
gateway.log: Nothing appears when the call starts. The last message is:
2018-02-19 06:28:11,040 INFO  hadoop.gateway (GatewayServer.java:internalActivateTopology(566)) - Activating topology knoxsso
2018-02-19 06:28:11,040 INFO  hadoop.gateway (GatewayServer.java:internalActivateArchive(576)) - Activating topology knoxsso archive %2F

gateway-audit.log: Same as shared earlier:

18/02/19 06:30:01 ||477ab97f-884b-4421-90f9-70b7925c01b9|audit|WEBHDFS||||access|uri|/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|unavailable|Request method: GET
18/02/19 06:30:01 ||477ab97f-884b-4421-90f9-70b7925c01b9|audit|WEBHDFS||||access|uri|/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|success|Response status: 302
18/02/19 06:30:02 ||61b0dff1-ca1a-4fc2-868b-2e7b5d771ed0|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://52.169.143.168:8442/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|unavailable|Request method: GET
18/02/19 06:30:02 ||61b0dff1-ca1a-4fc2-868b-2e7b5d771ed0|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://52.169.143.168:8442/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|success|Response status: 302
18/02/19 06:31:03 ||ea79e31f-00a6-4404-94d6-ddc22d7ab5dd|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_aKT5XrjzxRAtHzViBkITGagTwTx0uHenFkQaq-6glGCQqPd7qX0buT_7n0nNCrT1Sv3f8dwcv6OzoMFlU-LBynYYhbkxGUX82WndCl3nalcZMsL-PB8TNGjqYx6aJ0k634C6_-1LGdIGsVkTK3urUSozifWRQ8H5o_vfTp-94TMQEVhjIi8VznQaM5jyCXPckolSV8_-ux_tRJG4KDLUy7tSbPTDKSnZUt7uyr_xrwzohscct-_HLACuAUpdz6pl1x-ap6b_dbNTHrrurcDHrFCM5YtJzfxnUTtVzqq-EH1irGrAG7G0DI-cbUETF2RG9B_QaE7nZDpS02LFmKB7Smkyr3KzYaRbCOzYn8e3qxZ2AuXbCNt1s6VSL1lEs2CJgzPB6U39UC93XMxX-9Bm1JfUNs4G8JxUnMblu0yhLfEHNeDeDkg5GMKHA_1CnvudKYyWqR6Jcj4UaJb7bSosM6CK0NO7jGoy1ZGqi_CKc84gKOsGYOTnzC5uLH5vMPWVTNiChCeBrURq339ZwcA01ArcQZmBztEksibU-A_RzZ1ZqqnLxcnByAWhPMjXyF8GwdLkfcGg_qkMEicNIkE4gEdW06TAInh0pZr71V5BvzW2f3qDDN6L_0IAk-aItcsCFs1q8EADk1rdtMbcEyl-ZgLJQuVk7izwn7T2p1p1thL2wpbHQ3ahh_Re5wAnn_0HOCKFXoTZeWSJ3SMq-_Wq9ill8g01ySI2bzbZAuFQhGrodKPCxkYfKO2TcgAA&state=IagOJAVbIKeAQyXMIDjBWJGduIGzCUUPM4RxPVjiHoA&session_state=5bb1f616-d21c-4e70-bbfe-b4458c97f5f8|unavailable|Request method: GET
18/02/19 06:31:03 ||ea79e31f-00a6-4404-94d6-ddc22d7ab5dd|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_aKT5XrjzxRAtHzViBkITGagTwTx0uHenFkQaq-6glGCQqPd7qX0buT_7n0nNCrT1Sv3f8dwcv6OzoMFlU-LBynYYhbkxGUX82WndCl3nalcZMsL-PB8TNGjqYx6aJ0k634C6_-1LGdIGsVkTK3urUSozifWRQ8H5o_vfTp-94TMQEVhjIi8VznQaM5jyCXPckolSV8_-ux_tRJG4KDLUy7tSbPTDKSnZUt7uyr_xrwzohscct-_HLACuAUpdz6pl1x-ap6b_dbNTHrrurcDHrFCM5YtJzfxnUTtVzqq-EH1irGrAG7G0DI-cbUETF2RG9B_QaE7nZDpS02LFmKB7Smkyr3KzYaRbCOzYn8e3qxZ2AuXbCNt1s6VSL1lEs2CJgzPB6U39UC93XMxX-9Bm1JfUNs4G8JxUnMblu0yhLfEHNeDeDkg5GMKHA_1CnvudKYyWqR6Jcj4UaJb7bSosM6CK0NO7jGoy1ZGqi_CKc84gKOsGYOTnzC5uLH5vMPWVTNiChCeBrURq339ZwcA01ArcQZmBztEksibU-A_RzZ1ZqqnLxcnByAWhPMjXyF8GwdLkfcGg_qkMEicNIkE4gEdW06TAInh0pZr71V5BvzW2f3qDDN6L_0IAk-aItcsCFs1q8EADk1rdtMbcEyl-ZgLJQuVk7izwn7T2p1p1thL2wpbHQ3ahh_Re5wAnn_0HOCKFXoTZeWSJ3SMq-_Wq9ill8g01ySI2bzbZAuFQhGrodKPCxkYfKO2TcgAA&state=IagOJAVbIKeAQyXMIDjBWJGduIGzCUUPM4RxPVjiHoA&session_state=5bb1f616-d21c-4e70-bbfe-b4458c97f5f8|success|Response status: 302
18/02/19 06:31:04 ||a1359a64-b95e-4ba2-b7da-b034e7a5aaef|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_aKT5XrjzxRAtHzNeoHuSgOIUpFOWWu5xR4oKQv5EMmCyrpR7TqamIS_pvoLeIJyZ3TUZQ09MuUzsyfhu2edGE4kZGdeFApDzU9rkB9548qwrsC4uNeK33suYdcBxMCf8V_T5jTE3vwrfL6XLASVYqCFpvdh8E73F6OmIvPY1CZIuhpoys0hZ_ENcifFW_k1heBkJ7RQEsWPos6r0ySGDrYb6K8FU--MPGCCCGEXyUsqA8winTLoUOFKKSqU5KPpUTeBNiUM5NfaKQ4tfk3WAsVbMhB-ylwctwd36-MzvFVXSPS6oRyc4Qzif2EJucFk34v2Uk8lO1WCa3vCKMzHI_gwPFNB7WqIfguGxgVHx714bWIGh86LxWstVxyX9g5MI2t0kp1VmT06sxy_TRKNNuveUuaNRa65NVSuxNoSCfJR846Ot5mWZfOVGeWPtSZZTgYpSaIAXduoNJ2kdz8rfoGRvJJCLMEJzYto7LcNIAYdu44FNunSa85mPpJmMqGM82OTmHLCNiruuVMYb4i4mULmRbP_HfrCW6CEuQTSKgWl157ntdf_dTfH9BqdMMF3oDBDFJ9_0BlfLB7Ca8a9Nxuf42iW1IZGjYHRg38IshGKza6Bx-aIbCmQafYwvu2qJglA4zv8FavBPWBaQBOAbXUiG5YeKO0iZjVqfcjYs4DhjFC5NXrMVuAvgc5mYWe7tgVr9MuXHpBgLAKFTyJzxh3KHZauNBCTn_l5nnbNLLWZX6gCeQiXaNme8IgAA&state=37Fkr9XwLsNs2cIs3FrFnqt1tnX2FYAks2PWT9QsUiw&session_state=5bb1f616-d21c-4e70-bbfe-b4458c97f5f8|unavailable|Request method: GET
18/02/19 06:31:04 ||a1359a64-b95e-4ba2-b7da-b034e7a5aaef|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_aKT5XrjzxRAtHzNeoHuSgOIUpFOWWu5xR4oKQv5EMmCyrpR7TqamIS_pvoLeIJyZ3TUZQ09MuUzsyfhu2edGE4kZGdeFApDzU9rkB9548qwrsC4uNeK33suYdcBxMCf8V_T5jTE3vwrfL6XLASVYqCFpvdh8E73F6OmIvPY1CZIuhpoys0hZ_ENcifFW_k1heBkJ7RQEsWPos6r0ySGDrYb6K8FU--MPGCCCGEXyUsqA8winTLoUOFKKSqU5KPpUTeBNiUM5NfaKQ4tfk3WAsVbMhB-ylwctwd36-MzvFVXSPS6oRyc4Qzif2EJucFk34v2Uk8lO1WCa3vCKMzHI_gwPFNB7WqIfguGxgVHx714bWIGh86LxWstVxyX9g5MI2t0kp1VmT06sxy_TRKNNuveUuaNRa65NVSuxNoSCfJR846Ot5mWZfOVGeWPtSZZTgYpSaIAXduoNJ2kdz8rfoGRvJJCLMEJzYto7LcNIAYdu44FNunSa85mPpJmMqGM82OTmHLCNiruuVMYb4i4mULmRbP_HfrCW6CEuQTSKgWl157ntdf_dTfH9BqdMMF3oDBDFJ9_0BlfLB7Ca8a9Nxuf42iW1IZGjYHRg38IshGKza6Bx-aIbCmQafYwvu2qJglA4zv8FavBPWBaQBOAbXUiG5YeKO0iZjVqfcjYs4DhjFC5NXrMVuAvgc5mYWe7tgVr9MuXHpBgLAKFTyJzxh3KHZauNBCTn_l5nnbNLLWZX6gCeQiXaNme8IgAA&state=37Fkr9XwLsNs2cIs3FrFnqt1tnX2FYAks2PWT9QsUiw&session_state=5bb1f616-d21c-4e70-bbfe-b4458c97f5f8|success|Response status: 302

This keeps repeating until the browser shows an error page.

Regards,
Nisha


On Fri, Feb 16, 2018 at 7:25 PM, Sandeep Moré <moresand...@gmail.com> wrote:

> Hello Nisha,
> Can you share details of "mycluster" topology ? also, can you turn up the
> logs to debug and share them along with the audit log that would help us to
> understand the problem better.
>
> Best,
> Sandeep
>
> On Fri, Feb 16, 2018 at 3:16 AM, Nisha Menon <nisha.meno...@gmail.com>
> wrote:
>
>> Hello,
>>
>> I have setup KNOX to connect with Azure AD using pac4j.
>>
>> However, after the authentication at Azure login page, it gets into an
>> infinite loop and does not give back the original REST call response.
>>
>> *Details:*
>>
>> 1. I try to access the original URL eg:
>> https://x.x.2.3:8442/gateway/mycluster/webhdfs/v1/user?op=LISTSTATUS
>>
>> 2. It redirects to https://login.microsoftonline.com and asks for credentials.
>>
>> 3. After successful login at Azure login page, it redirects to
>> http://x.x.2.3:8442/gateway/knoxsso/api/v1/websso with code, session
>> and state variables passed as below:
>>
>> https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4k***********************LFFm7C9cIShE7nggAA&state=5dzTZBYhEVDBrA*****************GZRNfANGb5ls&session_state=42f2447b-621***********790eaa2d18
>>
>> 2. Following this call, it *again* calls login.microsoftonline.com like below:
>>
>> https://login.microsoftonline.com/f82969ba-b***********c1d0557a/oauth2/authorize?response_type=code&client_id=385*******3-a4bdceaa34&redirect_uri=https%3A%2F%2Fx.x.2.3%3A8442%2Fgateway%2Fknoxsso%2Fapi%2Fv1%2Fwebsso%3Fpac4jCallback%3Dtrue%26client_name%3DOidcClient&scope=openid+profile+email&state=5dzTZBYhEVDBrAInao9VHDRd33uiRp-GZRNfANGb5ls&nonce=BvCUroM7_aKFjmbLYxaxbS0Mq9SJ8If0CUpITEGB-bw
>>
>> After this, steps 1 and 2 alternate several times and it finally ends up in
>> "ERR_TOO_MANY_REDIRECTS"!!!
>>
>> This is my knoxsso.xml:
>>
>> <topology>
>>     <gateway>
>>         <provider>
>>             <role>webappsec</role>
>>             <name>WebAppSec</name>
>>             <enabled>true</enabled>
>>             <param>
>>                 <name>xframe.options.enabled</name>
>>                 <value>true</value>
>>             </param>
>>         </provider>
>>         <provider>
>>             <role>federation</role>
>>             <name>pac4j</name>
>>             <enabled>true</enabled>
>>             <param>
>>                 <name>pac4j.callbackUrl</name>
>>                 <value>https://x.x.2.3:8442/gateway/knoxsso/api/v1/websso</value>
>>             </param>
>>             <param>
>>                 <name>clientName</name>
>>                 <value>OidcClient</value>
>>             </param>
>>             <param>
>>                 <name>oidc.id</name>
>>                 <value>385c2bc*****************2695eaa34</value>
>>             </param>
>>             <param>
>>                 <name>oidc.secret</name>
>>                 <value>Y30wOwM88BY************vYmPp8KMyDY2W+o=</value>
>>             </param>
>>             <param>
>>                 <name>oidc.discoveryUri</name>
>>                 <value>https://login.microsoftonline.com/f82969***********1d0557a/.well-known/openid-configuration</value>
>>             </param>
>>         </provider>
>>         <provider>
>>             <role>identity-assertion</role>
>>             <name>Default</name>
>>             <enabled>true</enabled>
>>         </provider>
>>     </gateway>
>>     <application>
>>         <name>knoxauth</name>
>>     </application>
>>     <service>
>>         <role>KNOXSSO</role>
>>         <param>
>>             <name>knoxsso.cookie.secure.only</name>
>>             <value>false</value>
>>         </param>
>>         <param>
>>             <name>knoxsso.token.ttl</name>
>>             <value>30000</value>
>>         </param>
>>         <param>
>>             <name>knoxsso.redirect.whitelist.regex</name>
>>             <value>^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>         </param>
>>     </service>
>> </topology>
>>
>> I tried using response_type "id_token", enabling nonces, knoxsso.secure
>> to true, preferredJwsAlgorithm as RS256 etc. Nothing helps.
>>
>> gateway-audit.log when redirection error starts:
>>
>> 18/02/15 12:38:02 ||7a66725e-6d9d-4ef5-9017-2b52d7d15ccf|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=AQABAAIAAABHh4kmS_a**********************_WuZRkgVKneLpp83HnSlcntEbAmAgAA&state=0n7h1Y2LTz_**************99P92pZonRN-c&session_state=f0ac55a1-4***********-53e3e126b40e|success|Response status: 302
>>
>> It clearly shows Response status as "302" and not "200". This leads to
>> redirection!
>>
>> What could I be missing here? Any pointers will be greatly appreciated.
>> Regards
>> Nisha
>>
>>
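A defender-side triage script for the two artefacts quoted in this thread, added here as an example; it is not part of Apache Knox or of either poster's setup. It parses the pipe-separated gateway-audit.log format shown above, flags the loop signature the thread exhibits (the websso callback path answered with 302 over and over, each time carrying a fresh code), and tests every originalUrl handed to websso against the knoxsso.redirect.whitelist.regex copied from the quoted knoxsso.xml. The log lines are constructed to mirror the quoted ones, with placeholder correlation ids and code/state/session_state values; the regex is copied literally, so the x.x.2.3 alternative is the poster's redaction and a mismatch against the unredacted 52.169.143.168 host only demonstrates how the check works, not that the production regex is wrong.

```python
"""Triage a KnoxSSO redirect loop from gateway-audit.log lines.

Added example for this thread, not code from Apache Knox. SAMPLE_AUDIT_LOG is
constructed to mirror the pipe-separated audit format quoted in the thread;
correlation ids and the code/state/session_state values are placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# knoxsso.redirect.whitelist.regex copied from the quoted knoxsso.xml
# (x.x.2.3 is the poster's redaction of the gateway host).
WHITELIST_REGEX = r"^https?:\/\/(dap-e0|x\.x\.2\.3|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"

WEBSSO_PATH = "/gateway/knoxsso/api/v1/websso"

# Constructed sample: a WEBHDFS call redirected to websso with originalUrl,
# then three IdP callbacks (websso?code=...) that are each answered with 302,
# and one more websso request whose originalUrl does match the whitelist.
SAMPLE_AUDIT_LOG = """\
18/02/19 06:30:01 ||id-0001|audit|WEBHDFS||||access|uri|/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|unavailable|Request method: GET
18/02/19 06:30:01 ||id-0001|audit|WEBHDFS||||access|uri|/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|success|Response status: 302
18/02/19 06:30:02 ||id-0002|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://52.169.143.168:8442/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|unavailable|Request method: GET
18/02/19 06:30:02 ||id-0002|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://52.169.143.168:8442/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|success|Response status: 302
18/02/19 06:31:03 ||id-0003|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=CODE-PLACEHOLDER-1&state=STATE-PLACEHOLDER-1&session_state=SESSION-PLACEHOLDER|unavailable|Request method: GET
18/02/19 06:31:03 ||id-0003|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=CODE-PLACEHOLDER-1&state=STATE-PLACEHOLDER-1&session_state=SESSION-PLACEHOLDER|success|Response status: 302
18/02/19 06:31:04 ||id-0004|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=CODE-PLACEHOLDER-2&state=STATE-PLACEHOLDER-2&session_state=SESSION-PLACEHOLDER|unavailable|Request method: GET
18/02/19 06:31:04 ||id-0004|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=CODE-PLACEHOLDER-2&state=STATE-PLACEHOLDER-2&session_state=SESSION-PLACEHOLDER|success|Response status: 302
18/02/19 06:31:05 ||id-0005|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=CODE-PLACEHOLDER-3&state=STATE-PLACEHOLDER-3&session_state=SESSION-PLACEHOLDER|unavailable|Request method: GET
18/02/19 06:31:05 ||id-0005|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?code=CODE-PLACEHOLDER-3&state=STATE-PLACEHOLDER-3&session_state=SESSION-PLACEHOLDER|success|Response status: 302
18/02/19 06:32:00 ||id-0006|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=https://127.0.0.1:8442/gateway/myCluster/webhdfs/v1/user?op=LISTSTATUS|unavailable|Request method: GET
"""


def parse_audit_line(line):
    """Split one audit record into named fields; None for non-record lines
    (blank lines or the wrapped continuations a mail client produces)."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 13 or parts[3] != "audit":
        return None
    return {
        "time": parts[0].strip(),
        "correlation_id": parts[2],
        "service": parts[4],
        "uri": parts[10],
        "outcome": parts[11],
        "message": "|".join(parts[12:]),  # rejoin in case the message itself had a pipe
    }


def response_status(record):
    """HTTP status carried by a 'Response status: NNN' message, else None."""
    m = re.search(r"Response status: (\d+)", record["message"])
    return int(m.group(1)) if m else None


def callback_redirects(log_text):
    """(correlation_id, code) for every IdP callback to websso answered with 302.
    A single one after login can be legitimate; a run of them, each with a fresh
    code, is the loop the thread shows."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["service"] != "KNOXSSO":
            continue
        url = urlsplit(rec["uri"])
        codes = parse_qs(url.query).get("code")
        if url.path == WEBSSO_PATH and codes and response_status(rec) == 302:
            hits.append((rec["correlation_id"], codes[0]))
    return hits


def whitelist_verdicts(log_text, whitelist_regex=WHITELIST_REGEX):
    """Map each originalUrl passed to websso to whether the whitelist regex
    accepts it; only the scheme, host and port prefix is judged, as the regex does."""
    pattern = re.compile(whitelist_regex)
    verdicts = {}
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["service"] != "KNOXSSO":
            continue
        for original in parse_qs(urlsplit(rec["uri"]).query).get("originalUrl", []):
            verdicts[original] = pattern.match(original) is not None
    return verdicts


def triage(log_text, loop_threshold=3):
    """One-shot summary: is the callback looping, and does each originalUrl
    pass the whitelist?"""
    redirects = callback_redirects(log_text)
    distinct_codes = {code for _, code in redirects}
    return {
        "callback_302_count": len(redirects),
        "distinct_codes": len(distinct_codes),
        "loop_suspected": len(redirects) >= loop_threshold
        and len(distinct_codes) == len(redirects),
        "original_urls": whitelist_verdicts(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real gateway-audit.log by passing the file contents to triage(); lines that a mail client wrapped onto a second line are ignored rather than mis-parsed, since they no longer carry the thirteen pipe-separated fields.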
