Hi all,
I'm struggling to configure Knox correctly in order to publish a Nifi cluster.
Currently I'm using the following topology:
<topology>
<gateway>
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>1800</value>
</param>
LDAP_CFG_REDACTED
<param>
<name>redirectToUrl</name>
<value>/gateway/discovery-preprod/knoxauth/login.html</value>
</param>
<param>
<name>restrictedCookies</name>
<value>rememberme,WWW-Authenticate</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
<provider>
<role>federation</role>
<name>SSOCookieProvider</name>
<enabled>true</enabled>
<param>
<name>sso.authentication.provider.url</name>
<value>https://host1.sub.dom.tld:9243/gateway/topologie-name/api/v1/websso</value>
</param>
</provider>
<provider>
<role>webappsec</role>
<name>WebAppSec</name>
<enabled>true</enabled>
<param>
<name>csrf.enabled</name>
<value>false</value>
</param>
<param>
<name>csrf.customHeader</name>
<value>X-XSRF-Header</value>
</param>
<param>
<name>csrf.methodsToIgnore</name>
<value>GET,OPTIONS,HEAD</value>
</param>
<param>
<name>xframe.options.enabled</name>
<value>true</value>
</param>
<param>
<name>xss.protection.enabled</name>
<value>false</value>
</param>
<param>
<name>strict.transport.enabled</name>
<value>false</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
<provider>
<role>hostmap</role>
<name>static</name>
<enabled>true</enabled>
<param>
<name>host1.dom2.tld2</name>
<value>host1.sub.dom.tld</value>
</param>
</provider>
<provider>
<role>authorization</role>
<name>XASecurePDPKnox</name>
<enabled>true</enabled>
</provider>
</gateway>
<service>
<role>KNOXSSO</role>
<param>
<name>knoxsso.cookie.secure.only</name>
<value>false</value>
</param>
<param>
<name>knoxsso.enable.session</name>
<value>true</value>
</param>
<param>
<name>knoxsso.token.ttl</name>
<value>360000</value>
</param>
<param>
<name>knoxsso.redirect.whitelist.regex</name>
<value>^/.*$;^https?://(.+\.sub\.dom\.tld|.+\.dom2\.tld2)(:[0-9]+)(/|/.*)?$</value>
</param>
</service>
<service>
<role>NIFI</role>
<url>https://host1.dom2.tld:9091</url>
<url>https://host2.dom2.tld:9091</url>
<url>https://host3.dom2.tld:9091</url>
<param>
<name>useTwoWaySsl</name>
<value>true</value>
</param>
</service>
<application>
<name>knoxauth</name>
</application>
</topology>
Relevant certs are already created and imported (user cert, key and nifi CA
certificate) in gateway.jks. I set up proxy host, path and knox params in
nifi.properties and disabled other users sources (empty
nifi.security.user.login.identity.provider).
I can successfully authenticate in Nifi with generated certs, so Ranger policy
seems correct.
I observed the following behavior when I enter
https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/nifi :
* Without modification to service.xml:
* Knox redirects the user to
https://host1.sub.dom.tld:9243/gateway/topologie-name/knoxauth/login.html (no
request forwarding to the backend)
* If I manually add
?OriginalUrl=https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/access/knox/callback,
Knox redirects me again to
https://host1.sub.dom.tld:9243/gateway/topologie-name/knoxauth/login.html after
the login attempt.
* If I add <policy role="authentication" name="Anonymous" /> in
service.xml: Knox forwards the request to Nifi, which finally redirects my
browser to
https://host1.sub.dom.tld:9243/gateway/topologie-name/knoxauth/login.html?OriginalUrl=https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/access/knox/callback;
then, when I authenticate, Nifi redirects my browser back via Knox to the same
URL, because in subsequent calls Knox resolves the user to anonymous
(?doAs=anonymous).
I have seen this policy defined for other services like Ambari and Yarnuiv2 when
they use tokens provided by Knox.
Knox is version 1.0 and Nifi 1.9.
Regards
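Editor's note, added to the thread and not part of the original post or of the Knox code base: the knoxsso.redirect.whitelist.regex in the topology above deserves a second look independently of the redirect loop, because it decides which OriginalUrl values KnoxSSO will bounce a freshly authenticated browser to. The script below mirrors the way Knox evaluates that parameter (assumption: Knox 1.x splits the value on ';' and accepts the URL when any entry matches it in full, which is how RegExUtils.checkWhitelist behaves) and runs the posted regex and a tightened alternative over a handful of constructed targets. It shows three properties of the posted value: the port group (:[0-9]+) is mandatory, so the callback URL is rejected as soon as the port is omitted; the greedy .+ in the host alternatives also matches '/' and '?', so a foreign host whose query string contains ".sub.dom.tld:443/" passes; and the bare ^/.*$ entry accepts protocol-relative targets such as //other-host/..., which browsers send to the other host. The tightened regex and the evil.example hostname are my own suggestion and placeholder, not something from the post.

```python
import re

# Redirect whitelist exactly as it appears in the KNOXSSO service of the
# posted topology. Knox compiles each ';'-separated entry as a Java regex
# and lets the redirect through when any entry matches the whole
# OriginalUrl (assumption: Knox 1.x RegExUtils.checkWhitelist semantics;
# Java's matches() and Python's re.fullmatch() both require a full match).
POSTED_WHITELIST = (
    r"^/.*$;"
    r"^https?://(.+\.sub\.dom\.tld|.+\.dom2\.tld2)(:[0-9]+)(/|/.*)?$"
)

# Tightened alternative (editor's suggestion, not from the post):
#  - a relative target may not start with '//' or '/\', which browsers
#    treat as a protocol-relative URL pointing at another host;
#  - the host part may only contain hostname characters, so '/', '?' and
#    '#' cannot push the expected domain into the path or query string;
#  - the port is optional, so a target without an explicit port is allowed.
TIGHTENED_WHITELIST = (
    r"^/(?![/\\]).*$;"
    r"^https?://([A-Za-z0-9-]+\.)+(sub\.dom\.tld|dom2\.tld2)(:[0-9]+)?(/.*)?$"
)


def knox_whitelist_allows(whitelist: str, url: str) -> bool:
    """Return True if any ';'-separated pattern fully matches the URL."""
    return any(re.fullmatch(p, url) for p in whitelist.split(";") if p)


# Constructed test targets. The first is the callback URL from the post;
# the others probe the whitelist with a missing port, a relative path and
# two attacker-controlled hosts (evil.example is a placeholder).
CASES = {
    "callback_with_port":
        "https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/access/knox/callback",
    "callback_without_port":
        "https://host1.sub.dom.tld/gateway/topologie-name/nifi-app/access/knox/callback",
    "relative_path":
        "/gateway/topologie-name/nifi-app/nifi",
    "protocol_relative_other_host":
        "//evil.example/gateway/topologie-name/nifi-app/nifi",
    "domain_smuggled_into_query":
        "https://evil.example/?next=.sub.dom.tld:443/",
    "suffix_spoofed_host":
        "https://host1.sub.dom.tld.evil.example:443/",
}


def evaluate(whitelist: str) -> dict:
    """Map each case name to the whitelist's verdict for that URL."""
    return {name: knox_whitelist_allows(whitelist, url) for name, url in CASES.items()}


if __name__ == "__main__":
    for label, wl in (("posted", POSTED_WHITELIST), ("tightened", TIGHTENED_WHITELIST)):
        print(label)
        for name, verdict in evaluate(wl).items():
            print(f"  {'ALLOW' if verdict else 'deny ':5} {name}")
```

Run it as-is and compare the two columns: the posted value allows the protocol-relative and query-smuggling targets while denying the callback without a port, whereas the tightened value inverts all three verdicts and still accepts the callback and the plain relative path. Whatever final regex you settle on, paste the literal value through a check like this before putting it in the topology, since a single unescaped dot or an unbounded .+ is easy to miss by eye.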