question Knox SSO to HDFSUI failing in Support Questions

Knox SSO to HDFSUI failing

Hadoop16 — Fri, 10 May 2024 01:12:52 GMT

Configured Knoxsso without Ambari. Knoxsso is configured with Shiro provider and updated the core-site.xml with below configs

hadoop.http.authentication.type
hadoop.http.authentication.authentication.provider.url
hadoop.http.authentication.public.key.pem

Followed: https://knox.apache.org/books/knox-1-6-0/user-guide.html#KnoxSSO+Setup+and+Configuration

After restart, NN UI is redirecting to KnoxSSO and after entering the AD credentials it is throwing below error in the UI. The redirect to originalUrl looks valid from Knoxsso url.

ERROR Invalid Redirect: Possible Phishing Attempt

Any help is appreciated!

Re: Knox SSO to HDFSUI failing

Hadoop16 — Fri, 10 May 2024 09:13:54 GMT

I was able to resolve the "Invalid redirect" by adding knoxsso.redirect.whitelist.regex but when I enter AD credentials in the KnoxSSO page it keeps redirecting to the same login page.

I could see below msgs in gateway.log
2024-05-10 09:04:16,722 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true
2024-05-10 09:04:16,760 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /images/loading.gif
2024-05-10 09:04:16,761 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
2024-05-10 09:04:16,761 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(142)) - PrimaryPrincipal has access: true
2024-05-10 09:04:16,761 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(158)) - Remote IP Address:
2024-05-10 09:04:16,761 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(160)) - Remote IP Address has access: true
2024-05-10 09:04:16,762 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true
2024-05-10 09:04:16,795 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /redirecting.jsp
2024-05-10 09:04:16,796 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
2024-05-10 09:04:16,796 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(142)) - PrimaryPrincipal has access: true
2024-05-10 09:04:16,797 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(158)) - Remote IP Address:
2024-05-10 09:04:16,797 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(160)) - Remote IP Address has access: true
2024-05-10 09:04:16,797 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true
2024-05-10 09:04:20,773 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /images/loading.gif
2024-05-10 09:04:20,774 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
2024-05-10 09:04:20,775 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(142)) - PrimaryPrincipal has access: true
2024-05-10 09:04:20,775 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(158)) - Remote IP Address:
2024-05-10 09:04:20,775 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(160)) - Remote IP Address has access: true
2024-05-10 09:04:20,775 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true
2024-05-10 09:04:20,916 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /api/v1/websso
2024-05-10 09:04:20,943 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /login.html
2024-05-10 09:04:20,944 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
2024-05-10 09:04:20,944 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(142)) - PrimaryPrincipal has access: true
2024-05-10 09:04:20,945 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(158)) - Remote IP Address:
2024-05-10 09:04:20,945 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(160)) - Remote IP Address has access: true
2024-05-10 09:04:20,945 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true

Re: Knox SSO to HDFSUI failing

Scharan — Fri, 10 May 2024 10:49:52 GMT

Hello @Hadoop16 Can you disable debug logs and share the information logs from the gateway log file by replicating the issue

Re: Knox SSO to HDFSUI failing

Hadoop16 — Fri, 10 May 2024 14:36:54 GMT

Hello @Scharan Below are the entries populated when reaching HDFSUI via knoxsso
2024-05-10 14:32:54,143 INFO knox.gateway (AclsAuthorizationFilter.java:init(72)) - Initializing AclsAuthz Provider for: knoxauth
2024-05-10 14:32:54,143 INFO knox.gateway (AclParser.java:parseAcls(50)) - ACLs found for: knoxauth
2024-05-10 14:33:04,139 INFO knox.gateway (KnoxLdapRealm.java:getUserDn(721)) - Computed userDn: CN=lastname\, firstname,OU=XXXX,OU=XXXXX,DC=XXX,DC=XXX,DC=com using ldapSearch for principal: userid
2024-05-10 14:33:04,790 INFO knox.gateway (AclsAuthorizationFilter.java:init(72)) - Initializing AclsAuthz Provider for: KNOXSSO
2024-05-10 14:33:04,790 INFO knox.gateway (AclParser.java:parseAcls(50)) - ACLs found for: KNOXSSO
2024-05-10 14:33:06,030 INFO knox.gateway (CookieUtils.java:getCookiesForName(46)) - Unable to find cookie with name: original-url
2024-05-10 14:33:06,095 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(386)) - JWT cookie successfully added.
2024-05-10 14:33:06,095 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(278)) - About to redirect to original URL: http://NN_host50070/index.html

Re: Knox SSO to HDFSUI failing

Hadoop16 — Sat, 11 May 2024 06:37:17 GMT

Hello @Scharan

From the debug log I think the issue is when Knoxsso is redirecting to NN UI, it is sending user as anonymous.
AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous

Do you know what configs at hdfs or Knox could help here?