question Re: Knox sso for ambari and ranger does not work in Support Questions https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118516#M81299 <P>Can you provide the complete logs to debug further.</P> Wed, 22 Feb 2017 17:03:37 GMT Anishkumarv 2017-02-22T17:03:37Z Knox sso for ambari and ranger does not work https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118514#M81297 <P>hi all:</P><P>i config the knox sso for ambari use this doc,<A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/setting_up_knox_sso_for_ambari.html" rel="nofollow noopener noreferrer" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/setting_up_knox_sso_for_ambari.html</A>, but when i submit the login page, then the page redirect to the ambari login page,and the redirect back again.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11816-knox-sso.png" style="width: 554px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/22976i50D805B675323DFD/image-size/medium?v=v2&amp;px=400" role="button" title="11816-knox-sso.png" alt="11816-knox-sso.png" /></span></P><P> here is the amabri-server.log:</P><P>User(null), RemoteIp(192.168.XX.XX), Operation(User login), Roles( ), Status(Failed), Reason(Authentication required).</P><P>and knox gateway.log:</P><P>ed310ab8-e377-4781-adfb-27f94d472e90|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fbigdata%3A8080%2F%23%2Flogin?redirected=true|success|Response status: 401</P> Mon, 19 Aug 2019 10:45:17 GMT https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118514#M81297 leezy 2019-08-19T10:45:17Z Re: Knox sso for ambari and ranger does not work https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118515#M81298 <P>Can you provide KnoxSSO topology from Knox configuration? Also try to authenticate using an User in Knox, as you are getting 401.</P> Wed, 22 Feb 2017 16:52:15 GMT https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118515#M81298 WhiteHa 2017-02-22T16:52:15Z Re: Knox sso for ambari and ranger does not work https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118516#M81299 <P>Can you provide the complete logs to debug further.</P> Wed, 22 Feb 2017 17:03:37 GMT https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118516#M81299 Anishkumarv 2017-02-22T17:03:37Z Re: Knox sso for ambari and ranger does not work https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118517#M81300 <P> &lt;topology&gt; &lt;gateway&gt; &lt;provider&gt; &lt;role&gt;webappsec&lt;/role&gt; &lt;name&gt;WebAppSec&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param&gt;&lt;name&gt;xframe.options.enabled&lt;/name&gt;&lt;value&gt;true&lt;/value&gt;&lt;/param&gt; &lt;/provider&gt; &lt;provider&gt; &lt;role&gt;authentication&lt;/role&gt; &lt;name&gt;ShiroProvider&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param&gt; &lt;name&gt;sessionTimeout&lt;/name&gt; &lt;value&gt;30&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;redirectToUrl&lt;/name&gt; &lt;value&gt;/gateway/knoxsso/knoxauth/login.html&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;restrictedCookies&lt;/name&gt; &lt;value&gt;rememberme,WWW-Authenticate&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm&lt;/name&gt; &lt;value&gt;org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapContextFactory&lt;/name&gt; &lt;value&gt;org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory&lt;/value&gt; &lt;/param&gt;&lt;param&gt; &lt;name&gt;main.ldapRealm.contextFactory&lt;/name&gt; &lt;value&gt;$ldapContextFactory&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm.userDnTemplate&lt;/name&gt; &lt;value&gt;uid={0},ou=people,dc=VENUS,dc=COM&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm.contextFactory.url&lt;/name&gt; &lt;value&gt;ldap://bigdata7:389&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm.authenticationCachingEnabled&lt;/name&gt; &lt;value&gt;false&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm.contextFactory.authenticationMechanism&lt;/name&gt; &lt;value&gt;simple&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;urls./**&lt;/name&gt; &lt;value&gt;authcBasic&lt;/value&gt; &lt;/param&gt; &lt;/provider&gt; &lt;provider&gt; &lt;role&gt;identity-assertion&lt;/role&gt; &lt;name&gt;Default&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;/provider&gt; &lt;/gateway&gt; &lt;application&gt; &lt;name&gt;knoxauth&lt;/name&gt; &lt;/application&gt; &lt;service&gt; &lt;role&gt;KNOXSSO&lt;/role&gt; &lt;param&gt; &lt;name&gt;knoxsso.cookie.secure.only&lt;/name&gt; &lt;value&gt;false&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;knoxsso.token.ttl&lt;/name&gt; &lt;value&gt;30000&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;knoxsso.redirect.whitelist.regex&lt;/name&gt; &lt;value&gt;^https?:\/\/(bigdata[0-9]|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*{replace15}lt;/value&gt; &lt;/param&gt;&lt;/service&gt; &lt;/topology&gt;</P><P>this is my knox sso topology, and my knox and ambari-server is not in the same machine.</P> Wed, 22 Feb 2017 17:27:57 GMT https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118517#M81300 leezy 2017-02-22T17:27:57Z Re: Knox sso for ambari and ranger does not work https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118518#M81301 <P>17/02/22 17:46:07 ||f67516cd-e553-43c8-9666-4dfd95b63a3c|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://bigdata6:8080/|unavailable|Request method: POST 17/02/22 17:46:07 ||f67516cd-e553-43c8-9666-4dfd95b63a3c|audit|KNOXSSO|venus|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://bigdata6:8080/|success| 17/02/22 17:46:07 ||f67516cd-e553-43c8-9666-4dfd95b63a3c|audit|KNOXSSO|venus|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://bigdata6:8080/|success|Groups: [] 17/02/22 17:46:07 ||f67516cd-e553-43c8-9666-4dfd95b63a3c|audit|KNOXSSO|venus|||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://bigdata6:8080/|success|Response status: 303 17/02/22 17:46:07 ||cc006ac5-1b98-4d20-bbdd-03a30f26fda4|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/redirecting.html?originalUrl=http://bigdata6:8080/|unavailable|Request method: GET 17/02/22 17:46:07 ||cc006ac5-1b98-4d20-bbdd-03a30f26fda4|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/redirecting.html?originalUrl=http://bigdata6:8080/|success|Response status: 200 17/02/22 17:46:07 ||2f023049-55b3-4bd9-879d-2430bde60f1f|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET 17/02/22 17:46:07 ||2f023049-55b3-4bd9-879d-2430bde60f1f|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200 17/02/22 17:46:07 ||a0848c4b-637b-4699-8cec-efc85f425f6f|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET 17/02/22 17:46:07 ||a0848c4b-637b-4699-8cec-efc85f425f6f|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200 17/02/22 17:46:07 ||cd5a3a24-5332-45c2-80b6-edbb8298cd07|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/loading.gif|unavailable|Request method: GET 17/02/22 17:46:07 ||cd5a3a24-5332-45c2-80b6-edbb8298cd07|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/loading.gif|success|Response status: 200 17/02/22 17:46:08 ||ded2eb86-5184-4c17-bfe2-ca557ae16fac|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fbigdata6%3A8080%2F%23%2Flogin?redirected=true|unavailable|Request method: GET 17/02/22 17:46:08 ||ded2eb86-5184-4c17-bfe2-ca557ae16fac|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fbigdata6%3A8080%2F%23%2Flogin?redirected=true|success|Response status: 401 17/02/22 17:46:08 ||6eb6e25a-4321-4c69-a7f5-aa7ea15ceb57|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http%3A%2F%2Fbigdata6%3A8080%2F%23%2Flogin?redirected=true|unavailable|Request method: GET 17/02/22 17:46:08 ||6eb6e25a-4321-4c69-a7f5-aa7ea15ceb57|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http%3A%2F%2Fbigdata6%3A8080%2F%23%2Flogin?redirected=true|success|Response status: 200 17/02/22 17:46:08 ||6e3bca36-1991-40bc-9587-fe35c3ecc61d|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET 17/02/22 17:46:08 ||f355e30a-2159-42b9-8659-043dc3ef9496|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET 17/02/22 17:46:08 ||f355e30a-2159-42b9-8659-043dc3ef9496|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200 17/02/22 17:46:08 ||6e3bca36-1991-40bc-9587-fe35c3ecc61d|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200</P><P>this is log that visit one time</P> Wed, 22 Feb 2017 17:29:28 GMT https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118518#M81301 leezy 2017-02-22T17:29:28Z Re: Knox sso for ambari and ranger does not work https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118519#M81302 <P>the ambari and knox sso use the same user, and knox use ldap</P> Wed, 22 Feb 2017 17:31:13 GMT https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118519#M81302 leezy 2017-02-22T17:31:13Z Re: Knox sso for ambari and ranger does not work https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118520#M81303 <P>I think the problem is your hostname which does not have FQDN. e.g. somehost.abc.com , Try putting /etc/hosts entries with FQDN for your "bigdata[0-9]" hosts. KnoxSSO requires host TLD to set cookies for that domain.</P> Wed, 22 Feb 2017 17:43:08 GMT https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118520#M81303 WhiteHa 2017-02-22T17:43:08Z Re: Knox sso for ambari and ranger does not work https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118521#M81304 <P>yes,thank you,the knox host and ambari host should be the same domain suffix. i've solve this. </P> Thu, 23 Feb 2017 10:18:07 GMT https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118521#M81304 leezy 2017-02-23T10:18:07Z Re: Knox sso for ambari and ranger does not work https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118522#M81305 <P>I have meet the same problem,but I don`t know how to setup my own domain.</P><P>May you have solved this problem,If you have some suggest will be will kind for me.</P><P>Thanks!</P> Mon, 20 Mar 2017 16:35:46 GMT https://community.cloudera.com/t5/Support-Questions/Knox-sso-for-ambari-and-ranger-does-not-work/m-p/118522#M81305 minskychen 2017-03-20T16:35:46Z