question Knox LDAP Group Look up not working for UI's (works for KNOX API service) in Archives of Support Questions (Read Only) https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-LDAP-Group-Look-up-not-working-for-UI-s-works-for-KNOX/m-p/168739#M41733 <P>Hello,</P><P>I have setup knox to authenticate with our LDAP server and everything is working except when accessing the Hadoop UI's. Users that are not part of the group i've defined in AclsAuthz are still able to login. This works as expected when trying to access KNOX API. </P><P> see below: </P><P>Knox topology - i expect only users in "knox" group to be able to have access.</P><PRE> &lt;provider&gt; &lt;role&gt;authorization&lt;/role&gt; &lt;name&gt;AclsAuthz&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param name="knox.acl" value="*;knox;*"/&gt; &lt;/provider&gt;</PRE><P>/bin/knoxcli.sh user-auth-test --cluster default --u mliem --p '*******' --g</P><P>LDAP authentication successful!</P><P>mliem is a member of: admin</P><P>mliem is a member of: knox</P><P>mliem is a member of: developers</P><P>/bin/knoxcli.sh user-auth-test --cluster default --u jdoe --p '*******'' --g</P><P>LDAP authentication successful!</P><P>jdoe is a member of: developers</P><P>--------------------------------------------------------</P><P>curl -u mliem:'*****' -ik 'https://&lt;knox_ip&gt;:8443/gateway/default/api/v1/version'</P><P>HTTP/1.1 200 OK</P><P>curl -u jdoe:'*****' -ik 'https://&lt;knox_ip&gt;:8443/gateway/default/api/v1/version'</P><P>HTTP/1.1 403 Forbidden</P><P>Now when I access the UI's as defined in my topology: </P><PRE> &lt;service&gt; &lt;role&gt;YARNUI&lt;/role&gt; &lt;url&gt;http://{{rm_host}}:{{rm_port}}&lt;/url&gt; &lt;/service&gt;</PRE><P>Both mliem (expected) and jdoe can access. </P><P>Is there anything additional I need to add to my topology in order to leverage the groups i've defined in my LDAP server?</P><P>Thanks</P><P>,</P> Sun, 25 Sep 2016 08:00:07 GMT mliem 2016-09-25T08:00:07Z Knox LDAP Group Look up not working for UI's (works for KNOX API service) https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-LDAP-Group-Look-up-not-working-for-UI-s-works-for-KNOX/m-p/168739#M41733 <P>Hello,</P><P>I have setup knox to authenticate with our LDAP server and everything is working except when accessing the Hadoop UI's. Users that are not part of the group i've defined in AclsAuthz are still able to login. This works as expected when trying to access KNOX API. </P><P> see below: </P><P>Knox topology - i expect only users in "knox" group to be able to have access.</P><PRE> &lt;provider&gt; &lt;role&gt;authorization&lt;/role&gt; &lt;name&gt;AclsAuthz&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param name="knox.acl" value="*;knox;*"/&gt; &lt;/provider&gt;</PRE><P>/bin/knoxcli.sh user-auth-test --cluster default --u mliem --p '*******' --g</P><P>LDAP authentication successful!</P><P>mliem is a member of: admin</P><P>mliem is a member of: knox</P><P>mliem is a member of: developers</P><P>/bin/knoxcli.sh user-auth-test --cluster default --u jdoe --p '*******'' --g</P><P>LDAP authentication successful!</P><P>jdoe is a member of: developers</P><P>--------------------------------------------------------</P><P>curl -u mliem:'*****' -ik 'https://&lt;knox_ip&gt;:8443/gateway/default/api/v1/version'</P><P>HTTP/1.1 200 OK</P><P>curl -u jdoe:'*****' -ik 'https://&lt;knox_ip&gt;:8443/gateway/default/api/v1/version'</P><P>HTTP/1.1 403 Forbidden</P><P>Now when I access the UI's as defined in my topology: </P><PRE> &lt;service&gt; &lt;role&gt;YARNUI&lt;/role&gt; &lt;url&gt;http://{{rm_host}}:{{rm_port}}&lt;/url&gt; &lt;/service&gt;</PRE><P>Both mliem (expected) and jdoe can access. </P><P>Is there anything additional I need to add to my topology in order to leverage the groups i've defined in my LDAP server?</P><P>Thanks</P><P>,</P> Sun, 25 Sep 2016 08:00:07 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-LDAP-Group-Look-up-not-working-for-UI-s-works-for-KNOX/m-p/168739#M41733 mliem 2016-09-25T08:00:07Z Re: Knox LDAP Group Look up not working for UI's (works for KNOX API service) https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-LDAP-Group-Look-up-not-working-for-UI-s-works-for-KNOX/m-p/168740#M41734 <P>Hello <A rel="user" href="https://community.cloudera.com/users/11088/mliem.html" nodeid="11088">@mliem</A> </P><P>You almost got it right. The missing piece is the ACL param for YARNUI service. So in your Knox topology, the authorization provider should look like this:</P><PRE> &lt;provider&gt; &lt;role&gt;authorization&lt;/role&gt; &lt;name&gt;AclsAuthz&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param name="knox.acl" value="*;knox;*"/&gt; &lt;param name="yarnui.acl" value="*;knox;*"/&gt; &lt;/provider&gt;</PRE><P>Hope this helps. Do let us know the results.</P> Sun, 25 Sep 2016 17:08:41 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Knox-LDAP-Group-Look-up-not-working-for-UI-s-works-for-KNOX/m-p/168740#M41734 VR46 2016-09-25T17:08:41Z