question Re: Authentication Issue in Apache Knox ldap in Archives of Support Questions (Read Only)

Authentication Issue in Apache Knox ldap

munnyrahul — Mon, 03 Apr 2017 16:03:05 GMT

I have installed knox as a service using Ambari(on Edge Node) on my 6 Node HDP 2.5 cluster(1 Edge Node, 1 Namenode, 1 Secondary Namenode and 3 Slave Nodes). Knox gateway and ldap Server is up and running on Edge Node.

I am also able to authenticate to webhdfs using existing users like guest, tom, sam in users.ldif file. But when i add a new user i.e. scott into users.ldif file it is showing Unauthorized error in HDFS? I have copied the template of existing user "tom" and added new user as mentioned below. Any idea why i am facing such issue?

dn: uid=steve,ou=people,dc=hadoop,dc=apache,dc=org

objectclass:top

objectclass:person

objectclass:organizationalPerson

objectclass:inetOrgPerson

cn: scott

sn: scott

uid: scott

userPassword:steve-password

I am facing below mentioned error for new users

[LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=steve,ou=people,dc=hadoop,dc=apache,dc=org]

Re: Authentication Issue in Apache Knox ldap

munnyrahul — Mon, 03 Apr 2017 17:08:58 GMT

@Deepak Sharma @Rahul Pathak

Could you help?

Re: Authentication Issue in Apache Knox ldap

dsharma — Mon, 03 Apr 2017 17:52:12 GMT

rahul gulati , are you able to do ldap search for that user? ,

this is the issue with user addition , it seems user is not added to the ldap , just run ldap search for this user and confirm if it is added properly

and what is the command you are running from knox ? , you need to provide username and password while running it from knox, curl -u steve:steve-password

Re: Authentication Issue in Apache Knox ldap

munnyrahul — Mon, 03 Apr 2017 17:58:06 GMT

@Deepak Sharma

I am running below mentioned command

curl -iku steve:steve-password -X GET "https://{lknox_gateway}:8443/gateway/default/webhdfs/v1/tmp?op=LISTSTATUS"

While running below it is also getting failed with error below

. knoxcli.sh --d user-auth-test --cluster default --u steve --p steve-password

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user uid=steve,ou=people,dc=hadoop,dc=apache,dc=org]

How to do ldap seach? I am using internal ldap provided with knox with default topology file(default.xml)

I have copied the same template for other users(i.e. tom,guest) present in users.ldif file and modified it to match steve. I am not understanding why is it not working although the steps looks right? Do i need to modify any other file as well in addition to users.ldif?

Re: Authentication Issue in Apache Knox ldap

dsharma — Mon, 03 Apr 2017 18:13:29 GMT

one more thing did you restart the ldap after adding the user ? , because i am able to use the user the way you added it , just make sure you restart the ldap server after adding new user in user.ldif

Re: Authentication Issue in Apache Knox ldap

munnyrahul — Mon, 03 Apr 2017 18:40:14 GMT

@Deepak Sharma

Yeah i missed the main thing. Was not restarting ldap service. Thanks for the answer.

Anyways do u have any reference links to help me connect to hive through knox?

Thanks

Re: Authentication Issue in Apache Knox ldap

dsharma — Mon, 03 Apr 2017 18:53:34 GMT

@rahul gulati this is how I connect to hive via knox through beeline:

beeline --silent=true -u "jdbc:hive2://<knox_host>:8443/;ssl=true;sslTrustStore=/usr/hdp/current/knox-server/data/security/keystores/gateway.jks;trustStorePassword=knoxsecret;transportMode=http;httpPath=gateway/default/hive;hive.server2.use.SSL=true" -d org.apache.hive.jdbc.HiveDriver -n sam -p sam-password

and there are few references too:

https://cwiki.apache.org/confluence/display/KNOX/Examples+Hive

https://community.hortonworks.com/questions/16887/beeline-connect-via-knox-ssl-issue.html