Community Articles

Short description: This article describes how to enable Knox SSO authentication on Kerberos enabled Oozie UI

The goal is to provide a single authentication handler for redirecting to an external endpoint for acquiring a JWT (JSONWebToken) token to be used as a SSO representation of an authentication event.

The hadoop common JWTRedirectAuthenticationHandler can be used to add this support to component UIs. It is an extension of AltKerberosAuthenticationHandler, which require kerberos to be enabled on the HTTP endpoints in order to work. This means that UIs will use SSO for authentication, but at the same time REST APIs will still be using kerberos.

For authenticating REST APIs with Knox SSO as well, there is a filter based authentication provider in Knox.

SSL must be enabled on Oozie server to be able to use redirection. Enable SSL on Oozie

Configuration in Ambari

Set the following properties at the Oozie config page:

oozie.authentication.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler

oozie.authentication.authentication.provider.url=https://{KNOX_HOST}:8443/gateway/knoxsso/api/v1/websso

oozie.authentication.public.key.pem={knox_public_key)

optional: oozie.authentication.expected.jwt.audiences={audiences} (default: EMPTY; which means ALL)

optional: oozie.authentication.jwt.cookie={cookie_name} (default: hadoop-jwt)

How to export Knox public key

keytool -export -alias gateway-identity -rfc -file cert.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks

• Copy the content of cert.pem without header/footer, and add it to the public.key.pem property value.

References:

https://issues.apache.org/jira/browse/HADOOP-11717

https://svn.apache.org/repos/asf/knox/site/books/knox-0-9-0/knoxsso_integration.html