
Short description: This article describes how to enable Knox SSO authentication on a Kerberos-enabled Oozie UI.

The goal is to provide a single authentication handler for redirecting to an external endpoint for acquiring a JWT (JSON Web Token) to be used as an SSO representation of an authentication event.

The Hadoop Common JWTRedirectAuthenticationHandler can be used to add this support to component UIs. It is an extension of AltKerberosAuthenticationHandler, which requires Kerberos to be enabled on the HTTP endpoints in order to work. This means that UIs will use SSO for authentication, but at the same time REST APIs will still be using Kerberos.

For authenticating REST APIs with Knox SSO as well, there is a filter-based authentication provider in Knox.

SSL must be enabled on the Oozie server to be able to use redirection (see: Enable SSL on Oozie).

Configuration in Ambari

Set the following properties at the Oozie config page:



optional: oozie.authentication.expected.jwt.audiences={audiences} (default: EMPTY; which means ALL)

optional: oozie.authentication.jwt.cookie={cookie_name} (default: hadoop-jwt)

How to export Knox public key

keytool -export -alias gateway-identity -rfc -file cert.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
  • Copy the content of cert.pem without header/footer, and add it to the public.key.pem property value.
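
The copy step above and the optional audience setting, as an added example that is not part of the original article or of Oozie/Knox code: a Python helper that strips the header/footer from the exported cert.pem to produce the public.key.pem value, and decodes a JWT's claims to compare its audience with the expected audiences. The sample PEM is a constructed stub, the function names are hypothetical, and the claim check does not verify the signature, so it is only a troubleshooting aid.

```python
import base64
import json
import re
import time

# Constructed sample: a 5-byte DER stub, NOT a real Knox certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n"
              "-----END CERTIFICATE-----\n")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_property_value(pem_text):
    """Return the certificate body without header/footer, on one line."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if not der or der[0] != 0x30:  # a DER certificate starts with SEQUENCE
        raise ValueError("decoded body is not DER")
    return body


def check_claims(token, expected_audiences=(), now=None):
    """Decode a JWT payload WITHOUT verifying it; list audience/expiry issues."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    problems = []
    # Empty expected list accepts every audience, as the article states.
    if expected_audiences and not set(aud) & set(expected_audiences):
        problems.append("audience %r not in expected list" % aud)
    exp = claims.get("exp")
    now = time.time() if now is None else now
    # Assumption of this example: a token without "exp" is not flagged.
    if exp is not None and exp <= now:
        problems.append("token expired")
    return problems


if __name__ == "__main__":
    print(pem_to_property_value(SAMPLE_PEM))  # value for public.key.pem
```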



What version of Oozie and HDP is this support available in?

Last update: 01-10-2018 11:47 AM