Support Questions
Find answers, ask questions, and share your expertise

Access Ambari UI through Knox configured with HeaderPreAuth

New Contributor

I'm stuck on an logging in to Ambari UI via Knox, I've configured Knox to use HeaderPreAuth(SiteMinder). Is it even possible to access the HDP UI's in that way?

What happens is that I get no further than Amabri's login view.

I've verified that i can use WebHDFS through Knox with the same configuration.

This is the process for what I've tried so far:

I set the SiteMinder header in the browser using a plugin.

I've configured a topology like this

<topology>
    <gateway>
        <provider>
            <role>federation</role>
            <name>HeaderPreAuth</name>
            <enabled>true</enabled>
            <param><name>preauth.validation.method</name><value>preauth.ip.validation</value></param>
            <param><name>preauth.ip.addresses</name><value>my_ip_range</value></param>
            <param><name>preauth.custom.header</name><value>SM_USER</value></param>
        </provider>

        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled> 
        </provider>

        <provider>
            <role>authorization</role>
            <name>AclsAuthz</name>
            <enabled>false</enabled>
        </provider>
.....
        <service>
            <role>AMBARIUI</role>
            <url>my_server_ip:8080</url>
        </service>
</topology>

I also tried adding the AMBARI service role in the topology but it didn't make any difference.

Then I've configured the 'service.xml' file for the AmbariUI service to use the federation policy:

<service role="AMBARIUI" name="ambariui" version="2.2.0">
    <policies>
        <policy role="webappsec"/>
        <policy role="federation"/>
        <policy role="rewrite"/>
        <policy role="identity-assertion"/>
        <policy role="authorization"/>
    </policies>
....
</service>

I can see that the user specified in the SiteMinder header is picked up by Knox in the gateway-audit log file.

I can't find any errors in any logs, the only remotely interesting information is that i seem to get a Response status: 400 in the gateway-audit logs when i perform the request.

Any ideas why this isn't working? Have I missed some important step?

1 REPLY 1

Re: Access Ambari UI through Knox configured with HeaderPreAuth

Contributor

I am not sure if Ambari supports HeaderPreAuth yet, it supports KnoxSSO though but it needs to be configured.