Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Authentication to Knox

Authentication to Knox

New Contributor

Hi, I am writing a Java application that needs to access to HDP services through Knox. I want to have authentication at Knox to protect my cluster. I understand that I'll connect Knox to my LDAP server. How can my application will authenticate to Knox in order to access to HDP services ? can I avoid sending username/password when call Knox API ?

I am on HDP 2.5

5 REPLIES 5

Re: Authentication to Knox

New Contributor

To be more accurate, when a user call a service through Knox, he provides user-name/password in the curl command.

Are these credentials sent unencrypted over the wire and hence can be spoofed ? if yes, does ssl provide a solution for this ?

How can a client authenticate to Knox without provide these information ? (tokens, or other solution)

I have been reading about SPENGO but I don't understand how all these protocols interact.

Re: Authentication to Knox

Rising Star

@Adel Ouazani Knox requires User to provide Username/Password for authentication. Knox can be configured to use Basic/LDAP/AD/Single Sign-On (SAML based Identity Provider e.g. Okta or default Form-based authentication provided with Knox). Knox uses HTTPS by default and out-of-the-box and hence credentials won't be sent unencrypted. After successful authentication, Knox uses it's own SPNEGO (Kerberos) keytab to authenticate with other hadoop services e.g. WebHDFS, Hive, Oozie, etc.

Re: Authentication to Knox

New Contributor
I would like to know what the username / password is required

Re: Authentication to Knox

Rising Star

@xu yadong Depends on the configuration. For example, If you have integrated Knox to use Active Directory, use your AD credentials. If you are using Knox DemoLDAP, check users.ldif file.

Re: Authentication to Knox

New Contributor

@Krishna Pandey Suppose we want a specific node to be authenticated by Knox such that whenever a request comes from the node it is entertained without requiring username-password. How can it be done?

I have asked it here at https://community.hortonworks.com/questions/155452/how-can-we-authenticate-a-node-via-knox.html

Don't have an account?
Coming from Hortonworks? Activate your account here