Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Can't Logout from Ambari with Knox SSO

Labels:
avatar
author-rank kei_miyauchi_
Explorer

Created ‎11-26-2018 05:32 AM

Hi, I'm using Knox to login Ambari 2.7 and other components.
I found that I can't logout from Ambari.
When I click "Sign out" button, it redirects to Ambari's login view(/#/login), and then redirects to Dashboard.(/#/main/dashboard/metrics). Login state remains.
How could I fix that?

6,968 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank gyadav author-rank
Rising Star

Created ‎11-27-2018 02:55 PM

@Kei Miyauchi,

Do you see any error like this in your ambari-server logs and ambari-agent logs.

30 Oct 2018 17:12:14,908 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.
30 Oct 2018 17:12:14,910 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token
30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.

30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token.

If this is the case then you should check the knosso.token.ttl property. This you can find in Ambari > Knox > Configs > Advanced knoxsso-topology.

knosso.token.ttl should be 30 seconds by default. checkout the below kb article.

https://community.hortonworks.com/content/supportkb/223278/errorjwt-authentication-failed-invalid-jw...

and if this is not the issue then can you please upload the ambari-sever logs ambari-audit logs.

Hope this helps!!!!!!!!

View solution in original post

6,585 Views
0 Kudos
9 REPLIES 9

avatar
author-rank smore author-rank
Rising Star

Created ‎11-26-2018 06:18 PM

What error do you see in the logs ?

6,585 Views
0 Kudos

avatar
author-rank kei_miyauchi_
Explorer

Created ‎11-27-2018 12:17 AM

Hi, @Sandeep More

When I try to log out, the log below leaves on ambari-audit.log.

2018-11-27T09:12:37.720+0900, User(my user), RemoteIp(ip), Operation(Logout), Status(Success)
2018-11-27T09:12:37.925+0900, User(null), RemoteIp(ip), Operation(User login), Roles(
), Status(Failed), Reason(Authentication required), Consecutive failures(UNKNOWN USER)
2018-11-27T09:12:37.927+0900, User(my user), RemoteIp(ip), Operation(User login), Roles(
    SmartSense View: View User, View User, View User, View User, View User, View User, View User, View User
    (my domain): Cluster Administrator
    Hive View 2.0: View User
    Hive View: View User
    Ambari: Ambari Administrator
    Files View: View User
    Tez View: View User
    YARN Queue Manager: View User
), Status(Success)
<br>
6,585 Views
0 Kudos

avatar
author-rank gyadav author-rank
Rising Star

Created ‎11-27-2018 02:55 PM

@Kei Miyauchi,

Do you see any error like this in your ambari-server logs and ambari-agent logs.

30 Oct 2018 17:12:14,908 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.
30 Oct 2018 17:12:14,910 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token
30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.

30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token.

If this is the case then you should check the knosso.token.ttl property. This you can find in Ambari > Knox > Configs > Advanced knoxsso-topology.

knosso.token.ttl should be 30 seconds by default. checkout the below kb article.

https://community.hortonworks.com/content/supportkb/223278/errorjwt-authentication-failed-invalid-jw...

and if this is not the issue then can you please upload the ambari-sever logs ambari-audit logs.

Hope this helps!!!!!!!!

6,586 Views
0 Kudos

avatar
author-rank kei_miyauchi_
Explorer

Created ‎11-28-2018 03:00 AM

@gyadav

I found that knoxsso.token.ttl was 10 hours. I set it 30 seconds and it worked.
However, I want to set long TTL because I'm using other components which authenticates users by Knox only. If I set TTL 30 seconds, such components wil require login every 30 seconds.

Is there a way like this?
1. make Ambari invalidate JWT not only its own session when I logout from Ambari
2. make Ambari authenticate users by Knox only(forbid to have its own session)

Any information helps.

6,585 Views
0 Kudos

avatar
author-rank Gazal
Explorer

Created on ‎10-17-2019 02:19 AM - edited ‎10-17-2019 02:37 AM

@gyadav

I tried this option of changing the ttl value. It is still not working for me. After I logout it redirects to login page and automatically logins in. 

Please can you help me.

 

Thanks,

Gazal

6,390 Views
0 Kudos

avatar
author-rank somesh
Explorer

Created ‎08-05-2021 07:18 AM

Hi @gyadav ,

I have configured the knox-sso for ranger,hdfs,yarn ui but getting the username and password is incorrect error.I have checked knox-audit log and also ambari logs but not able to find root cause and hdp env is 3.0.1
Thanks in advance.

 

 

4,449 Views
0 Kudos

avatar
author-rank gyadav author-rank
Rising Star

Created ‎11-28-2018 05:30 AM

@Kei Miyauchi,

Great it worked!!!! Kindly accept my previous answer.

Regarding your query, Which all components you are using to authenticate via knox.

6,585 Views
0 Kudos

avatar
author-rank kei_miyauchi_
Explorer

Created ‎11-28-2018 07:47 AM

@gyadav

I'm using NiFi, and Oozie's web UI.

6,585 Views
0 Kudos

avatar
author-rank kei_miyauchi_
Explorer

Created ‎11-29-2018 05:29 AM

I created another Knox topology whose token has long TTL, and assigned it to NiFi.
It's not SSO because Token is separated. I should type my username and password to Ambari even if I already logged in to NiFi. But at least I can logout from Ambari(and don't have to re-login to NiFi each 30 seconds).

Thank you for all your help.

6,585 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements