Can't Logout from Ambari with Knox SSO

Hi, I'm using Knox to log in to Ambari 2.7 and other components.
I found that I can't log out from Ambari.
When I click the "Sign out" button, it redirects to Ambari's login view (/#/login), and then redirects to the Dashboard (/#/main/dashboard/metrics). The login state remains.
How could I fix that?

1 ACCEPTED SOLUTION

Rising Star

@Kei Miyauchi,

Do you see any error like this in your ambari-server logs and ambari-agent logs?

30 Oct 2018 17:12:14,908 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.
30 Oct 2018 17:12:14,910 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token
30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.
30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token.

If this is the case, then you should check the knoxsso.token.ttl property. You can find it in Ambari > Knox > Configs > Advanced knoxsso-topology.

knoxsso.token.ttl should be 30 seconds by default. Check out the KB article below.

https://community.hortonworks.com/content/supportkb/223278/errorjwt-authentication-failed-invalid-jw...

And if this is not the issue, then can you please upload the ambari-server logs and ambari-audit logs?

Hope this helps!!!!!!!!

9 REPLIES

Rising Star

What error do you see in the logs?

Hi, @Sandeep More

When I try to log out, the log below is left in ambari-audit.log.

2018-11-27T09:12:37.720+0900, User(my user), RemoteIp(ip), Operation(Logout), Status(Success)
2018-11-27T09:12:37.925+0900, User(null), RemoteIp(ip), Operation(User login), Roles(
), Status(Failed), Reason(Authentication required), Consecutive failures(UNKNOWN USER)
2018-11-27T09:12:37.927+0900, User(my user), RemoteIp(ip), Operation(User login), Roles(
    SmartSense View: View User, View User, View User, View User, View User, View User, View User, View User
    (my domain): Cluster Administrator
    Hive View 2.0: View User
    Hive View: View User
    Ambari: Ambari Administrator
    Files View: View User
    Tez View: View User
    YARN Queue Manager: View User
), Status(Success)
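
A detection check for the pattern visible in the audit log above, as an added example that is not part of the original thread: it flags a successful `User login` that follows a successful `Logout` for the same user and IP within a few seconds, meaning the logout did not end the SSO session. The sample lines, user names, IP addresses and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the ambari-audit.log layout quoted in the thread (placeholder users/IPs).
SAMPLE = """\
2018-11-27T09:12:37.720+0900, User(alice), RemoteIp(10.0.0.5), Operation(Logout), Status(Success)
2018-11-27T09:12:37.925+0900, User(null), RemoteIp(10.0.0.5), Operation(User login), Roles(
), Status(Failed), Reason(Authentication required), Consecutive failures(UNKNOWN USER)
2018-11-27T09:12:37.927+0900, User(alice), RemoteIp(10.0.0.5), Operation(User login), Roles(
    Ambari: Ambari Administrator
), Status(Success)
2018-11-27T10:00:00.000+0900, User(bob), RemoteIp(10.0.0.6), Operation(Logout), Status(Success)
2018-11-27T10:05:00.000+0900, User(bob), RemoteIp(10.0.0.6), Operation(User login), Roles(
    Ambari: Ambari Administrator
), Status(Success)
"""

RECORD_START = re.compile(r"\d{4}-\d{2}-\d{2}T[\d:.]+[+-]\d{4}, ")
FIELDS = ("User", "RemoteIp", "Operation", "Status")

def parse_records(text):
    """Return [(timestamp, fields)], folding multi-line Roles(...) into one record."""
    raw = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            raw.append(line)
        elif raw:
            raw[-1] += "\n" + line  # continuation of the previous record
    records = []
    for rec in raw:
        ts = datetime.strptime(rec.split(",", 1)[0], "%Y-%m-%dT%H:%M:%S.%f%z")
        found = {k: re.search(k + r"\(([^)]*)\)", rec) for k in FIELDS}
        records.append((ts, {k: m.group(1) if m else None for k, m in found.items()}))
    return records

def silent_relogins(text, window=timedelta(seconds=5)):
    """Flag a successful login within `window` of a successful logout (same user and IP)."""
    last_logout, hits = {}, []
    for ts, f in parse_records(text):
        key = (f["User"], f["RemoteIp"])
        ok = f["Status"] == "Success"
        if ok and f["Operation"] == "Logout":
            last_logout[key] = ts
        elif ok and f["Operation"] == "User login" and key in last_logout:
            gap = ts - last_logout.pop(key)
            if gap <= window:
                hits.append((key[0], key[1], gap.total_seconds()))
    return hits
```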

@gyadav

I found that knoxsso.token.ttl was 10 hours. I set it to 30 seconds and it worked.
However, I want to set a long TTL because I'm using other components which authenticate users by Knox only. If I set the TTL to 30 seconds, such components will require login every 30 seconds.

Is there a way like this?
1. Make Ambari invalidate the JWT, not only its own session, when I log out from Ambari
2. Make Ambari authenticate users by Knox only (forbid it to have its own session)

Any information helps.

Explorer

@gyadav

I tried this option of changing the TTL value. It is still not working for me. After I log out, it redirects to the login page and automatically logs in.

Please can you help me.

Thanks,

Gazal

Explorer

Hi @gyadav ,

I have configured Knox SSO for the Ranger, HDFS and YARN UIs, but I am getting the "username and password is incorrect" error. I have checked the knox-audit log and also the Ambari logs but am not able to find the root cause. The HDP environment is 3.0.1.
Thanks in advance.

Rising Star

@Kei Miyauchi,

Great, it worked!!!! Kindly accept my previous answer.

Regarding your query, which components are you using to authenticate via Knox?

@gyadav

I'm using NiFi and Oozie's web UI.

I created another Knox topology whose token has a long TTL, and assigned it to NiFi.
It's not SSO because the token is separate. I have to type my username and password into Ambari even if I am already logged in to NiFi. But at least I can log out from Ambari (and don't have to re-login to NiFi every 30 seconds).

Thank you for all your help.