Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Can't Logout from Ambari with Knox SSO

Solved Go to solution
Highlighted

Can't Logout from Ambari with Knox SSO

Hi, I'm using Knox to login Ambari 2.7 and other components.
I found that I can't logout from Ambari.
When I click "Sign out" button, it redirects to Ambari's login view(/#/login), and then redirects to Dashboard.(/#/main/dashboard/metrics). Login state remains.
How could I fix that?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Can't Logout from Ambari with Knox SSO

Cloudera Employee

@Kei Miyauchi,

Do you see any error like this in your ambari-server logs and ambari-agent logs.

30 Oct 2018 17:12:14,908 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.
30 Oct 2018 17:12:14,910 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token
30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.

30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token.

If this is the case then you should check the knosso.token.ttl property. This you can find in Ambari > Knox > Configs > Advanced knoxsso-topology.

knosso.token.ttl should be 30 seconds by default. checkout the below kb article.

https://community.hortonworks.com/content/supportkb/223278/errorjwt-authentication-failed-invalid-jw...

and if this is not the issue then can you please upload the ambari-sever logs ambari-audit logs.

Hope this helps!!!!!!!!

View solution in original post

8 REPLIES 8
Highlighted

Re: Can't Logout from Ambari with Knox SSO

Contributor

What error do you see in the logs ?

Highlighted

Re: Can't Logout from Ambari with Knox SSO

Hi, @Sandeep More

When I try to log out, the log below leaves on ambari-audit.log.

2018-11-27T09:12:37.720+0900, User(my user), RemoteIp(ip), Operation(Logout), Status(Success)
2018-11-27T09:12:37.925+0900, User(null), RemoteIp(ip), Operation(User login), Roles(
), Status(Failed), Reason(Authentication required), Consecutive failures(UNKNOWN USER)
2018-11-27T09:12:37.927+0900, User(my user), RemoteIp(ip), Operation(User login), Roles(
    SmartSense View: View User, View User, View User, View User, View User, View User, View User, View User
    (my domain): Cluster Administrator
    Hive View 2.0: View User
    Hive View: View User
    Ambari: Ambari Administrator
    Files View: View User
    Tez View: View User
    YARN Queue Manager: View User
), Status(Success)
<br>
Highlighted

Re: Can't Logout from Ambari with Knox SSO

Cloudera Employee

@Kei Miyauchi,

Do you see any error like this in your ambari-server logs and ambari-agent logs.

30 Oct 2018 17:12:14,908 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.
30 Oct 2018 17:12:14,910 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token
30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.

30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token.

If this is the case then you should check the knosso.token.ttl property. This you can find in Ambari > Knox > Configs > Advanced knoxsso-topology.

knosso.token.ttl should be 30 seconds by default. checkout the below kb article.

https://community.hortonworks.com/content/supportkb/223278/errorjwt-authentication-failed-invalid-jw...

and if this is not the issue then can you please upload the ambari-sever logs ambari-audit logs.

Hope this helps!!!!!!!!

View solution in original post

Highlighted

Re: Can't Logout from Ambari with Knox SSO

@gyadav

I found that knoxsso.token.ttl was 10 hours. I set it 30 seconds and it worked.
However, I want to set long TTL because I'm using other components which authenticates users by Knox only. If I set TTL 30 seconds, such components wil require login every 30 seconds.

Is there a way like this?
1. make Ambari invalidate JWT not only its own session when I logout from Ambari
2. make Ambari authenticate users by Knox only(forbid to have its own session)

Any information helps.

Re: Can't Logout from Ambari with Knox SSO

Explorer

@gyadav

I tried this option of changing the ttl value. It is still not working for me. After I logout it redirects to login page and automatically logins in. 

Please can you help me.

 

Thanks,

Gazal

Highlighted

Re: Can't Logout from Ambari with Knox SSO

Cloudera Employee

@Kei Miyauchi,

Great it worked!!!! Kindly accept my previous answer.

Regarding your query, Which all components you are using to authenticate via knox.

Highlighted

Re: Can't Logout from Ambari with Knox SSO

@gyadav

I'm using NiFi, and Oozie's web UI.

Highlighted

Re: Can't Logout from Ambari with Knox SSO

I created another Knox topology whose token has long TTL, and assigned it to NiFi.
It's not SSO because Token is separated. I should type my username and password to Ambari even if I already logged in to NiFi. But at least I can logout from Ambari(and don't have to re-login to NiFi each 30 seconds).

Thank you for all your help.

Don't have an account?
Coming from Hortonworks? Activate your account here