Can't Logout from Ambari with Knox SSO

Hi, I'm using Knox to log in to Ambari 2.7 and other components.
I found that I can't log out from Ambari.
When I click the "Sign out" button, it redirects to Ambari's login view (/#/login), and then redirects to the Dashboard (/#/main/dashboard/metrics). The login state remains.
How could I fix that?

1 ACCEPTED SOLUTION

Cloudera Employee

@Kei Miyauchi,

Do you see any error like this in your ambari-server logs and ambari-agent logs?

30 Oct 2018 17:12:14,908 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.
30 Oct 2018 17:12:14,910 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token
30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.

30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token.

If this is the case then you should check the knoxsso.token.ttl property. You can find this in Ambari > Knox > Configs > Advanced knoxsso-topology.

knoxsso.token.ttl should be 30 seconds by default. Check out the KB article below.

https://community.hortonworks.com/content/supportkb/223278/errorjwt-authentication-failed-invalid-jw...

And if this is not the issue, can you please upload the ambari-server logs and ambari-audit logs?

Hope this helps!!!!!!!!

9 REPLIES

Contributor

What error do you see in the logs?

Hi, @Sandeep More

When I try to log out, the log below is left in ambari-audit.log.

2018-11-27T09:12:37.720+0900, User(my user), RemoteIp(ip), Operation(Logout), Status(Success)
2018-11-27T09:12:37.925+0900, User(null), RemoteIp(ip), Operation(User login), Roles(
), Status(Failed), Reason(Authentication required), Consecutive failures(UNKNOWN USER)
2018-11-27T09:12:37.927+0900, User(my user), RemoteIp(ip), Operation(User login), Roles(
    SmartSense View: View User, View User, View User, View User, View User, View User, View User, View User
    (my domain): Cluster Administrator
    Hive View 2.0: View User
    Hive View: View User
    Ambari: Ambari Administrator
    Files View: View User
    Tez View: View User
    YARN Queue Manager: View User
), Status(Success)
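
The audit entries above show the symptom directly: a successful Logout followed a fraction of a second later by a successful User login for the same user and IP, which happens while the Knox-issued JWT is still within its TTL. As an added example (not part of the original posts), the sketch below parses records in this ambari-audit.log layout, including the multi-line Roles(...) field, and flags such silent re-logins. The sample users, IPs, function names and the 5-second window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the ambari-audit.log layout quoted above (users and IPs are placeholders).
SAMPLE = """\
2018-11-27T09:12:37.720+0900, User(alice), RemoteIp(192.0.2.10), Operation(Logout), Status(Success)
2018-11-27T09:12:37.925+0900, User(null), RemoteIp(192.0.2.10), Operation(User login), Roles(
), Status(Failed), Reason(Authentication required), Consecutive failures(UNKNOWN USER)
2018-11-27T09:12:37.927+0900, User(alice), RemoteIp(192.0.2.10), Operation(User login), Roles(
    Ambari: Ambari Administrator
), Status(Success)
2018-11-27T10:00:00.000+0900, User(bob), RemoteIp(192.0.2.11), Operation(Logout), Status(Success)
2018-11-27T10:05:00.000+0900, User(bob), RemoteIp(192.0.2.11), Operation(User login), Roles(
), Status(Success)
"""

START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}, ")
FIELD = re.compile(r"\b(User|RemoteIp|Operation|Status)\(([^()]*)\)")

def records(text):
    """Join continuation lines (multi-line Roles(...)) into one record per event."""
    buf = []
    for line in text.splitlines():
        if START.match(line) and buf:
            yield " ".join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def parse(rec):
    ts = datetime.strptime(rec.split(",", 1)[0], "%Y-%m-%dT%H:%M:%S.%f%z")
    return ts, dict(FIELD.findall(rec))

def silent_relogins(text, window=timedelta(seconds=5)):
    """Return (user, ip, gap) for each successful login that follows a logout within `window`."""
    last_logout, hits = {}, []
    for ts, f in map(parse, records(text)):
        key = (f.get("User"), f.get("RemoteIp"))
        if f.get("Status") != "Success":
            continue  # failed attempts such as User(null) are not a re-login
        if f.get("Operation") == "Logout":
            last_logout[key] = ts
        elif f.get("Operation") == "User login" and key in last_logout:
            gap = ts - last_logout.pop(key)
            if gap <= window:
                hits.append((key[0], key[1], gap))
    return hits
```

A hit means the logout only ended Ambari's own session; a login several minutes later, as in the second constructed user, is not flagged.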

@gyadav

I found that knoxsso.token.ttl was 10 hours. I set it to 30 seconds and it worked.
However, I want to set a long TTL because I'm using other components which authenticate users by Knox only. If I set the TTL to 30 seconds, such components will require login every 30 seconds.

Is there a way like this?
1. Make Ambari invalidate the JWT, not only its own session, when I log out from Ambari
2. Make Ambari authenticate users by Knox only (forbid it to have its own session)

Any information helps.

Explorer

@gyadav

I tried this option of changing the ttl value. It is still not working for me. After I log out it redirects to the login page and automatically logs in.

Please can you help me.

Thanks,

Gazal

Explorer

Hi @gyadav ,

I have configured knox-sso for ranger, hdfs and yarn ui, but I am getting the "username and password is incorrect" error. I have checked the knox-audit log and also the ambari logs but am not able to find the root cause. The hdp env is 3.0.1.
Thanks in advance.

Cloudera Employee

@Kei Miyauchi,

Great it worked!!!! Kindly accept my previous answer.

Regarding your query, which components are you using to authenticate via Knox?

@gyadav

I'm using NiFi, and Oozie's web UI.

I created another Knox topology whose token has a long TTL, and assigned it to NiFi.
It's not SSO because the token is separated. I should type my username and password to Ambari even if I already logged in to NiFi. But at least I can log out from Ambari (and don't have to re-login to NiFi every 30 seconds).

Thank you for all your help.
