Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Can't Logout from Ambari with Knox SSO

Solved Go to solution

Can't Logout from Ambari with Knox SSO

New Contributor

Hi, I'm using Knox to login Ambari 2.7 and other components.
I found that I can't logout from Ambari.
When I click "Sign out" button, it redirects to Ambari's login view(/#/login), and then redirects to Dashboard.(/#/main/dashboard/metrics). Login state remains.
How could I fix that?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Can't Logout from Ambari with Knox SSO

New Contributor

@Kei Miyauchi,

Do you see any error like this in your ambari-server logs and ambari-agent logs.

30 Oct 2018 17:12:14,908 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.
30 Oct 2018 17:12:14,910 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token
30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.

30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token.

If this is the case then you should check the knosso.token.ttl property. This you can find in Ambari > Knox > Configs > Advanced knoxsso-topology.

knosso.token.ttl should be 30 seconds by default. checkout the below kb article.

https://community.hortonworks.com/content/supportkb/223278/errorjwt-authentication-failed-invalid-jw...

and if this is not the issue then can you please upload the ambari-sever logs ambari-audit logs.

Hope this helps!!!!!!!!

7 REPLIES 7

Re: Can't Logout from Ambari with Knox SSO

Contributor

What error do you see in the logs ?

Re: Can't Logout from Ambari with Knox SSO

New Contributor

Hi, @Sandeep More

When I try to log out, the log below leaves on ambari-audit.log.

2018-11-27T09:12:37.720+0900, User(my user), RemoteIp(ip), Operation(Logout), Status(Success)
2018-11-27T09:12:37.925+0900, User(null), RemoteIp(ip), Operation(User login), Roles(
), Status(Failed), Reason(Authentication required), Consecutive failures(UNKNOWN USER)
2018-11-27T09:12:37.927+0900, User(my user), RemoteIp(ip), Operation(User login), Roles(
    SmartSense View: View User, View User, View User, View User, View User, View User, View User, View User
    (my domain): Cluster Administrator
    Hive View 2.0: View User
    Hive View: View User
    Ambari: Ambari Administrator
    Files View: View User
    Tez View: View User
    YARN Queue Manager: View User
), Status(Success)
<br>

Re: Can't Logout from Ambari with Knox SSO

New Contributor

@Kei Miyauchi,

Do you see any error like this in your ambari-server logs and ambari-agent logs.

30 Oct 2018 17:12:14,908 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.
30 Oct 2018 17:12:14,910 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token
30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:381 - JWT expiration date validation failed.

30 Oct 2018 17:12:19,922 WARN [ambari-client-thread-8243] JwtAuthenticationFilter:173 - JWT authentication failed - Invalid JWT token.

If this is the case then you should check the knosso.token.ttl property. This you can find in Ambari > Knox > Configs > Advanced knoxsso-topology.

knosso.token.ttl should be 30 seconds by default. checkout the below kb article.

https://community.hortonworks.com/content/supportkb/223278/errorjwt-authentication-failed-invalid-jw...

and if this is not the issue then can you please upload the ambari-sever logs ambari-audit logs.

Hope this helps!!!!!!!!

Re: Can't Logout from Ambari with Knox SSO

New Contributor

@gyadav

I found that knoxsso.token.ttl was 10 hours. I set it 30 seconds and it worked.
However, I want to set long TTL because I'm using other components which authenticates users by Knox only. If I set TTL 30 seconds, such components wil require login every 30 seconds.

Is there a way like this?
1. make Ambari invalidate JWT not only its own session when I logout from Ambari
2. make Ambari authenticate users by Knox only(forbid to have its own session)

Any information helps.

Re: Can't Logout from Ambari with Knox SSO

New Contributor

@Kei Miyauchi,

Great it worked!!!! Kindly accept my previous answer.

Regarding your query, Which all components you are using to authenticate via knox.

Re: Can't Logout from Ambari with Knox SSO

New Contributor

@gyadav

I'm using NiFi, and Oozie's web UI.

Re: Can't Logout from Ambari with Knox SSO

New Contributor

I created another Knox topology whose token has long TTL, and assigned it to NiFi.
It's not SSO because Token is separated. I should type my username and password to Ambari even if I already logged in to NiFi. But at least I can logout from Ambari(and don't have to re-login to NiFi each 30 seconds).

Thank you for all your help.