
Failed to implement Knox Gateway

Hello, we are trying to set up Knox in SSO mode as a gateway (the default mode works).

Here is the error in the gateway.log logs: https://HOST:8443/gateway/knoxsso/ambari/

“2018-05-17 15:17:45,622 WARN  hadoop.gateway (GatewayFilter.java:doFilter(162)) - Failed to match path /ambari/”

And for this GET request: https://HOST:8443/gateway/knoxsso/knoxauth/login.html

2018-05-17 15:20:15,978 ERROR hadoop.gateway (GatewayServlet.java:service(146)) - Gateway processing failed: javax.servlet.ServletException: java.lang.NullPointerException
javax.servlet.ServletException: java.lang.NullPointerException
    at org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196)

The configuration files are as follows:

Advanced topology

    <topology>
        <gateway>
            <provider>
                <role>authentication</role>
                <name>ShiroProvider</name>
                <enabled>true</enabled>
                <param>
                    <name>sessionTimeout</name>
                    <value>30</value>
                </param>
                <param>
                    <name>main.ldapRealm</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                </param>
                <param>
                    <name>main.ldapRealm.userDnTemplate</name>
                    <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.url</name>
                    <value>ldap://{{knox_host_name}}:33389</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                    <value>simple</value>
                </param>
                <param>
                    <name>urls./**</name>
                    <value>authcBasic</value>
                </param>
            </provider>
            <provider>
                <role>identity-assertion</role>
                <name>Default</name>
                <enabled>true</enabled>
            </provider>
            <provider>
                <role>authorization</role>
                <name>AclsAuthz</name>
                <enabled>true</enabled>
            </provider>
        </gateway>

        <service>
            <role>NAMENODE</role>
            <url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
        </service>

        <service>
            <role>JOBTRACKER</role>
            <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
        </service>

        <service>
            <role>WEBHDFS</role>
            {{webhdfs_service_urls}}
        </service>

        <service>
            <role>WEBHCAT</role>
            <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
        </service>

        <service>
            <role>OOZIE</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
        </service>

        <service>
            <role>WEBHBASE</role>
            <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
        </service>

        <service>
            <role>HIVE</role>
            <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
        </service>

        <service>
            <role>RESOURCEMANAGER</role>
            <url>http://{{rm_host}}:{{rm_port}}/ws</url>
        </service>

        <service>
            <role>DRUID-COORDINATOR-UI</role>
            {{druid_coordinator_urls}}
        </service>

        <service>
            <role>DRUID-COORDINATOR</role>
            {{druid_coordinator_urls}}
        </service>

        <service>
            <role>DRUID-OVERLORD-UI</role>
            {{druid_overlord_urls}}
        </service>

        <service>
            <role>DRUID-OVERLORD</role>
            {{druid_overlord_urls}}
        </service>

        <service>
            <role>DRUID-ROUTER</role>
            {{druid_router_urls}}
        </service>

        <service>
            <role>DRUID-BROKER</role>
            {{druid_broker_urls}}
        </service>

        <service>
            <role>ZEPPELINUI</role>
            {{zeppelin_ui_urls}}
        </service>
        <service>
            <role>ZEPPELINWS</role>
            {{zeppelin_ws_urls}}
        </service>

        <service>
            <role>AMBARIUI</role>
            <url>http://HOST:8080</url>
        </service>
    </topology>


Advanced knoxsso-topology

    <topology>
        <gateway>
            <provider>
                <role>webappsec</role>
                <name>WebAppSec</name>
                <enabled>true</enabled>
                <param><name>xframe.options.enabled</name><value>true</value></param>
            </provider>
            <provider>
                <role>authentication</role>
                <name>ShiroProvider</name>
                <enabled>true</enabled>
                <param>
                    <name>sessionTimeout</name>
                    <value>30</value>
                </param>
                <param>
                    <name>redirectToUrl</name>
                    <value>/gateway/knoxsso/knoxauth/login.html</value>
                </param>
                <param>
                    <name>restrictedCookies</name>
                    <value>rememberme,WWW-Authenticate</value>
                </param>
                <param>
                    <name>main.ldapRealm</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                </param>
                <param>
                    <name>main.ldapContextFactory</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory</name>
                    <value>$ldapContextFactory</value>
                </param>
                <param>
                    <name>main.ldapRealm.userDnTemplate</name>
                    <value>uid={0},cn=users,cn=accounts,dc=pocbigdata,dc=hpmetier,dc=sf,dc=intra,dc=toto,dc=fr</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.url</name>
                    <value>ldap://HOST:389</value>
                </param>
                <param>
                    <name>main.ldapRealm.authenticationCachingEnabled</name>
                    <value>false</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                    <value>simple</value>
                </param>
                <param>
                    <name>urls./**</name>
                    <value>authcBasic</value>
                </param>
                <param>
                    <name>main.ldapRealm.userSearchAttributeName</name>
                    <value>uid</value>
                </param>
                <param>
                    <name>main.ldapRealm.authorizationEnabled</name>
                    <value>true</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.systemUsername</name>
                    <value>uid=bigdata,cn=sysaccounts,dc=pocbigdata,dc=toto,dc=sf,dc=intra,dc=toto,dc=fr</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.systemPassword</name>
                    <value>bigdata</value>
                </param>
            </provider>

            <provider>
                <role>identity-assertion</role>
                <name>Default</name>
                <enabled>true</enabled>
            </provider>
        </gateway>

        <application>
            <name>knoxauth</name>
        </application>

        <service>
            <role>KNOXSSO</role>
            <param>
                <name>knoxsso.cookie.secure.only</name>
                <value>false</value>
            </param>
            <param>
                <name>knoxsso.token.ttl</name>
                <value>30000</value>
            </param>
            <param>
                <name>knoxsso.redirect.whitelist.regex</name>
                <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
            </param>
        </service>
    </topology>
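
An added example, not part of the original post and not Knox's own code: a small Python check that reads the params of the knoxsso topology posted above and reports the settings a reviewer would flag before this gateway leaves a test environment. The function names, the finding codes and the gateway.example.com URL are constructed for illustration; treating the whitelist value as a `;`-separated list is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the knoxsso topology from the post: only the params checked below.
TOPOLOGY = r"""<topology><gateway><provider>
  <role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
  <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://HOST:389</value></param>
  <param><name>main.ldapRealm.contextFactory.authenticationMechanism</name><value>simple</value></param>
  <param><name>main.ldapRealm.contextFactory.systemPassword</name><value>bigdata</value></param>
</provider></gateway>
<service><role>KNOXSSO</role>
  <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
  <param><name>knoxsso.redirect.whitelist.regex</name><value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value></param>
</service></topology>"""


def params(topology_xml):
    """Flatten every <param> in the topology into a {name: value} dict."""
    root = ET.fromstring(topology_xml)
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in root.iter("param")}


def audit(topology_xml, original_url):
    """Return finding codes; original_url is where SSO is asked to redirect back to."""
    p = params(topology_xml)
    findings = []
    url = p.get("main.ldapRealm.contextFactory.url", "")
    mech = p.get("main.ldapRealm.contextFactory.authenticationMechanism", "")
    if url.startswith("ldap://") and mech == "simple":
        findings.append("ldap-cleartext-bind")       # bind password sent without TLS
    pw = p.get("main.ldapRealm.contextFactory.systemPassword")
    if pw and not pw.startswith("${ALIAS="):
        findings.append("literal-system-password")   # secret readable in the topology
    if p.get("knoxsso.cookie.secure.only", "true").lower() != "true":
        findings.append("cookie-not-secure-only")    # SSO cookie allowed over plain HTTP
    # Assumption: the whitelist value may hold several ';'-separated expressions.
    regexes = [r for r in p.get("knoxsso.redirect.whitelist.regex", "").split(";") if r]
    if regexes and not any(re.fullmatch(r, original_url) for r in regexes):
        findings.append("redirect-not-whitelisted")  # redirect target outside whitelist
    return findings


if __name__ == "__main__":
    # Constructed gateway URL; the post only shows HOST as a placeholder.
    for finding in audit(TOPOLOGY, "https://gateway.example.com:8443/gateway/default/ambari/"):
        print(finding)
```

With the posted whitelist, only redirect targets on localhost or a loopback address pass the last check.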

