Help - AD Integration with Knox


@Ali Bajwa or others, can you help me with this?

Your help is very much appreciated.



Unable to integrate AD with Knox; the issue below is observed:

[root@master ~]# curl -i -k -u hr1:Passw0rd1! -X GET ''
HTTP/1.1 403 Forbidden
Date: Thu, 20 Apr 2017 08:11:08 GMT
Set-Cookie: JSESSIONID=blc9haea897l1iutkqvh488tl;Path=/gateway/default;Secure;HttpOnly
Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Wed, 19-Apr-2017 08:11:08 GMT
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 316
Server: Jetty(9.2.15.v20160210)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 403 Forbidden</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /gateway/default/webhdfs/v1/user/. Reason:
<pre>    Forbidden</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
</body>
</html>
[root@master ~]# id hr1
uid=1515401116(hr1) gid=1515400513(domain users) groups=1515400513(domain users),1515401122(hr)
[root@master ~]#


Knox properties are present in the attachment - knox-ad-properties-advanced-topology.txt

Can someone please help me with this?

Many, many thanks for your valuable time.


Super Collaborator

@HadoopAdmin India

Check gateway.log and gateway-audit.log; they will have a clear exception showing why the hr1 user is forbidden access to the URL.

And the topology file doesn't seem to be correct; I don't see any URL info for webhdfs or any other service.

Expert Contributor

Does your user have access to HDFS defined in Ranger?


Hi All,

Many thanks for your time on this query.

I resolved the issue; the problem was the one below:

<provider>
    <role>authorization</role>
    <name>XASecurePDPKnox</name>
    <enabled>true</enabled>
</provider>

I changed it to:

<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
</provider>

It is working now.

The error below was observed in the gateway log, which made me change the authorization to AclsAuthz:

2017-04-24 02:03:05,611 ERROR knox.RangerPDPKnoxFilter ( - Failed to get Storm server login subject No LoginModules configured for at at<init>( at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.getKnoxSubject( at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.init( at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.init( at org.apach

Expert Contributor

@HadoopAdmin India

Glad to hear you resolved it.

That's why I asked whether you gave access to the resource via Ranger. "XASecurePDPKnox" is Ranger authorization.


rguruvannagari thanks for your tip.

@Edgar Ranger plugin is not enabled for Knox, yet.
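
An added example (not from the thread or from the Knox project): a small check over a topology file for the points raised above, namely which authorization provider is enabled and whether each service has a URL. The sample topology, the hostname, and the `<service role in lowercase>.acl` parameter naming for AclsAuthz are assumptions, as is the premise that a service without such a parameter is open to every authenticated user.

```python
import xml.etree.ElementTree as ET

# Constructed sample topology (not the poster's attachment); hostname is a placeholder.
SAMPLE = """<topology>
  <gateway>
    <provider><role>authorization</role><name>AclsAuthz</name><enabled>true</enabled></provider>
  </gateway>
  <service><role>WEBHDFS</role><url>http://namenode.example:50070/webhdfs</url></service>
  <service><role>WEBHCAT</role></service>
</topology>"""

def audit_topology(xml_text):
    """Return a list of findings about the authorization provider and services."""
    root = ET.fromstring(xml_text)
    findings = []
    authz = [p for p in root.iter("provider")
             if (p.findtext("role") or "").strip() == "authorization"
             and (p.findtext("enabled") or "").strip().lower() == "true"]
    if not authz:
        findings.append("no enabled authorization provider")
    services = list(root.iter("service"))
    for svc in services:
        role = (svc.findtext("role") or "").strip()
        if not (svc.findtext("url") or "").strip():
            findings.append(f"{role}: service has no <url>")
    for prov in authz:
        name = (prov.findtext("name") or "").strip()
        if name == "XASecurePDPKnox":
            findings.append("XASecurePDPKnox: decisions come from Ranger; "
                            "needs the Ranger Knox plugin and a policy for the user")
        elif name == "AclsAuthz":
            # Assumption: ACLs are params named "<service role, lowercase>.acl".
            acls = {(p.findtext("name") or "").strip().lower()
                    for p in prov.iter("param")}
            for svc in services:
                role = (svc.findtext("role") or "").strip()
                if f"{role.lower()}.acl" not in acls:
                    findings.append(f"{role}: no {role.lower()}.acl param, "
                                    "access is not restricted by ACL")
    return findings

if __name__ == "__main__":
    for line in audit_topology(SAMPLE):
        print(line)
```
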
