
Help - AD Integration with Knox

Explorer

@Ali Bajwa or others, can you help me on this?

Your help is very much appreciated.

Issue:

***************************************************************************************************************

Unable to integrate AD with Knox and below issue is observed:

[root@master ~]# curl -i -k -u hr1:Passw0rd1! -X GET 'https://master.lab.hortonworks.net:8443/gateway/default/webhdfs/v1/user/?op=LISTSTATUS'
HTTP/1.1 403 Forbidden
Date: Thu, 20 Apr 2017 08:11:08 GMT
Set-Cookie: JSESSIONID=blc9haea897l1iutkqvh488tl;Path=/gateway/default;Secure;HttpOnly
Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Wed, 19-Apr-2017 08:11:08 GMT
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 316
Server: Jetty(9.2.15.v20160210)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 403 Forbidden</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /gateway/default/webhdfs/v1/user/. Reason:
<pre>    Forbidden</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
</body>
</html>
[root@master ~]# id hr1
uid=1515401116(hr1) gid=1515400513(domain users) groups=1515400513(domain users),1515401122(hr)
[root@master ~]#

***************************************************************************************************************

Knox properties are present in the attachment - knox-ad-properties-advanced-topology.txt

Can someone please help me on this.

Many, many thanks for your valuable time.


Super Collaborator

@HadoopAdmin India

Check the gateway.log and gateway-audit.log; they will have a clear exception about why the hr1 user is forbidden access to the URL.

And the topology file doesn't seem to be correct; I don't see any URL info for webhdfs or any other service.

Expert Contributor

Does your user have access to HDFS defined in Ranger?

Explorer

Hi All,

Many thanks for your time on this query.

I resolved the issue, and the problem is the one below:

<provider>
    <role>authorization</role>
    <name>XASecurePDPKnox</name>
    <enabled>true</enabled>
</provider>

I changed it to:

<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
</provider>

It is working now.

The below error is observed in the gateway log, which made me change the authorization to AclsAuthz:

2017-04-24 02:03:05,611 ERROR knox.RangerPDPKnoxFilter (RangerPDPKnoxFilter.java:getKnoxSubject(205)) - Failed to get Storm server login subject
javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.initiate
        at javax.security.auth.login.LoginContext.init(LoginContext.java:264)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:348)
        at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.getKnoxSubject(RangerPDPKnoxFilter.java:199)
        at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.init(RangerPDPKnoxFilter.java:69)
        at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.init(RangerPDPKnoxFilter.java:129)
        at org.apach
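As an added example (not code from this thread or from the Knox project), the script below reads the authorization provider out of a topology file and evaluates an AclsAuthz rule for a given user, group list and client IP, using a constructed topology that carries the `AclsAuthz` provider from the fix above plus an explicit `webhdfs.acl` rule. The `users;groups;ips` value format and the `<service>.acl.mode` param follow Knox's AclsAuthz documentation; the default mode (AND) and the allow-when-no-ACL behaviour are my assumptions, noted in the comments, and IP matching is simplified to exact match or `*`.

```python
"""Inspect a Knox topology's authorization provider and evaluate an AclsAuthz rule.

Constructed example; not code from the thread or from Apache Knox.
"""
import xml.etree.ElementTree as ET

# Constructed topology fragment in the shape the thread discusses.
TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
    </provider>
    <provider>
      <role>authorization</role><name>AclsAuthz</name><enabled>true</enabled>
      <param><name>webhdfs.acl.mode</name><value>AND</value></param>
      <param><name>webhdfs.acl</name><value>*;hr;*</value></param>
    </provider>
  </gateway>
  <service><role>WEBHDFS</role><url>http://master.lab.hortonworks.net:50070/webhdfs</url></service>
</topology>"""


def authorization_provider(topology_xml):
    """Return (name, enabled, params) for the authorization provider, or None if absent."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if prov.findtext("role") == "authorization":
            params = {p.findtext("name"): p.findtext("value") for p in prov.findall("param")}
            return prov.findtext("name"), prov.findtext("enabled") == "true", params
    return None


def _matches(rule, values):
    """A rule part is '*' (anything) or a comma-separated list of allowed entries."""
    return rule.strip() == "*" or bool({r.strip() for r in rule.split(",")} & set(values))


def acl_allows(params, service, user, groups, client_ip):
    """Evaluate '<service>.acl' = 'users;groups;ips' for one request."""
    acl = params.get(f"{service}.acl")
    if acl is None:
        return True  # assumption: no ACL configured for the service means any authenticated user passes
    mode = params.get(f"{service}.acl.mode", "AND").upper()  # assumption: AND when mode is not set
    users, grps, ips = acl.split(";")
    checks = [_matches(users, [user]), _matches(grps, groups), _matches(ips, [client_ip])]
    return all(checks) if mode == "AND" else any(checks)
```

Note that an `AclsAuthz` provider with no `<service>.acl` params at all, as in the accepted change, leaves authorization at the gateway open to every user AD accepts; adding a rule like the one above keeps the LDAP group check the Ranger policy would otherwise have provided.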

Expert Contributor

@HadoopAdmin India

Glad to hear you resolved it.

That's why I asked whether you gave access to the resource via Ranger. "XASecurePDPKnox" is Ranger authorization.

Explorer

rguruvannagari thanks for your tip.

@Edgar Ranger plugin is not enabled for Knox, yet.