Help - AD Integration with Knox


@Ali Bajwa or others, can you help me on this?

Your help is very much appreciated.

Issue:

***************************************************************************************************************

Unable to integrate AD with Knox and below issue is observed:

[root@master ~]# curl -i -k -u hr1:Passw0rd1! -X GET 'https://master.lab.hortonworks.net:8443/gateway/default/webhdfs/v1/user/?op=LISTSTATUS'
HTTP/1.1 403 Forbidden
Date: Thu, 20 Apr 2017 08:11:08 GMT
Set-Cookie: JSESSIONID=blc9haea897l1iutkqvh488tl;Path=/gateway/default;Secure;HttpOnly
Set-Cookie: rememberMe=deleteMe; Path=/gateway/default; Max-Age=0; Expires=Wed, 19-Apr-2017 08:11:08 GMT
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 316
Server: Jetty(9.2.15.v20160210)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 403 Forbidden</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /gateway/default/webhdfs/v1/user/. Reason:
<pre>    Forbidden</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
</body>
</html>

[root@master ~]# id hr1
uid=1515401116(hr1) gid=1515400513(domain users) groups=1515400513(domain users),1515401122(hr)
[root@master ~]#

***************************************************************************************************************

The Knox properties are present in the attachment: knox-ad-properties-advanced-topology.txt

Can someone please help me on this?

Many, many thanks for your valuable time.


Re: Help - AD Integration with Knox


@HadoopAdmin India

Check the gateway.log and gateway-audit.log; they will have a clear exception about why the hr1 user is forbidden access to the URL.

Also, the topology file doesn't seem to be correct; I don't see any URL info for webhdfs or any other service.

Re: Help - AD Integration with Knox


Does your user have access to HDFS defined in Ranger?

Re: Help - AD Integration with Knox


Hi All,

Many thanks for your time on this query.

I resolved the issue, and the problem was the following:

<provider>
    <role>authorization</role>
    <name>XASecurePDPKnox</name>
    <enabled>true</enabled>
</provider>

I changed it to:

<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
</provider>

It is working now.

The error below was observed in the gateway log, which made me change the authorization to AclsAuthz:

2017-04-24 02:03:05,611 ERROR knox.RangerPDPKnoxFilter (RangerPDPKnoxFilter.java:getKnoxSubject(205)) - Failed to get Storm server login subject
javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.initiate
    at javax.security.auth.login.LoginContext.init(LoginContext.java:264)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:348)
    at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.getKnoxSubject(RangerPDPKnoxFilter.java:199)
    at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.init(RangerPDPKnoxFilter.java:69)
    at org.apache.ranger.authorization.knox.RangerPDPKnoxFilter.init(RangerPDPKnoxFilter.java:129)
    at org.apach
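As an added check that is not part of this thread, here is a small Python linter over a constructed Knox topology. It flags the two defects the replies point at: a Ranger authorization provider (XASecurePDPKnox) configured on a gateway where the Ranger Knox plugin is not enabled, which is what produced the 403 above, and a service entry with no url. It also warns when AclsAuthz is in place without a ROLE.acl param, since Knox then lets every authenticated user through to that service. The sample topology is constructed, and the ROLE.acl parameter form is taken from the Knox AclsAuthz documentation as an assumption, not from the poster's attachment.

```python
# Added example, not from the thread or the Knox project: lint a Knox topology for the
# misconfigurations discussed above. Sample topology and parameter names are constructed.
import xml.etree.ElementTree as ET

# Constructed sample resembling the poster's topology: Ranger authorization provider
# enabled, and a WEBHDFS service declared without any <url>.
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider><role>authentication</role><name>ShiroProvider</name><enabled>true</enabled></provider>
    <provider><role>authorization</role><name>XASecurePDPKnox</name><enabled>true</enabled></provider>
  </gateway>
  <service><role>WEBHDFS</role></service>
</topology>"""


def lint_topology(xml_text, ranger_plugin_enabled):
    """Return a list of findings (strings) for a Knox topology document."""
    findings = []
    root = ET.fromstring(xml_text)
    services = list(root.iter("service"))
    authz = [p for p in root.iter("provider") if p.findtext("role") == "authorization"]
    if not authz:
        findings.append("no authorization provider: every authenticated user is allowed")
    for p in authz:
        name = p.findtext("name")
        enabled = (p.findtext("enabled") or "").strip().lower() == "true"
        # <param><name>..</name><value>..</value></param> entries of this provider
        params = {q.findtext("name"): q.findtext("value") for q in p.iter("param")}
        if name == "XASecurePDPKnox" and enabled and not ranger_plugin_enabled:
            findings.append("XASecurePDPKnox requires the Ranger Knox plugin; without it "
                            "the filter fails to initialise and every request gets 403")
        if name == "AclsAuthz" and enabled:
            for svc in services:
                role = svc.findtext("role") or ""
                # Assumed AclsAuthz convention: <ROLE>.acl = "users;groups;ips"
                if f"{role}.acl" not in params:
                    findings.append(f"AclsAuthz has no {role}.acl param: "
                                    f"all authenticated users can reach {role}")
    for svc in services:
        role = svc.findtext("role")
        if svc.find("url") is None:
            findings.append(f"service {role} has no <url>; Knox cannot proxy it")
    return findings


if __name__ == "__main__":
    for finding in lint_topology(SAMPLE_TOPOLOGY, ranger_plugin_enabled=False):
        print("FINDING:", finding)
```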

Re: Help - AD Integration with Knox


@HadoopAdmin India

Glad to hear you resolved it.

That's why I asked whether you gave access to the resource via Ranger. "XASecurePDPKnox" is Ranger authorization.

Re: Help - AD Integration with Knox


@rguruvannagari, thanks for your tip.

@Edgar, the Ranger plugin is not enabled for Knox yet.