How to use Knox for SSO?

The requirement is to open the Ambari UI without giving any credentials, using only the credentials used to log in to the system. Can this be done using Knox?

Thanks in advance

7 REPLIES

Super Mentor

@Aishwarya Dixit

Can you try Ambari SPNEGO authentication? Ambari Server Kerberos authentication is not related to the Ambari feature that enables Kerberos for a Hadoop cluster.

By default Ambari requires that a user authenticate using a user name and password. Ambari uses this authentication mechanism whether you configure it to authenticate using its internal database or synchronized with an external source, like LDAP or Active Directory. Optionally, you can configure Ambari to authenticate using Kerberos tokens via SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism).

https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-security/content/configuring_amba...

Rising Star

@Aishwarya Dixit You can achieve this using Knox as the SSO mechanism for Ambari. Follow the documentation here for enabling Ambari for KnoxSSO and configure the Form-based Identity Provider in Knox for SSO by following this link. Knox provides you a way to configure PAM-based authentication for Unix-based systems. Follow the documentation here to configure the Knox topology accordingly.

Use ShiroProvider with the below config:

<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param>
        <name>sessionTimeout</name>
        <value>30</value>
    </param>
    <param>
        <name>main.pamRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
    </param>
    <param>
        <name>main.pamRealm.service</name>
        <value>login</value>
    </param>
    <param>
        <name>urls./**</name>
        <value>authcBasic</value>
    </param>
</provider>

Hi @Krishna Pandey, @Jay Kumar SenSharma,

Thanks for the answer, that is of huge help.

I had one small query. The requirement is: "Whenever any user logs in to his system (laptop/desktop), the credentials entered have to be stored and then used to validate his/her login to Ambari; he/she need not enter the credentials again". Is this possible using Knox or PAM-based authentication?

Thanks in advance

Rising Star

@Aishwarya Dixit You can use a large value for the below parameters in the Knox-SSO topology to configure the time the cookie/token remains valid, but I won't recommend setting it to a big number for security reasons.

  1. knoxsso.token.ttl
  2. knoxsso.cookie.max.age
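
The two parameters named in the reply above, shown in a KNOXSSO service block. This is an added example, not part of the original reply or the Knox documentation; the values are constructed, and the units (milliseconds for the token, seconds for the cookie) follow the Knox user guide.

```xml
<!-- Added example: KNOXSSO service section of the knoxsso topology. -->
<!-- All values below are constructed for illustration.              -->
<service>
    <role>KNOXSSO</role>

    <!-- Only send the SSO cookie over HTTPS. -->
    <param>
        <name>knoxsso.cookie.secure.only</name>
        <value>true</value>
    </param>

    <!-- Lifetime of the signed token, in MILLISECONDS.
         Weak:    2592000000 (30 days): a copied cookie stays usable
                  for a month with no re-authentication.
         Bounded: 28800000 (8 hours, roughly one working day). -->
    <param>
        <name>knoxsso.token.ttl</name>
        <value>28800000</value>
    </param>

    <!-- Lifetime of the browser cookie, in SECONDS (note the
         different unit). Keep it no longer than the token TTL:
         a cookie that outlives its token only carries an expired
         token. If this parameter is omitted, the cookie is a
         session cookie and is dropped when the browser closes. -->
    <param>
        <name>knoxsso.cookie.max.age</name>
        <value>28800</value>
    </param>
</service>
```

Setting either value does not remove the first login at the Knox form; it only controls how long that login is honoured afterwards.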

@Krishna Pandey Hi, thanks for the reply,

The major concern is if this implementation would take the credentials from the system rather than giving them while logging in to Ambari.

Rising Star

@Aishwarya Dixit I didn't realize you are talking about bypassing built-in authentication completely for Ambari and allowing the user to access Ambari because they authenticated to the host where the service is installed. In the above approach with Knox, you need to authenticate at least once with Knox using any local user credentials. Please see if setting up the HeaderPreAuth Federation Provider can help in this regard. I don't have any other suggestion.

@Krishna Pandey Thank you so much for the reply. Will look into this.