
KNOX SSO ambari login redirect Issue


New Contributor

I have installed ambari-server and Knox on two different servers and done all the necessary setup for LDAPS and SSO. But when I log in to Ambari, it is successfully redirected to the Knox gateway, and after I give credentials it goes to the Ambari UI and then comes back to the Knox gateway login screen.

In ambari-server.log I don't see any error, and in gateway.log I am only seeing the below info:

    2017-08-10 12:35:43,460 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(691)) - Computed userDn: uid=xx,ou=People,dc=xx,dc=com using dnTemplate for principal: satya
    2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(102)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
    2017-08-10 12:35:43,466 INFO service.knoxsso (WebSSOResource.java:init(109)) - The cookie max age is being set to: session.
    2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(113)) - The SSO cookie max age configuration is invalid: session - using default.
    2017-08-10 12:35:43,467 INFO service.knoxsso (WebSSOResource.java:getCookieValue(318)) - Unable to find cookie with name: original-url
    2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(292)) - JWT cookie successfully added.
    2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(202)) - About to redirect to original URL: http://xxxxx:9081/

Appreciate any help to resolve this.

15 REPLIES

Re: KNOX SSO ambari login redirect Issue

@soumya swain

Have you checked this tutorial? It has some steps not listed in the official docs.

Re: KNOX SSO ambari login redirect Issue

New Contributor

Can you show me the gateway-audit log located in the same directory?

Re: KNOX SSO ambari login redirect Issue

New Contributor

Yes, I am getting the below messages in gateway-audit.log:

    17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET
    17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET
    17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200
    17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200
    17/08/11 14:55:53 ||690bd0e2-5de7-4fe0-b507-0d6e5a783d59|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/favicon.ico|unavailable|Request method: GET
    17/08/11 14:55:53 ||690bd0e2-5de7-4fe0-b507-0d6e5a783d59|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/favicon.ico|success|Response status: 200
    17/08/11 14:55:59 ||fc76ac04-b822-49a9-bbfe-efa20dcc6037|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET
    17/08/11 14:55:59 ||b03ff0c4-5e76-495f-b15c-4548194f7ab5|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET
    17/08/11 14:55:59 ||b03ff0c4-5e76-495f-b15c-4548194f7ab5|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200
    17/08/11 14:55:59 ||fc76ac04-b822-49a9-bbfe-efa20dcc6037|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200

Re: KNOX SSO ambari login redirect Issue

Rising Star

@soumya swain Two things can go wrong here.

1) KnoxSSO expects a valid hostname with a domain name, as the cookie will be set for that specific domain. So your hostname needs to be in the format "{somehost}.{someorganisation}.{someTLD}", e.g. knoxhost.example.com. You can achieve this by making an extra entry in your /etc/hosts file on both nodes.

2) You need to provide the Knox SSL certificate as the "Public Certificate pem" value when executing the "ambari-server setup-sso" command. The easiest way to get it is the command below. Paste the content between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" as the "Public Certificate pem" value.

    openssl s_client -connect knoxhost.example.com:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > knoxssoAmbari.crt

Re: KNOX SSO ambari login redirect Issue

New Contributor

You are trying to authenticate to a non-secured URL (http://xxxxx:9081/) with the below configuration: knoxsso.cookie.secure.only = true.

If it is a dev or test environment, change knoxsso.cookie.secure.only to false and give it a try.

Re: KNOX SSO ambari login redirect Issue

New Contributor

Anyone made it work? I have tried the above and still in the same situation. Ambari gets redirected again and again to the authentication portal, whatever it is (LDAP, SAML, OpenID).

Any more ideas?

Re: KNOX SSO ambari login redirect Issue

New Contributor

I made it work with a CAS server as well as the built-in Knox IDP. But single logout is not working properly.

Re: KNOX SSO ambari login redirect Issue

New Contributor

I have checked my ambari-audit.log and it asks for LDAP syncing; however, Ambari is configured to rely on Knox.

I don't think 'ambari-server setup-ldap' would be needed if Ambari redirects to Knox, right?

    2018-01-19T08:54:26.761Z, User(null), RemoteIp(X.X.X.X), Operation(User login), Roles( ), Status(Failed), Reason(Authentication required)
    2018-01-19T08:54:26.765Z, User(guest), RemoteIp(X.X.X.X), Operation(User login), Roles( ), Status(Failed), Reason(Cannot find user from JWT. Please, ensure LDAP is configured and users are synced.)

Re: KNOX SSO ambari login redirect Issue

New Contributor

I didn't try with local users. I think it requires remote users (LDAP) for Knox SSO to work.
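
An added example, not part of any post in this thread and not Knox or Ambari code: a small Python check that applies the three causes raised in the replies (hostname without a domain, a Secure cookie sent to an http:// URL, a JWT user unknown to Ambari) to the log lines quoted above. The finding codes, the function name, and the rule that a missing SecureOnly warning means the cookie is Secure are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

REDIRECT = re.compile(r"About to redirect to original URL: (\S+)")
SECURE_OFF = "SSO cookie SecureOnly flag is set to FALSE"
JWT_MISS = re.compile(r"User\(([^)]*)\).*Reason\(Cannot find user from JWT")

def diagnose(gateway_log, ambari_audit_log=""):
    """Return (code, detail) findings for a KnoxSSO/Ambari redirect loop."""
    findings = []
    # Assumption: no SecureOnly warning in gateway.log means the cookie is Secure.
    secure_only = SECURE_OFF not in gateway_log
    for url in sorted(set(REDIRECT.findall(gateway_log))):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if "." not in host:
            # Reply 1: the SSO cookie is scoped to a domain, so a bare host breaks it.
            findings.append(("bare-hostname", host))
        if secure_only and parts.scheme == "http":
            # Reply 2: a Secure cookie is never sent back over plain HTTP.
            findings.append(("secure-cookie-over-http", url))
    for user in sorted(set(JWT_MISS.findall(ambari_audit_log))):
        # Later reply: Ambari accepted the token but has no matching user.
        findings.append(("jwt-user-not-in-ambari", user))
    return findings

# Lines quoted from the thread (hosts already masked by the posters).
THREAD_GATEWAY = """\
2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(102)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(292)) - JWT cookie successfully added.
2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(202)) - About to redirect to original URL: http://xxxxx:9081/
"""
THREAD_AUDIT = """\
2018-01-19T08:54:26.761Z, User(null), RemoteIp(X.X.X.X), Operation(User login), Roles( ), Status(Failed), Reason(Authentication required)
2018-01-19T08:54:26.765Z, User(guest), RemoteIp(X.X.X.X), Operation(User login), Roles( ), Status(Failed), Reason(Cannot find user from JWT. Please, ensure LDAP is configured and users are synced.)
"""
# Constructed line: FQDN target, plain HTTP, no SecureOnly warning logged.
CONSTRUCTED = ("2017-08-10 12:35:43,470 INFO service.knoxsso "
               "(WebSSOResource.java:getAuthenticationToken(202)) - "
               "About to redirect to original URL: http://ambari.example.com:8080/")

if __name__ == "__main__":
    for finding in diagnose(THREAD_GATEWAY, THREAD_AUDIT) + diagnose(CONSTRUCTED):
        print(finding)
```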