KNOX SSO ambari login redirect Issue

Contributor

I have installed ambari-server and Knox on two different servers and done all the necessary setup for LDAPS and SSO. But when I log in to Ambari, it is successfully redirected to the Knox gateway, and after I give credentials it goes to the Ambari UI and then comes back to the Knox gateway login screen.

In ambari-server.log I don't see any errors, and in gateway.log I am only seeing the info messages below:

2017-08-10 12:35:43,460 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(691)) - Computed userDn: uid=xx,ou=People,dc=xx,dc=com using dnTemplate for principal: satya
2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(102)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
2017-08-10 12:35:43,466 INFO service.knoxsso (WebSSOResource.java:init(109)) - The cookie max age is being set to: session.
2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(113)) - The SSO cookie max age configuration is invalid: session - using default.
2017-08-10 12:35:43,467 INFO service.knoxsso (WebSSOResource.java:getCookieValue(318)) - Unable to find cookie with name: original-url
2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(292)) - JWT cookie successfully added.
2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(202)) - About to redirect to original URL: http://xxxxx:9081/

Appreciate any help to resolve this.

16 REPLIES


@soumya swain

Have you checked this tutorial? It has some steps not listed in the official docs.

Explorer

Can you show me the gateway-audit log located in the same directory?

Contributor

Yes, I am getting the messages below in gateway-audit.log:

17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET
17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET
17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200
17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200
17/08/11 14:55:53 ||690bd0e2-5de7-4fe0-b507-0d6e5a783d59|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/favicon.ico|unavailable|Request method: GET
17/08/11 14:55:53 ||690bd0e2-5de7-4fe0-b507-0d6e5a783d59|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/favicon.ico|success|Response status: 200
17/08/11 14:55:59 ||fc76ac04-b822-49a9-bbfe-efa20dcc6037|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET
17/08/11 14:55:59 ||b03ff0c4-5e76-495f-b15c-4548194f7ab5|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET
17/08/11 14:55:59 ||b03ff0c4-5e76-495f-b15c-4548194f7ab5|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200
17/08/11 14:55:59 ||fc76ac04-b822-49a9-bbfe-efa20dcc6037|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200

Expert Contributor

@soumya swain Two things can go wrong here.

1) KnoxSSO expects a valid hostname with a domain name, as the cookie will be set for that specific domain. So your hostname needs to be in the format "{somehost}.{someorganisation}.{someTLD}", e.g. knoxhost.example.com. You can achieve this by making an extra entry in your /etc/hosts file on both nodes.

2) You need to provide the Knox SSL certificate as the "Public Certificate pem" value when executing the "ambari-server setup-sso" command. The easiest way to get it is the command below. Paste the content between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" as the "Public Certificate pem" value.

openssl s_client -connect knoxhost.example.com:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > knoxssoAmbari.crt

New Contributor

You are trying to authenticate to a non-secured URL (http://xxxxx:9081/) with the configuration below: knoxsso.cookie.secure.only = true.

If it is a dev or test environment, change knoxsso.cookie.secure.only to false and give it a try.
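The two causes raised in the replies above (the cookie's domain scope and the Secure-only flag) can be checked before touching either server. The following is an added example, not part of any reply and not Knox or Ambari code; the function names are hypothetical, `ambari.example.com` is a constructed host, and the rule that the cookie domain is the Knox host minus its first label is an assumption based on the reply's description.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cookie_domain(knox_url):
    """Domain the SSO cookie is assumed to be scoped to, or None.

    Assumption (not taken from Knox source): the cookie domain is the Knox
    host minus its first label, so the host must look like host.org.tld.
    """
    host = (urlsplit(knox_url).hostname or "").lower()
    if _is_ip(host) or host.count(".") < 2:
        return None
    return host[host.index("."):]  # ".example.com"


def sso_cookie_problems(knox_url, original_url, secure_only):
    """Reasons a browser would not send the SSO cookie to original_url."""
    problems = []
    target = urlsplit(original_url)
    target_host = (target.hostname or "").lower()
    domain = cookie_domain(knox_url)
    if domain is None:
        problems.append("Knox host has no usable domain for the cookie")
    elif not ("." + target_host).endswith(domain):
        problems.append(f"{target_host} is outside cookie domain {domain}")
    if secure_only and target.scheme != "https":
        problems.append("cookie is Secure-only but original URL is not https")
    return problems


if __name__ == "__main__":
    knox = "https://knoxhost.example.com:8443/gateway/knoxsso/"
    # Original URL as it appears (masked) in the gateway.log above.
    for secure in (False, True):
        print(secure, sso_cookie_problems(knox, "http://xxxxx:9081/", secure))
    # Constructed Ambari URL inside the same domain, served over TLS.
    print(sso_cookie_problems(knox, "https://ambari.example.com:8443/", True))
```

An empty list means neither condition would stop the browser from presenting the cookie to Ambari; any entry describes a case where Ambari would see no JWT and redirect back to the login page.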

New Contributor

Has anyone made it work? I have tried the above and am still in the same situation. Ambari gets redirected again and again to the authentication portal, whatever it is (LDAP, SAML, OpenID).

Any more ideas?

New Contributor

I got it working with a CAS server as well as the built-in Knox IDP. But single logout is not working properly.

New Contributor

I have checked my ambari-audit.log and it asks for LDAP syncing; however, Ambari is configured to rely on Knox.

I don't think 'ambari-server setup-ldap' would be needed if ambari redirects to knox, right?

2018-01-19T08:54:26.761Z, User(null), RemoteIp(X.X.X.X), Operation(User login), Roles( ), Status(Failed), Reason(Authentication required)
2018-01-19T08:54:26.765Z, User(guest), RemoteIp(X.X.X.X), Operation(User login), Roles( ), Status(Failed), Reason(Cannot find user from JWT. Please, ensure LDAP is configured and users are synced.)

New Contributor

I didn't try with local users. I think it required remote users (LDAP) for KNOX SSO to work.