Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

KNOX SSO ambari login redirect Issue

avatar
Contributor

I have installed ambari-server and knox in two different server and done all necessary setups for ldaps and sso.but when i log in to ambari, it is sucessfully getting redirected to knox gateway and after i give credentials it goes to ambari ui and then coming back to knox gateway log in screen.

In ambari-server.log i dont see any error and on gateway.log i am only seeing below infos:

  1. 2017-08-10 12:35:43,460 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(691)) - Computed userDn: uid=xx,ou=People,dc=xx,dc=com using dnTemplate for principal: satya 2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(102)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure. 2017-08-10 12:35:43,466 INFO service.knoxsso (WebSSOResource.java:init(109)) - The cookie max age is being set to: session. 2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(113)) - The SSO cookie max age configuration is invalid: session - using default. 2017-08-10 12:35:43,467 INFO service.knoxsso (WebSSOResource.java:getCookieValue(318)) - Unable to find cookie with name: original-url 2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(292)) - JWT cookie successfully added. 2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(202)) - About to redirect to original URL: http://xxxxx:9081/

Appreciate any help to resolve this.

16 REPLIES 16

avatar

@soumya swain

Have you checked this tutorial? It has some steps not listed in the official docs.

avatar
Explorer

Can you show me the gateway-audit log located in the same directory?

avatar
Contributor

yes, I am getting below messages in gateway-audit.log

  • 17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET 17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET 17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200 17/08/11 14:55:53 ||abcb2bad-986f-46f4-a7e6-8b18306eaf3b|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200 17/08/11 14:55:53 ||690bd0e2-5de7-4fe0-b507-0d6e5a783d59|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/favicon.ico|unavailable|Request method: GET 17/08/11 14:55:53 ||690bd0e2-5de7-4fe0-b507-0d6e5a783d59|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/favicon.ico|success|Response status: 200 17/08/11 14:55:59 ||fc76ac04-b822-49a9-bbfe-efa20dcc6037|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET 17/08/11 14:55:59 ||b03ff0c4-5e76-495f-b15c-4548194f7ab5|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET 17/08/11 14:55:59 ||b03ff0c4-5e76-495f-b15c-4548194f7ab5|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200 17/08/11 14:55:59 ||fc76ac04-b822-49a9-bbfe-efa20dcc6037|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200

avatar
Expert Contributor

@soumya swain Two things that can go wrong here.
1) The KnoxSSO expects a valid hostname with domain name, as the cookie will be set for that specific domain. So your hostname needs to be in format "{somehost}.{someorganisation}.{someTLD}", e.g. knoxhost.example.com. You can achieve this by making an extra entry in your /etc/hosts file at both the nodes.

2) You need to provide Knox SSL certificate as "Public Certificate pem" value when executing "ambari-server setup-sso" command. Easiest way to get it, is below command. Paste the content between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" as "Public Certificate pem" value.

openssl s_client -connect knoxhost.example.com:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > knoxssoAmbari.crt

avatar
New Contributor

You are trying to authenticate to a non secured url (http://xxxxx:9081/) with the below configuration. knoxsso.cookie.secure.only = true.

If its is a dev or test environment change knoxsso.cookie.secure.only to false and make a try.

avatar
New Contributor

Anyone made it work? I have tried the above and still in the same situation. Ambari gets redirected again and again to the authentication portal, whatever it is (LDAP, SAML, OpenID).

Any more ideas?

avatar
New Contributor

I made it working with CAS server as well as built-in Knox IDP. But the single log out is not working properly.

avatar
New Contributor

I have checked my ambari-audit.log and asks for LDAP syncing, however ambari is configured to rely on knox.

I don't think 'ambari-server setup-ldap' would be needed if ambari redirects to knox, right?

2018-01-19T08:54:26.761Z, User(null), RemoteIp(X.X.X.X), Operation(User login), Roles( ), Status(Failed), Reason(Authentication required) 2018-01-19T08:54:26.765Z, User(guest), RemoteIp(X.X.X.X), Operation(User login), Roles( ), Status(Failed), Reason(Cannot find user from JWT. Please, ensure LDAP is configured and users are synced.)

avatar
New Contributor

I didn't try with local users. I think it required remote users (LDAP) to work KNOX SSO.