Knox LDAP Group Look up not working for UI's (works for KNOX API service)

Expert Contributor

Hello,

I have set up Knox to authenticate with our LDAP server and everything is working except when accessing the Hadoop UIs. Users that are not part of the group I've defined in AclsAuthz are still able to log in. This works as expected when trying to access the KNOX API.

See below:

Knox topology - I expect only users in the "knox" group to have access.

    <provider>
        <role>authorization</role>
        <name>AclsAuthz</name>
        <enabled>true</enabled>
        <param name="knox.acl" value="*;knox;*"/>
    </provider>

    /bin/knoxcli.sh user-auth-test --cluster default --u mliem --p '*******' --g
    LDAP authentication successful!
    mliem is a member of: admin
    mliem is a member of: knox
    mliem is a member of: developers

    /bin/knoxcli.sh user-auth-test --cluster default --u jdoe --p '*******' --g
    LDAP authentication successful!
    jdoe is a member of: developers

--------------------------------------------------------

    curl -u mliem:'*****' -ik 'https://<knox_ip>:8443/gateway/default/api/v1/version'
    HTTP/1.1 200 OK

    curl -u jdoe:'*****' -ik 'https://<knox_ip>:8443/gateway/default/api/v1/version'
    HTTP/1.1 403 Forbidden

Now when I access the UIs as defined in my topology:

    <service>
        <role>YARNUI</role>
        <url>http://{{rm_host}}:{{rm_port}}</url>
    </service>

Both mliem (expected) and jdoe can access.

Is there anything additional I need to add to my topology in order to leverage the groups I've defined in my LDAP server?

Thanks


1 ACCEPTED SOLUTION

Guru

Hello @mliem

You almost got it right. The missing piece is the ACL param for the YARNUI service. So in your Knox topology, the authorization provider should look like this:

    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param name="knox.acl" value="*;knox;*"/>
      <param name="yarnui.acl" value="*;knox;*"/>
    </provider>

Hope this helps. Do let us know the results.

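The answer above turns on one property of AclsAuthz: each service is protected by its own `<role>.acl` param, so `knox.acl` covers only the KNOX API and a service with no param of its own (YARNUI here) is not enforced at all, which is exactly why jdoe could reach the UI. The script below is an added example, not code from the original post or from the Knox project: it parses a topology, lists every `<service>` role that has no matching ACL param, and evaluates the `users;groups;ipaddresses` ACL the way the Knox documentation describes it (`*` matches anything, `<role>.acl.mode` of AND or OR, AND when unset). The two topologies, the hostname and the client IP are constructed for the example; the user and group names are the ones from the thread.

```python
"""Audit a Knox topology for services that AclsAuthz does not cover.

Added example (not from the original post or the Knox project). Assumes the
AclsAuthz conventions from the Knox documentation: a param "<role>.acl" with
value "users;groups;ipaddresses" ("*" = any), optional "<role>.acl.mode"
(AND, the default, or OR), and no enforcement for a service without an ACL.
"""
import xml.etree.ElementTree as ET

# Constructed topology modelled on the question: knox.acl only, no ACL for YARNUI.
TOPOLOGY_BEFORE = """<topology>
  <gateway>
    <provider>
      <role>authorization</role>
      <name>AclsAuthz</name>
      <enabled>true</enabled>
      <param name="knox.acl" value="*;knox;*"/>
    </provider>
  </gateway>
  <service><role>KNOX</role></service>
  <service><role>YARNUI</role><url>http://rm-host.example:8088</url></service>
</topology>"""

# The accepted fix: add the yarnui.acl param beside knox.acl.
TOPOLOGY_AFTER = TOPOLOGY_BEFORE.replace(
    '<param name="knox.acl" value="*;knox;*"/>',
    '<param name="knox.acl" value="*;knox;*"/>\n'
    '      <param name="yarnui.acl" value="*;knox;*"/>')


def load_acls(topology_xml):
    """Return ({role: acl}, {role: mode}, {service roles}) from a topology.

    Only an enabled provider with role=authorization and name=AclsAuthz is read;
    role names are lower-cased because param names are lower-case in Knox.
    """
    root = ET.fromstring(topology_xml)
    acls, modes = {}, {}
    for prov in root.iter("provider"):
        if prov.findtext("role") != "authorization" or prov.findtext("name") != "AclsAuthz":
            continue
        if prov.findtext("enabled", "true").strip().lower() != "true":
            continue
        for p in prov.iter("param"):
            name, value = p.get("name", ""), p.get("value", "")
            if name.endswith(".acl.mode"):
                modes[name[: -len(".acl.mode")]] = value.strip().upper()
            elif name.endswith(".acl"):
                acls[name[: -len(".acl")]] = value
    services = {s.findtext("role", "").lower() for s in root.iter("service")}
    return acls, modes, services


def unprotected_services(topology_xml):
    """Service roles with no <role>.acl param: every authenticated user gets through."""
    acls, _, services = load_acls(topology_xml)
    return sorted(services - set(acls))


def acl_allows(acl, mode, user, groups, ip):
    """Evaluate one users;groups;ipaddresses ACL value for a request."""
    parts = [p.strip() for p in acl.split(";")]
    if len(parts) != 3:
        raise ValueError(f"bad ACL {acl!r}: expected users;groups;ipaddresses")
    users, grps, ips = (set(x.strip() for x in p.split(",") if x.strip()) for p in parts)
    user_ok = "*" in users or user in users
    group_ok = "*" in grps or bool(grps & set(groups))
    ip_ok = "*" in ips or ip in ips
    if mode == "OR":
        return user_ok or group_ok or ip_ok
    return user_ok and group_ok and ip_ok


def decide(topology_xml, role, user, groups, ip="10.0.0.5"):
    """Would AclsAuthz admit `user` (with LDAP `groups`) to `role`? (ip is constructed)"""
    acls, modes, _ = load_acls(topology_xml)
    acl = acls.get(role.lower())
    if acl is None:
        return True  # no ACL for this service: AclsAuthz does not enforce it
    return acl_allows(acl, modes.get(role.lower(), "AND"), user, groups, ip)


if __name__ == "__main__":
    for label, topo in (("before", TOPOLOGY_BEFORE), ("after", TOPOLOGY_AFTER)):
        print(label, "unprotected:", unprotected_services(topo))
        print(label, "jdoe -> YARNUI:", decide(topo, "YARNUI", "jdoe", ["developers"]))
        print(label, "mliem -> YARNUI:", decide(topo, "YARNUI", "mliem", ["admin", "knox", "developers"]))
```

Run against the "before" topology it reports `yarnui` as unprotected and admits jdoe, reproducing the symptom in the question; against the "after" topology the list is empty and jdoe is refused while mliem (a member of `knox`) is admitted. Running `unprotected_services` over every topology in the gateway's `conf/topologies` directory is a cheap way to catch the same gap for other UI services that were added without an ACL param.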