Created 09-25-2016 01:00 AM
Hello,
I have set up Knox to authenticate with our LDAP server and everything is working except when accessing the Hadoop UIs. Users that are not part of the group I've defined in AclsAuthz are still able to log in. This works as expected when trying to access the KNOX API.
see below:
Knox topology - I expect only users in the "knox" group to have access.
<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param name="knox.acl" value="*;knox;*"/>
</provider>
/bin/knoxcli.sh user-auth-test --cluster default --u mliem --p '*******' --g
LDAP authentication successful!
mliem is a member of: admin
mliem is a member of: knox
mliem is a member of: developers
/bin/knoxcli.sh user-auth-test --cluster default --u jdoe --p '*******' --g
LDAP authentication successful!
jdoe is a member of: developers
--------------------------------------------------------
curl -u mliem:'*****' -ik 'https://<knox_ip>:8443/gateway/default/api/v1/version'
HTTP/1.1 200 OK
curl -u jdoe:'*****' -ik 'https://<knox_ip>:8443/gateway/default/api/v1/version'
HTTP/1.1 403 Forbidden
Now when I access the UIs as defined in my topology:
<service>
    <role>YARNUI</role>
    <url>http://{{rm_host}}:{{rm_port}}</url>
</service>
Both mliem (expected) and jdoe can access.
Is there anything additional I need to add to my topology in order to leverage the groups I've defined in my LDAP server?
Thanks
Created 09-25-2016 10:08 AM
Hello @mliem
You almost got it right. The missing piece is the ACL param for the YARNUI service. So in your Knox topology, the authorization provider should look like this:
<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <param name="knox.acl" value="*;knox;*"/>
    <param name="yarnui.acl" value="*;knox;*"/>
</provider>
Hope this helps. Do let us know the results.
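The per-service behaviour behind both the question's symptom and the answer's fix, as an added example that is not code from this thread or from the Knox project: in AclsAuthz an ACL only applies to the service whose lowercase role name it carries (`knox.acl` covers the KNOX admin API, `yarnui.acl` covers YARNUI), and a service with no `<role>.acl` param is left open to every authenticated user. The script below parses a constructed topology shaped like the one in the question, lists the services that have no ACL, applies the answer's fix, and evaluates `users;groups;ips` ACL strings. The field semantics (`,`-separated entries, `*` wildcard, `<role>.acl.mode` of AND or OR with AND as the default) are taken from the Knox user guide and are assumptions here, not something the thread states.

```python
"""Audit a Knox topology for services without an AclsAuthz ACL and evaluate
ACL strings. Added example; the topology and identities are constructed."""
import xml.etree.ElementTree as ET

# Constructed topology mirroring the question: only the KNOX admin API has an ACL.
TOPOLOGY_XML = """<topology>
  <gateway>
    <provider>
      <role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
    </provider>
    <provider>
      <role>authorization</role><name>AclsAuthz</name><enabled>true</enabled>
      <param name="knox.acl" value="*;knox;*"/>
    </provider>
  </gateway>
  <service><role>KNOX</role></service>
  <service><role>YARNUI</role><url>http://rm-host:8088</url></service>
  <service><role>WEBHDFS</role><url>http://nn-host:50070/webhdfs</url></service>
</topology>"""


def load_acls(topology_xml):
    """Return (AclsAuthz params as {name: value}, list of service roles)."""
    root = ET.fromstring(topology_xml)
    params = {}
    for prov in root.iter("provider"):
        if prov.findtext("name") == "AclsAuthz" and prov.findtext("enabled") == "true":
            for p in prov.findall("param"):
                params[p.get("name")] = p.get("value")
    roles = [s.findtext("role") for s in root.iter("service")]
    return params, roles


def unprotected_services(topology_xml):
    """Roles with no '<role>.acl' param: AclsAuthz admits any authenticated user there."""
    params, roles = load_acls(topology_xml)
    return [r for r in roles if f"{r.lower()}.acl" not in params]


def with_acl(topology_xml, role, acl):
    """Return the topology with a '<role>.acl' param added to AclsAuthz (the answer's fix)."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if prov.findtext("name") == "AclsAuthz":
            ET.SubElement(prov, "param", name=f"{role.lower()}.acl", value=acl)
    return ET.tostring(root, encoding="unicode")


def _field_matches(field, values):
    """One ACL field: ','-separated entries, '*' matches anything (assumed semantics)."""
    entries = {e.strip() for e in field.split(",") if e.strip()}
    return "*" in entries or bool(entries & set(values))


def acl_allows(acl, user, groups, ip, mode="AND"):
    """Evaluate a 'users;groups;ips' ACL; AND needs every field, OR needs any (assumed)."""
    users_f, groups_f, ips_f = acl.split(";")
    checks = [
        _field_matches(users_f, [user]),
        _field_matches(groups_f, groups),
        _field_matches(ips_f, [ip]),
    ]
    return all(checks) if mode.upper() == "AND" else any(checks)


def service_allows(topology_xml, role, user, groups, ip):
    """Decide access to one service role the way AclsAuthz would for this topology."""
    params, _ = load_acls(topology_xml)
    key = f"{role.lower()}.acl"
    if key not in params:
        return True  # no ACL for this service: access granted (the question's symptom)
    mode = params.get(f"{key}.mode", "AND")  # default AND is an assumption from the docs
    return acl_allows(params[key], user, groups, ip, mode)


if __name__ == "__main__":
    mliem = ("mliem", ["admin", "knox", "developers"], "10.0.0.5")
    jdoe = ("jdoe", ["developers"], "10.0.0.6")
    print("services with no ACL:", unprotected_services(TOPOLOGY_XML))
    for role in ("KNOX", "YARNUI"):
        for who in (mliem, jdoe):
            print(role, who[0], "->", service_allows(TOPOLOGY_XML, role, *who))
    fixed = with_acl(TOPOLOGY_XML, "YARNUI", "*;knox;*")
    print("after fix, YARNUI jdoe ->", service_allows(fixed, "YARNUI", *jdoe))
```

Running the script lists YARNUI and WEBHDFS as unprotected, shows jdoe reaching YARNUI while being refused at KNOX, and shows the refusal once `yarnui.acl` is added. The audit function is the part worth keeping: any service role added to a topology later without a matching `.acl` param silently reverts to "any authenticated user".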