Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Knox Response status: 401

Labels:
avatar
author-rank shota
Contributor

Created ‎12-28-2017 05:39 PM

Hi all

I am trying figure out knox gateway

but I have problem when I access services like WEBHDFS

this is error log from /var/log/knox/gateway-audit.log:

17/12/28 21:30:30 ||de5c4e70-c89c-487e-8fea-6260c6701efb|audit|IPADDR|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1|unavailable|Request method: GET
17/12/28 21:30:30 ||de5c4e70-c89c-487e-8fea-6260c6701efb|audit|IPADDR|WEBHDFS||||access|uri|/gateway/default/webhdfs/v1|success|Response status: 401

this is my topology configuration:

        <topology>


            <gateway>


                <provider>
                    <role>authentication</role>
                    <name>ShiroProvider</name>
                    <enabled>true</enabled>


            <param>
                <name>sessionTimeout</name>
                <value>15</value>
            </param>            


            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>


            <param>
                <name>main.ldapContextFactory</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>


            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>


            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://ragaca.com:389</value>
            </param>


            <param>
                <name>main.ldapRealm.authorizationEnabled</name>
                <value>true</value>
            </param>


            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>


            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>sAMAccountName={0}</value>
            </param>


            <param>
                <name>main.ldapRealm.userSearchAttributeName</name>
                <value>sAMAccountName</value>
            </param>


            <param>
                <name>main.ldapRealm.userObjectClass</name>
                <value>person</value>
            </param>


            <param>
                <name>main.ldapRealm.contextFactory.systemUsername</name>
                <value>CN=testUser,OU=testUsers,DC=ragaca,DC=com</value>
            </param>


            <param>
                <name>main.ldapRealm.contextFactory.systemPassword</name>
                <value>*********</value>
            </param>


            <param>
                <name>main.ldapRealm.searchBase</name>
                <value>OU=Domain Users & Groups,DC=ragaca,DC=com</value>
            </param>


            <param>
                <name>main.ldapRealm.userSearchBase</name>
                <value>Users,OU=Domain Users & Groups,DC=ragaca,DC=com</value>
            </param>


            <param>
                <name>main.ldapRealm.userSearchScope</name>
                <value>subtree</value>
            </param>


            <param>
                <name>main.ldapRealm.groupSearchBase</name>
                <value>OU=Groups,OU=Domain Users & Groups,DC=ragaca,DC=com</value>
            </param>


            <param>
                <name>main.ldapRealm.groupObjectClass</name>
                <value>group</value>
            </param>


            <param>
                <name>main.ldapRealm.memberAttribute</name>
                <value>member</value>
            </param>




            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>


                </provider>


                <provider>
                    <role>identity-assertion</role>
                    <name>Default</name>
                    <enabled>true</enabled>
                </provider>


                <provider>
                    <role>authorization</role>
                    <name>AclsAuthz</name>
                    <enabled>true</enabled>
                </provider>


            </gateway>


            <service>
                <role>NAMENODE</role>
                <url>hdfs://namenode1.ragaca.com:8020</url>
            </service>


            <service>
                <role>JOBTRACKER</role>
                <url>rpc://jt.ragaca.com:8050</url>
            </service>


            <service>
                <role>WEBHDFS</role>
                <url>http://namenode1.ragaca.com:50070/</url>
                <url>http://namenode2.ragaca.com:50070/</url>
            </service>

        </topology>

I also have hadoop.proxyuser.knox.hosts=* and hadoop.proxyuser.knox.groups=* in the core-site of the HDFS configuration

could anyone guess what am I missing

Thank you very much and happy new year

6,285 Views
0 Kudos
7 REPLIES 7

avatar
author-rank mvaradkar author-rank
Contributor

Created ‎01-04-2018 09:01 AM

@Shota Akhalaia, can you try below code block in your topology,

<service>
  <role>WEBHDFS</role>
  <url>http://namenode1.ragaca.com:50070/webhdfs</url>
</service>

Refer this link.

5,419 Views
0 Kudos

avatar
author-rank shota
Contributor

Created ‎01-05-2018 08:40 AM

@mvaradkar thank you

tryed but same 401 status in the logs

btw after I enter url in the internet browser (h t t p s :// knox . ragaca . com : 8443/gateway/default/webhdfs/v1) there is 401 not only when I enter my real existing AD username and password but when I enter random symbols in the login prompt there are same "response status 401" in the gateway-audit.log every time

5,419 Views
0 Kudos

avatar
author-rank mvaradkar author-rank
Contributor

Created ‎01-05-2018 12:34 PM

Can check main.ldapRealm.contextFactory.systemPassword value in your topology, refer link.

5,419 Views
0 Kudos

avatar
author-rank pbhagade author-rank
Expert Contributor

Created ‎01-06-2018 03:33 AM

can you correct the user search base seems to be incorrect.
Refer : Using Apache Knox with ActiveDirector

             <param>
                <name>main.ldapRealm.userSearchBase</name>
                <value>Users,OU=Domain Users & Groups,DC=ragaca,DC=com</value>
            </param>
5,419 Views
0 Kudos

avatar
author-rank shota
Contributor

Created ‎01-06-2018 07:50 AM

userSearchBase system usernames and passwords are correct, I copied them from working shiro.ini of zeppelin service

5,419 Views
0 Kudos

avatar
author-rank pbhagade author-rank
Expert Contributor

Created ‎01-06-2018 07:57 AM

Is it possible to share the ldapsearch output for a specific user you're trying to access webhdfs.

or use main.ldapRealm.userSearchBase=OU=Domain Users & Groups,DC=ragaca,DC=com and let me know if it works

5,419 Views
0 Kudos

avatar
author-rank mister_letaz
Explorer

Created ‎05-31-2018 07:57 AM

Hi Shota,

Have you fixed your problem ?

I am currently facing same issue.

Thx.

5,419 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements