Knox SSO integrated with Ranger


New Contributor

I set up Knox (1.2) SSO with Ranger (1.1) by following these steps:

https://community.hortonworks.com/questions/80100/hdp-25-ranger-via-knox-sso-login-redirect-issue.ht...

The Ranger admin login page redirects to Knox, and I can log in to Ranger with a username/password using Knox's internal LDAP. But when I try to log out from Ranger, the web page stays on the user profile page and can no longer redirect to the Knox login web page. There is a JIRA for this issue:

https://jira.apache.org/jira/browse/RANGER-1821

I need to clear all browser cache data to visit the Knox login page again.

Has anyone had this issue? Any idea how to work around it?


Re: Knox SSO integrated with Ranger

New Contributor

When I do the Ranger logout, I find these entries in the Ranger log:

2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.

I Googled it, and it seems you should set the knoxsso.token.ttl value to a smaller value. I checked, and my setting is 30000, which is 30 seconds. That should be small enough, so I think this might not be the root cause.

I also found Ranger logout doesn't issue any request to Knox. I suppose Ranger should notify Knox to delete the token.

My Knox setting is just using local LDAP for simple username/password authentication.
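
Added example, not part of the original posts and not Ranger or Knox code: a small Python diagnostic that reads the exp claim from an SSO JWT (for instance the cookie value the browser still sends after logout) and reports whether it is past its expiry, the condition the warnings above report. The function names, the sample token and its timestamp are constructed for illustration; the signature is not verified, so this is for troubleshooting only.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.
    Diagnostic use only: never base an access decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def expiry_status(token: str, now: Optional[float] = None) -> dict:
    """Compare the token's exp claim (seconds since epoch) with the clock."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    if exp is None:
        # No exp claim: there is nothing to compare against.
        return {"exp": None, "remaining_s": None, "expired": False}
    remaining = exp - now
    return {"exp": exp, "remaining_s": remaining, "expired": remaining <= 0}


def make_sample_token(issued_at: int, ttl_ms: int) -> str:
    """Constructed sample token; the signature segment is a placeholder."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    # The TTL is given in milliseconds (30000 = 30 seconds, as in the post);
    # the JWT exp claim is in seconds.
    claims = {"sub": "sample-user", "exp": issued_at + ttl_ms // 1000}
    return ".".join([enc({"alg": "RS256"}), enc(claims), "placeholder"])


if __name__ == "__main__":
    issued = 1548223664  # constructed timestamp
    token = make_sample_token(issued, ttl_ms=30000)
    for offset in (10, 31):  # seconds after issue
        print(offset, expiry_status(token, now=issued + offset))
```

Running `expiry_status` on the cookie value captured from the browser's developer tools shows whether the token being presented is the stale one that only clearing browser data removes.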
