Knox SSO integrated with Ranger

hill_liu · ‎01-21-2019

I set up Knox(1.2) SSO with Ranger(1.1) follow by this step:

https://community.hortonworks.com/questions/80100/hdp-25-ranger-via-knox-sso-login-redirect-issue.ht...

Ranger admin login page to redirect to Knox and I can login to Ranger using user/password using Knox internal LDAP. But when I try to logout from Ranger, web page stay in user profile page can can't no longer redirect to Knox log in web page. There is a lira for this issue:

https://jira.apache.org/jira/browse/RANGER-1821

I need to clear all browser cache data to visit Knox login page again.

Anyone has this issue, any idea to workaround this?

hill_liu · ‎01-23-2019

When I do the Ranger logout, I found these log in Ranger log:

2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.

Googled it, seems like you should setup knoxsso.token.ttl value to smaller value. I checked my setting is 30000, which is 30 seconds. Should be small enough. So I think this might not be the root cause.

I also found Ranger logout doesn't issue any request to Knox. I suppose Ranger should notify Knox to delete the token.

MyKnox setting is just using local LDAP for simple username/password authentication.

hill_liu · ‎01-23-2019

When I do the Ranger logout, I found these log in Ranger log:

2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.

Googled it, seems like you should setup knoxsso.token.ttl value to smaller value. I checked my setting is 30000, which is 30 seconds. Should be small enough. So I think this might not be the root cause.

I also found Ranger logout doesn't issue any request to Knox. I suppose Ranger should notify Knox to delete the token.

MyKnox setting is just using local LDAP for simple username/password authentication.