Created 01-21-2019 10:51 AM
I set up Knox (1.2) SSO with Ranger (1.1) following this step:
The Ranger admin login page redirects to Knox, and I can log in to Ranger with a username/password using Knox's internal LDAP. But when I try to log out from Ranger, the web page stays on the user profile page and can no longer redirect to the Knox login web page. There is a Jira for this issue:
https://jira.apache.org/jira/browse/RANGER-1821
I need to clear all browser cache data to visit the Knox login page again.
Does anyone else have this issue? Any idea how to work around this?
Created 01-23-2019 08:44 AM
When I do the Ranger logout, I find these entries in the Ranger log:
2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
I Googled it, and it seems like you should set the knoxsso.token.ttl value to a smaller value. I checked, and my setting is 30000, which is 30 seconds. That should be small enough, so I think this might not be the root cause.
I also found Ranger logout doesn't issue any request to Knox. I suppose Ranger should notify Knox to delete the token.
My Knox setting is just using local LDAP for simple username/password authentication.
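A troubleshooting aid for the symptom in the posts above, as an added example that is not part of the original thread and is not Ranger or Knox code: it decodes a JWT's `exp` claim to show whether the token the browser keeps sending has outlived a 30000 ms TTL. The function names, the user `guest` and the sample token are constructed for illustration; the signature is not verified, so this is for diagnosis only, never for authentication.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(sub: str, issued_at: int, ttl_ms: int) -> str:
    """Build a CONSTRUCTED, unsigned sample token (hypothetical helper)."""
    header = {"alg": "RS256"}
    # JWT 'exp' is a NumericDate in seconds; the TTL in the post is in ms.
    claims = {"sub": sub, "exp": issued_at + ttl_ms // 1000}
    parts = [_b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + ["constructed-signature"])


def jwt_expiry_status(token: str, now: Optional[float] = None) -> dict:
    """Report expiry of a JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT segments")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:
        # Assumption of this example: no 'exp' means nothing to expire.
        return {"sub": claims.get("sub"), "expired": False, "seconds_left": None}
    left = exp - now
    return {"sub": claims.get("sub"), "expired": left <= 0, "seconds_left": left}


if __name__ == "__main__":
    # Token issued at t=1000 s with the 30000 ms TTL mentioned in the post.
    token = make_sample_token("guest", issued_at=1000, ttl_ms=30000)
    print(jwt_expiry_status(token, now=1010))  # still inside the TTL
    print(jwt_expiry_status(token, now=1045))  # replayed after expiry
```

A token that reports `expired: True` while the browser still presents it matches the repeated "Expiration time validation of JWT token failed" warnings in the log.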