Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Advanced Search
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Knox SSO integrated with Ranger

Highlighted

Knox SSO integrated with Ranger

hill_liu
New Contributor

Created ‎01-21-2019 10:51 AM

I set up Knox(1.2) SSO with Ranger(1.1) follow by this step:

https://community.hortonworks.com/questions/80100/hdp-25-ranger-via-knox-sso-login-redirect-issue.ht...

Ranger admin login page to redirect to Knox and I can login to Ranger using user/password using Knox internal LDAP. But when I try to logout from Ranger, web page stay in user profile page can can't no longer redirect to Knox log in web page. There is a lira for this issue:

https://jira.apache.org/jira/browse/RANGER-1821

I need to clear all browser cache data to visit Knox login page again.

Anyone has this issue, any idea to workaround this?

Reply
629 Views
0 Kudos
2 REPLIES 2
Highlighted

Re: Knox SSO integrated with Ranger

hill_liu
New Contributor

Created ‎01-23-2019 08:44 AM

When I do the Ranger logout, I found these log in Ranger log:

2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.

Googled it, seems like you should setup knoxsso.token.ttl value to smaller value. I checked my setting is 30000, which is 30 seconds. Should be small enough. So I think this might not be the root cause.

I also found Ranger logout doesn't issue any request to Knox. I suppose Ranger should notify Knox to delete the token.

MyKnox setting is just using local LDAP for simple username/password authentication.

Reply
441 Views
0 Kudos
Highlighted

Re: Knox SSO integrated with Ranger

hill_liu
New Contributor

Created ‎01-23-2019 08:44 AM

When I do the Ranger logout, I found these log in Ranger log:

2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:14,180 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,208 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:480) - SSO expiration date validation failed.
2019-01-23 06:08:16,305 [http-bio-6080-exec-3] WARN  apache.ranger.security.web.filter.RangerSSOAuthenticationFilter (RangerSSOAuthenticationFilter.java:400) - Expiration time validation of JWT token failed.

Googled it, seems like you should setup knoxsso.token.ttl value to smaller value. I checked my setting is 30000, which is 30 seconds. Should be small enough. So I think this might not be the root cause.

I also found Ranger logout doesn't issue any request to Knox. I suppose Ranger should notify Knox to delete the token.

MyKnox setting is just using local LDAP for simple username/password authentication.

Reply
441 Views
0 Kudos
Don't have an account?
Register
Coming from Hortonworks? Activate your account here