Created on 05-09-2024 02:30 PM - edited 05-09-2024 06:12 PM
Configured KnoxSSO without Ambari. KnoxSSO is configured with the Shiro provider, and core-site.xml was updated with the configs below.
Followed: https://knox.apache.org/books/knox-1-6-0/user-guide.html#KnoxSSO+Setup+and+Configuration
After the restart, the NN UI redirects to KnoxSSO, and after entering the AD credentials it throws the error below in the UI. The redirect to originalUrl looks valid from the KnoxSSO URL.
ERROR Invalid Redirect: Possible Phishing Attempt
Any help is appreciated!
Created 05-10-2024 02:13 AM
I was able to resolve the "Invalid redirect" by adding knoxsso.redirect.whitelist.regex, but when I enter AD credentials in the KnoxSSO page it keeps redirecting to the same login page.
I could see the messages below in gateway.log:
2024-05-10 09:04:16,722 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true
2024-05-10 09:04:16,760 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /images/loading.gif
2024-05-10 09:04:16,761 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
2024-05-10 09:04:16,761 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(142)) - PrimaryPrincipal has access: true
2024-05-10 09:04:16,761 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(158)) - Remote IP Address:
2024-05-10 09:04:16,761 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(160)) - Remote IP Address has access: true
2024-05-10 09:04:16,762 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true
2024-05-10 09:04:16,795 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /redirecting.jsp
2024-05-10 09:04:16,796 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
2024-05-10 09:04:16,796 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(142)) - PrimaryPrincipal has access: true
2024-05-10 09:04:16,797 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(158)) - Remote IP Address:
2024-05-10 09:04:16,797 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(160)) - Remote IP Address has access: true
2024-05-10 09:04:16,797 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true
2024-05-10 09:04:20,773 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /images/loading.gif
2024-05-10 09:04:20,774 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
2024-05-10 09:04:20,775 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(142)) - PrimaryPrincipal has access: true
2024-05-10 09:04:20,775 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(158)) - Remote IP Address:
2024-05-10 09:04:20,775 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(160)) - Remote IP Address has access: true
2024-05-10 09:04:20,775 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true
2024-05-10 09:04:20,916 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /api/v1/websso
2024-05-10 09:04:20,943 DEBUG knox.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /login.html
2024-05-10 09:04:20,944 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
2024-05-10 09:04:20,944 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(142)) - PrimaryPrincipal has access: true
2024-05-10 09:04:20,945 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(158)) - Remote IP Address:
2024-05-10 09:04:20,945 DEBUG knox.gateway (AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(160)) - Remote IP Address has access: true
2024-05-10 09:04:20,945 DEBUG knox.gateway (AclsAuthorizationFilter.java:doFilter(105)) - Access Granted: true
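Added example, not part of the original posts and not Knox's own code: a small offline check for a candidate knoxsso.redirect.whitelist.regex value, confirming that it admits the intended originalUrl while still refusing off-site redirect targets. It assumes the property is a semicolon-delimited list of patterns that must each match the whole URL, and that the patterns use only syntax common to Java and Python regex; the host names and sample URLs are constructed.

```python
import re

# Constructed sample values; nn1.example.com stands in for the NameNode host.
EXPECTED = ["http://nn1.example.com:50070/index.html"]
OFFSITE = [
    "http://nn1.example.com.untrusted.example:50070/index.html",
    "http://untrusted.example/?next=http://nn1.example.com:50070/",
]
STRICT = r"^/.*$;^https?://nn1\.example\.com:50070/.*$"
LOOSE = r"^https?://.*example\.com.*$"
WRONG_PORT = r"^https?://nn1\.example\.com:9870/.*$"


def parse_whitelist(value):
    """Split the property value on ';' and compile each non-empty pattern."""
    return [re.compile(p.strip()) for p in value.split(";") if p.strip()]


def is_allowed(original_url, patterns):
    """Accept a redirect target only if one pattern matches the entire URL."""
    return any(p.fullmatch(original_url) for p in patterns)


def audit(value, expected=EXPECTED, offsite=OFFSITE):
    """Return (missing, leaked) for a candidate whitelist value.

    missing: legitimate originalUrl values the whitelist would refuse
             (the user sees the "Invalid Redirect" error).
    leaked:  off-site URLs the whitelist would accept as redirect targets.
    """
    patterns = parse_whitelist(value)
    missing = [u for u in expected if not is_allowed(u, patterns)]
    leaked = [u for u in offsite if is_allowed(u, patterns)]
    return missing, leaked


if __name__ == "__main__":
    for name, value in [("strict", STRICT), ("loose", LOOSE),
                        ("wrong port", WRONG_PORT)]:
        missing, leaked = audit(value)
        print(f"{name:10} missing={missing} leaked={leaked}")
```

A value that clears the "Invalid Redirect" error but reports anything under leaked has been widened too far; anchor the host and port literally rather than matching a substring.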
Created 05-10-2024 03:49 AM
Hello @Hadoop16, can you disable debug logs and share the information logs from the gateway log file by replicating the issue?
Created 05-10-2024 07:36 AM
Hello @Scharan, below are the entries populated when reaching the HDFS UI via KnoxSSO:
2024-05-10 14:32:54,143 INFO knox.gateway (AclsAuthorizationFilter.java:init(72)) - Initializing AclsAuthz Provider for: knoxauth
2024-05-10 14:32:54,143 INFO knox.gateway (AclParser.java:parseAcls(50)) - ACLs found for: knoxauth
2024-05-10 14:33:04,139 INFO knox.gateway (KnoxLdapRealm.java:getUserDn(721)) - Computed userDn: CN=lastname\, firstname,OU=XXXX,OU=XXXXX,DC=XXX,DC=XXX,DC=com using ldapSearch for principal: userid
2024-05-10 14:33:04,790 INFO knox.gateway (AclsAuthorizationFilter.java:init(72)) - Initializing AclsAuthz Provider for: KNOXSSO
2024-05-10 14:33:04,790 INFO knox.gateway (AclParser.java:parseAcls(50)) - ACLs found for: KNOXSSO
2024-05-10 14:33:06,030 INFO knox.gateway (CookieUtils.java:getCookiesForName(46)) - Unable to find cookie with name: original-url
2024-05-10 14:33:06,095 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(386)) - JWT cookie successfully added.
2024-05-10 14:33:06,095 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(278)) - About to redirect to original URL: http://NN_host50070/index.html
Created 05-10-2024 11:37 PM
Hello @Scharan
From the debug log, I think the issue is that when KnoxSSO is redirecting to the NN UI, it is sending the user as anonymous.
AclsAuthorizationFilter.java:enforceAclAuthorizationPolicy(133)) - PrimaryPrincipal: anonymous
Do you know what configs at hdfs or Knox could help here?