I setup knox to use LDAP
[r00t@clu-s6 ~]$ sudo /usr/hdp/current/knox-server/bin/knoxcli.sh user-auth-test --cluster default --u [user] --p [password] --d
LDAP authentication successful!
But it's still letting anonymous users in:
18/09/15 19:49:22 |||audit|172.17.159.226|ZEPPELINUI|anonymous|||access|uri|/gateway/default/zeppelin/extensions/MathZoom.js?V=2.7.0|success|Response status: 200
How do I get knox to only allow authenticated users? I must have missed something simple
Advanced topology:
<topology>
<gateway>
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>30</value>
</param>
<param>
<name>main.ldapRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
</param>
<param>
<name>main.ldapRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid={0},ou=People,dc=cloud,dc=res,dc=bngf,dc=local</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.systemUsername</name>
<value>cn=ldapadm,dc=cloud,dc=res,dc=bngf,dc=local</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.systemPassword</name>
<value>********</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://fqdn.host.com:389</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
<value>simple</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
<provider>
<role>authorization</role>
<name>XASecurePDPKnox</name>
<enabled>true</enabled>
</provider>
</gateway>
<service>
<role>NAMENODE</role>
<url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
</service>
<service>
<role>ATLAS</role>
<url>http://{{ambari_server_hostname}}:8080</url>
</service>
<service>
<role>RANGER</role>
<url>http://this.host.com:6080</url>
</service>
<service>
<role>RANGERUI</role>
<url>http://clu-hgm3:6080</url>
</service>
<service>
<role>AMBARI</role>
<url>http://{{ambari_server_hostname}}:8080</url>
</service>
<service>
<role>AMBARIUI</role>
<url>http://{{ambari_server_hostname}}:8080</url>
</service>
<service>
<role>JOBTRACKER</role>
<url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
</service>
<service>
<role>WEBHDFS</role>
{{webhdfs_service_urls}}
</service>
<service>
<role>WEBHCAT</role>
<url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
</service>
<service>
<role>OOZIE</role>
<url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
</service>
<service>
<role>WEBHBASE</role>
<url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
</service>
<service>
<role>HIVE</role>
<url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
</service>
<service>
<role>RESOURCEMANAGER</role>
<url>http://{{rm_host}}:{{rm_port}}/ws</url>
</service>
<service>
<role>DRUID-COORDINATOR-UI</role>
{{druid_coordinator_urls}}
</service>
<service>
<role>DRUID-COORDINATOR</role>
{{druid_coordinator_urls}}
</service>
<service>
<role>DRUID-OVERLORD-UI</role>
{{druid_overlord_urls}}
</service>
<service>
<role>DRUID-OVERLORD</role>
{{druid_overlord_urls}}
</service>
<service>
<role>DRUID-ROUTER</role>
{{druid_router_urls}}
</service>
<service>
<role>DRUID-BROKER</role>
{{druid_broker_urls}}
</service>
<service>
<role>ZEPPELINUI</role>
{{zeppelin_ui_urls}}
</service>
<service>
<role>ZEPPELINWS</role>
{{zeppelin_ws_urls}}
</service>
</topology>
