Created 09-15-2018 08:10 PM
I set up Knox to use LDAP:
[r00t@clu-s6 ~]$ sudo /usr/hdp/current/knox-server/bin/knoxcli.sh user-auth-test --cluster default --u [user] --p [password] --d
LDAP authentication successful!
But it's still letting anonymous users in:
18/09/15 19:49:22 |||audit|172.17.159.226|ZEPPELINUI|anonymous|||access|uri|/gateway/default/zeppelin/extensions/MathZoom.js?V=2.7.0|success|Response status: 200
How do I get Knox to only allow authenticated users? I must have missed something simple.
Advanced topology:
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sessionTimeout</name>
        <value>30</value>
      </param>
      <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
      </param>
      <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
      </param>
      <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=People,dc=cloud,dc=res,dc=bngf,dc=local</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.systemUsername</name>
        <value>cn=ldapadm,dc=cloud,dc=res,dc=bngf,dc=local</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.systemPassword</name>
        <value>********</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://fqdn.host.com:389</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
      </param>
      <param>
        <name>urls./**</name>
        <value>authcBasic</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
    <provider>
      <role>authorization</role>
      <name>XASecurePDPKnox</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>NAMENODE</role>
    <url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
  </service>
  <service>
    <role>ATLAS</role>
    <url>http://{{ambari_server_hostname}}:8080</url>
  </service>
  <service>
    <role>RANGER</role>
    <url>http://this.host.com:6080</url>
  </service>
  <service>
    <role>RANGERUI</role>
    <url>http://clu-hgm3:6080</url>
  </service>
  <service>
    <role>AMBARI</role>
    <url>http://{{ambari_server_hostname}}:8080</url>
  </service>
  <service>
    <role>AMBARIUI</role>
    <url>http://{{ambari_server_hostname}}:8080</url>
  </service>
  <service>
    <role>JOBTRACKER</role>
    <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
  </service>
  <service>
    <role>WEBHDFS</role>
    {{webhdfs_service_urls}}
  </service>
  <service>
    <role>WEBHCAT</role>
    <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
  </service>
  <service>
    <role>OOZIE</role>
    <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
  </service>
  <service>
    <role>WEBHBASE</role>
    <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
  </service>
  <service>
    <role>HIVE</role>
    <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
  </service>
  <service>
    <role>RESOURCEMANAGER</role>
    <url>http://{{rm_host}}:{{rm_port}}/ws</url>
  </service>
  <service>
    <role>DRUID-COORDINATOR-UI</role>
    {{druid_coordinator_urls}}
  </service>
  <service>
    <role>DRUID-COORDINATOR</role>
    {{druid_coordinator_urls}}
  </service>
  <service>
    <role>DRUID-OVERLORD-UI</role>
    {{druid_overlord_urls}}
  </service>
  <service>
    <role>DRUID-OVERLORD</role>
    {{druid_overlord_urls}}
  </service>
  <service>
    <role>DRUID-ROUTER</role>
    {{druid_router_urls}}
  </service>
  <service>
    <role>DRUID-BROKER</role>
    {{druid_broker_urls}}
  </service>
  <service>
    <role>ZEPPELINUI</role>
    {{zeppelin_ui_urls}}
  </service>
  <service>
    <role>ZEPPELINWS</role>
    {{zeppelin_ws_urls}}
  </service>
</topology>
Created 09-17-2018 06:52 PM
@Matt Andruff Accessing Ambari, Atlas, Zeppelin would give anonymous access to its UIs, and authentication is managed by that component individually by default, meaning a user can access the UIs using Knox and will have to provide the logins configured for it.
With Zeppelin 0.8 onwards, which comes with HDP 3.0, there is support for KnoxSSO, which can be used to log in to ZeppelinUI.
Ref: https://zeppelin.apache.org/docs/0.8.0/setup/security/shiro_authentication.html#knox-sso
https://issues.apache.org/jira/browse/ZEPPELIN-3090
https://knox.apache.org/books/knox-0-13-0/dev-guide.html#KnoxSSO+Integration
HDP up to 2.6.5 does not support Zeppelin KnoxSSO integration.
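To see which services the gateway is serving without an authenticated identity, the audit log can be summarised per service role. This is an added example, not part of the original thread: the field positions are inferred from the single audit line quoted in the question, and every sample line except the first is constructed.

```python
from collections import Counter, namedtuple

# Field layout inferred from the audit line in the question (assumption):
# time |root|parent|component|remote_ip|service|user|proxy|system|action|type|resource|outcome|message
AuditEvent = namedtuple(
    "AuditEvent", "time remote_ip service user action resource outcome message"
)

def parse_audit_line(line):
    """Return an AuditEvent, or None if the line is not a Knox audit record."""
    parts = line.rstrip("\n").split("|", 13)  # message is last and may contain '|'
    if len(parts) != 14 or parts[3] != "audit":
        return None
    return AuditEvent(parts[0].strip(), parts[4], parts[5], parts[6],
                      parts[9], parts[11], parts[12], parts[13])

def anonymous_successes(lines):
    """Count successful accesses logged as 'anonymous', keyed by (service, remote_ip)."""
    hits = Counter()
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue
        if ev.action == "access" and ev.outcome == "success" and ev.user == "anonymous":
            hits[(ev.service, ev.remote_ip)] += 1
    return hits

SAMPLE = [
    # First line is the one quoted in the question; the rest are constructed.
    "18/09/15 19:49:22 |||audit|172.17.159.226|ZEPPELINUI|anonymous|||access|uri|"
    "/gateway/default/zeppelin/extensions/MathZoom.js?V=2.7.0|success|Response status: 200",
    "18/09/15 19:49:23 |||audit|172.17.159.226|ZEPPELINUI|anonymous|||access|uri|"
    "/gateway/default/zeppelin/app/home/home.html|success|Response status: 200",
    "18/09/15 19:50:01 |||audit|10.0.0.5|WEBHDFS|alice|||access|uri|"
    "/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 200",
    "18/09/15 19:50:07 |||audit|10.0.0.5|WEBHDFS|anonymous|||access|uri|"
    "/gateway/default/webhdfs/v1/tmp|failure|Response status: 401",
    "not an audit line",
]

if __name__ == "__main__":
    for (service, ip), count in sorted(anonymous_successes(SAMPLE).items()):
        print(f"{service}\t{ip}\t{count} anonymous successful requests")
```

Services that show up here are the ones where the login is enforced only by the backend component, so their own authentication settings are what need reviewing.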