Knox allowing anonymous users

Expert Contributor

I set up Knox to use LDAP:

[r00t@clu-s6 ~]$ sudo /usr/hdp/current/knox-server/bin/knoxcli.sh user-auth-test --cluster default --u [user] --p [password] --d
LDAP authentication successful!

But it's still letting anonymous users in:

18/09/15 19:49:22 |||audit|172.17.159.226|ZEPPELINUI|anonymous|||access|uri|/gateway/default/zeppelin/extensions/MathZoom.js?V=2.7.0|success|Response status: 200

How do I get Knox to only allow authenticated users? I must have missed something simple.

Advanced topology:

<topology>


            <gateway>


                <provider>
                    <role>authentication</role>
                    <name>ShiroProvider</name>
                    <enabled>true</enabled>
                    <param>
                        <name>sessionTimeout</name>
                        <value>30</value>
                    </param>
                    <param>
                        <name>main.ldapRealm</name>
                        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                    </param>
                    <param>
                        <name>main.ldapRealm</name>
                        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                    </param>
                    <param>
                        <name>main.ldapRealm.userDnTemplate</name>
                        <value>uid={0},ou=People,dc=cloud,dc=res,dc=bngf,dc=local</value>
                    </param>
                    <param>
                        <name>main.ldapRealm.contextFactory.systemUsername</name>
                        <value>cn=ldapadm,dc=cloud,dc=res,dc=bngf,dc=local</value>
                    </param>
                    <param>
                        <name>main.ldapRealm.contextFactory.systemPassword</name>
                        <value>********</value>
                    </param>
                    <param>
                        <name>main.ldapRealm.contextFactory.url</name>
                        <value>ldap://fqdn.host.com:389</value>
                    </param>
                    <param>
                        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                        <value>simple</value>
                    </param>
                    <param>
                        <name>urls./**</name>
                        <value>authcBasic</value>
                    </param>
                </provider>


                <provider>
                    <role>identity-assertion</role>
                    <name>Default</name>
                    <enabled>true</enabled>
                </provider>


                <provider>
                    <role>authorization</role>
                    <name>XASecurePDPKnox</name>
                    <enabled>true</enabled>
                </provider>


            </gateway>


            <service>
                <role>NAMENODE</role>
                <url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
            </service>


            <service>
                <role>ATLAS</role>
                <url>http://{{ambari_server_hostname}}:8080</url>
            </service>


            <service>
                <role>RANGER</role>
                <url>http://this.host.com:6080</url>
            </service>


            <service>
                <role>RANGERUI</role>
                <url>http://clu-hgm3:6080</url>
            </service>


            <service>
                <role>AMBARI</role>
                <url>http://{{ambari_server_hostname}}:8080</url>
            </service>


            <service>
                <role>AMBARIUI</role>
                <url>http://{{ambari_server_hostname}}:8080</url>
            </service>


            <service>
                <role>JOBTRACKER</role>
                <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
            </service>


            <service>
                <role>WEBHDFS</role>
                {{webhdfs_service_urls}}
            </service>


            <service>
                <role>WEBHCAT</role>
                <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
            </service>


            <service>
                <role>OOZIE</role>
                <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
            </service>


            <service>
                <role>WEBHBASE</role>
                <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
            </service>


            <service>
                <role>HIVE</role>
                <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
            </service>


            <service>
                <role>RESOURCEMANAGER</role>
                <url>http://{{rm_host}}:{{rm_port}}/ws</url>
            </service>


            <service>
                <role>DRUID-COORDINATOR-UI</role>
                {{druid_coordinator_urls}}
            </service>


            <service>
                <role>DRUID-COORDINATOR</role>
                {{druid_coordinator_urls}}
            </service>


            <service>
                <role>DRUID-OVERLORD-UI</role>
                {{druid_overlord_urls}}
            </service>


            <service>
                <role>DRUID-OVERLORD</role>
                {{druid_overlord_urls}}
            </service>


            <service>
                <role>DRUID-ROUTER</role>
                {{druid_router_urls}}
            </service>


            <service>
                <role>DRUID-BROKER</role>
                {{druid_broker_urls}}
            </service>


            <service>
                <role>ZEPPELINUI</role>
                {{zeppelin_ui_urls}}
            </service>


            <service>
                <role>ZEPPELINWS</role>
                {{zeppelin_ws_urls}}
            </service>


        </topology>
1 ACCEPTED SOLUTION

Super Collaborator

@Matt Andruff Accessing Ambari, Atlas, Zeppelin would give anonymous access to its UIs, and authentication is managed by that component individually by default, meaning the user can access the UIs using Knox and will have to provide the logins configured for it.

With Zeppelin 0.8 onwards, which comes with HDP 3.0, there is support for KnoxSSO, which can be used to log in to ZeppelinUI.

Ref: https://zeppelin.apache.org/docs/0.8.0/setup/security/shiro_authentication.html#knox-sso

https://issues.apache.org/jira/browse/ZEPPELIN-3090

https://knox.apache.org/books/knox-0-13-0/dev-guide.html#KnoxSSO+Integration

HDP up to 2.6.5 does not support Zeppelin KnoxSSO integration.

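Added example, not part of the original thread and not Knox project code: a small audit-log check that separates successful anonymous requests to the UI roles named in the answer from anonymous successes on any other service, which are the ones worth investigating. The field names, the role set and every sample line except the first (taken from the question) are assumptions or constructed data.

```python
from collections import Counter

# Field order read off the audit line quoted in the question; the names are
# assumptions and other Knox versions may lay the line out differently.
HEAD = ("time", "parent_id", "request_id", "logger", "remote_ip", "service",
        "user", "proxy_user", "system_user", "action", "resource_type")

# Roles whose UIs the answer says handle their own login (assumed mapping of
# Ambari, Atlas and Zeppelin onto the topology's role names).
SELF_AUTH_UI_ROLES = {"AMBARIUI", "ATLAS", "ZEPPELINUI"}

def parse_audit_line(line):
    """Return a dict for one gateway audit line, or None if it does not fit."""
    parts = line.rstrip("\n").split("|", len(HEAD))
    if len(parts) != len(HEAD) + 1:
        return None
    tail = parts[-1].rsplit("|", 2)  # the resource itself may contain '|'
    if len(tail) != 3:
        return None
    rec = dict(zip(HEAD, (p.strip() for p in parts[:-1])))
    rec["resource"], rec["outcome"], rec["message"] = tail
    return rec if rec["logger"] == "audit" else None

def review_anonymous_access(lines, ui_roles=SELF_AUTH_UI_ROLES):
    """Split successful anonymous requests into expected UI hits and the rest."""
    expected, unexpected = Counter(), []
    for line in lines:
        rec = parse_audit_line(line)
        if not rec or rec["user"] != "anonymous" or rec["outcome"] != "success":
            continue
        if rec["service"] in ui_roles:
            expected[rec["service"]] += 1
        else:
            unexpected.append((rec["remote_ip"], rec["service"], rec["resource"]))
    return expected, unexpected

# First line is the one from the question; the rest are constructed samples.
SAMPLE = [
    "18/09/15 19:49:22 |||audit|172.17.159.226|ZEPPELINUI|anonymous|||access|uri|/gateway/default/zeppelin/extensions/MathZoom.js?V=2.7.0|success|Response status: 200",
    "18/09/15 19:50:01 |||audit|172.17.159.226|WEBHDFS|alice|||access|uri|/gateway/default/webhdfs/v1/tmp?op=LISTSTATUS|success|Response status: 200",
    "18/09/15 19:50:07 |||audit|172.17.159.230|WEBHDFS|anonymous|||access|uri|/gateway/default/webhdfs/v1/tmp?op=LISTSTATUS|success|Response status: 200",
    "18/09/15 19:50:09 |||audit|172.17.159.230|WEBHDFS|anonymous|||access|uri|/gateway/default/webhdfs/v1/tmp?op=LISTSTATUS|failure|Response status: 401",
]

if __name__ == "__main__":
    ui_hits, others = review_anonymous_access(SAMPLE)
    print("anonymous UI hits:", dict(ui_hits), "| to review:", others)
```

Pass `ui_roles` explicitly to match the roles actually proxied in your own topology.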