Knox allowing anonymous users

Expert Contributor

I set up Knox to use LDAP:

[r00t@clu-s6 ~]$ sudo /usr/hdp/current/knox-server/bin/knoxcli.sh user-auth-test --cluster default --u [user] --p [password] --d
LDAP authentication successful!

But it's still letting anonymous users in:

18/09/15 19:49:22 |||audit|172.17.159.226|ZEPPELINUI|anonymous|||access|uri|/gateway/default/zeppelin/extensions/MathZoom.js?V=2.7.0|success|Response status: 200

How do I get Knox to allow only authenticated users? I must have missed something simple.

Advanced topology:

<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=People,dc=cloud,dc=res,dc=bngf,dc=local</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.systemUsername</name>
                <value>cn=ldapadm,dc=cloud,dc=res,dc=bngf,dc=local</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.systemPassword</name>
                <value>********</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://fqdn.host.com:389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>

        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>

        <provider>
            <role>authorization</role>
            <name>XASecurePDPKnox</name>
            <enabled>true</enabled>
        </provider>
    </gateway>

    <service>
        <role>NAMENODE</role>
        <url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
    </service>

    <service>
        <role>ATLAS</role>
        <url>http://{{ambari_server_hostname}}:8080</url>
    </service>

    <service>
        <role>RANGER</role>
        <url>http://this.host.com:6080</url>
    </service>

    <service>
        <role>RANGERUI</role>
        <url>http://clu-hgm3:6080</url>
    </service>

    <service>
        <role>AMBARI</role>
        <url>http://{{ambari_server_hostname}}:8080</url>
    </service>

    <service>
        <role>AMBARIUI</role>
        <url>http://{{ambari_server_hostname}}:8080</url>
    </service>

    <service>
        <role>JOBTRACKER</role>
        <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
    </service>

    <service>
        <role>WEBHDFS</role>
        {{webhdfs_service_urls}}
    </service>

    <service>
        <role>WEBHCAT</role>
        <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
    </service>

    <service>
        <role>OOZIE</role>
        <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
    </service>

    <service>
        <role>WEBHBASE</role>
        <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
    </service>

    <service>
        <role>HIVE</role>
        <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
    </service>

    <service>
        <role>RESOURCEMANAGER</role>
        <url>http://{{rm_host}}:{{rm_port}}/ws</url>
    </service>

    <service>
        <role>DRUID-COORDINATOR-UI</role>
        {{druid_coordinator_urls}}
    </service>

    <service>
        <role>DRUID-COORDINATOR</role>
        {{druid_coordinator_urls}}
    </service>

    <service>
        <role>DRUID-OVERLORD-UI</role>
        {{druid_overlord_urls}}
    </service>

    <service>
        <role>DRUID-OVERLORD</role>
        {{druid_overlord_urls}}
    </service>

    <service>
        <role>DRUID-ROUTER</role>
        {{druid_router_urls}}
    </service>

    <service>
        <role>DRUID-BROKER</role>
        {{druid_broker_urls}}
    </service>

    <service>
        <role>ZEPPELINUI</role>
        {{zeppelin_ui_urls}}
    </service>

    <service>
        <role>ZEPPELINWS</role>
        {{zeppelin_ws_urls}}
    </service>
</topology>

Re: Knox allowing anonymous users

Contributor

@Matt Andruff Accessing Ambari, Atlas, and Zeppelin would give anonymous access to their UIs, and authentication is managed by each of those components individually by default, meaning a user can access the UIs through Knox and will have to provide the logins configured for them.

With Zeppelin 0.8 onwards, which comes with HDP 3.0, there is support for KnoxSSO, which can be used to log in to the Zeppelin UI.

Ref: https://zeppelin.apache.org/docs/0.8.0/setup/security/shiro_authentication.html#knox-sso

https://issues.apache.org/jira/browse/ZEPPELIN-3090

https://knox.apache.org/books/knox-0-13-0/dev-guide.html#KnoxSSO+Integration

Up to HDP 2.6.5, Zeppelin KnoxSSO integration is not supported.
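The audit line in the question (user "anonymous", outcome "success" for ZEPPELINUI) is the evidence that a proxied UI was reached without an identity asserted by the gateway. The following script, an added example that is not code from this thread or from the Knox project, parses Knox gateway audit lines in that pipe-delimited shape and reports which topology services are receiving successful anonymous requests, so an operator can tell which UIs are relying on their own login (as the answer describes for Ambari, Atlas and Zeppelin) rather than on the gateway's authentication provider. The field layout is inferred from the posted line; the sample lines are constructed for the example.

```python
"""Flag successful anonymous access in Apache Knox gateway audit logs.

Added example for this thread, not code from the thread or from the Knox
project. The field layout is inferred from the audit line posted in the
question (pipe-delimited): timestamp | root request id | parent request id |
"audit" | remote ip | target service | user | proxy user | system user |
action | resource type | resource | outcome | message.
"""
from collections import Counter
from typing import Dict, List, Optional

FIELDS = (
    "timestamp", "root_request_id", "parent_request_id", "kind", "remote_ip",
    "service", "user", "proxy_user", "system_user", "action", "resource_type",
    "resource", "outcome", "message",
)

# Constructed sample lines in the same shape as the one posted in the question.
# Only the first two are successful anonymous hits; the rest are an
# authenticated user, a rejected anonymous call, an intermediate audit
# record, and a malformed line.
SAMPLE_AUDIT_LINES = [
    "18/09/15 19:49:22 |||audit|172.17.159.226|ZEPPELINUI|anonymous|||access|uri|/gateway/default/zeppelin/extensions/MathZoom.js?V=2.7.0|success|Response status: 200",
    "18/09/15 19:49:23 |||audit|172.17.159.226|AMBARIUI|anonymous|||access|uri|/gateway/default/ambari/|success|Response status: 200",
    "18/09/15 19:50:01 |||audit|172.17.159.230|WEBHDFS|alice|||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 200",
    "18/09/15 19:50:05 |||audit|172.17.159.231|WEBHDFS|anonymous|||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|failure|Response status: 401",
    "18/09/15 19:50:06 |||audit|172.17.159.231|WEBHDFS|anonymous|||authentication|uri|/gateway/default/webhdfs/v1/|unavailable|Request method: GET",
    "not an audit line at all",
]


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pipe-delimited Knox audit line into named fields.

    Returns None for lines that do not carry the expected 14 fields or are
    not 'audit' records, so malformed input is skipped rather than misread.
    """
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < len(FIELDS):
        return None
    # The trailing message may itself contain '|'; fold any extra pieces back
    # into it so the fixed-position fields before it stay aligned.
    parts = parts[: len(FIELDS) - 1] + ["|".join(parts[len(FIELDS) - 1 :])]
    record = dict(zip(FIELDS, parts))
    if record["kind"] != "audit":
        return None
    return record


def find_anonymous_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return audit records where an unauthenticated caller reached a service.

    A hit is an 'access' action by user 'anonymous' with outcome 'success':
    the request was proxied without the gateway asserting an identity.
    Failures (401) and intermediate 'unavailable' records are not hits.
    """
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if (rec["user"] == "anonymous"
                and rec["action"] == "access"
                and rec["outcome"] == "success"):
            hits.append(rec)
    return hits


def anonymous_hits_by_service(lines: List[str]) -> Counter:
    """Count successful anonymous requests per Knox service role."""
    return Counter(rec["service"] for rec in find_anonymous_access(lines))


if __name__ == "__main__":
    # Replace SAMPLE_AUDIT_LINES with the contents of gateway-audit.log to run
    # this against a real gateway.
    for svc, n in sorted(anonymous_hits_by_service(SAMPLE_AUDIT_LINES).items()):
        print(f"{svc}: {n} successful anonymous request(s)")
```

Services that show up in this report while the topology has `urls./**` set to `authcBasic` are the ones whose login is happening at the backend UI rather than at the gateway, which is the situation the answer describes; feeding the gateway's audit log through it is a quick way to confirm which roles that applies to before deciding whether KnoxSSO is an option for them.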
