
Knox perimeter


New Contributor

Is there a way to position a server behind the Knox perimeter such that authentication via Knox is not required for requests to YARN, Name Node and HDFS from that server?

3 REPLIES

Re: Knox perimeter

@Ben Weiss Is your intention to expose those services and/or UIs (RM, NN, WebHDFS) outside the cluster without requiring authentication? But you still want Knox to require authentication for other REST interfaces (WebHCat, WebHBase, etc)?

Re: Knox perimeter

New Contributor

@Alex Miller - Intent is to keep all those services behind Knox so that they require authentication for anyone requesting. Except for one application on the server that would bypass Knox. People using this application would authenticate via that application using LDAP/secure impersonation, and maintain Hadoop cluster security integrity. Maybe a better way to phrase what I am asking is "Can one configure Knox to allow a particular server to bypass Knox authentication?" This server would be doing its own authentication equivalent to that of Knox.

Re: Knox perimeter

Depending on the special-case application, using the Knox federation provider might be an option. You could use two (or more) Knox topologies: one for LDAP authentication; another for federation.

If the special-case application doesn't need to go through Knox, then you could run it in parallel on the gateway node (or an edge node) and allow it direct access to the cluster.
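Added example, not part of the thread and not Knox project code: a pre-deployment check for the federation topology suggested above, assuming it uses Knox's HeaderPreAuth provider, that confirms the trusted identity header is accepted only from the application server's address. The sample topology, the address 192.0.2.10 and the function name `audit_preauth` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a second Knox topology for the special-case application.
# The address and header name are placeholders, not values from the thread.
FEDERATION_TOPOLOGY = """
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>HeaderPreAuth</name>
      <enabled>true</enabled>
      <param><name>preauth.validation.method</name><value>preauth.ip.validation</value></param>
      <param><name>preauth.ip.addresses</name><value>192.0.2.10</value></param>
      <param><name>preauth.custom.header</name><value>SM_USER</value></param>
    </provider>
  </gateway>
</topology>
"""

def _text(node, tag):
    """Direct-child text of `tag`, stripped; empty string when absent."""
    return (node.findtext(tag) or "").strip()

def audit_preauth(topology_xml, trusted_hosts):
    """Return findings for enabled HeaderPreAuth providers in one topology."""
    findings = []
    for prov in ET.fromstring(topology_xml).iter("provider"):
        if _text(prov, "name") != "HeaderPreAuth":
            continue
        if _text(prov, "enabled").lower() != "true":
            continue
        params = {_text(p, "name"): _text(p, "value") for p in prov.findall("param")}
        methods = [m.strip() for m in params.get("preauth.validation.method", "").split(",")]
        if "preauth.ip.validation" not in methods:
            # Without IP validation the header is trusted from any source address.
            findings.append("no IP validation on identity header")
            continue
        allowed = [a.strip() for a in params.get("preauth.ip.addresses", "").split(",")]
        allowed = [a for a in allowed if a]
        if not allowed:
            findings.append("preauth.ip.addresses is empty")
        for addr in allowed:
            if "*" in addr:
                findings.append(f"wildcard address {addr}")
            elif addr not in trusted_hosts:
                findings.append(f"unexpected address {addr}")
    return findings
```

An empty result for `audit_preauth(FEDERATION_TOPOLOGY, {"192.0.2.10"})` means the only host allowed to assert identities through this topology is the one application server.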
