Created on 02-22-2017 03:01 AM - edited 08-19-2019 03:45 AM
Hi all:
I configured Knox SSO for Ambari using this doc, https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/setting_up_knox_sso_for..., but when I submit the login page, it redirects to the Ambari login page and then redirects back again.
Here is the ambari-server.log:
User(null), RemoteIp(192.168.XX.XX), Operation(User login), Roles( ), Status(Failed), Reason(Authentication required).
and the Knox gateway.log:
ed310ab8-e377-4781-adfb-27f94d472e90|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fbigdata%3A8080%2F%23%2Flogin?redirected=true|success|Response status: 401
Created 02-22-2017 09:43 AM
I think the problem is your hostname, which does not have an FQDN, e.g. somehost.abc.com. Try putting /etc/hosts entries with FQDNs for your "bigdata[0-9]" hosts. KnoxSSO requires a host TLD to set cookies for that domain.
Created 02-22-2017 08:52 AM
Can you provide the KnoxSSO topology from the Knox configuration? Also try to authenticate using a user in Knox, as you are getting a 401.
Created 02-22-2017 09:27 AM
<topology>
  <gateway>
    <provider>
      <role>webappsec</role>
      <name>WebAppSec</name>
      <enabled>true</enabled>
      <param><name>xframe.options.enabled</name><value>true</value></param>
    </provider>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>sessionTimeout</name><value>30</value></param>
      <param><name>redirectToUrl</name><value>/gateway/knoxsso/knoxauth/login.html</value></param>
      <param><name>restrictedCookies</name><value>rememberme,WWW-Authenticate</value></param>
      <param><name>main.ldapRealm</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
      <param><name>main.ldapContextFactory</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value></param>
      <param><name>main.ldapRealm.contextFactory</name><value>$ldapContextFactory</value></param>
      <param><name>main.ldapRealm.userDnTemplate</name><value>uid={0},ou=people,dc=VENUS,dc=COM</value></param>
      <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://bigdata7:389</value></param>
      <param><name>main.ldapRealm.authenticationCachingEnabled</name><value>false</value></param>
      <param><name>main.ldapRealm.contextFactory.authenticationMechanism</name><value>simple</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <application>
    <name>knoxauth</name>
  </application>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
    <param><name>knoxsso.token.ttl</name><value>30000</value></param>
    <param><name>knoxsso.redirect.whitelist.regex</name><value>^https?:\/\/(bigdata[0-9]|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value></param>
  </service>
</topology>
This is my Knox SSO topology, and my Knox and Ambari server are not on the same machine.
Created 02-22-2017 09:31 AM
Ambari and Knox SSO use the same user, and Knox uses LDAP.
Created 03-20-2017 09:35 AM
I have met the same problem, but I don't know how to set up my own domain.
Maybe you have solved this problem; if you have any suggestions, it would be kind of you to share them.
Thanks!
Created 02-22-2017 09:03 AM
Can you provide the complete logs to debug further?
Created 02-22-2017 09:29 AM
17/02/22 17:46:07 ||f67516cd-e553-43c8-9666-4dfd95b63a3c|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://bigdata6:8080/|unavailable|Request method: POST
17/02/22 17:46:07 ||f67516cd-e553-43c8-9666-4dfd95b63a3c|audit|KNOXSSO|venus|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://bigdata6:8080/|success|
17/02/22 17:46:07 ||f67516cd-e553-43c8-9666-4dfd95b63a3c|audit|KNOXSSO|venus|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://bigdata6:8080/|success|Groups: []
17/02/22 17:46:07 ||f67516cd-e553-43c8-9666-4dfd95b63a3c|audit|KNOXSSO|venus|||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://bigdata6:8080/|success|Response status: 303
17/02/22 17:46:07 ||cc006ac5-1b98-4d20-bbdd-03a30f26fda4|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/redirecting.html?originalUrl=http://bigdata6:8080/|unavailable|Request method: GET
17/02/22 17:46:07 ||cc006ac5-1b98-4d20-bbdd-03a30f26fda4|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/redirecting.html?originalUrl=http://bigdata6:8080/|success|Response status: 200
17/02/22 17:46:07 ||2f023049-55b3-4bd9-879d-2430bde60f1f|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET
17/02/22 17:46:07 ||2f023049-55b3-4bd9-879d-2430bde60f1f|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200
17/02/22 17:46:07 ||a0848c4b-637b-4699-8cec-efc85f425f6f|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET
17/02/22 17:46:07 ||a0848c4b-637b-4699-8cec-efc85f425f6f|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200
17/02/22 17:46:07 ||cd5a3a24-5332-45c2-80b6-edbb8298cd07|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/loading.gif|unavailable|Request method: GET
17/02/22 17:46:07 ||cd5a3a24-5332-45c2-80b6-edbb8298cd07|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/loading.gif|success|Response status: 200
17/02/22 17:46:08 ||ded2eb86-5184-4c17-bfe2-ca557ae16fac|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fbigdata6%3A8080%2F%23%2Flogin?redirected=true|unavailable|Request method: GET
17/02/22 17:46:08 ||ded2eb86-5184-4c17-bfe2-ca557ae16fac|audit|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fbigdata6%3A8080%2F%23%2Flogin?redirected=true|success|Response status: 401
17/02/22 17:46:08 ||6eb6e25a-4321-4c69-a7f5-aa7ea15ceb57|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http%3A%2F%2Fbigdata6%3A8080%2F%23%2Flogin?redirected=true|unavailable|Request method: GET
17/02/22 17:46:08 ||6eb6e25a-4321-4c69-a7f5-aa7ea15ceb57|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http%3A%2F%2Fbigdata6%3A8080%2F%23%2Flogin?redirected=true|success|Response status: 200
17/02/22 17:46:08 ||6e3bca36-1991-40bc-9587-fe35c3ecc61d|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET
17/02/22 17:46:08 ||f355e30a-2159-42b9-8659-043dc3ef9496|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET
17/02/22 17:46:08 ||f355e30a-2159-42b9-8659-043dc3ef9496|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200
17/02/22 17:46:08 ||6e3bca36-1991-40bc-9587-fe35c3ecc61d|audit|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200
This is the log from one visit.
Created 02-23-2017 02:18 AM
Yes, thank you. The Knox host and the Ambari host should have the same domain suffix. I've solved this.
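The FQDN point from the accepted answer, worked through as an added example that is not part of the original thread and is not Knox's or Ambari's own code. It models two host-name checks that decide whether the loop above happens: whether the cookie Knox sets after a successful login is scoped so the browser will present it to the Ambari host (RFC 6265 domain matching), and whether Ambari's originalUrl still passes the redirect whitelist from the posted topology once the hosts get a domain suffix. The cookie-domain derivation is a simplified assumption rather than Knox source, the suffix venus.com is constructed from the LDAP base DN in the posted topology, and FQDN_WHITELIST is a hypothetical amended regex, not anything from the page.

```python
"""Simulate the host-name checks behind a KnoxSSO -> Ambari redirect loop.
Added example, not from the original thread or from Knox/Ambari code."""
import ipaddress
import re
from urllib.parse import urlparse

# Regex copied verbatim from the knoxsso.redirect.whitelist.regex in the thread.
POSTED_WHITELIST = r"^https?:\/\/(bigdata[0-9]|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"
# Hypothetical amended regex (assumption) that also accepts the FQDN form of the same hosts.
FQDN_WHITELIST = r"^https?:\/\/(bigdata[0-9](\.venus\.com)?|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"


def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def cookie_domain(knox_host):
    """Simplified model (assumption, not Knox source) of the SSO cookie's Domain
    attribute: drop the first label of the Knox host name and use the rest, but
    only if the rest still contains a dot, so the cookie is never scoped to a
    bare TLD. A dotless host or an IP address yields None (host-only cookie)."""
    host = knox_host.lower()
    if _is_ip(host) or "." not in host:
        return None
    rest = host.split(".", 1)[1]
    return rest if "." in rest else None


def domain_matches(request_host, domain):
    """RFC 6265 section 5.1.3: host equals the domain, or is a dotted
    subdomain of it and is not an IP address literal."""
    host = request_host.lower()
    if host == domain:
        return True
    return (not _is_ip(host)) and host.endswith("." + domain)


def cookie_reaches(knox_host, ambari_host):
    """Will the browser send the Knox-issued cookie to the Ambari host?"""
    domain = cookie_domain(knox_host)
    if domain is None:
        # Host-only cookie: only returned to the exact host that set it.
        return knox_host.lower() == ambari_host.lower()
    return domain_matches(ambari_host, domain)


def whitelisted(original_url, regex):
    """Does originalUrl pass knoxsso.redirect.whitelist.regex?"""
    return re.match(regex, original_url) is not None


def check(knox_url, ambari_url, regex=POSTED_WHITELIST):
    k, a = urlparse(knox_url), urlparse(ambari_url)
    return {
        "cookie_domain": cookie_domain(k.hostname),
        "cookie_reaches_ambari": cookie_reaches(k.hostname, a.hostname),
        "redirect_whitelisted": whitelisted(ambari_url, regex),
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: short host names on two machines,
    # then the same hosts with a domain suffix.
    print(check("https://bigdata7:8443", "http://bigdata6:8080/"))
    print(check("https://bigdata7.venus.com:8443", "http://bigdata6.venus.com:8080/"))
    print(check("https://bigdata7.venus.com:8443", "http://bigdata6.venus.com:8080/", FQDN_WHITELIST))
```

With the short names the whitelist passes but the cookie is host-only, so Ambari never sees it and bounces the browser back to Knox, which is the loop in the logs. With FQDNs the cookie reaches Ambari, but the posted regex now rejects the originalUrl because it expects the host label to be followed directly by a colon, so the whitelist has to be widened at the same time as the hosts are renamed. The posted topology also sets knoxsso.cookie.secure.only to false, which is what allows the cookie to travel over the plain-http Ambari URL in the logs.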