SAM Knox SSO HDP 3.1.0 and HDF 3.4.0 Doesn't Work

sweeks · ‎03-29-2019

Can someone point me to the documentation for Single Sign on Support in SAM. Can't find it mentioned anywhere and I can't get it working. I see in the streamline.log where it saw the hadoop-jwt cookie and extracted my username but every call in the ui just returns this error.

{"responseMessage":"Not authorized"}

Adding some debug logs I can see everything seems to have authenticated.

INFO   [2019-03-29 09:38:39.621] [dw-67] c.h.r.a.s.JWTAuthenticationHandler -  authentication request received...
INFO   [2019-03-29 09:38:39.621] [dw-67] c.h.r.a.s.JWTAuthenticationHandler -  hadoop-jwt cookie has been found and is being processed
DEBUG  [2019-03-29 09:38:39.621] [dw-67] c.h.r.a.s.JWTAuthenticationHandler -  JWT token is in a SIGNED state
DEBUG  [2019-03-29 09:38:39.621] [dw-67] c.h.r.a.s.JWTAuthenticationHandler -  JWT token signature is not null
DEBUG  [2019-03-29 09:38:39.626] [dw-67] c.h.r.a.s.JWTAuthenticationHandler -  JWT token has been successfully verified
DEBUG  [2019-03-29 09:38:39.626] [dw-67] c.h.r.a.s.JWTAuthenticationHandler -  JWT token expiration date has been successfully validated
INFO   [2019-03-29 09:38:39.626] [dw-67] c.h.r.a.s.JWTAuthenticationHandler -  USERNAME: sweeks
DEBUG  [2019-03-29 09:38:39.626] [dw-67] c.h.r.a.s.JWTAuthenticationHandler -  Issuing AuthenticationToken for user.
DEBUG  [2019-03-29 09:38:39.626] [dw-67] c.h.r.a.s.AuthenticationFilter -  Request [http://hdp31-df1.dev.example.com:7777/api/v1/config/streamline] user [sweeks] authenticated
DEBUG  [2019-03-29 09:38:39.630] [dw-67 - GET /api/v1/config/streamline] c.h.s.s.s.a.StreamlineKerberosRequestFilter -  Method: GET, AuthType: jwt, RemoteUser: sweeks, UserPrincipal: u=sweeks&p=sweeks&t=jwt&e=1553870349626, Scheme: http

sweeks · ‎03-29-2019

So it turns out the patch for this hasn't been merged into HDF 3.4.0 yet and despite Ambari enabling SSO for SAM it's broken. See https://github.com/hortonworks/streamline/issues/1330