
YARN through KNOX - Ldap integration

YARN through KNOX - Ldap integration

Hi guys,

I have successfully integrated the Ambari UI through KNOX. In addition, LDAP is also set up with Ambari, and users can log in with their LDAP credentials when accessing Ambari through the Knox gateway.

However, every time a user navigates to the quicklinks of a different UI and attempts to open a new UI (for example Yarn resource manager UI) an authentication popup jumps on screen asking for login credentials. The LDAP credentials the user just used to log into Ambari are no longer valid. Why is this?

Here is the topology config:

 <!-- Gateway topology as posted. The {{...}} placeholders are Ambari template variables
      filled in at deploy time; XXX.XXX.XXX.XXX hosts are redacted literal addresses. -->
 <topology>
            <gateway>
                <!-- Authentication provider: Shiro with a single LDAP realm. Every request to
                     every <service> below passes through this chain. -->
                <provider>
                    <role>authentication</role>
                    <name>ShiroProvider</name>
                    <enabled>true</enabled>
                    <param>
                        <!-- NOTE(review): units are not shown here; Knox documents sessionTimeout in minutes. Confirm. -->
                        <name>sessionTimeout</name>
                        <value>30</value>
                    </param>
                    <param>
                        <name>main.ldapRealm</name>
                        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                    </param>
                    <param>
                        <!-- {0} is replaced with the login name to build the bind DN. This DN suffix
                             (and port 33389 below) match the Knox demo LDAP defaults; presumably a
                             placeholder for the real directory. Confirm. -->
                        <name>main.ldapRealm.userDnTemplate</name>
                        <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
                    </param>
                    <param>
                        <!-- Plain ldap:// with the simple bind below sends the user's password to the
                             directory unencrypted; use ldaps:// (or StartTLS) outside a lab. -->
                        <name>main.ldapRealm.contextFactory.url</name>
                        <value>ldap://{{knox_host_name}}:33389</value>
                    </param>
                    <param>
                        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                        <value>simple</value>
                    </param>
                    <param>
                        <!-- HTTP Basic on every URL. Basic auth is negotiated per request and per
                             realm, so the browser prompts whenever it has no cached credentials for
                             this gateway; the Ambari login does not produce a session that the other
                             UIs reuse. This is consistent with the popup described in the question. -->
                        <name>urls./**</name>
                        <value>authcBasic</value>
                    </param>
                </provider>

                <!-- Identity assertion with no principal-mapping params configured here. -->
                <provider>
                    <role>identity-assertion</role>
                    <name>Default</name>
                    <enabled>true</enabled>
                </provider>
                <!-- AclsAuthz is enabled but no *.acl params are set in this snippet, so presumably
                     every authenticated user reaches every service. Confirm that is intended. -->
                <provider>
                    <role>authorization</role>
                    <name>AclsAuthz</name>
                    <enabled>true</enabled>
                </provider>
            </gateway>
            <!-- Backend service URLs. All HTTP endpoints are plain http. -->
            <service>
                <role>NAMENODE</role>
                <url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
            </service>
            <service>
                <role>JOBTRACKER</role>
                <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
            </service>
            <service>
                <role>WEBHDFS</role>
                {{webhdfs_service_urls}}
            </service>
            <service>
                <role>WEBHCAT</role>
                <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
            </service>
            <service>
                <role>OOZIE</role>
                <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
            </service>
            <service>
                <role>WEBHBASE</role>
                <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
            </service>
            <service>
                <role>HIVE</role>
                <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
            </service>
            <service>
                <role>RESOURCEMANAGER</role>
                <url>http://{{rm_host}}:{{rm_port}}/ws</url>
            </service>
            <service>
                <role>DRUID-COORDINATOR-UI</role>
                {{druid_coordinator_urls}}
            </service>
            <service>
                <role>DRUID-COORDINATOR</role>
                {{druid_coordinator_urls}}
            </service>
            <service>
                <role>DRUID-OVERLORD-UI</role>
                {{druid_overlord_urls}}
            </service>
            <service>
                <role>DRUID-OVERLORD</role>
                {{druid_overlord_urls}}
            </service>
            <service>
                <role>DRUID-ROUTER</role>
                {{druid_router_urls}}
            </service>
            <service>
                <role>DRUID-BROKER</role>
                {{druid_broker_urls}}
            </service>
            <service>
                <role>ZEPPELINUI</role>
                {{zeppelin_ui_urls}}
            </service>
            <service>
                <role>ZEPPELINWS</role>
                {{zeppelin_ws_urls}}
            </service>
           <!-- The following were added by hand (literal hosts, not templated). Each UI role and its
                API role point at the same backend URL. -->
           <service>
                <role>AMBARI</role>
                <url>http://XXX.XXX.XXX.XXX:8080</url>
           </service>
           <service>
                  <role>AMBARIUI</role>
                  <url>http://XXX.XXX.XXX.XXX:8080</url>
            </service>
            <service>
                   <role>HBASE</role>
                   <url>http://XXX.XXX.XXX.XXX:16010</url>
            </service>
            <service>
                   <role>HBASEUI</role>
                   <url>http://XXX.XXX.XXX.XXX:16010</url>
            </service>
  	    <service>
        	<role>YARN</role>
        	<url>http://XXX.XXX.XXX.XXX:8088</url>
    	   </service>
           <service>

        	<role>YARNUI</role>
        	<url>http://XXX.XXX.XXX.XXX:8088</url>
    	   </service>
       </topology>

Re: YARN through KNOX - Ldap integration

Cloudera Employee

Re: YARN through KNOX - Ldap integration

Hi @adash

Thanks for that. Before I try this solution, I noticed it says "Use the following steps to configure Knox SSO for Ranger" despite the title saying "Setting up Knox SSO for Ambari". Is Ranger required for this solution? I would prefer to implement SSO without Ranger, if possible.

Thanks,

LV

Re: YARN through KNOX - Ldap integration

Cloudera Employee

@LV The supported UIs for Knox WebSSO are Ambari, Ranger and Atlas. So if you are using Ranger or Atlas and want SSO authentication for those UIs, then those steps are required; otherwise they are not.

Re: YARN through KNOX - Ldap integration

Hi @adash, I enabled SSO and it works at redirecting any connections to the Knox login page, although it still doesn't accept LDAP logins. Are there any other configs I need to make?

This is the advanced knoxsso-topology config

      <!-- knoxsso topology as posted: KnoxSSO token service plus the knoxauth form-login application. -->
      <topology>
          <gateway>
              <!-- WebAppSec provider. xframe.options.enabled presumably emits an X-Frame-Options header
                   (clickjacking mitigation); confirm against the Knox docs for the installed version. -->
              <provider>
                  <role>webappsec</role>
                  <name>WebAppSec</name>
                  <enabled>true</enabled>
                  <param><name>xframe.options.enabled</name><value>true</value></param>
              </provider>


              <!-- Authentication: Shiro with an LDAP realm. Param order matters for Shiro: a bean
                   (main.ldapContextFactory) must be defined before it is referenced ($ldapContextFactory). -->
              <provider>
                  <role>authentication</role>
                  <name>ShiroProvider</name>
                  <enabled>true</enabled>
                  <param>
                      <!-- NOTE(review): units not shown; Knox documents sessionTimeout in minutes. Confirm. -->
                      <name>sessionTimeout</name>
                      <value>30</value>
                  </param>
                  <param>
                      <!-- Unauthenticated requests are sent to the knoxauth login form rather than
                           receiving a 401 challenge. -->
                      <name>redirectToUrl</name>
                      <value>/gateway/knoxsso/knoxauth/login.html</value>
                  </param>
                  <param>
                      <!-- Cookies/headers by these names are presumably withheld from the client response. Confirm. -->
                      <name>restrictedCookies</name>
                      <value>rememberme,WWW-Authenticate</value>
                  </param>
                  <param>
                      <name>main.ldapRealm</name>
                      <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                  </param>
                  <param>
                      <name>main.ldapContextFactory</name>
                      <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
                  </param>
                  <param>
                      <!-- $ldapContextFactory is a Shiro object reference to the bean defined just above. -->
                      <name>main.ldapRealm.contextFactory</name>
                      <value>$ldapContextFactory</value>
                  </param>
                  <param>
                      <!-- {0} is replaced with the login name. This DN suffix and port 33389 match the Knox
                           demo LDAP defaults; presumably a placeholder for the real directory. Confirm. -->
                      <name>main.ldapRealm.userDnTemplate</name>
                      <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
                  </param>
                  <param>
                      <!-- Plain ldap:// with the simple bind below sends the password to the directory
                           unencrypted; use ldaps:// (or StartTLS) outside a lab. -->
                      <name>main.ldapRealm.contextFactory.url</name>
                      <value>ldap://X.X.X.X:33389</value>
                  </param>    
                  <param>
                      <!-- No credential caching: every authentication performs a fresh LDAP bind. -->
                      <name>main.ldapRealm.authenticationCachingEnabled</name>
                      <value>false</value>
                  </param>
                  <param>
                      <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                      <value>simple</value>
                  </param>
                  <param>
                      <name>urls./**</name>
                      <value>authcBasic</value>
                  </param>
              </provider>


              <!-- Identity assertion with no principal-mapping params configured here. -->
              <provider>
                  <role>identity-assertion</role>
                  <name>Default</name>
                  <enabled>true</enabled>
              </provider>
          </gateway>


          <!-- The form-login page that redirectToUrl above points at. -->
          <application>
            <name>knoxauth</name>
          </application>


          <service>
              <role>KNOXSSO</role>
              <param>
                  <!-- false: the SSO cookie may be sent over plain http, where it can be observed on the
                       wire. Set to true once the gateway and the participating UIs are served over https. -->
                  <name>knoxsso.cookie.secure.only</name>
                  <value>false</value>
              </param>
              <param>
                  <!-- NOTE(review): Knox documents this TTL in milliseconds, which would make 30000 only
                       30 seconds. Confirm the units and the intended lifetime. -->
                  <name>knoxsso.token.ttl</name>
                  <value>30000</value>
              </param>
              <param>
                 <!-- Post-login redirect allow-list. As written it only matches loopback origins
                      (localhost, 127.0.0.1, IPv6 loopback) with a port, so a redirect back to a real
                      Ambari or YARN host would presumably be rejected. Extend it to the actual gateway
                      and UI hosts only; do not loosen it to arbitrary hosts (open-redirect risk). -->
                 <name>knoxsso.redirect.whitelist.regex</name>
                 <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
              </param>
          </service>


      </topology>