Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Explorer

Team,

Below find cluster details.

HDP: 2.6.3

Ambari: 2.6

knoxSSO: Integrated with openldap

Issue:

Configured knox sso for atlas as per hortonworks doc. While opening UI for atlas is redirected to knoxsso for authentication and after enter the admin credential it does not redirecting back to atlas UI.

Same configuration working for Ranger with knoxSSO.

knox and Ranger installed on same host i.e. vijayhdp-1.novalocal

atlas installed on host vijayblue-1.novalocal.

knox gateway audit throws below messages.

18/02/13 12:12:26 ||b1f13de8-cc81-4603-b5d9-c0b09ecc6873|audit|10.20.6.215|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://10.20.14.122:21000/|unavailable|Request method: GET

18/02/13 12:12:26 ||b1f13de8-cc81-4603-b5d9-c0b09ecc6873|audit|10.20.6.215|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://10.20.14.122:21000/|success|Response status: 401

18/02/13 12:12:26 ||90debaef-174c-49be-bba9-1a53eb16969a|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http://10.20.14.122:21000/|unavailable|Request method: GET

18/02/13 12:12:26 ||90debaef-174c-49be-bba9-1a53eb16969a|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http://10.20.14.122:21000/|success|

18/02/13 12:12:26 ||90debaef-174c-49be-bba9-1a53eb16969a|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http://10.20.14.122:21000/|success|Response status: 200

18/02/13 12:12:26 ||678336e9-b059-4dac-ab3f-439aaede2960|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET

18/02/13 12:12:26 ||678336e9-b059-4dac-ab3f-439aaede2960|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|

18/02/13 12:12:26 ||ffbd7fc7-6ec5-415d-9edb-9f1da4fe4d8d|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET

18/02/13 12:12:26 ||ffbd7fc7-6ec5-415d-9edb-9f1da4fe4d8d|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success| 18/02/13 12:12:26 ||ffbd7fc7-6ec5-415d-9edb-9f1da4fe4d8d|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200

18/02/13 12:12:26 ||678336e9-b059-4dac-ab3f-439aaede2960|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200

18/02/13 12:12:31 ||6dab50ce-a19a-4a4d-bef2-4d9947a769d3|audit|10.20.6.215|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://10.20.14.122:21000/|unavailable|Request method: POST

Knox Gateway log shows below messages:

2018-02-13 12:12:31,522 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(691)) - Computed userDn: uid=admin,ou=People,dc=novalocal using dnTemplate for principal: admin 2018-02-13 12:12:31,533 WARN service.knoxsso (WebSSOResource.java:init(102)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure. 2018-02-13 12:12:31,535 INFO service.knoxsso (WebSSOResource.java:getCookieValue(318)) - Unable to find cookie with name: original-url 2018-02-13 12:12:31,540 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(292)) - JWT cookie successfully added. 2018-02-13 12:12:31,540 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(202)) - About to redirect to original URL: http://10.20.14.122:21000/

Kindly help me to fix the issue.

- Vijay Mishra

15 REPLIES 15

Re: knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Expert Contributor

@Vijay Mishra

You are trying to access Atlas with IP ie

(WebSSOResource.java:getAuthenticationToken(202)) - About to redirect to original URL: http://10.20.14.122:21000/


Please use FQDN URL, since the cookie drop by knoxSSO should be validated by Atlas Server, so the hadoop_JWT cookie needs to be in the same domain of Atlas and also use FQDN for the configuration where ever required.

Re: knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Explorer

@Nixon Rodrigues,

Cluster do not resolve using DNS, it only resolves using hosts file. Can not open atlas UI through FQDN.

Is there any way we can get this?

- Vijay Mishra

Re: knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Expert Contributor

@Vijay Mishra

it only resolves using hosts file,

adding entry of IP to fqdn in /etc/hosts, is one way, so that domain name can be resolved.

other way is to ask your network administrator to add entry in DNS server.

Hope you your problem is resolved, you can close the thread if it helped.

Re: knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Explorer

@Nixon Rodrigues

I have update hosts file on my laptop from where i was accessing UI;'s of atlas and now IP with hostname getting resolved. But still post authentication its not going to atlas UI. below log from knox gateway audit.

18/02/20 12:54:14 ||2d4dad1e-3a13-4156-9349-4031a7e59f0c|audit|10.20.6.215|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://vijayblue-1.novalocal:21000/|unavailable|Request method: POST 18/02/20 12:54:14 ||2d4dad1e-3a13-4156-9349-4031a7e59f0c|audit|10.20.6.215|KNOXSSO|admin|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://vijayblue-1.novalocal:21000/|success| 18/02/20 12:54:14 ||2d4dad1e-3a13-4156-9349-4031a7e59f0c|audit|10.20.6.215|KNOXSSO|admin|||authentication|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://vijayblue-1.novalocal:21000/|success|Groups: [] 18/02/20 12:54:14 ||2d4dad1e-3a13-4156-9349-4031a7e59f0c|audit|10.20.6.215|KNOXSSO|admin|||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://vijayblue-1.novalocal:21000/|success|Response status: 303 18/02/20 12:54:14 ||c5531943-b3c2-4a5c-8fd7-4b6c7b4e9299|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/redirecting.html?originalUrl=http://vijayblue-1.novalocal:21000/|unavailable|Request method: GET 18/02/20 12:54:14 ||c5531943-b3c2-4a5c-8fd7-4b6c7b4e9299|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/redirecting.html?originalUrl=http://vijayblue-1.novalocal:21000/|success| 18/02/20 12:54:14 ||c5531943-b3c2-4a5c-8fd7-4b6c7b4e9299|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/redirecting.html?originalUrl=http://vijayblue-1.novalocal:21000/|success|Response status: 200 18/02/20 12:54:14 ||00f7734e-8118-4bb7-b760-1846c0cc75ef|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET 18/02/20 12:54:14 ||00f7734e-8118-4bb7-b760-1846c0cc75ef|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success| 18/02/20 12:54:14 ||a180854c-c195-43bb-8842-286b58effd2d|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET 18/02/20 12:54:14 ||a180854c-c195-43bb-8842-286b58effd2d|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success| 18/02/20 12:54:14 ||a180854c-c195-43bb-8842-286b58effd2d|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200 18/02/20 12:54:14 ||00f7734e-8118-4bb7-b760-1846c0cc75ef|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200 18/02/20 12:54:14 ||9c0fe403-0195-4942-ad37-8527483b560c|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/loading.gif|unavailable|Request method: GET 18/02/20 12:54:14 ||9c0fe403-0195-4942-ad37-8527483b560c|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/images/loading.gif|success| 18/02/20 12:54:14 ||9c0fe403-0195-4942-ad37-8527483b560c|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/images/loading.gif|success|Response status: 200 18/02/20 12:54:14 ||e3f289dc-3296-4f97-8b33-a0e7037df41b|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/redirecting.jsp?originalUrl=http://vijayblue-1.novalocal:21000/|unavailable|Request method: GET 18/02/20 12:54:14 ||e3f289dc-3296-4f97-8b33-a0e7037df41b|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/redirecting.jsp?originalUrl=http://vijayblue-1.novalocal:21000/|success| 18/02/20 12:54:14 ||e3f289dc-3296-4f97-8b33-a0e7037df41b|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/redirecting.jsp?originalUrl=http://vijayblue-1.novalocal:21000/|success|Response status: 200 18/02/20 12:54:14 ||18824e09-0940-4068-953f-be82fd01385b|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/images/loading.gif|unavailable|Request method: GET 18/02/20 12:54:14 ||18824e09-0940-4068-953f-be82fd01385b|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/images/loading.gif|success| 18/02/20 12:54:14 ||18824e09-0940-4068-953f-be82fd01385b|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/images/loading.gif|success|Response status: 200 18/02/20 12:54:14 ||0ed28473-80ec-4430-b0b2-2dadaf4b3000|audit|10.20.6.215|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://vijayblue-1.novalocal:21000/|unavailable|Request method: GET 18/02/20 12:54:14 ||0ed28473-80ec-4430-b0b2-2dadaf4b3000|audit|10.20.6.215|KNOXSSO||||access|uri|/gateway/knoxsso/api/v1/websso?originalUrl=http://vijayblue-1.novalocal:21000/|success|Response status: 401 18/02/20 12:54:14 ||715f2cfe-bfad-4a89-9dc6-f82fa3928455|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http://vijayblue-1.novalocal:21000/|unavailable|Request method: GET 18/02/20 12:54:14 ||715f2cfe-bfad-4a89-9dc6-f82fa3928455|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http://vijayblue-1.novalocal:21000/|success| 18/02/20 12:54:14 ||715f2cfe-bfad-4a89-9dc6-f82fa3928455|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/login.html?originalUrl=http://vijayblue-1.novalocal:21000/|success|Response status: 200 18/02/20 12:54:14 ||d47ddca3-c780-48a1-a5c8-cd8bf06746e9|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|unavailable|Request method: GET 18/02/20 12:54:14 ||2f3236f6-b825-4272-97e9-033c3057e3ea|audit|10.20.6.215|knoxauth||||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|unavailable|Request method: GET 18/02/20 12:54:14 ||d47ddca3-c780-48a1-a5c8-cd8bf06746e9|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success| 18/02/20 12:54:14 ||2f3236f6-b825-4272-97e9-033c3057e3ea|audit|10.20.6.215|knoxauth|anonymous|||authentication|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success| 18/02/20 12:54:14 ||d47ddca3-c780-48a1-a5c8-cd8bf06746e9|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/styles/knox.css|success|Response status: 200 18/02/20 12:54:14 ||2f3236f6-b825-4272-97e9-033c3057e3ea|audit|10.20.6.215|knoxauth|anonymous|||access|uri|/gateway/knoxsso/knoxauth/styles/bootstrap.min.css|success|Response status: 200

- Vijay Mishra

Re: knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Expert Contributor

@Vijay Mishra

can you share the atlas-application.properties file from atlas conf

Re: knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Expert Contributor

@Vijay Mishra

can you share the atlas-application.properties file from atlas conf

Re: knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Explorer

@Nixon Rodrigues,

Kindly find attached file as asked.

- Vijay Mishra

Re: knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Explorer

Re: knoxsso for atlas doesnot redirecting back to Atlas UI post authentication

Explorer

@Nixon Rodrigues,

also attached knox sso xml file

- Vijay Mishraknoxsso.txt