I figured something like haproxy or nginx would work. Preferably looking for an example config, or if anyone has extended Knox with a custom provider then even better. ... View more

I was mistakenly using the HDP 2.3.0 Sandbox, which uses Ambari 2.1.0. Your advice worked perfectly in the latest version. Thanks! ... View more

Ambari attempts to determine whether the demo LDAP server supports paged results, which it does not, so it responds with UNAVAILABLE_CRITICAL_EXTENSION. The demo LDAP server in Knox 0.6.0 (HDP 2.3.0) is based on ApacheDS 2.0.0-M15. Support for paged results was added in version 2.0.0-M13 (DIRSERVER-434), so I'm not sure why this wouldn't work. It's unlikely to be solved by configuration though. ... View more

Here's a complete guide, thanks to @Paul Codding's advice to disable pagination. Requires HDP Sandbox 2.3.2 or later (Ambari 2.1.1+) 1. In Ambari, start the demo LDAP server (Knox gateway is not required): Knox > Service Actions > Start Demo LDAP 2. Follow the Ambari Security Guide to enable LDAP (press Enter for blank values)... [root@sandbox ~]# ambari-server setup-ldap Using python /usr/bin/python2.6 Setting up LDAP properties... Primary URL* {host:port} : sandbox.hortonworks.com:33389 Secondary URL {host:port} : Use SSL* [true/false] (false): false User object class* (posixAccount): person User name attribute* (uid): uid Group object class* (posixGroup): groupofnames Group name attribute* (cn): cn Group member attribute* (memberUid): member Distinguished name attribute* (dn): dn Base DN* : dc=hadoop,dc=apache,dc=org Referral method [follow/ignore] : Bind anonymously* [true/false] (false): false Manager DN* : uid=guest,ou=people,dc=hadoop,dc=apache,dc=org Enter Manager Password* : guest-password Re-enter password: guest-password ==================== Review Settings ==================== authentication.ldap.managerDn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org authentication.ldap.managerPassword: ***** Save settings [y/n] (y)? y Saving...done Ambari Server 'setup-ldap' completed successfully. 3. Configure Ambari to disable pagination, and restart Ambari Server: [root@sandbox ~]# echo "authentication.ldap.pagination.enabled=false" >> /etc/ambari-server/conf/ambari.properties [root@sandbox ~]# ambari-server restart 4. When Ambari startup completes, the objects in /etc/knox/conf/users.ldif are available in Ambari. Here’s a quick reference: admin / admin-password guest / guest-password sam / sam-password tom / tom-password Note: LDAP accounts with the same names as local accounts will replace the local accounts. The admin password will now be 'admin-password' instead of 'admin' 5. To customize the demo LDAP directory: In Ambari: Knox > Service Actions > Stop Demo LDAP Edit /etc/knox/conf/users.ldif Start the LDAP server manually (Ambari will overwrite users.ldif) nohup su - knox -c 'java -jar /usr/hdp/current/knox-server/bin/ldap.jar /usr/hdp/current/knox-server/conf' & Synchronize LDAP Users & Groups (see console output below)... [root@sandbox ~]# ambari-server sync-ldap --all Using python /usr/bin/python2.6 Syncing with LDAP... Enter Ambari Admin login: admin Enter Ambari Admin password: admin-password Syncing all... Completed LDAP Sync. Summary: memberships: removed = 0 created = 2 users: updated = 0 removed = 1 created = 3 groups: updated = 2 removed = 0 created = 0 Ambari Server 'sync-ldap' completed successfully. ... View more

Unfortunately config groups are only applicable when the HS2 instances are on different hosts. ... View more

You can manually startup the second HS2 instance and use --hiveconf to override some of the properties from the standard config. ... View more