Member since
05-22-2019
08-02-2017
09:07 AM
We need another service entry with role "YARN" as well, with the same URL. Also, in the URL scheme, "hdc" is not the cluster name but the topology name.
07-24-2017
03:08 PM
2 Kudos
@Prasad T Please use the XML code below to create a topology file in the /etc/knox/conf/topologies directory, and replace YARN_HOSTNAME and YARN_PORT with the relevant values. If your newly created topology is named ui.xml, you can access the YARN UI using the web URL: https://KNOX_HOST:KNOX_PORT/gateway/ui/yarn/

    <topology>
      <gateway>
        <provider>
          <role>authentication</role>
          <name>Anonymous</name>
          <enabled>true</enabled>
        </provider>
        <provider>
          <role>identity-assertion</role>
          <name>Default</name>
          <enabled>false</enabled>
        </provider>
      </gateway>
      <service>
        <role>YARN</role>
        <url>http://<YARN_HOSTNAME>:<YARN_PORT></url>
      </service>
      <service>
        <role>YARNUI</role>
        <url>http://<YARN_HOSTNAME>:<YARN_PORT></url>
      </service>
    </topology>
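A defensive check for topologies shaped like the one in the post above, as an added example that is not part of the original post or of Knox itself: a Python script that parses a topology document and flags an Anonymous authentication provider, a disabled identity-assertion provider, a missing authorization provider, and `http://` service URLs. The sample host and port, the function name `audit_topology` and the check names are constructed; treating an enabled `federation` provider as an alternative to `authentication`, and expecting an `authorization` provider, are assumptions about how the deployment is meant to be protected.

```python
import xml.etree.ElementTree as ET

# Constructed sample: same structure as the topology posted above, with a
# made-up host and port standing in for YARN_HOSTNAME and YARN_PORT.
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider><role>authentication</role><name>Anonymous</name><enabled>true</enabled></provider>
    <provider><role>identity-assertion</role><name>Default</name><enabled>false</enabled></provider>
  </gateway>
  <service><role>YARN</role><url>http://yarn-rm.example.com:8088</url></service>
  <service><role>YARNUI</role><url>http://yarn-rm.example.com:8088</url></service>
</topology>"""


def audit_topology(xml_text):
    """Return (check_id, detail) findings for one Knox topology document."""
    root = ET.fromstring(xml_text)
    providers = {}
    for p in root.findall("./gateway/provider"):
        role = (p.findtext("role") or "").strip().lower()
        name = (p.findtext("name") or "").strip()
        enabled = (p.findtext("enabled") or "").strip().lower() == "true"
        providers.setdefault(role, []).append((name, enabled))

    def active(role):
        # Names of the enabled providers registered under this role.
        return [n for n, on in providers.get(role, []) if on]

    findings = []
    auth = active("authentication") + active("federation")  # assumption: either role authenticates
    if not auth:
        findings.append(("no-authentication", "no enabled authentication provider"))
    elif any(n.lower() == "anonymous" for n in auth):
        findings.append(("anonymous-auth", "gateway accepts unauthenticated requests"))
    if not active("identity-assertion"):
        findings.append(("identity-assertion-off", "no enabled identity-assertion provider"))
    if not active("authorization"):
        findings.append(("no-authorization", "no enabled authorization provider"))
    for svc in root.findall("./service"):
        role = (svc.findtext("role") or "").strip()
        for url in svc.findall("url"):
            target = (url.text or "").strip()
            if target.lower().startswith("http://"):
                findings.append(("cleartext-backend", f"{role} -> {target}"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_topology(SAMPLE_TOPOLOGY):
        print(f"{check}: {detail}")
```

Run against each file in the topologies directory, the findings list gives a quick inventory of which topologies expose a service without authentication in front of it.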
02-25-2017
06:24 PM
1 Kudo
This is a really nice feature to have, given the rising security concerns recently. Nicely illustrated.
02-22-2017
09:43 AM
1 Kudo
I think the problem is your hostname, which does not have an FQDN, e.g. somehost.abc.com. Try putting /etc/hosts entries with an FQDN for your "bigdata[0-9]" hosts.
KnoxSSO requires the host TLD to set cookies for that domain.
02-22-2017
08:52 AM
Can you provide the KnoxSSO topology from the Knox configuration? Also, try to authenticate using a user in Knox, as you are getting a 401.
02-01-2017
11:11 AM
1 Kudo
This may be happening because the SSL certificate generated has your VM hostname as the CN. I would suggest making a hostname-to-IP-address mapping entry in your remote machine's /etc/hosts file and accessing it using the hostname only.
Also, you can export the Knox certificate using the command below:

    $<JAVA_HOME>/bin/keytool -export -alias gateway-identity -rfc -file <cert.pem> -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks

and import the same on your remote host using the command below:

    $<JAVA_HOME>/bin/keytool -import -alias knoxsso -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -file <cert.pem>
01-30-2017
12:04 PM
1 Kudo
@J. D. Bacolod You can use Unix users by configuring the topology to use PAM-based authentication. Refer to http://knox.apache.org/books/knox-0-11-0/user-guide.html#PAM+based+Authentication
About Hive, the JDBC connection string is wrong. You don't have to specify the database name, i.e. microservice, with the Knox URL. Replace <PATH_TO_KNOX_KEYSTORE> with the location of gateway.jks on your Knox host and try something like the below:

    beeline --silent=true -u "jdbc:hive2://localhost:8443/;ssl=true;sslTrustStore=<PATH_TO_KNOX_KEYSTORE>/gateway.jks;trustStorePassword=knoxsecret;transportMode=http;httpPath=gateway/default/hive" -d org.apache.hive.jdbc.HiveDriver -n guest -p guest-password -e "show databases;"
01-30-2017
11:18 AM
1 Kudo
@J. D. Bacolod Congratulations!! The last command output means your Knox instance is working fine and is able to authenticate using the Knox Demo LDAP for authentication. You should even be able to execute the command below now and get output.

    curl -iku guest:guest-password -X GET 'https://localhost:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS'

If you are getting a 200 OK status code for the above as well, make a copy of "default.xml", name it "knox_sample.xml" and carry on with what you were doing. Just make sure the topology/XML file is pointing to the correct service endpoints.
01-30-2017
11:01 AM
@J. D. Bacolod
I have already given you the default credentials for the Knox Admin user in the previous curl command.
Can you please provide "default.xml", i.e. the default topology, which contains the configuration details of services and even Knox's Demo LDAP? Ideally it should be pointing to "ldap://<ldap_server_host>:33389".
01-30-2017
10:29 AM
This means the Demo LDAP is either not properly configured or not running. Can you post default.xml from the /etc/knox/conf/topologies directory? Also, knox_sample.xml shouldn't be empty; it should have all the service information.
Also, do run the command below and provide the output:

    ps aux | grep ldap