It is technically possible to have more than one authentication provider in a given topology but the result is unlikely to be what is expected. The first reason might be that all but one of them is enabled=false so that there is in effect only one. The other possibility is that a given custom service in a topology requires a specific authentication provider implementation. In this case the first enabled authentication provider in the topology would be the default and the custom service would identify a specific authentication provide by role and name in its service.xml file. ... View more

and /var/log/knox/gateway.out if it isn't empty while you are collecting things. ... View more

@Sushil Kumar < If the answers below don't address your questions can you be more specific? For the "This command bin/gateway.sh must not be run as root." issue you should either not be logged in as root or you should execute the command as a different user via sudo (e.g. su -l knox -c "bin/gateway.sh start") For the "integration with open Apache Hadoop" you just need to modify the topology files (e.g. conf/topologies/sandbox.xml) to match the network locations for your installation. ... View more

Sorry it took me a while to response here but I was putting together a working sample. The first important point is that I think people tend to overestimate the complexity of dealing with the REST APIs, especially WebHDFS. The point of having REST APIs after all is supposed to be very thin clients. I played with a few different Java HTTP client libraries and to my surprise the venerable Java HttpsUrlConnection resulted in the cleanest examples. The Apache HttpClient is certainly an option and might be warranted in more complex situations. IMPORTANT: Before you continue however please note that these examples are setup to circumvent both SSL hostname and certificate validation. This is not acceptable in production but often helps in samples to make sure they don't become a barrier to success. I'll show the heart of the solution below but the full answer can be found here: https://github.com/kminder/knox-webhdfs-client-examples. Specifically here: https://github.com/kminder/knox-webhdfs-client-examples/blob/master/src/test/java/net/minder/KnoxWebHdfsJavaClientExamplesTest.java Now for the code. The first is an example of the simplest of operations: GETHOMEDIRECTORY. @Test public void getHomeDirExample() throws Exception { HttpsURLConnection connection; InputStream input; JsonNode json; connection = createHttpUrlConnection( WEBHDFS_URL + "?op=GETHOMEDIRECTORY" ); input = connection.getInputStream(); json = MAPPER.readTree( input ); input.close(); connection.disconnect(); assertThat( json.get( "Path" ).asText(), is( "/user/"+TEST_USERNAME ) ); } Next a more complicated sample that writes and reads a file to HDFS via the CREATE and OPEN operations. @Test public void putGetFileExample() throws Exception { HttpsURLConnection connection; String redirect; InputStream input; OutputStream output; String data = UUID.randomUUID().toString(); connection = createHttpUrlConnection( WEBHDFS_URL + "/tmp/" + data + "/?op=CREATE" ); connection.setRequestMethod( "PUT" ); assertThat( connection.getResponseCode(), is(307) ); redirect = connection.getHeaderField( "Location" ); connection.disconnect(); connection = createHttpUrlConnection( redirect ); connection.setRequestMethod( "PUT" ); connection.setDoOutput( true ); output = connection.getOutputStream(); IOUtils.write( data.getBytes(), output ); output.close(); connection.disconnect(); assertThat( connection.getResponseCode(), is(201) ); connection = createHttpUrlConnection( WEBHDFS_URL + "/tmp/" + data + "/?op=OPEN" ); assertThat( connection.getResponseCode(), is(307) ); redirect = connection.getHeaderField( "Location" ); connection.disconnect(); connection = createHttpUrlConnection( redirect ); input = connection.getInputStream(); assertThat( IOUtils.toString( input ), is( data ) ); input.close(); connection.disconnect(); } Now of course you have probably noticed that all of the "magic" is hidden in that createHttpUrlConnection method. Not really magic at all but this is where the "un-securing" of SSL happens. This also takes care of setting up HTTP BasicAuth for authentication and disables redirects which should be done when using the WebHDFS REST APIs. private HttpsURLConnection createHttpUrlConnection( URL url ) throws Exception { HttpsURLConnection conn = (HttpsURLConnection)url.openConnection(); conn.setHostnameVerifier( new TrustAllHosts() ); conn.setSSLSocketFactory( TrustAllCerts.createInsecureSslContext().getSocketFactory() ); conn.setInstanceFollowRedirects( false ); String credentials = TEST_USERNAME + ":" + TEST_PASSWORD; conn.setRequestProperty( "Authorization", "Basic " + DatatypeConverter.printBase64Binary(credentials.getBytes() ) ); return conn; } private HttpsURLConnection createHttpUrlConnection( String url ) throws Exception { return createHttpUrlConnection( new URL( url ) ); } ... View more

I didn't understand that beeline was working via Knox already. A few questions then: What application is making the HS2 call via Knox? Is the application using JDBC or ODBC drivers and what version? What does your JDBC connect string look like (without real hostname or passwords of course)? ... View more

Looks like you are missing hadoop.proxyuser.knox.groups=users hadoop.proxyuser.knox.hosts=* Also note that you should probably not have hadoop.proxyuser.guest.groups=users hadoop.proxyuser.guest.hosts=* as this is essentially saying that the 'guest' user is allowed to impersonate anyone in the 'users' group. Beyond that you need to ensure that your user 'adpqa' is in group 'users'. ... View more

The potentially confusing process of adding a partition to Apache Directory Studio is the reason we decided to include the pre-populated Demo LDAP server with Knox instead of just instructions for using ADS. To do this in ADS you need to switch to the "Servers" tab in the lower right and click on Local. Then in the Partitions view on the left press "Add..." and provide the Suffix: value for example dc=custom,dc=sample,dc=com. Set ID: to something unique. Then you should be able to add subentries to that partition and you would no longer use the Knox Demo LDAP server. Keep in mind that the port is typically 10389 instead of the 33389 used by the Knox Demo LDAP. See the "General" view tab when the Local server is selected for details. You can import a LDIF using the File>Import menu item. Select LDAP Browser>DIF into LDAP. Browse for your LDIF file and Import into Local. Make sure you check "Overwrite existing log..." if you have to repeat the process. One confusing part here is that there needs to be an entry in your LDIF file for the Suffix: entered above. For example if you are trying to import the users.ldif that comes with Knox the Suffix: you would use is dc=hadoop,dc=apache,dc=org because this is the root object in that users.ldif. ... View more

Have you read the "Configuring SSL Verification" section (pg 19) of the Hortonworks Hive ODBC Driver with SQL Connector User Guide. At a minimum you will need to "Enable SSL" and "Allow Self-signed Server Certificate". You may possibly require "Allow Common Name Host Name Mismatch" if you have DNS setup issues at your site. I'm not totally sure if you need a PEM file if you are using Self-signed certs. Try the above first. http://hortonworks.com/wp-content/uploads/2015/10/Hortonworks-Hive-ODBC-Driver-User-Guide.pdf ... View more

I was able to set this up using Authentication Method: Simple Authentication Bind DN or user: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org This of course assumes you haven't changed the users.ldif file. I'm guessing you are trying to use your real domain but haven't updated the user.ldif file to reflect that. For reference here is the entry for the admin user in the default demo users.ldif file. dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org objectclass:top objectclass:person objectclass:organizationalPerson objectclass:inetOrgPerson cn: Admin sn: Admin uid: admin userPassword:xxxxxxxxxxxxxx ... View more

Any chance you can capture/provide the gateway.log file content from the period of time during which this occurred? ... View more

A primary benefit of using Knox is that it insulates the clients from needing to be aware of Kerberos. However, if the HDP cluster is configured with Kerberos then Knox will need to be configured to interact with the cluster securely via Kerberos with the cluster. The clients however will be unaffected. ... View more

Unfortunately HDP 2.2 was not certified with jdk1.8 and Knox 0.5.0.2.2 in particular has an issue with a keystore API change in jdk 1.8 that prevents it from starting. The only solution is to either upgrade HDP or downgrade the jdk. ... View more

By default Knox has special behavior for Hadoop services that use the Hadoop Auth module. https://hadoop.apache.org/docs/stable/hadoop-auth/... So yes it adds the user.name query parameter by default. I'm curios as to why {$username} isn't working for you though. What version of Knox are you using? ... View more

@Christopher Lewis < This looks like progress. I'm guessing the Demo LDAP server isn't running on your VM. ... View more

If you've installed Knox via Ambari the topology name used is default instead of sandbox so try this command. curl -iku guest:guest-password -X GET 'https://localhost:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS' ... View more

Can you share what you have either via github or pasted here? ... View more

I also recently created a blog related to this. http://kminder.github.io/knox/2015/11/16/adding-a-service-to-knox.html ... View more

We would certainly recommend the use of Knox's extensibility models to cover any components without coverage before we get there ourselves. There have been several developed in the community already such as Falcon that we don't yet officially support. The same goes for UI coverage where the community has added coverage for things like the HDFS and YARN UIs among others. The Knox Developer's Guide is a great resource that the community has used to help them jump start these efforts. Of course looking at the implementation of the existing integrations is a great place to start as well. ... View more

Just to add context to this correct answer, the password required here to access the gateway.jks keystore is the password provided as the Knox master secret in Ambari when Knox was installed. The Ambari install scripts for Knox use the described knoxcli.sh create-master command "under the covers". ... View more