Member since
12-04-2017
1
Post
4
Kudos Received
0
Solutions
01-10-2018
11:47 AM
4 Kudos
Short description: This article describes how to enable Knox SSO authentication on Kerberos enabled Oozie UI
The goal is to provide a single authentication handler for redirecting to an external endpoint for acquiring a JWT (JSONWebToken) token to be used as a SSO representation of an authentication event.
The hadoop common JWTRedirectAuthenticationHandler can be used to add this support to component UIs. It is an extension of AltKerberosAuthenticationHandler, which require kerberos to be enabled on the HTTP endpoints in order to work. This means that UIs will use SSO for authentication, but at the same time REST APIs will still be using kerberos.
For authenticating REST APIs with Knox SSO as well, there is a filter based authentication provider in Knox.
SSL must be enabled on Oozie server to be able to use redirection.
Enable SSL on Oozie
Configuration in Ambari
Set the following properties at the Oozie config page:
oozie.authentication.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
oozie.authentication.authentication.provider.url=https://{KNOX_HOST}:8443/gateway/knoxsso/api/v1/websso
oozie.authentication.public.key.pem={knox_public_key)
optional: oozie.authentication.expected.jwt.audiences={audiences} (default: EMPTY; which means ALL)
optional: oozie.authentication.jwt.cookie={cookie_name} (default: hadoop-jwt)
How to export Knox public key
keytool -export -alias gateway-identity -rfc -file cert.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
Copy the content of cert.pem without header/footer, and add it to the public.key.pem property value.
References:
https://issues.apache.org/jira/browse/HADOOP-11717
https://svn.apache.org/repos/asf/knox/site/books/knox-0-9-0/knoxsso_integration.html
... View more
Labels: