		01-10-2018
	
		
		11:47 AM
	
	
	
	
	
	
	
	
	
	
	
	
	
	
		
	
				
		
			
					
	
	Short description: This article describes how to enable Knox SSO authentication on the Oozie UI when Kerberos is enabled.
 
 
	The goal is to provide a single authentication handler that redirects to an external endpoint to acquire a JWT (JSON Web Token), which is used as an SSO representation of an authentication event.
 
 
	The Hadoop Common JWTRedirectAuthenticationHandler can be used to add this support to component UIs. It is an extension of AltKerberosAuthenticationHandler, which requires Kerberos to be enabled on the HTTP endpoints in order to work. This means that UIs will use SSO for authentication, while REST APIs will still use Kerberos.
 
 
	To authenticate REST APIs with Knox SSO as well, there is a filter-based authentication provider in Knox.
 
 
	SSL must be enabled on the Oozie server to be able to use redirection. 
	Enable SSL on Oozie
 
 Configuration in Ambari 
 
	Set the following properties at the Oozie config page:
 
 
 
 
	 oozie.authentication.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler 
 
 
	 oozie.authentication.authentication.provider.url=https://{KNOX_HOST}:8443/gateway/knoxsso/api/v1/websso 
 
 
	 oozie.authentication.public.key.pem={knox_public_key} 
 
 
	 optional: oozie.authentication.expected.jwt.audiences={audiences}  (default: EMPTY; which means ALL)
 
 
	 optional: oozie.authentication.jwt.cookie={cookie_name}   (default: hadoop-jwt)
 
 
 
 
 
 How to export Knox public key 
 
keytool -export -alias gateway-identity -rfc -file cert.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
 
 
	 Copy the content of cert.pem without the header/footer lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and add it to the oozie.authentication.public.key.pem property value. 
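The copy step above can be scripted so that the header/footer, line breaks and stray carriage returns never reach the property value. This is an added example, not part of the original article: the function name pem_to_property_value and the sample certificate body are assumptions (the body is constructed placeholder text, not a real Knox certificate).

```shell
#!/bin/sh
# Added example: turn a `keytool -export -rfc` PEM file into the one-line
# value for oozie.authentication.public.key.pem.

# pem_to_property_value FILE  (hypothetical helper name)
#   Prints the base64 body with BEGIN/END lines, CRs and line breaks removed.
#   Fails if FILE does not hold exactly one certificate or the body is not base64.
#   The body runs in a subshell, so `exit` only leaves the function.
pem_to_property_value() (
  file=$1
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file") || true
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$file") || true
  if [ "$begins" != 1 ] || [ "$ends" != 1 ]; then
    echo "expected exactly one certificate in $file" >&2
    exit 1
  fi
  # Keep only the lines between the markers, then strip CR, LF, spaces and tabs.
  body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{/-----/!p;}' "$file" \
         | tr -d '\r\n \t')
  case $body in
    ''|*[!A-Za-z0-9+/=]*)
      echo "certificate body is empty or not base64" >&2
      exit 1 ;;
  esac
  printf '%s\n' "$body"
)

# Constructed sample input: placeholder base64 text with CRLF line endings,
# standing in for the cert.pem produced by the keytool command above.
sample_pem=$(mktemp)
printf '%s\r\n' \
  '-----BEGIN CERTIFICATE-----' \
  'Q09OU1RSVUNURUQtU0FNUExF' \
  'Tk9ULUEtUkVBTC1DRVJU' \
  '-----END CERTIFICATE-----' > "$sample_pem"

# Emit the property line in the form used on the Oozie config page.
printf 'oozie.authentication.public.key.pem=%s\n' \
  "$(pem_to_property_value "$sample_pem")"
```

Run it against the real cert.pem by calling pem_to_property_value cert.pem; a file containing a certificate chain is rejected rather than silently concatenated.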
 
 
 
 
 
 
	References:
 
 
	https://issues.apache.org/jira/browse/HADOOP-11717
 
 
	https://svn.apache.org/repos/asf/knox/site/books/knox-0-9-0/knoxsso_integration.html
 
 
 
						
					