Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.
mtdeguzis
Explorer

Using Knox SSO with Shiro PAM realm, Ranger not wo...

by Explorer in Support Questions
‎03-22-2019 08:16 PM
‎03-22-2019 08:16 PM
We use the following topologies right now in HDP 3, shown below. I understand there is authentication and authorization. Prior to using PAM, we used LDAP configurations. Then we ran into... KnoxLdapContextFactory.java (HW had us try identity assertion, null pointer issue hit) KnoxLdapRealm.java (ldap - too many entries, fails, we only get the 'cdisadmin' group as it's in the first page or results, and the code for this does NOT properly page) KnoxPamRealm.java (works, but requires reworking PAM/sssd,). PAM works it seems, but even if I put my own username in the top level Knox policy to deny access, nothing is denied when I access Knox SSO webui's. I don't understand what part of the authorization process is not communicating. In our view, when you pass the PAM authentication stage, you just get access, when what we REALLY want to happen, is Ranger then says yes or no to you getting authorized. PAM module: #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so #auth       substack     system-auth ############################################### # Imported from: /etc/pam.d/password-auth ############################################### auth        required      pam_env.so auth        sufficient    pam_unix.so nullok try_first_pass auth        sufficient    pam_ldap.so minimum_uid=1000 use_first_pass auth        requisite     pam_succeed_if.so uid >= 1000 quiet #auth        sufficient    pam_sss.so use_first_pass auth        required      pam_deny.so account     required      pam_unix.so broken_shadow account     sufficient    pam_ldap.so minimum_uid=1000 account     sufficient    pam_localuser.so account     sufficient    pam_succeed_if.so uid < 1000 quiet account     [default=bad success=ok user_unknown=ignore] pam_sss.so account     required      pam_permit.so password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok password    sufficient    pam_ldap.so minimum_uid=1000 try_first_pass #password    sufficient    pam_sss.so use_authtok password    required      pam_deny.so session     optional      pam_keyinit.so revoke session     required      pam_limits.so session     optional      pam_mkhomedir.so umask=0077 -session    optional      pam_systemd.so session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session     required      pam_unix.so session     optional      pam_ldap.so minimum_uid=1000 #session     optional      pam_sss.so knoxsso topology <topology>   <gateway>     <provider>       <role>identity-assertion</role>       <name>Default</name>       <enabled>true</enabled>     </provider>     <provider>       <role>webappsec</role>       <name>WebAppSec</name>       <enabled>true</enabled>       <param>         <name>xframe.options.enabled</name>         <value>true</value>       </param>     </provider>      <provider>       <role>authentication</role>       <name>ShiroProvider</name>       <enabled>true</enabled>       <param>         <name>sessionTimeout</name>         <value>30</value>       </param>       <param>         <name>redirectToUrl</name>         <value>/gateway/knoxsso/knoxauth/login.html</value>       </param>       <param>               <name>restrictedCookies</name>         <value>rememberme,WWW-Authenticate</value>       </param>       <param>         <name>main.pamRealm</name>         <value>org.apache.knox.gateway.shirorealm.KnoxPamRealm</value>       </param>       <param>         <name>main.pamRealm.service</name>         <value>knoxsso</value>        </param>       <param>         <name>urls./**</name>         <value>authcBasic</value>       </param>     </provider>     <provider>        <role>authorization</role>        <name>AclsAuthz</name>        <enabled>true</enabled>      </provider>    </gateway>   <application>     <name>knoxauth</name>   </application>   <service>     <role>KNOXSSO</role>     <param>       <name>knoxsso.cookie.secure.only</name>       <value>true</value>     </param>     <param>       <name>knoxsso.token.ttl</name>       <value>900000</value>     </param>     <param>       <name>knoxsso.redirect.whitelist.regex</name>       <value>^https?:\/\/(.*\.DOMAIN\.COM|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>     </param>   </service> </topology> default topology: <topology>   <gateway>     <provider>       <role>identity-assertion</role>       <name>Default</name>       <enabled>true</enabled>     </provider>     <provider>       <role>authentication</role>       <name>ShiroProvider</name>       <enabled>true</enabled>       <param>         <name>sessionTimeout</name>         <value>30</value>       </param>       <param>         <name>main.pamRealm</name>         <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>       </param>       <param>         <name>main.pamRealm.service</name>         <value>knoxsso</value> </param>       <param>         <name>urls./**</name>         <value>authcBasic</value>       </param>      </provider>      <provider>        <role>authorization</role>        <name>XASecurePDPKnox</name>        <enabled>true</enabled>      </provider>    </gateway>    <service>      <role>AVATICA</role>      <url>http://HOST.DOMAIN.COM:8765</url>    </service>    <service>      <role>DRUID-COORDINATOR-UI</role>      {{druid_coordinator_urls}}    </service>    <service>      <role>DRUID-COORDINATOR</role>      {{druid_coordinator_urls}}    </service>    <service>      <role>DRUID-OVERLORD-UI</role>      {{druid_overlord_urls}}    </service>    <service>      <role>DRUID-OVERLORD</role>      {{druid_overlord_urls}}    </service>    <service>      <role>DRUID-ROUTER</role>      {{druid_router_urls}}    </service>    <service>      <role>DRUID-BROKER</role>      {{druid_broker_urls}}    </service>    <service>      <role>HBASEUI</role>      <url>http://HOST.DOMAIN.COM:16010</url>    </service>    <service>      <role>HDFSUI</role>      <version>2.7.0</version>      <url>http://HOST.DOMAIN.COM:50070/</url>    </service>    <service>      <role>HIVE</role>      <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>    </service>    <service>      <role>JOBTRACKER</role>      <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>    </service>    <service>      <role>JOBHISTORYUI</role>      <url>http://HOST.DOMAIN.COM:19888</url>    </service>    <service>      <role>NAMENODE</role>      <url>{{namenode_address}}</url>    </service>    <service>      <role>OOZIE</role>      <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>    </service>    <service>      <role>OOZIEUI</role>      <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie/</url>    </service>    <service>      <role>RANGERUI</role>      <url>http://HOST.DOMAIN.COM:6080</url>    </service>    <service>      <role>RESOURCEMANAGER</role>      <url>http://{{rm_host}}:{{rm_port}}/ws</url>    </service>    <service>      <role>SPARKHISTORYUI</role>      <url>http://HOST.DOMAIN.COM:18081</url>    </service>    <service>      <role>WEBHDFS</role>      {{webhdfs_service_urls}}    </service>    <service>      <role>WEBHCAT</role>      <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>    </service>    <service>      <role>WEBHBASE</role>      <url>http://{{hbase_master_host}}:60080</url>    </service>    <service>      <role>YARNUI</role>      <url>http://HOST.DOMAIN.COM:8088</url>    </service>    <service>      <role>YARNUIV2</role>      <url>http://HOST.DOMAIN.COM:8088</url>    </service>    <service>      <role>ZEPPELINUI</role>      {{zeppelin_ui_urls}}    </service>    <service>      <role>ZEPPELINWS</role>      {{zeppelin_ws_urls}}    </service> </topology> This is all I noticed in gateway.log when testing these scenarios: [mtdeguzis@HOST: knox]$ tailf gateway.log | grep -iE 'mtdeguzis|yarn' 2019-03-22 15:49:07,094 INFO knox.gateway (KnoxPamRealm.java:doGetAuthorizationInfo(126)) - Computed roles/groups: [udaoptst3, udaops, HOST-login, mtdeguzis, cdisadmin] for principal: mtdeguzis 2019-03-22 15:49:07,405 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(240)) - About to redirect to original URL: https://HOST.domain.com:8443/gateway/knoxsso-webuis/yarnuiv2 2019-03-22 15:49:07,972 ERROR knox.gateway (UrlRewriteProcessor.java:rewrite(166)) - Failed to rewrite URL: HTTP_ONLY, direction: OUT via rule: YARNUIV2/yarnuiv2/outbound/timeline, status: FAILURE 2019-03-22 15:49:07,973 ERROR knox.gateway (JsonFilterReader.java:filterStreamValue(547)) - Failed to filter value HTTP_ONLY, rule YARNUIV2/yarnuiv2/outbound/timeline: java.lang.NullPointerException 2019-03-22 15:49:08,013 ERROR knox.gateway (UrlRewriteProcessor.java:rewrite(166)) - Failed to rewrite URL: kerberos, direction: OUT via rule: YARNUIV2/yarnuiv2/outbound/timeline, status: FAILURE 2019-03-22 15:49:08,013 ERROR knox.gateway (JsonFilterReader.java:filterStreamValue(547)) - Failed to filter value kerberos, rule YARNUIV2/yarnuiv2/outbound/timeline: java.lang.NullPointerException ... View more
Labels:

Re: Question on HDFS Rebalance

by Explorer in Support Questions
‎01-28-2019 08:41 PM
‎01-28-2019 08:41 PM
I also noticed you can monitor the "need to move" message for the remaining space to be balanced. This can go up or down depending on how busy the cluster is: cat /tmp/hdfs_rebalancer.log | grep "Need to move" | tail -n 10 19/01/28 12:23:02 INFO balancer.Balancer: Need to move 11.11 TB to make the cluster balanced. 19/01/28 12:43:48 INFO balancer.Balancer: Need to move 11.10 TB to make the cluster balanced. 19/01/28 13:04:38 INFO balancer.Balancer: Need to move 10.89 TB to make the cluster balanced. 19/01/28 13:25:23 INFO balancer.Balancer: Need to move 10.83 TB to make the cluster balanced. 19/01/28 13:45:59 INFO balancer.Balancer: Need to move 10.83 TB to make the cluster balanced. 19/01/28 14:06:30 INFO balancer.Balancer: Need to move 10.78 TB to make the cluster balanced. 19/01/28 14:27:14 INFO balancer.Balancer: Need to move 10.73 TB to make the cluster balanced. 19/01/28 14:47:53 INFO balancer.Balancer: Need to move 10.70 TB to make the cluster balanced. 19/01/28 15:08:42 INFO balancer.Balancer: Need to move 10.66 TB to make the cluster balanced. 19/01/28 15:29:23 INFO balancer.Balancer: Need to move 10.75 TB to make the cluster balanced. ... View more

Re: Connecting to HiveServer2 Interactive / LLAP u...

by Explorer in Support Questions
‎09-10-2018 12:12 PM
‎09-10-2018 12:12 PM
We do not yet use this in production due to other items, but I'd suspect your krb.conf should be validated before going further. That is a pretty simple kerberos message. ... View more

Re: How to export all HDP configuration files (xml...

by Explorer in Support Questions
‎05-07-2018 01:55 PM
‎05-07-2018 01:55 PM
Another good one for those looking for properties. You can then write known files here via JSON dictionary > XML if needed. Making API connection to: https://host.port/api/v1/clusters/cluster_name/configurations/service_config_versions?is_current=true ... View more

Re: rest api to fetch server configs

by Explorer in Support Questions
‎04-26-2018 09:14 PM
‎04-26-2018 09:14 PM
Related: https://community.hortonworks.com/questions/33234/how-to-export-all-hdp-configuration-files-xmlprope.html?childToView=189139#answer-189139 Trying to get HIVE_SERVER as well 😕 ... View more

Re: How to export all HDP configuration files (xml...

by Explorer in Support Questions
‎04-26-2018 08:50 PM
‎04-26-2018 08:50 PM
I was able to get the client config via tarball with python requests: TARBALL_URL = AMBARI_URI + ":" + AMBARI_PORT + "/api/v1/clusters/" + CLUSTER_NAME + '/components?format=client_config_tar' However as others have stated, this is a limited set. I also need the ranger configs like ranger-hive-security.xml. I have been looking at the Ranger API and webpages that describe developing Ranger plugins, as obviously, when something in Hive etc. needs to talk to Ranger, it has to be aware of this config, and this is available under the hive conf.server folder on a give hiveserver2 host: $ sudo ls /usr/hdp/current/hive-client/conf/conf.server/ hadoop-metrics2-hiveserver2.properties hive-env.sh.template hiveserver2-site.xml ranger-hive-audit.xml ranger-security.xml hive-default.xml.template hive-exec-log4j.properties hive-site.xml ranger-hive-security.xml zkmigrator_jaas.conf hive-env.sh hive-log4j.properties mapred-site.xml ranger-policymgr-ssl.xml I need essentially this set from conf.server (Working on a Hive sidecar instance). I do not* want to pull these from a server via rsync or use cp, as it needs to be portable for my purposes. Related: https://community.hortonworks.com/questions/135415/rest-api-to-fetch-server-configs.html ... View more

Re: Download Client Configs

by Explorer in Community Articles
‎04-25-2018 09:58 PM
‎04-25-2018 09:58 PM
How can one download other configs, such as ranger-security.xml ? Do you need to use other APIs to get these files? ... View more

WebHDFS Download / Copy to local from HDFS to loca...

by Explorer in Support Questions
‎11-13-2017 12:11 PM
‎11-13-2017 12:11 PM
Hi, I've implemented a Python wrapper around the webhdfs api (via Knox) for end users to script operations outside the cluster. The one core operation missing I'd like to add is "hadoop fs -copyToLocal'. It seems that only open is supported and possible operations to direct the buffter to a file is possible. Is there any way to copy an HDFS file to a local path using webhdfs? ... View more
Labels:

Re: distcp update difference between two snapshot ...

by Explorer in Support Questions
‎09-11-2017 05:08 PM
‎09-11-2017 05:08 PM
Hmm... so it does* appear you need to provide just* the filename for S1 and S2. interesting ... View more

Re: distcp update difference between two snapshot ...

by Explorer in Support Questions
‎09-11-2017 04:56 PM
‎09-11-2017 04:56 PM
I have the same issue when trying to compute the diff. hadoop distcp -diff s1 s2 -update /data/a /data/a_target /data/a_target is on another cluster. s1 (yesterdays snap) and s2 (todays snap) on the first cluster location are side by side of course. I wonder if the diff needs to the snapshot filename only, and not the absolute path. ... View more
Contact Me
Online
Offline
Last Visited
‎12-03-2019 08:00 AM
Public Statistics
Date Registered ‎01-12-2017 08:41 PM
Last Visited ‎12-03-2019 08:00 AM
Total Messages Posted 59
Total Kudos Received 1