Data Analytics Studio Installation
Also available as:
PDF

Configuring Knox SSO for HA clusters

In a High Availability set up, the load balancer distributes the incoming requests to multiple Knox instances.

Note
Note
Follow these instructions only if you choose to configure secure clusters.

The format of the Knox SSO URL is as follows: https://<address>/gateway/knoxsso/api/v1/websso

where, the address is the host:port of the load balancer pointing to the Knox instance. You can obtain the value of the load balancer’s host and port from the following parameter: hadoop.http.authentication.authentication.provider.url.

However, if you are unable to locate the URL, then contact the one who set up Knox in HA mode for you.

You need to obtain the Knox certificate (also known as the knox_publickey) from the Knox gateway host.

  1. SSH in to the Knox gateway host with a root or a knoxuser user.
  2. Obtain the Knox certificate by running the following commands, depending on whether you have set the gateway.signing.keystore.name parameter under the Knox configurations:
    1. If you have set the gateway.signing.keystore.name parameter, go to the Knox data folder and run the following command:
      keytool -exportcert -alias <gateway.signing.key.alias> -keypass <knox-secret> -keystore security/keystores/<gateway.signing.keystore.name> -storepass <knox-secret> -rfc
      where,
      • gateway.signing.keystore.name is typically a filename with .jks extension. For example, knoxidentity.jks.

      • The keypass and storepass are the Knox secret passwords that you specified while creating the .jks file. For example, knoxsecret.

      • The value of gateway.signing.key.alias can be obtained from Knox Config in Ambari or in the /etc/knox/conf/gateway-site.xml file. For example, knoxidentity.

    2. If you have not set the gateway.signing.keystore.name parameter, extract the certificate from the gateway.jks file by running the following command:
      /usr/hdp/current/knox-server/bin/knoxcli.sh export-cert --type PEM
      Note
      Note

      The gateway.jks file is automatically created when Knox is started for the first time. If you have already integrated Knox SSO earlier, then the gateway-identity.pem file would exist. Check whether the gateway-identity.pem file exists or not before running this command.

      The certificate is extracted from the gateway.jks file and is stored in a file called gateway-identity.pem located under the /var/lib/knox/data-<version>-<build-no>/security/keystores/ directory.

  3. Enable the Knox SSO topology settings. From the Ambari UI, go to Data Analytics Studio > Config > Advanced data_analytics_studio-security-site and make the following configuration changes:
    1. Specify KNOX_SSO in the user_authentication field.
    2. Add the list of users in the admin_users field who need admin access to DAS.
      You can specify * (asterisk) in the admin_users field to make all users the admin users.
      Note
      Note
      Only admin users have access to all the queries. Non-admin users can access only their queries.
    3. Specify the Knox SSO URL in the knox_sso_url field in the following format:
      https://<host:port_of_load_balancer>/gateway/knoxsso/api/v1/websso
    4. Copy the contents of the Knox certificate file that you extracted earlier in the knox_publickey field without the header and the footer.
    5. Click Save and click through the confirmation pop-ups.
    6. Restart DAS and any services that require restart by clicking Actions > Restart All Required.