Configuring user authentication using Knox SSO
To enable DAS to work with the HDP cluster SSO, configure the Knox settings as described here.
Note | |
---|---|
Follow these instructions only if you choose to configure secure clusters. |
You need to export the Knox certificate from the Knox gateway host. To find the Knox gateway host, go to Ambari > Services > Knox > CONFIGS > Knox Gateway hosts.
-
SSH in to the Knox gateway host with a
root
or aknoxuser
user. -
Export the Knox certificate by running the following command:
/usr/hdp/current/knox-server/bin/knoxcli.sh export-cert --type PEM
NoteIf you have already integrated Knox SSO earlier, then the gateway-identity.pem file would exist. Check whether the gateway-identity.pem file exists or not before running this command./usr/hdp/current/knox-server/data/security/keystores/gateway-identity.pem
If the export is successfully, the following message is displayed:Certificate gateway-identity has been successfully exported to: /usr/hdp/current/knox-server/data/security/keystores/gateway-identity.pem
Note the location where you save thegateway-identity.pem
file. - If not done already, specify KNOX_SSO in the user_authentication field under Ambari > Data Analytics Studio > Config.
-
Enable the Knox SSO topology settings. From the Ambari UI, go to Data Analytics Studio > Config > Advanced data_analytics_studio-security-site and make the following configuration changes:
- Specify KNOX_SSO in the user_authentication field.
-
Specify the Knox SSO URL in the knox_sso_url
field in the following format:
https:knox-host>:8443/gateway/knoxsso/api/v1/websso
- Copy the contents of the PEM file that you exported earlier in the knox_publickey field without the header and the footer.
-
Add the list of users in the admin_users field
who need admin access to DAS.
You can specify
*
(asterisk) in the admin_users field to make all users the admin users.You can also specify an admin group in the admin_groups field.NoteOnly admin users have access to all the queries. Non-admin users can access only their queries. - Click Save and click through the confirmation pop-ups.
- Restart DAS and any services that require restart by clicking Actions > Restart All Required.