In a High Availability (HA) setup, the load balancer distributes incoming requests across multiple Knox instances.
Note: Follow these instructions only if you are configuring secure clusters.
The Knox SSO URL has the following format:
https://<address>/gateway/knoxsso/api/v1/websso
where <address> is the host:port of the load balancer that fronts the Knox instances. In an HA setup use the load balancer address here, not the address of an individual Knox gateway host, so that the URL remains valid when one instance is unavailable.
You can obtain the load balancer's host and port from the following parameter:
hadoop.http.authentication.authentication.provider.url
If you cannot locate the URL, contact the administrator who set up Knox in HA mode.
You need to obtain the Knox certificate (referred to as knox_publickey in the DAS configuration) from the Knox gateway host. This certificate must correspond to the key that Knox actually uses to sign SSO tokens; if you export a different certificate, DAS cannot validate the tokens it receives.
- SSH in to the Knox gateway host as root or as the Knox service user.
- Obtain the Knox certificate by running one of the following commands, depending on whether the gateway.signing.keystore.name parameter is set in the Knox configuration:
  - If gateway.signing.keystore.name is set, go to the Knox data folder (the /var/lib/knox/data-<version>-<build-no>/ directory) and run the following command:
    keytool -exportcert -alias <gateway.signing.key.alias> -keypass <knox-secret> -keystore security/keystores/<gateway.signing.keystore.name> -storepass <knox-secret> -rfc
    The -rfc option prints the certificate in PEM (Base64) form, which is the form the later steps expect.
    where:
    - gateway.signing.keystore.name is typically a filename with the .jks extension, for example knoxidentity.jks.
    - keypass and storepass are the Knox secret passwords that you specified when creating the .jks file, for example knoxsecret.
    - The value of gateway.signing.key.alias can be obtained from the Knox configuration in Ambari or from the /etc/knox/conf/gateway-site.xml file, for example knoxidentity.
  - If gateway.signing.keystore.name is not set, Knox signs with the key in its default gateway.jks keystore. Extract the certificate from gateway.jks by running the following command:
    /usr/hdp/current/knox-server/bin/knoxcli.sh export-cert --type PEM
    Note: The gateway.jks file is created automatically when Knox starts for the first time. The command extracts the certificate from gateway.jks and stores it in a file called gateway-identity.pem in the /var/lib/knox/data-<version>-<build-no>/security/keystores/ directory. If you integrated Knox SSO earlier, gateway-identity.pem already exists; check for it before running the command.
- Enable the Knox SSO topology settings. From the Ambari UI, open the DAS configuration and make the following changes:
  - Specify KNOX_SSO in the user_authentication field.
  - In the admin_users field, add the list of users who need admin access to DAS. You can specify * (asterisk) in the admin_users field to make all users admin users. You can also specify an admin group in the admin_groups field.
    Note: Only admin users have access to all the queries. Non-admin users can access only their own queries. Treat * as a last resort, because it lets every authenticated user see every other user's queries.
  - Specify the Knox SSO URL in the knox_sso_url field in the following format:
    https://<host:port_of_load_balancer>/gateway/knoxsso/api/v1/websso
  - Paste the contents of the certificate file that you extracted earlier into the knox_publickey field, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Only the Base64 body between those two lines belongs in the field.
  - Click Save and click through the confirmation pop-ups.
- Restart DAS and any other services that Ambari marks as requiring a restart.
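The certificate extraction and the knox_publickey paste step above, as an added shell example that is not part of the DAS or Knox documentation: a POSIX sh function that takes the PEM file produced by keytool -rfc or knoxcli.sh export-cert (or reads it from stdin when given - as the argument) and prints the single-line Base64 value to paste into knox_publickey. It refuses input that contains a private key, more than one certificate block, or a body that is not valid Base64, which are the three most common paste mistakes. The function name knox_publickey_from_pem, the error messages, and the sample PEM at the end (a constructed DER SEQUENCE, not a real certificate) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the DAS or Knox documentation.
# knox_publickey_from_pem: print the Base64 body of a single X.509 certificate
# from a PEM file (or stdin when the argument is "-") on one line, which is the
# form the DAS knox_publickey field expects. Refuses private keys, chains with
# more than one certificate, and bodies that are not valid Base64.
#
# Usage on the gateway host (paths as documented above):
#   knox_publickey_from_pem /var/lib/knox/data-<version>-<build-no>/security/keystores/gateway-identity.pem
#   keytool -exportcert -alias knoxidentity -keystore security/keystores/knoxidentity.jks \
#       -storepass knoxsecret -rfc | knox_publickey_from_pem -

knox_publickey_from_pem() {
    pem_file="$1"
    if [ "$pem_file" != "-" ] && [ ! -r "$pem_file" ]; then
        echo "knox_publickey_from_pem: cannot read '$pem_file'" >&2
        return 1
    fi
    # Normalise line endings so the marker lines still match if the file
    # passed through a Windows host on its way to the gateway.
    pem=$(cat "$pem_file" | tr -d '\r')

    # A private key must never be pasted into knox_publickey.
    if printf '%s\n' "$pem" | grep -q 'PRIVATE KEY'; then
        echo "knox_publickey_from_pem: input contains a private key; export the certificate instead" >&2
        return 1
    fi

    # Exactly one certificate block: an empty file or a chain is the wrong input.
    begins=$(printf '%s\n' "$pem" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(printf '%s\n' "$pem" | grep -c '^-----END CERTIFICATE-----$' || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "knox_publickey_from_pem: expected exactly one CERTIFICATE block, found $begins BEGIN / $ends END" >&2
        return 1
    fi

    # Keep the lines between the markers, drop the markers, join into one line.
    body=$(printf '%s\n' "$pem" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | sed '1d;$d' \
        | tr -d '\n ')

    # The body must be non-empty standard Base64 whose length is a multiple
    # of four; anything else means the copy was truncated or edited.
    if [ -z "$body" ] \
        || ! printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
        || [ $(( ${#body} % 4 )) -ne 0 ]; then
        echo "knox_publickey_from_pem: certificate body is not valid Base64" >&2
        return 1
    fi
    printf '%s\n' "$body"
}

# Stand-alone demonstration on a constructed PEM. The body decodes to the DER
# SEQUENCE 30 03 02 01 05, not a real certificate; for real use run the
# function on gateway-identity.pem as shown in the usage comment above.
sample_pem='-----BEGIN CERTIFICATE-----
MAMC
AQU=
-----END CERTIFICATE-----'
printf '%s\n' "$sample_pem" | knox_publickey_from_pem -
```

The check confirms only that what you are about to paste is one well-formed certificate body. It does not prove that the certificate matches the key Knox signs tokens with; if DAS still rejects SSO logins after pasting the output, re-check gateway.signing.key.alias and gateway.signing.keystore.name against the keystore you exported from.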