Configure Knox Gateway for DataPlane and HDP

DP Platform communicates with services on the HDP cluster like DataPlane Agents, Ambari, Atlas, Ranger, etc. If you are using TLS wire encryption on your clusters, you must configure Knox Gateway to proxy requests to and from DP Platform. If DataPlane uses proxying, then all DataPlane services need to use it to communicate with DataPlane.

This topic provides an overview of how to configure Knox Gateway proxy in your HDP cluster to work with DataPlane. Refer to the HDP documentation for details that might be applicable to your specific HDP configuration and setup.

You will be configuring Knox Gateway proxy in your HDP cluster to work with your DP instance.

You must have installed and configured DataPlane.
You must have configured Knox Gateway on your clusters.
See Knox Gateway proxying with DataPlane for details.

Knox host FQDN must be DNS addressable and available from your DataPlane environment. If not, the Knox IP address must be in the /etc/hosts file on the DP environment. Refer to the DataPlane Administration guide for details on how to add Knox to the DataPlane environment hosts.

On your HDP cluster Knox host, navigate to the Knox topologies directory.
```
cd /etc/knox/conf/topologies
```
Create a DataPlane proxy topology file.
```
vi dp-proxy.xml
```

Add the host name for each of the services listed in the file, based on where that service is running in your HDP cluster.

	Tip
	At this point, you can add to the file the DataPlane service agents that you plan to install, or you can add them later.

	Important
	Do not modify the URL in the provider section of the file. Be sure to keep this file updated if you move services or add services in your cluster.

The <localhost> entry in the following example might be something like ctr-e138-1518143905142-369209-01-000005.hwx.site:20070.

Topology dp-proxy.xml

<?xml version="1.0" encoding="utf-8"?>
<topology>
  <gateway>
    <provider>
        <role>federation</role>
        <name>SSOCookieProvider</name>
        <enabled>true</enabled>
        <param>
            <name>sso.authentication.provider.url</name>
            <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
        </param>
    
    <provider><role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
   </gateway>

    <service>
      <role>WEBHDFS</role>
      <url>http://<localhost>:20070/webhdfs</url>
  </service>
  <service>
      <role>WEBHCAT</role>
      <url>http://<localhost>:20111/templeton</url>
  </service>
  <service>
    <role>AMBARI</role>
    <url>http://<localhost>:8080</url>
  </service>
  <service>
    <role>RANGER</role>
    <url>http://<localhost>:6080</url>
  </service>
  <service>
    <role>RANGERUI</role>
    <url>http://<localhost>:6080</url>
  </service>
  <service>
    <role>ATLAS</role>
    <url>http://<localhost>:21000</url>
  </service>
  <service>
    <role>ATLAS-API</role>
    <url>http://<localhost>:21000</url>
  </service>
  <service>
   <role>BEACON</role>    ##The DLM Engine
   <url>http://<localhost>:25968</url>
  </service>
  <service>
   <role>HIVE</role>
   <url>http://<localhost>:10001/cliservice</url>
  </service>
  <service>
   <role>RESOURCEMANAGER</role>
   <url>http://<localhost>:8088/ws</url>
  </service>

  <service>
   <role>PROFILER-AGENT</role>    ##The DSS Agent
   <url>http://<localhost>:21900</url>
  </service>

</topology>