Installing DataPlane

Configure Knox SSO between DataPlane and HDP

This topic provides an overview of how to configure Knox SSO in your HDP cluster to work with DataPlane. Refer to the HDP documentation for details that might be applicable to your specific HDP configuration and setup.

  • You will be configuring Knox SSO in your HDP cluster to work with your DP instance.
  • You must have installed and configured DataPlane.
  • You must have configured Knox SSO on your clusters.

    See Knox SSO with DataPlane for details.

  • Knox SSO, LDAP, and Ranger must have been configured for HDP and Ambari.
  • You must have an SSL certificate (such as a .pem file) available and have access to the public key in the file.
  • Knox host FQDN must be DNS addressable and available from your DataPlane environment.

    If it is not, the Knox IP address must be in the /etc/hosts file on the DP environment. Refer to the DataPlane Administration Guide for details on how to add Knox to the DataPlane environment hosts.

  1. In a terminal, SSH to the DataPlane host.
  2. Navigate to $DP_INSTALL_HOME/certs/.
    cd /usr/dp/current/core/bin/certs/
  3. Display the content of the ssl-cert.pem file.
    cat ssl-cert.pem
  4. Copy and retain the DataPlane public key displayed in the certificate between “Begin Certificate” and “End Certificate”, because you need it in a succeeding step.

    The public key looks similar to the following:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

  5. On your HDP cluster Knox host, create a token.xml topology file.
    vi /etc/knox/conf/topologies/token.xml
  6. Add the required content to the token.xml file:
    1. Add the basic topology content.

      You can copy and paste the following content into the file and modify the content as needed.

      
      <?xml version="1.0" encoding="UTF-8"?>
      <topology>
         <uri>https://$KNOX_HOSTNAME_FQDN:8443/gateway/token</uri>
         <name>token</name>
         <gateway>
            <provider>
               <role>federation</role>
               <name>SSOCookieProvider</name>
               <enabled>true</enabled>
               <param>
                  <name>sso.authentication.provider.url</name>
                  <value>https://$KNOX_HOSTNAME_FQDN:8443/gateway/knoxsso/api/v1/websso</value>
               </param>
               <param>
                  <name>sso.token.verification.pem</name>
                  <value>
                      $ADD_THE_PUBLIC_KEY_HERE
                  </value>
               </param>
            </provider>
            <provider>
               <role>identity-assertion</role>
               <name>HadoopGroupProvider</name>
               <enabled>true</enabled>
            </provider>
            <provider>
               <role>authorization</role>
               <name>XASecurePDPKnox</name>
               <enabled>true</enabled>
            </provider>
         </gateway>
      
         <service>
            <role>KNOXTOKEN</role>
            <param>
               <name>knox.token.ttl</name>
               <value>500000</value>
            </param>
            <param>
               <name>knox.token.client.data</name>
               <value>cookie.name=hadoop-jwt</value>
            </param>
            <param>
               <name>main.ldapRealm.authorizationEnabled</name>
               <value>true</value>
            </param>
         </service>
      </topology>

      HadoopGroupProvider enables the Hadoop user-group mapping, which identifies the groups to which users belong.

      The XASecurePDPKnox authorization provider, together with the main.ldapRealm.authorizationEnabled=true parameter, enables Ranger authorization for the token topology in Knox.

    2. Replace $KNOX_HOSTNAME_FQDN with the fully qualified domain name of the host.
    3. In the sso.token.verification.pem parameter, paste in the public key value that you copied in a previous step, replacing $ADD_THE_PUBLIC_KEY_HERE.
  7. Perform a secure copy of the token.xml topology file to a Knox-enabled node on the HDP cluster.
  8. Verify that Knox has picked up the files:
    1. Log in to the Knox-enabled node.
    2. Ensure that a directory called token.topo.<number> is present in the path /var/lib/knox/data-<version>/deployments/.
      If the directory is not present, verify that the content of the token.xml file is correct. You can check the Knox gateway logs for error information.
  9. Log in to each additional cluster used with DataPlane and repeat Step 5 (create a token.xml file) through Step 8 (verify copy of the file).
  10. Configure the Knox SSO topology to point to an LDAP instance for DataPlane to use.
    1. Open the file <knox_gateway_home>/topologies/knoxsso.xml.
    2. Modify the following properties with appropriate values for your environment:
      • main.ldapRealm.userDnTemplate
      • main.ldapRealm.contextFactory.url
      • knoxsso.redirect.whitelist.regex
      Sample configuration for using packaged LDAP:
      <param>
         <name>main.ldapRealm.userDnTemplate</name>
         <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
      </param>
      <param>
         <name>main.ldapRealm.contextFactory.url</name>
         <value>ldap://localhost:33389</value>
      </param>
      <param>
         <name>knoxsso.redirect.whitelist.regex</name>
         <value>.*;^/.*$;https?://localhost*$;^http.*$</value>
      </param>
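As an added example (not part of this guide or of the DataPlane and Knox projects), the following Python script walks through steps 4 to 6 offline: it extracts the public key block from a constructed stand-in for ssl-cert.pem, fills the token.xml topology with the Knox FQDN and the key, parses the result to confirm the SSOCookieProvider federation and Ranger authorization settings from step 6, and evaluates a redirect URL against a knoxsso.redirect.whitelist.regex value from step 10. The FQDN, the PEM body and the URLs are constructed sample values, and the full-match semantics of the whitelist check are an assumption about how Knox applies each semicolon-separated pattern.

```python
import re
import xml.etree.ElementTree as ET
from string import Template

# Constructed stand-in for $DP_INSTALL_HOME/certs/ssl-cert.pem; the body is not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----"""

# Compact form of the token.xml topology from step 6; $fqdn and $pem are the two placeholders.
TOKEN_XML = Template("""<?xml version="1.0" encoding="UTF-8"?>
<topology><uri>https://$fqdn:8443/gateway/token</uri><name>token</name>
<gateway>
<provider><role>federation</role><name>SSOCookieProvider</name><enabled>true</enabled>
<param><name>sso.authentication.provider.url</name>
<value>https://$fqdn:8443/gateway/knoxsso/api/v1/websso</value></param>
<param><name>sso.token.verification.pem</name><value>$pem</value></param></provider>
<provider><role>identity-assertion</role><name>HadoopGroupProvider</name><enabled>true</enabled></provider>
<provider><role>authorization</role><name>XASecurePDPKnox</name><enabled>true</enabled></provider>
</gateway>
<service><role>KNOXTOKEN</role>
<param><name>knox.token.ttl</name><value>500000</value></param>
<param><name>knox.token.client.data</name><value>cookie.name=hadoop-jwt</value></param>
<param><name>main.ldapRealm.authorizationEnabled</name><value>true</value></param>
</service></topology>""")

def pem_body(pem: str) -> str:
    """Step 4: the base64 between the BEGIN/END CERTIFICATE lines, without the marker lines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m: raise ValueError("no CERTIFICATE block in input")
    return m.group(1).strip()

def render_token_xml(fqdn: str, pem: str) -> str:
    """Steps 6.2 and 6.3: substitute the Knox FQDN and the key; rejects an unreplaced $KNOX_HOSTNAME_FQDN."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", fqdn): raise ValueError(f"invalid Knox FQDN: {fqdn!r}")
    return TOKEN_XML.substitute(fqdn=fqdn, pem=pem_body(pem))

def check_topology(xml_text: str) -> dict:
    """Parse the rendered topology and report the settings this guide relies on."""
    root = ET.fromstring(xml_text)
    providers = {p.findtext("role"): p.findtext("name") for p in root.iter("provider")}
    params = {p.findtext("name"): p.findtext("value") for p in root.iter("param")}
    return {"federation": providers.get("federation"),
            "ranger_authz": providers.get("authorization") == "XASecurePDPKnox"
                            and params.get("main.ldapRealm.authorizationEnabled") == "true",
            "ttl": int(params["knox.token.ttl"]), "pem_set": bool(params.get("sso.token.verification.pem"))}

def redirect_allowed(url: str, whitelist_regex: str) -> bool:
    """Assumed Knox semantics: allow if any ';'-separated regex fully matches the redirect URL."""
    return any(re.fullmatch(p, url) for p in whitelist_regex.split(";"))
```

Running redirect_allowed against the sample whitelist from step 10 shows that its leading `.*` pattern accepts a redirect to any host, so a deployment should replace it with a pattern anchored to the DataPlane host it actually uses.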