Knox authentication for DataPlane clusters
Apache Knox provides a single access point for authentication and proxy of cluster services to DataPlane.
DP Platform and the DP Apps leverage Knox to provide users and services with simplified and consistent access to clusters, data, and other services. DataPlane authenticates users against a centralized identity provider in the organization (such as LDAP or Active Directory). Setting up Knox on your clusters enforces that those users and services may reach only the cluster services they are entitled to, and propagates the identity of the user or service from DataPlane to the cluster services.
You must configure Knox on every cluster you plan to use with DataPlane. Perform this Knox setup on your clusters after you have completed the DataPlane installation; see the DataPlane Installation documentation for details. There are two options for configuring Knox in a cluster so that it works with DataPlane:
- Knox Single Sign-On (SSO)
- Knox Trusted Proxy Pattern (TPP)
Important: The Knox instance in your cluster must be configured to use the same LDAP/AD as your DP instance, so that user identities match and propagate between the two systems.
Each authentication option comes with its own set of minimal cluster requirements:
Minimal cluster requirements | Knox Single Sign-On (SSO) | Knox Trusted Proxy Pattern (TPP) |
---|---|---|
Ambari | Required, with LDAP authentication | Required, with LDAP authentication and Ambari Kerberos authentication |
Kerberos enabled | Optional | Required |
Knox Gateway Proxy | Optional | Required |
Knox Gateway Proxy is optional for DP Platform itself. Depending on which DP Apps you plan to use and how your cluster is configured, it may nevertheless be required. For example, if you use Data Lifecycle Manager or Data Steward Studio and wire encryption is enabled in your cluster, you must set up Knox Gateway Proxy and configure the additional services the proxy needs. Knox Gateway Proxy is always required for the Knox Trusted Proxy Pattern (TPP) authentication option.
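The following script is an added example and is not part of the DataPlane documentation or the Knox project. It lints a Knox SSO topology (knoxsso.xml) for the settings DataPlane depends on: the Shiro LDAP provider must point at the same directory the DP instance uses (the "Important" note above), the hadoop-jwt SSO cookie must be secure-only, the token TTL must be bounded, and the redirect whitelist must admit the DataPlane host without being an open redirector. The parameter names (main.ldapRealm.contextFactory.url, knoxsso.cookie.secure.only, knoxsso.token.ttl, knoxsso.redirect.whitelist.regex) are the standard Knox ones; the sample topology, the host names and the DataPlane LDAP URL are constructed for illustration, and the realm class names are the Knox 1.x (HDP 3.x) package names.

```python
"""Lint a Knox SSO topology for the settings DataPlane relies on.

Added example, not from the DataPlane docs or the Knox project. The sample
topology, host names and DP_LDAP_URL below are constructed; the parameter
names are the standard Knox SSO / ShiroProvider ones.
"""
import re
import xml.etree.ElementTree as ET

# Constructed knoxsso.xml: ShiroProvider against LDAP plus the KNOXSSO service.
# Three settings are deliberately weak so the linter has something to report.
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>main.ldapRealm</name><value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value></param>
      <param><name>main.ldapContextFactory</name><value>org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory</value></param>
      <param><name>main.ldapRealm.contextFactory</name><value>$ldapContextFactory</value></param>
      <param><name>main.ldapRealm.contextFactory.url</name><value>ldaps://ldap.example.com:636</value></param>
      <param><name>main.ldapRealm.userDnTemplate</name><value>uid={0},ou=people,dc=example,dc=com</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
    <param><name>knoxsso.token.ttl</name><value>-1</value></param>
    <param><name>knoxsso.redirect.whitelist.regex</name><value>^https?:\\/\\/.*$</value></param>
  </service>
</topology>
"""

# The same topology with the three weak values corrected (secure cookie,
# one-hour TTL, whitelist pinned to the DataPlane host).
HARDENED_TOPOLOGY = (SAMPLE_TOPOLOGY
    .replace("<value>false</value>", "<value>true</value>")
    .replace("<value>-1</value>", "<value>3600000</value>")
    .replace("^https?:\\/\\/.*$", "^https:\\/\\/dataplane\\.example\\.com(:[0-9]+)?\\/.*$"))

# Assumed values: what the DataPlane instance itself was configured with.
DP_LDAP_URL = "ldaps://ldap.example.com:636"
DP_HOST = "dataplane.example.com"


def params(element):
    """Return the <param> name/value pairs under a provider or service element."""
    return {p.findtext("name"): p.findtext("value") for p in element.findall("param")}


def lint_knoxsso_topology(xml_text, dp_ldap_url=DP_LDAP_URL, dp_host=DP_HOST,
                          max_ttl_ms=8 * 60 * 60 * 1000):
    """Return a list of findings; an empty list means the topology passes."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Identity must come from the same directory DataPlane authenticates against.
    shiro = None
    for prov in root.iter("provider"):
        if prov.findtext("role") == "authentication" and prov.findtext("enabled") == "true":
            shiro = params(prov)
    if shiro is None:
        findings.append("no enabled authentication provider")
    else:
        url = shiro.get("main.ldapRealm.contextFactory.url")
        if url != dp_ldap_url:
            findings.append(f"LDAP URL {url!r} differs from DataPlane's {dp_ldap_url!r}")
        elif url.startswith("ldap://"):
            findings.append("bind credentials travel in the clear; use ldaps://")

    # 2. KNOXSSO service settings.
    sso = None
    for svc in root.iter("service"):
        if svc.findtext("role") == "KNOXSSO":
            sso = params(svc)
    if sso is None:
        findings.append("no KNOXSSO service in topology")
        return findings
    if sso.get("knoxsso.cookie.secure.only", "false") != "true":
        findings.append("knoxsso.cookie.secure.only is not true; SSO cookie would be sent over plain HTTP")
    ttl = int(sso.get("knoxsso.token.ttl", "30000"))  # Knox default is 30000 ms; -1 never expires
    if ttl < 0 or ttl > max_ttl_ms:
        findings.append(f"knoxsso.token.ttl={ttl} (negative never expires; cap at {max_ttl_ms} ms)")
    regex = sso.get("knoxsso.redirect.whitelist.regex")
    if not regex:
        findings.append("no redirect whitelist; the SSO endpoint becomes an open redirector")
    else:
        if re.fullmatch(regex, "https://attacker.example.net/"):
            findings.append("redirect whitelist matches arbitrary hosts")
        if not re.fullmatch(regex, f"https://{dp_host}/"):
            findings.append(f"redirect whitelist does not admit DataPlane host {dp_host}")
    return findings


if __name__ == "__main__":
    for name, topo in (("sample", SAMPLE_TOPOLOGY), ("hardened", HARDENED_TOPOLOGY)):
        print(name, lint_knoxsso_topology(topo) or "OK")
```

Run it against the real knoxsso.xml from the Knox gateway's conf/topologies directory and pass the LDAP URL and hostname your DP instance was installed with; a mismatch in the first check is the usual reason identities fail to propagate even when SSO itself appears to work.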
Refer to the following documentation on how to configure your cluster for Knox authentication.
Resource | HDP 2.6 and Ambari 2.6 Documentation | HDP 3.0 and Ambari 2.7 Documentation | HDP 3.1 and Ambari 2.7 Documentation |
---|---|---|---|
Configure LDAP for Ambari, and sync users | Ambari Security Guide, Configuring Ambari Authentication with LDAP or Active Directory Authentication | HDP Security Guide, Configuring Ambari Authentication for LDAP/AD | Configuring Ambari Authentication with LDAP/AD |
Configure SSO topology | HDP Security Guide, Identity Providers (IdP) | HDP Security Guide, Configuring an Identity Provider | Configuring an Identity Provider (IdP) |
Configure Knox SSO for Ambari | HDP Security Guide, Setting up Knox SSO for Ambari | HDP Security Guide, Configuring Apache Knox SSO | Configuring Knox SSO |
For more information about HDF Knox configuration, see HDF Security documentation.