Hortonworks Docs » DataFlow 3.3.0 » Configuring NiFi Authentication and Proxying with Apache Knox
Configuring NiFi Authentication and Proxying with Apache Knox
Also available as:
PDF

Configuring Knox SSO

  1. If you want to use Knox SSO authentication, perform the following steps:
    1. On each cluster node with Knox installed, replace the ShiroProvider federation provider in the flow-management.xml file with the following content: 
      <provider>
   <role>federation</role>
   <name>SSOCookieProvider</name>
   <enabled>true</enabled>
   <param>
      <name>sso.authentication.provider.url</name>
      <value>https://$KNOX_HOSTNAME:$KNOX_PORT/gateway/knoxsso/api/v1/websso</value>
   </param>
</provider>

      where:

      • $KNOX_HOSTNAME is the FQDN of the Knox host.

      • $KNOX_PORT is the port Knox is using.

      Your new flow-management.xml file looks similar to the following:

      <?xml version="1.0" encoding="utf-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>https://hdf-test.field.hortonworks.com:8443/gateway/knoxsso/api/v1/websso</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>NIFI</role>
    <url>https://hdf-test-nifi.field.hortonworks.com:9091</url>
    <param>
      <name>useTwoWaySsl</name>
      <value>true</value>
    </param>
  </service>
</topology>
    2. If you want to access NiFi directly and still use Knox SSO:
      • Export the Knox SSO certificate: 
         $KNOX_INSTALL_DIR/bin/knoxcli.sh export-cert
      • Set the following properties in the Advanced nifi-properties section in Ambari: 
        nifi.security.user.knox.url=https://$KNOX_HOSTNAME:$KNOX_PORT/gateway/knoxsso/api/v1/websso
nifi.security.user.knox.publicKey=<path-to>/gateway-identity.pem
nifi.security.user.knox.cookieName=hadoop-jwt
nifi.security.user.knox.audiences=

        The cookieName property must align with what is configured in Knox. The audiences property is used to only accept tokens from a particular audience. The audiences value is configured as part of Knox SSO.

  2. Save the configuration and restart Knox.
© 2012–2019, Hortonworks, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Hortonworks.com | Documentation | Support | Community