Security

Knox SSO

Identity Providers

Knox has two identity providers: form-based and SAML 2.0.

Setting up Knox SSO for Ambari

This section describes how to configure Ambari to use Knox SSO (Single Sign-on) to authenticate users. With this configuration, unauthenticated users who try to access Ambari are redirected to the Knox SSO login page for authentication.

Use the following steps to configure Knox SSO for Ambari:

  1. Log in as the root user

  2. Run the following command:

    ambari-server setup-sso
  3. When prompted, enter y.

  4. For the provider URL, enter: https://<hostname>:8443/gateway/knoxsso/api/v1/websso.

  5. Run the following CLI command to export the Knox certificate:

    $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file <cert.pem> -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
    • When prompted, enter the Knox master password.

    • Note the location where you save the cert.pem file.

  6. When prompted to configure advanced properties, enter n.

  7. Leave the JWT Cookie name (hadoop-jwt) and JWT audiences list prompts empty to accept the defaults.

    The prompt returns Ambari Server 'setup-sso' completed successfully.

  8. Restart the Ambari Server: ambari-server restart.

Example 2.2. Example Knox SSO for Ambari

ambari-server setup-sso
Setting up SSO authentication properties...
Do you want to configure SSO authentication [y/n] (y)?y
Provider URL [URL] (http://example.com):https://c6402.ambari.apache.org:8443/gateway/knoxsso/api/v1/websso
Public Certificate pem (empty) (empty line to finish input):
Do you want to configure advanced properties [y/n] (n) ?y
JWT Cookie name (hadoop-jwt):
JWT audiences list (comma-separated), empty for any ():
Ambari Server 'setup-sso' completed successfully.

ambari-server restart


Setting up Knox SSO for Ranger

This section describes how to configure Ranger to use Knox SSO (Single Sign-on) to authenticate users on an Ambari cluster. With this configuration, unauthenticated users who try to access Ranger are redirected to the Knox SSO login page for authentication.

Note
  • Knox SSO is only applied to web UI users.

  • Internal Ranger users have the option to bypass Knox SSO and log in to the Ranger UI directly by using the "locallogin" URL: http://<ranger_host>:6080/locallogin.

Use the following steps to configure Knox SSO for Ranger:

  1. Install Ambari with HDP-2.5 or higher. Install Knox along with the other services.

  2. Install Ranger using Ambari.

  3. The Knox SSO topology settings are preconfigured in Knox > Configs > Advanced knoxsso-topology.

  4. Run the following CLI command to export the Knox certificate:

    $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file <cert.pem> -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
    • When prompted, enter the Knox master password.

    • Note the location where you save the cert.pem file.

  5. Select Ranger > Configs > Advanced > Knox SSO Settings and set the following properties:

    • Enable Ranger SSO – Select this check box to enable Ranger SSO.

    • SSO provider url – https://<knox_host>:8443/gateway/knoxsso/api/v1/websso

    • SSO public key – Paste in the contents of the cert.pem certificate file exported from Knox.

      When you paste the contents, exclude the header and footer.

    • SSO browser useragent – Preconfigured with Mozilla,chrome.

  6. Click Save to save the new configuration, then click through the confirmation pop-ups.

  7. Restart Ranger. Select Actions > Restart All Required to restart all other services that require a restart.

  8. Knox SSO should now be enabled. Users who try to access Ranger are redirected to the Knox SSO login page for authentication.
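As an added example, not from this documentation and not Ambari's or Ranger's own code, the following Python does two of the steps above by hand: it turns the keytool-exported cert.pem into the header-and-footer-stripped value that Ranger's SSO public key field expects, and it runs the checks an SSO consumer applies to a hadoop-jwt cookie before signature verification (algorithm pinning, expiry, and the audience rule where an empty audiences list accepts any audience, as in setup-sso). The sample PEM body and the sample token are constructed; RS256 as the expected algorithm is an assumption (the Knox default), and RSA signature verification against the Knox public key, which needs a crypto library, is not included.

```python
import base64
import json
import time

# Constructed sample, not from the page: a minimal DER SEQUENCE stands in for the
# certificate body that "keytool -export -rfc" would write to cert.pem.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

def pem_to_sso_public_key(pem_text):
    """Return the PEM body without header/footer lines, joined into one string:
    the form Ranger's 'SSO public key' field expects. Rejects a corrupted paste."""
    lines = [line.strip() for line in pem_text.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)  # raises binascii.Error on bad base64
    if not der or der[0] != 0x30:  # X.509 certificates are DER SEQUENCEs
        raise ValueError("PEM body is not a DER-encoded certificate")
    return body

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_hadoop_jwt(cookie, audiences, now=None, allowed_algs=("RS256",)):
    """Pre-signature checks on a hadoop-jwt cookie value: algorithm pinning (RS256 assumed,
    the Knox default), expiry, and the audience rule (empty list accepts any 'aud', as in
    setup-sso). Returns (ok, reason, claims); RSA signature verification must still follow."""
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3:
        return False, "malformed token", {}
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") not in allowed_algs:  # also rejects alg 'none'
        return False, "unexpected alg %r" % header.get("alg"), claims
    if "exp" in claims and claims["exp"] <= now:
        return False, "token expired", claims
    if audiences:
        aud = claims.get("aud")
        aud_set = set(aud) if isinstance(aud, list) else {aud}
        if not aud_set & set(audiences):
            return False, "audience mismatch", claims
    return True, "claims ok", claims

def make_sample_token(claims):
    """Build a constructed token with a placeholder signature segment, only to
    exercise the checks above; a real hadoop-jwt is issued and signed by Knox."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"
```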