Setting up the Knox Token Service for Ranger APIs
About This Task
Once logged into Knox SSO, the UI service uses a cookie named hadoop-jwt. The Knox Token Service enables clients to acquire this same JWT token for accessing REST APIs. By acquiring the token and setting it as a bearer token on a request, a client is able to access REST APIs that are protected with the JWT Federation Provider (see Setting up JWT Federation Provider).
Steps
To configure the Knox Token Service for Ranger APIs:
The Knox Token Service can be configured in any topology. For example, from Ambari > Knox > Configs > Advanced knoxsso-topology, add:

```xml
<service>
    <role>KNOXTOKEN</role>
    <param>
        <name>knox.token.ttl</name>
        <value>numeric_value_in_milliseconds</value>
    </param>
    <param>
        <name>knox.token.audiences</name>
        <value>tokenbased</value>
    </param>
    <param>
        <name>knox.token.target.url</name>
        <value>https://host:port/gateway/tokenbased</value>
    </param>
</service>
```

where the values of the parameters are specific to your environment:
| Parameter | Description | Optional/Required | Default |
| --- | --- | --- | --- |
| knox.token.ttl | The lifespan of the token in milliseconds. Once it expires, a new token must be acquired from the KnoxToken service. | Required | 30000 (30 seconds) |
| knox.token.audiences | Comma-separated list of audiences to add to the JWT token. Used to ensure that a participating application receiving the token knows the token was intended for use with that application. If an endpoint has expected audiences and they are not present in the token, the token must be rejected. If the token has audiences and the endpoint expects none, the token is accepted. | Optional | |
| knox.token.target.url | Indicates the intended endpoint for which the token may be used. The KnoxShell token credential collector can pull this URL from a knoxtokencache file for use in scripts, which eliminates the need to prompt for or hard-code endpoints in your scripts. | Optional | |
Example
From Ambari > Knox > Configs > Advanced knoxsso-topology, add:

```xml
<service>
    <role>KNOXTOKEN</role>
    <param>
        <name>knox.token.ttl</name>
        <value>36000000</value>
    </param>
    <param>
        <name>knox.token.audiences</name>
        <value>tokenbased</value>
    </param>
    <param>
        <name>knox.token.target.url</name>
        <value>https://localhost:8443/gateway/tokenbased</value>
    </param>
</service>
```
Next Steps
Acquire a token from the Knox Token Service as configured in the sandbox topology:

```shell
curl -ivku guest:guest-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
```

This results in a JSON response that contains the token, the expiration and the optional target endpoint:

```json
{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU","target_url":"https://localhost:8443/gateway/tokenbased","token_type":"Bearer ","expires_in":1489942188233}
```

The following curl example shows how to add the bearer token to an Authorization header:

```shell
curl -ivk -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU" https://localhost:8443/gateway/tokenbased/webhdfs/v1/tmp?op=LISTSTATUS
```
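The following is an added example (not part of this documentation or of Knox itself) of what a client script should do with the token response above before reusing it: parse the JSON, read the JWT claims, refuse a token whose `expires_in` (an absolute epoch time in milliseconds, not a duration) has passed, apply the audience rule from the knox.token.audiences description, and only then build the Authorization header. The sample response is the one shown on this page; the assumption that one matching audience is enough is labelled in the code. Signature verification is not attempted here, since that is the gateway's job, not the client's.

```python
import base64
import json
import time

# Token returned by the sandbox topology on this page (issued March 2017, so long expired).
SAMPLE_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ."
    "bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV"
    "-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU"
)
# The full knoxtoken/api/v1/token response body from this page, embedded so the script runs offline.
KNOX_TOKEN_RESPONSE = json.dumps({
    "access_token": SAMPLE_TOKEN,
    "target_url": "https://localhost:8443/gateway/tokenbased",
    "token_type": "Bearer ",            # note the trailing space in the real response
    "expires_in": 1489942188233,        # epoch milliseconds, matches the JWT exp claim
})


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the claim set of a compact JWS. The signature is NOT checked here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def audience_accepted(token_aud, expected):
    """Acceptance rule from the knox.token.audiences description.

    token_aud is the JWT 'aud' claim (string or list, per RFC 7519); expected is the
    set of audiences the endpoint requires. No expected audiences: always accept.
    Expected audiences but none present in the token: reject.
    Assumption: one audience in common is sufficient for acceptance."""
    if not expected:
        return True
    if isinstance(token_aud, str):
        token_aud = [token_aud]
    return any(aud in expected for aud in (token_aud or []))


def bearer_header(response_text, expected_audiences, now_ms=None):
    """Parse the token-service JSON and build the header the curl example above sends."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    resp = json.loads(response_text)
    if now_ms >= resp["expires_in"]:    # stale token: go back to knoxtoken/api/v1/token
        raise ValueError("token expired; acquire a new one from the Knox Token Service")
    claims = jwt_claims(resp["access_token"])
    if not audience_accepted(claims.get("aud"), expected_audiences):
        raise ValueError("token audience %r is not accepted by this endpoint" % (claims.get("aud"),))
    return {"Authorization": "%s %s" % (resp["token_type"].strip(), resp["access_token"])}
```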