Security

Setting up the Knox Token Service for Ranger APIs

About This Task

Once a user is logged in through Knox SSO, the UI service uses a cookie named hadoop-jwt. The Knox Token Service enables clients to acquire this same JWT so that it can be used to access REST APIs. By acquiring the token and sending it as a bearer token on a request, a client can access REST APIs that are protected by the JWT Federation Provider (see Setting up the JWT Federation Provider).

Steps

To configure the Knox Token Service for Ranger APIs:

  1. The Knox Token Service can be configured in any topology. For example, from Ambari>Knox>Configs>Advanced knoxsso-topology, add:

    <service>
       <role>KNOXTOKEN</role>
       <param>
          <name>knox.token.ttl</name>
          <value>numeric_value_in_miliseconds</value>
       </param>
       <param>
          <name>knox.token.audiences</name>
          <value>tokenbased</value>
       </param>
       <param>
          <name>knox.token.target.url</name>
          <value>https://host:port/gateway/tokenbased</value>
       </param>
    </service>

    where the values of the parameters are specific to your environment:

    Parameter: knox.token.ttl
    Description: The lifespan of the token in milliseconds. Once it expires, a new token must be acquired from the KnoxToken service.
    Optional/Required: Required
    Default: 30000 (30 seconds)

    Parameter: knox.token.audiences
    Description: Comma-separated list of audiences to add to the JWT token. Used to ensure that a token received by a participating application is known to have been intended for use with that application. If an endpoint has expected audiences and they are not present in the token, the token must be rejected. If the token has audiences and the endpoint expects none, the token is accepted.
    Optional/Required: Optional
    Default: none

    Parameter: knox.token.target.url
    Description: Indicates the intended endpoint for which the token may be used. The KnoxShell token credential collector can pull this URL from a knoxtokencache file for use in scripts, which eliminates the need to prompt for or hard-code endpoints in your scripts.
    Optional/Required: Optional
    Default: none

Example

From Ambari>Knox>Configs>Advanced knoxsso-topology, add:

<service>
   <role>KNOXTOKEN</role>
   <param>
      <name>knox.token.ttl</name>
      <value>36000000</value>
   </param>
   <param>
      <name>knox.token.audiences</name>
      <value>tokenbased</value>
   </param>
   <param>
      <name>knox.token.target.url</name>
      <value>https://localhost:8443/gateway/tokenbased</value>
   </param>
</service>

Next Steps

Acquire a token from the Knox Token Service as configured in the sandbox topology:

curl -ivku guest:guest-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token

This results in a JSON response that contains the token, its expiration, and the optional target endpoint:

`{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU","target_url":"https://localhost:8443/gateway/tokenbased","token_type":"Bearer ","expires_in":1489942188233}`

The following curl example shows how to add a bearer token to an Authorization header:

curl -ivk -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU" https://localhost:8443/gateway/tokenbased/webhdfs/v1/tmp?op=LISTSTATUS
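The following Python script is an added example and is not part of the Hortonworks documentation or the Knox project's own code. It takes the token response shown above (embedded as a constructed sample so it runs offline), inspects the JWT's claims, applies the audience rule from the knox.token.audiences description, checks the token's lifetime, and builds the same Authorization header the curl example uses. Note two details visible in the sample output: expires_in is an absolute epoch time in milliseconds (it matches the JWT's exp claim of 1489942188 seconds), not a number of seconds remaining, and token_type carries a trailing space. All function names are hypothetical helpers; the JWT signature is deliberately not verified here, since that is the job of the gateway's JWT federation provider, which holds the SSO public key.

```python
import base64
import json
import time

# Constructed sample input: the JSON body documented above for
# GET /gateway/sandbox/knoxtoken/api/v1/token, embedded so the script runs offline.
SAMPLE_RESPONSE = (
    '{"access_token":"eyJhbGciOiJSUzI1NiJ9.'
    'eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.'
    'bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU",'
    '"target_url":"https://localhost:8443/gateway/tokenbased",'
    '"token_type":"Bearer ","expires_in":1489942188233}'
)


def parse_token_response(raw: str) -> dict:
    """Parse the Knox Token Service JSON body into a dict."""
    return json.loads(raw)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWT segments omit the '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims (sub, aud, iss, exp) of a compact JWT.

    Signature is NOT checked: this is client-side inspection only. The Knox
    gateway's JWT federation provider verifies the RS256 signature on arrival.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_accepted(token_audiences, expected_audiences) -> bool:
    """Apply the knox.token.audiences rule from the parameter table.

    - endpoint expects audiences and the token carries none of them -> reject
    - endpoint expects none (token audiences or not)                 -> accept
    The 'aud' claim may be a single string or a list, so normalise to a set.
    """
    if isinstance(token_audiences, str):
        token_aud = {token_audiences}
    else:
        token_aud = set(token_audiences or [])
    expected = set(expected_audiences or [])
    if not expected:
        return True
    return bool(token_aud & expected)


def token_is_live(response: dict, now_ms: int) -> bool:
    """expires_in is an absolute epoch timestamp in milliseconds, so compare
    it against the current clock rather than treating it as a duration."""
    return now_ms < int(response["expires_in"])


def bearer_headers(response: dict) -> dict:
    """Build the Authorization header the curl example sends.

    token_type in the sample is "Bearer " (trailing space); strip it so the
    header is "Bearer <token>" with exactly one space.
    """
    scheme = response["token_type"].strip()
    return {"Authorization": f"{scheme} {response['access_token']}"}


if __name__ == "__main__":
    resp = parse_token_response(SAMPLE_RESPONSE)
    claims = jwt_claims(resp["access_token"])
    print("claims:", claims)
    print("audience ok for 'tokenbased':", audience_accepted(claims["aud"], ["tokenbased"]))
    print("token still live:", token_is_live(resp, int(time.time() * 1000)))
    print("target:", resp["target_url"])
    print("header:", bearer_headers(resp))
```

Run against a live gateway, a client would replace SAMPLE_RESPONSE with the body returned by the knoxtoken endpoint, check token_is_live before each request, and send bearer_headers(resp) to resp["target_url"] (for example the webhdfs path shown above); the sample token above has long since expired, so token_is_live returns False for the current clock.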