As of HDP-3.0.0, SSO is enabled using the ambari-server setup-sso
wizard. SSO for Ambari, Atlas, and Ranger is automatically enabled by the wizard. To enable
SSO for HDFS, Oozie, MapReduce2, Zeppelin, or YARN, you must manually change their
configuration files. Users who try to access these components will be redirected to the Knox
SSO login page for authentication.
You must be running Ambari 2.7.0.0 with HDP-3.0.0 or higher.
You must have already enabled SSO using ambari-server setup-sso.
- In Ambari, set the following properties for your components:
- HDFS:
core-site.xml
"hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
"hadoop.http.authentication.public.key.pem": "$SSOPUBLICKEY"
"hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
- Oozie:
oozie-site.xml
oozie.authentication.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
oozie.authentication.authentication.provider.url=https://$KNOX_HOST:8443/gateway/knoxsso/api/v1/websso
oozie.authentication.public.key.pem=$KNOX_PUBLIC_KEY
optional: oozie.authentication.expected.jwt.audiences=$AUDIENCES (default: EMPTY; which means ALL)
optional: oozie.authentication.jwt.cookie=$COOKIE-NAME (default: hadoop-jwt)
- MapReduce2:
core-site.xml
"hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
"hadoop.http.authentication.public.key.pem": "$SSOPUBLICKEY"
"hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
- Zeppelin: Advanced zeppelin-shiro-ini > shiro_ini_content
knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = $PROVIDERURL
knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
knoxJwtRealm.publicKeyPath = $PATH_OF_KNOX-SSO.PEM
knoxJwtRealm.logoutAPI = false
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
- Zeppelin: Advanced spark2-env, for SPARK_HISTORY_OPTS
export SPARK_HISTORY_OPTS='-Dspark.ui.filters=org.apache.hadoop.security.authentication.server.AuthenticationFilter -Dspark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.params="type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler,kerberos.principal=$SPARK_HISTORY_KERBEROS_PRINCIPAL,kerberos.keytab=$SPNEGO_KEYTAB,authentication.provider.url=$PROVIDER_URL,public.key.pem=$PUBLIC_KEY"'
- YARN:
core-site.xml
"hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
"hadoop.http.authentication.public.key.pem": "$SSOPUBLICKEY"
"hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
- Click Save and confirm subsequent prompts.
- Click to restart all other services that require a restart.
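The HDFS, MapReduce2 and YARN settings above all go into core-site.xml, and the usual failure modes after a manual edit are a handler left at its default, a $PLACEHOLDER that was never replaced with the real key or URL, or a provider URL served over plain http. The script below is an added example for checking a saved core-site.xml before the services are restarted; it is not part of this documentation, of Ambari or of Hadoop. It parses a Hadoop-style configuration document and confirms that the three hadoop.http.authentication.* properties are present, that the type is the JWT redirect handler, that the public key value is a base64 body (with or without BEGIN/END lines) rather than a placeholder, and that the provider URL uses https. The two sample documents, the key material and the host name knox.example.com are constructed for the example.

```python
"""Sanity-check Knox SSO (JWTRedirectAuthenticationHandler) settings in a
Hadoop core-site.xml. Added example; not part of the HDP/Ambari docs."""
import base64
import xml.etree.ElementTree as ET

JWT_HANDLER = ("org.apache.hadoop.security.authentication.server."
               "JWTRedirectAuthenticationHandler")
PREFIX = "hadoop.http.authentication."
REQUIRED = ("type", "public.key.pem", "authentication.provider.url")


def load_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name", default="") or "").strip()
        value = (prop.findtext("value", default="") or "").strip()
        if name:
            props[name] = value
    return props


def pem_body_is_valid(value):
    """Format check only: strip any BEGIN/END lines and require a base64 body
    of plausible size. This does not prove the key is the Knox signing key."""
    lines = [ln.strip() for ln in value.splitlines()
             if ln.strip() and not ln.strip().startswith("-----")]
    body = "".join(lines)
    if not body:
        return False
    try:
        return len(base64.b64decode(body, validate=True)) >= 64
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def check_sso_properties(xml_text):
    """Return a list of findings; an empty list means the settings look complete."""
    props = load_properties(xml_text)
    findings = []
    for suffix in REQUIRED:
        name = PREFIX + suffix
        value = props.get(name, "")
        if not value:
            findings.append(f"missing: {name}")
            continue
        if value.startswith("$"):
            findings.append(f"unsubstituted placeholder in {name}: {value}")
            continue
        if suffix == "type" and value != JWT_HANDLER:
            findings.append(f"{name} is {value!r}, expected {JWT_HANDLER}")
        elif suffix == "public.key.pem" and not pem_body_is_valid(value):
            findings.append(f"{name} is not a PEM/base64 public key body")
        elif suffix == "authentication.provider.url" and not value.startswith("https://"):
            findings.append(f"{name} must be an https:// Knox SSO URL, got {value!r}")
    return findings


# Constructed sample key body (not a real key) and sample documents.
SAMPLE_KEY = base64.b64encode(
    b"constructed placeholder key material, not a real key " * 3).decode()

GOOD_CORE_SITE = f"""<configuration>
  <property><name>hadoop.http.authentication.type</name>
    <value>{JWT_HANDLER}</value></property>
  <property><name>hadoop.http.authentication.public.key.pem</name>
    <value>{SAMPLE_KEY}</value></property>
  <property><name>hadoop.http.authentication.authentication.provider.url</name>
    <value>https://knox.example.com:8443/gateway/knoxsso/api/v1/websso</value></property>
</configuration>"""

# Typical mistakes: handler still "simple", placeholder left in, plain-http URL.
BAD_CORE_SITE = """<configuration>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.public.key.pem</name>
    <value>$SSOPUBLICKEY</value></property>
  <property><name>hadoop.http.authentication.authentication.provider.url</name>
    <value>http://knox.example.com:8443/gateway/knoxsso/api/v1/websso</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_CORE_SITE), ("bad", BAD_CORE_SITE)):
        print(label, check_sso_properties(doc) or ["OK"])
```

Run it against a copy of the core-site.xml that Ambari writes out; an empty finding list means the three properties are present and well-formed, after which the functional check is still to open a component UI and confirm the redirect to the Knox SSO login page. The same checks apply to the Oozie settings if the property names are swapped for the oozie.authentication.* ones.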