Configuring Apache Knox SSO

Configure Knox SSO for HDFS, Oozie, MapReduce2, Zeppelin, or YARN

As of HDP-3.0.0, SSO is enabled using the ambari-server setup-sso wizard. SSO for Ambari, Atlas, and Ranger is automatically enabled by the wizard. To enable SSO for HDFS, Oozie, MapReduce2, Zeppelin, or YARN, you must manually change their configuration files. Users who try to access these components will be redirected to the Knox SSO login page for authentication.

You must be running Ambari 2.7.0.0 with HDP-3.0.0 or higher.

You must have already enabled SSO using ambari-server setup-sso.

  1. In Ambari, set the following properties for your components:
    • HDFS: core-site.xml
      "hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
      "hadoop.http.authentication.public.key.pem": "$SSOPUBLICKEY"
      "hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
    • Oozie: oozie-site.xml
      oozie.authentication.type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler
      oozie.authentication.authentication.provider.url=https://$KNOX_HOST:8443/gateway/knoxsso/api/v1/websso
      oozie.authentication.public.key.pem=$KNOX_PUBLIC_KEY
      optional: oozie.authentication.expected.jwt.audiences=$AUDIENCES (default: EMPTY; which means ALL)
      optional: oozie.authentication.jwt.cookie=$COOKIE-NAME (default: hadoop-jwt)
    • MapReduce2: core-site.xml
      "hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
      "hadoop.http.authentication.public.key.pem": "$SSOPUBLICKEY"
      "hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
    • Zeppelin: Advanced zeppelin-shiro-ini > shiro_ini_content
      knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
      knoxJwtRealm.providerUrl = $PROVIDERURL
      knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
      knoxJwtRealm.publicKeyPath = $PATH_OF_KNOX-SSO.PEM
      knoxJwtRealm.logoutAPI = false
      knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
      knoxJwtRealm.cookieName = hadoop-jwt
      knoxJwtRealm.redirectParam = originalUrl
      knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
      knoxJwtRealm.principalMapping = principal.mapping
      authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
    • Zeppelin: Advanced spark2-env, for SPARK_HISTORY_OPTS
      export SPARK_HISTORY_OPTS='
      -Dspark.ui.filters=org.apache.hadoop.security.authentication.server.AuthenticationFilter
      -Dspark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.params="type=org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler,
      kerberos.principal=$SPARK_HISTORY_KERBEROS_PRINCIPAL,
      kerberos.keytab=$SPNEGO_KEYTAB,
      authentication.provider.url=$PROVIDER_URL,
      public.key.pem=$PUBLIC_KEY"'
    • YARN: core-site.xml
      "hadoop.http.authentication.type": "org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler"
      "hadoop.http.authentication.public.key.pem": "$SSOPUBLICKEY"
      "hadoop.http.authentication.authentication.provider.url": "$SSOPROVIDERURL"
  2. Click Save and confirm subsequent prompts.
  3. Click Ambari > Actions > Restart All Required to restart all other services that require a restart.
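The following is an added example, not Hortonworks or Knox code: a small Python model of what the JWTRedirectAuthenticationHandler configured above does on each request, so you can see what each property controls (the cookie name, the public key the signature must verify against, the provider URL it redirects to with originalUrl, and the expected audiences, where an empty list means all). It assumes a constructed demo RSA key in place of the real PEM (PEM parsing is not shown, the key is passed as integers) and the standard RS256/JWT claim names; the redirect URL shape is a simplification of the real handler.

```python
import base64, hashlib, json, random, time

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _demo_prime(bits):  # Fermat test: fine for a constructed demo key, never for real keys
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if pow(2, p - 1, p) == 1 and (p - 1) % 65537:
            return p

def demo_keypair(bits=1024):  # stands in for Knox's signing key and the public key PEM
    p, q = _demo_prime(bits // 2), _demo_prime(bits // 2)
    n, e = p * q, 65537
    return (n, e), (n, e, pow(e, -1, (p - 1) * (q - 1)))

def _pkcs1_sha256(msg, k):  # EMSA-PKCS1-v1_5 encoding used by RS256
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(priv, claims):  # models the websso endpoint setting the hadoop-jwt cookie
    n, e, d = priv
    k = (n.bit_length() + 7) // 8
    signing_input = _b64u(b'{"alg":"RS256"}') + "." + _b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(_pkcs1_sha256(signing_input.encode(), k), "big"), d, n)
    return signing_input + "." + _b64u(sig.to_bytes(k, "big"))

def check_request(cookie_header, url, pub, provider_url, audiences=(), cookie="hadoop-jwt", now=None):
    # Returns (principal, None) for a valid Knox token, else (None, redirect_url) to the SSO login
    redirect = provider_url + "?originalUrl=" + url
    jar = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    parts = jar.get(cookie, "").split(".")
    if len(parts) != 3 or json.loads(_unb64u(parts[0]) or b"{}").get("alg") != "RS256":
        return None, redirect  # no cookie, malformed token, or algorithm confusion
    head, body, sig = parts
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(_unb64u(sig), "big")
    if s >= n or pow(s, e, n).to_bytes(k, "big") != _pkcs1_sha256(f"{head}.{body}".encode(), k):
        return None, redirect  # signature does not verify against public.key.pem
    claims = json.loads(_unb64u(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None, redirect  # expired token
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if audiences and not set(audiences) & set(aud):  # empty expected.jwt.audiences means ALL
        return None, redirect
    return claims.get("sub"), None
```

Call `demo_keypair()` once, `issue_token()` to mint a cookie value, and `check_request()` with the cookie header and the provider URL from your core-site or oozie-site settings to see which property causes a redirect.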