Example: Configure Knox Gateway for LDAP
This example shows you how to set up the Knox Gateway with ShiroProvider, which involves configuring a provider for LDAP.
Context
LDAP authentication is configured by adding a "ShiroProvider" authentication provider to the cluster's topology file. When enabled, the Knox Gateway uses Apache Shiro (org.apache.shiro.realm.ldap.JndiLdapRealm) to authenticate users against the configured LDAP store.
Setting up Topology File
- Log in to Ambari and open the Knox service page.
The Knox Admin UI link can be found on the right pane of Ambari's Knox page.
Once this link is clicked, the user is asked for a username and password. These are checked against the LDAP configured for the manager.
- Accessing the Knox admin UI page for topology creation: Once the admin lands in the Knox admin UI, there are fundamentally three more steps to create a topology for the desired use case.
- Create a custom provider configuration
- Define Descriptors for the topology to auto-discover services from Ambari
- Save and verify the topology which is created
- Creating a custom Provider Configuration
The admin can click "Provider Configurations" in the left panel to list all available providers. Click the "+" button on the right side to create a new provider.
The admin can select all the providers needed for defining "hdp_ui_provider":
- Authentication (LDAP)
- Authorization (AclsAuthz/Access Control Lists)
- HAProvider (Default)
- Identity-assertion (Default)
- Add Authentication>LDAP.
- Add Authorization>Access Control Lists.
- Add HAProvider>Default.
- Add Identity-Assertion>Default.
- Save the provider by clicking on save button at right bottom.
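The four providers selected above end up in a Knox provider configuration (topology XML). The following is an added example, not code from this page or from the Knox project: it builds an equivalent XML fragment with the standard ShiroProvider/JndiLdapRealm parameter names and then audits the LDAP settings for the two mistakes a reviewer most often finds, a simple bind over plain ldap:// and a user DN template without the {0} placeholder. The hostnames and DNs in the test values are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Parameter names are the standard Knox ShiroProvider names; the LDAP URL and
# user DN template are supplied by the caller (placeholder values in the demo).
def build_provider_config(ldap_url, user_dn_template, session_timeout_min=30):
    """Return provider-configuration XML equivalent to the four providers
    chosen in the Admin UI: ShiroProvider (LDAP), AclsAuthz, HaProvider, Default."""
    gateway = ET.Element("gateway")

    def provider(role, name, params=None):
        p = ET.SubElement(gateway, "provider")
        ET.SubElement(p, "role").text = role
        ET.SubElement(p, "name").text = name
        ET.SubElement(p, "enabled").text = "true"
        for key, value in (params or {}).items():
            param = ET.SubElement(p, "param")
            ET.SubElement(param, "name").text = key
            ET.SubElement(param, "value").text = value

    provider("authentication", "ShiroProvider", {
        "sessionTimeout": str(session_timeout_min),
        "main.ldapRealm": "org.apache.shiro.realm.ldap.JndiLdapRealm",
        "main.ldapContextFactory": "org.apache.shiro.realm.ldap.JndiLdapContextFactory",
        "main.ldapRealm.contextFactory": "$ldapContextFactory",
        "main.ldapRealm.userDnTemplate": user_dn_template,
        "main.ldapRealm.contextFactory.url": ldap_url,
        "main.ldapRealm.contextFactory.authenticationMechanism": "simple",
        "urls./**": "authcBasic",
    })
    provider("authorization", "AclsAuthz")
    provider("ha", "HaProvider")
    provider("identity-assertion", "Default")
    return ET.tostring(gateway, encoding="unicode")


def audit_provider_config(xml_text):
    """Return a list of findings about the authentication provider's LDAP settings
    (empty list means nothing to report)."""
    findings = []
    params = {}
    for p in ET.fromstring(xml_text).findall("provider"):
        if p.findtext("role") == "authentication":
            for param in p.findall("param"):
                params[param.findtext("name")] = param.findtext("value")

    url = params.get("main.ldapRealm.contextFactory.url", "")
    mech = params.get("main.ldapRealm.contextFactory.authenticationMechanism", "")
    if urlparse(url).scheme == "ldap" and mech == "simple":
        # A simple bind sends the user's password to the directory in clear text.
        findings.append("simple bind over plain ldap:// sends passwords unencrypted; use ldaps://")
    if params.get("main.ldapRealm") != "org.apache.shiro.realm.ldap.JndiLdapRealm":
        findings.append("authentication realm is not JndiLdapRealm")
    if "{0}" not in params.get("main.ldapRealm.userDnTemplate", ""):
        findings.append("userDnTemplate has no {0} placeholder; every login would bind as the same DN")
    return findings


if __name__ == "__main__":
    # Placeholder directory address and DN; replace with your own values.
    xml_text = build_provider_config("ldap://ldap.example.com:389",
                                     "uid={0},ou=people,dc=example,dc=com")
    for finding in audit_provider_config(xml_text):
        print("finding:", finding)
```

The audit reads the XML rather than the builder's arguments, so it can also be pointed at a provider configuration exported from the Admin UI.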
- Defining Descriptors for topology: Click the "+" button next to Descriptor to define a new custom descriptor.
- Add all details for a descriptor:
- Define a name for the descriptor
- Select $Services from the below list
- Configure Ambari address in “Discovery - Address”
- Configure Ambari cluster name in “Discovery - Cluster”
- Provide Ambari user name in “Discovery - Username”
- "Discovery Password Alias" can be left as it is, because the manual step below is run on the Knox machine to avoid configuring the password here.
- Creating the password alias, e.g.,
[root@ctr-e138-1518143905142-240189-01-046340 services]# /usr/$REPO/$VERSION/knox/bin/knoxcli.sh create-alias ambari.discovery.password
Enter password:
Enter password again:
ambari.discovery.password has been successfully created.
- Select provider configuration as “hdp_ui_provider”.
- Press “Ok” to save the details.
- Select “hdp_ui” descriptor to add “$SERVICES”.
The admin can add custom services, which are shown on the right pane under "Descriptor Detail".
Not all services listed are officially supported. See "Knox - Supported Services" for details on which services are supported.
- Verify topology:
Topologies > Select one topology: This is a read-only pane where all the configuration done for "hdp_ui" can be verified.
Changing QuickLinks for $SERVICE UIs
- Quick Link template:
{
  "name": "default",
  "description": "default quick links configuration",
  "configuration": {
    "protocol": { "type": "HTTPS_ONLY" },
    "links": [
      {
        "name": "resourcemanager_ui",
        "label": "ResourceManager UI",
        "requires_user_name": "false",
        "component_name": "KNOX_GATEWAY",
        "url": "%@://%@:%@/gateway/hdp_ui/$SERVICE/",
        "port": {
          "https_property": "gateway.port",
          "https_default_port": "8443",
          "regex": "^(\\d+)$",
          "site": "gateway-site"
        }
      },
      {
        "name": "resourcemanager_logs",
        "label": "ResourceManager logs",
        "requires_user_name": "false",
        "component_name": "KNOX_GATEWAY",
        "url": "%@://%@:%@/gateway/hdp_ui/$service/logs",
        "port": {
          "https_property": "gateway.port",
          "https_default_port": "8443",
          "regex": "^(\\d+)$",
          "site": "gateway-site"
        }
      },
      {
        "name": "resourcemanager_jmx",
        "label": "ResourceManager JMX",
        "requires_user_name": "false",
        "component_name": "KNOX_GATEWAY",
        "url": "%@://%@:%@/gateway/hdp_ui/$service/jmx",
        "port": {
          "https_property": "gateway.port",
          "https_default_port": "8443",
          "regex": "^(\\d+)$",
          "site": "gateway-site"
        }
      },
      {
        "name": "thread_stacks",
        "label": "Thread Stacks",
        "requires_user_name": "false",
        "component_name": "KNOX_GATEWAY",
        "url": "%@://%@:%@/gateway/hdp_ui/$service/stacks",
        "port": {
          "https_property": "gateway.port",
          "https_default_port": "8443",
          "regex": "^(\\d+)$",
          "site": "gateway-site"
        }
      }
    ]
  }
}
- Place quicklinks.json in Ambari: On the ambari-server host, replace the existing quicklinks.json with the JSON file from this document at the following path:
/var/lib/ambari-server/resources/stacks/$REPO/$VERSION/services/$SERVICE/quicklinks/quicklinks.json
- Restart Ambari:
ambari-server restart
- Verify QuickLinks.
After these steps, the $SERVICE Quick Links will be accessible only via the Knox proxy.
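Verifying the Quick Links by clicking through the UI confirms they open, but not that every link is actually routed through Knox. The following is an added example, not code from this page or from Ambari: it embeds the quicklinks.json template above as a string, renders the $SERVICE placeholder for a service name (the name "yarn" is an assumed example value), and checks the properties that make the links Knox-only, namely HTTPS_ONLY protocol, KNOX_GATEWAY as the component, a /gateway/ path, and the port taken from gateway-site. The weakened copy built in the demo is constructed for the check, not taken from any real deployment.

```python
import json
import re

# The template from this page, embedded verbatim (pretty-printed) as a string.
QUICKLINKS_TEMPLATE = r'''{
  "name": "default",
  "description": "default quick links configuration",
  "configuration": {
    "protocol": { "type": "HTTPS_ONLY" },
    "links": [
      { "name": "resourcemanager_ui", "label": "ResourceManager UI",
        "requires_user_name": "false", "component_name": "KNOX_GATEWAY",
        "url": "%@://%@:%@/gateway/hdp_ui/$SERVICE/",
        "port": { "https_property": "gateway.port", "https_default_port": "8443",
                  "regex": "^(\\d+)$", "site": "gateway-site" } },
      { "name": "resourcemanager_logs", "label": "ResourceManager logs",
        "requires_user_name": "false", "component_name": "KNOX_GATEWAY",
        "url": "%@://%@:%@/gateway/hdp_ui/$service/logs",
        "port": { "https_property": "gateway.port", "https_default_port": "8443",
                  "regex": "^(\\d+)$", "site": "gateway-site" } },
      { "name": "resourcemanager_jmx", "label": "ResourceManager JMX",
        "requires_user_name": "false", "component_name": "KNOX_GATEWAY",
        "url": "%@://%@:%@/gateway/hdp_ui/$service/jmx",
        "port": { "https_property": "gateway.port", "https_default_port": "8443",
                  "regex": "^(\\d+)$", "site": "gateway-site" } },
      { "name": "thread_stacks", "label": "Thread Stacks",
        "requires_user_name": "false", "component_name": "KNOX_GATEWAY",
        "url": "%@://%@:%@/gateway/hdp_ui/$service/stacks",
        "port": { "https_property": "gateway.port", "https_default_port": "8443",
                  "regex": "^(\\d+)$", "site": "gateway-site" } }
    ]
  }
}'''


def render_quicklinks(template, service):
    """Substitute the service name for both spellings of the placeholder."""
    return template.replace("$SERVICE", service).replace("$service", service)


def link_urls(json_text):
    """Return the url of every link, in file order."""
    return [link["url"] for link in json.loads(json_text)["configuration"]["links"]]


def check_quicklinks(json_text):
    """Return findings for any link that would bypass the Knox gateway or HTTPS."""
    cfg = json.loads(json_text)["configuration"]
    findings = []
    if cfg.get("protocol", {}).get("type") != "HTTPS_ONLY":
        findings.append("protocol is not HTTPS_ONLY; links could be offered over plain HTTP")
    for link in cfg.get("links", []):
        name = link.get("name", "<unnamed>")
        if link.get("component_name") != "KNOX_GATEWAY":
            findings.append(f"{name}: component_name is not KNOX_GATEWAY, link points at the service host")
        if "/gateway/" not in link.get("url", ""):
            findings.append(f"{name}: url does not go through the Knox gateway path")
        if "$" in link.get("url", ""):
            findings.append(f"{name}: url still contains an unrendered placeholder")
        port = link.get("port", {})
        if port.get("site") != "gateway-site" or port.get("https_property") != "gateway.port":
            findings.append(f"{name}: port is not taken from gateway-site/gateway.port")
        if not re.fullmatch(port.get("regex", "(?!)"), port.get("https_default_port", "")):
            findings.append(f"{name}: https_default_port does not match its own regex")
    return findings


if __name__ == "__main__":
    rendered = render_quicklinks(QUICKLINKS_TEMPLATE, "yarn")  # "yarn" is an assumed example
    print("rendered template findings:", check_quicklinks(rendered))
    # Constructed weakened copy: HTTP allowed and the first link sent straight to the service.
    weakened = rendered.replace("HTTPS_ONLY", "HTTP_ONLY").replace("KNOX_GATEWAY", "RESOURCEMANAGER", 1)
    for finding in check_quicklinks(weakened):
        print("finding:", finding)
```

Run it against the quicklinks.json actually placed under /var/lib/ambari-server/resources before restarting Ambari; a file that passes with no findings is one where every Quick Link resolves to the Knox gateway port over HTTPS.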