Knox Admin UI Quicklink Requirements for Unsecured Clusters
If you are in an unsecured cluster and navigate to the Knox Admin UI via quicklink, and the UI loads but no topologies are visible, some configurations must be adjusted for your deployment.
Context
The Knox Admin UI is hosted in a topology called manager.xml; this topology is not manageable by Ambari. It is manageable by the Knox Admin UI, but there is an access issue before changing your configurations. Rather than adding another topology to the fixed set managed by Ambari, a number of enhancements have been made to provide reasonable defaults and centralized configuration for admin capabilities within gateway-site.xml.
Defaults/Central Config
Knox Admin UI no longer uses HTTP Basic Auth, but instead uses KnoxSSO.
KnoxSSO is set up out-of-the-box to still use the DEMO LDAP server for Knox. It needs to be configured for enterprise AD/LDAP or another SSO mechanism as appropriate for the deployment.
Authorization checks within the manager.xml and admin.xml topologies now default to gateway-site.xml properties called gateway.knox.admin.users and gateway.knox.admin.groups. These are comma-separated lists of users and groups that should have access to the admin capabilities in the manager.xml and admin.xml topologies.
In order for the groups capability to work out of the box, it is assumed that local OS accounts with groups are available on the Knox machine. This is very often the case for secure clusters but not necessarily for unsecured clusters. In unsecured clusters, it is possible that LDAP configuration will need to be added to gateway-site.xml. This is done via the Hadoop Group Provider values with a specific prefix for this use: gateway.group.config. All of the config that begins with that prefix will be found and used to configure the group lookup mechanism for the deployment. See the following for more details on Hadoop Group Provider: “Hadoop Group Lookup Identity Assertion Provider”. Since the admin topologies have already been seeded with the prefix to look for, the configuration only needs to be added to gateway-site.xml and the server restarted.
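The checks described above can be run against a gateway-site.xml before restarting Knox. The following is an added example, not part of the original documentation or of Knox itself: the sample configuration is constructed (user, group, LDAP host and base DN are placeholders), the finding names are hypothetical, and treating a missing hadoop.security.group.mapping under the prefix as a finding is this example's assumption.

```python
import xml.etree.ElementTree as ET

PREFIX = "gateway.group.config."
MAPPING = PREFIX + "hadoop.security.group.mapping"

# Constructed sample gateway-site.xml; users, groups, host and DN are placeholders.
SAMPLE = """<configuration>
  <property><name>gateway.knox.admin.users</name><value>admin</value></property>
  <property><name>gateway.knox.admin.groups</name><value>knox-admins</value></property>
  <property><name>gateway.group.config.hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value></property>
  <property><name>gateway.group.config.hadoop.security.group.mapping.ldap.url</name>
    <value>ldaps://ldap.example.com:636</value></property>
  <property><name>gateway.group.config.hadoop.security.group.mapping.ldap.base</name>
    <value>dc=example,dc=com</value></property>
</configuration>"""


def load_props(xml_text):
    """Return {name: value} for every <property> element in the document."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}


def csv_list(props, key):
    """Split a comma-separated property value into its non-empty entries."""
    return [v.strip() for v in props.get(key, "").split(",") if v.strip()]


def audit(xml_text):
    """Return findings that would explain missing admin access in the Admin UI."""
    props = load_props(xml_text)
    users = csv_list(props, "gateway.knox.admin.users")
    groups = csv_list(props, "gateway.knox.admin.groups")
    group_cfg = {k: v for k, v in props.items() if k.startswith(PREFIX)}
    findings = []
    if not users and not groups:
        findings.append("no-admin-principals")  # nobody is listed as an admin
    if groups and not group_cfg:
        # Without prefixed config, group lookup depends on local OS accounts.
        findings.append("groups-need-os-accounts")
    if group_cfg and not props.get(MAPPING):
        # Assumption of this example: prefixed settings should name a provider class.
        findings.append("no-group-mapping-class")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "admin access settings look consistent")
```

An empty result means the admin lists and the group lookup settings are consistent with each other; it does not confirm that the listed users or groups exist in the directory.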
The manager.xml and admin.xml topologies are now treated as auto-deploy topologies by default, since they depend on gateway-site.xml configuration and must be redeployed to pick up that configuration. They should redeploy automatically on gateway restart; if for some reason they do not, they can be redeployed manually by touching the files or by using the Knox CLI to redeploy them from the Knox machine(s).