Security Reference

Set up the Knox Token Service for Ranger APIs

How to configure the Knox Token Service for Ranger APIs.

Once logged into Knox SSO, the UI service uses a cookie named hadoop-jwt. The Knox Token Service enables clients to acquire this same JWT token to use for accessing REST APIs. By acquiring the token and setting it as a bearer token on a request, a client is able to access REST APIs that are protected with the JWT Federation Provider.
The Knox Token Service can be configured in any topology. For example, from Ambari>Knox>Configs>Advanced knoxsso-topology, add:
<service>
   <role>KNOXTOKEN</role>
   <param>
      <name>knox.token.ttl</name>
      <value>numeric_value_in_milliseconds</value>
   </param>
   <param>
      <name>knox.token.audiences</name>
      <value>tokenbased</value>
   </param>
   <param>
      <name>knox.token.target.url</name>
      <value>https://host:port/gateway/tokenbased</value>
   </param>
</service>
where the values of the parameters are specific to your environment:
Parameter: knox.token.ttl
Description: The lifespan of the token in milliseconds. Once it expires, a new token must be acquired from the KnoxToken service.
Optional/Required: Required
Default: 30000 (30 seconds)

Parameter: knox.token.audiences
Description: Comma-separated list of audiences to add to the JWT token. Used to ensure that a participating application receiving a token knows that the token was intended for use with that application. If an endpoint has expected audiences and they are not present in the token, the token must be rejected. If the token has audiences and the endpoint expects none, the token is accepted.
Optional/Required: Optional

Parameter: knox.token.target.url
Description: Indicates the intended endpoint for which the token may be used. The KnoxShell token credential collector can pull this URL from a knoxtokencache file for use in scripts, which eliminates the need to prompt for or hard-code endpoints in your scripts.
Optional/Required: Optional
For example, with concrete values filled in, from Ambari>Knox>Configs>Advanced knoxsso-topology, add:
<service>
   <role>KNOXTOKEN</role>
   <param>
      <name>knox.token.ttl</name>
      <value>36000000</value>
   </param>
   <param>
      <name>knox.token.audiences</name>
      <value>tokenbased</value>
   </param>
   <param>
      <name>knox.token.target.url</name>
      <value>https://localhost:8443/gateway/tokenbased</value>
   </param>
</service>

Acquire a token from the Knox Token service as configured in the sandbox topology

curl -ivku guest:guest-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
This results in a JSON response containing the token, its expiration and the optional target endpoint:
`{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU","target_url":"https://localhost:8443/gateway/tokenbased","token_type":"Bearer ","expires_in":1489942188233}`
The following curl example shows how to add a bearer token to an Authorization header:
curl -ivk -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU" https://localhost:8443/gateway/tokenbased/webhdfs/v1/tmp?op=LISTSTATUS
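As an added example (not part of the Knox or Ambari documentation), the following Python shows what a client should do with the JSON response above before using the token: decode the JWT claims, apply the audience rule given for knox.token.audiences, check the exp claim, and build the Authorization header from token_type and access_token. It assumes that one matching audience is enough when an endpoint expects several, and it deliberately does not verify the signature, which is the job of the gateway's JWT Federation Provider.

```python
import base64
import json
import time

# The JSON response from this document's curl example (the page's own sample;
# its token expired in 2017, so validity is checked against a supplied clock).
SAMPLE_RESPONSE = {
    "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU",
    "target_url": "https://localhost:8443/gateway/tokenbased",
    "token_type": "Bearer ",      # trailing space appears in the sample
    "expires_in": 1489942188233,  # epoch milliseconds: same instant as the exp claim
}

def decode_claims(token):
    """JWT payload claims. No signature check here: the gateway's JWT Federation
    Provider verifies the signature; a client only needs to read the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_ok(token_aud, expected):
    """Rule from knox.token.audiences: an endpoint expecting audiences rejects a
    token without them; an endpoint expecting none accepts any token.
    Assumption: one matching audience is enough when several are expected."""
    if not expected:
        return True
    if token_aud is None:
        return False
    present = {token_aud} if isinstance(token_aud, str) else set(token_aud)
    return bool(present & set(expected))

def validate(token, expected_audiences, now=None):
    """Reasons to discard the token and request a new one from KNOXTOKEN."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if not audience_ok(claims.get("aud"), expected_audiences):
        problems.append("audience mismatch")
    return problems

def bearer_header(response):
    """Authorization header from the token response; strip() tolerates the space."""
    return {"Authorization": response["token_type"].strip() + " " + response["access_token"]}
```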