Set up the Knox Token Service for Ranger APIs
How to configure the Knox Token Service for Ranger APIs.
After a user signs in through Knox SSO, the web UIs behind the gateway are authenticated with a JWT carried in a cookie named hadoop-jwt. The Knox Token Service enables clients to acquire this same JWT for accessing REST APIs. By acquiring the token and sending it as a bearer token on a request, a client can access REST APIs that are protected with the JWT Federation Provider.
The Knox Token Service can be added to any topology. For example, from Ambari > Knox > Configs > Advanced knoxsso-topology, add a KNOXTOKEN service:
<service>
    <role>KNOXTOKEN</role>
    <param>
        <name>knox.token.ttl</name>
        <value>numeric_value_in_milliseconds</value>
    </param>
    <param>
        <name>knox.token.audiences</name>
        <value>tokenbased</value>
    </param>
    <param>
        <name>knox.token.target.url</name>
        <value>https://host:port/gateway/tokenbased</value>
    </param>
</service>
where the values of the parameters are specific to your environment:

| Parameter | Description | Optional/Required | Default |
|---|---|---|---|
| knox.token.ttl | The lifespan of the token in milliseconds. Once it expires, a new token must be acquired from the KnoxToken service. | Required | 30000 (30 seconds) |
| knox.token.audiences | Comma-separated list of audiences to add to the JWT token, so that a participating application can confirm the token was intended for it. If an endpoint expects audiences and the token carries none of them, the token must be rejected. If the token carries audiences but the endpoint expects none, the token is accepted. | Optional | (none) |
| knox.token.target.url | Indicates the intended endpoint for which the token may be used. The KnoxShell token credential collector can pull this URL from a knoxtokencache file for use in scripts, eliminating the need to prompt for or hard-code endpoints in your scripts. | Optional | (none) |
As a concrete example, from Ambari > Knox > Configs > Advanced knoxsso-topology, add the following, which issues tokens with a 10-hour lifetime (36000000 ms) for the tokenbased topology on the local gateway:
<service>
    <role>KNOXTOKEN</role>
    <param>
        <name>knox.token.ttl</name>
        <value>36000000</value>
    </param>
    <param>
        <name>knox.token.audiences</name>
        <value>tokenbased</value>
    </param>
    <param>
        <name>knox.token.target.url</name>
        <value>https://localhost:8443/gateway/tokenbased</value>
    </param>
</service>
Acquire a token from the Knox Token Service as configured in the sandbox topology. The -k flag disables TLS certificate verification and is acceptable only against the sandbox's self-signed certificate; in a real deployment, pass the gateway's CA bundle with --cacert instead:
curl -ivku guest:guest-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
This results in a JSON response that contains the token, its expiry, and the optional target endpoint:
`{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU","target_url":"https://localhost:8443/gateway/tokenbased","token_type":"Bearer ","expires_in":1489942188233}`
Two details of this response matter when scripting against it. First, despite its name, expires_in is the absolute expiry time in milliseconds since the epoch (1489942188233 here), not a remaining lifetime; it is the same instant as the exp claim inside the token (1489942188, in seconds). Second, decoding the token's payload shows the claims the gateway set from the configuration above: sub is the authenticated user (guest), iss is KNOXSSO, and aud is tokenbased, the value of knox.token.audiences, which is what the JWT Federation Provider in the tokenbased topology checks before accepting the token.
The following curl example sends the token as a bearer token in the Authorization header to a REST API in the tokenbased topology, the endpoint named by target_url and protected with the JWT Federation Provider:
curl -ivk -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU" https://localhost:8443/gateway/tokenbased/webhdfs/v1/tmp?op=LISTSTATUS
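As an added example (not from the HDP or Apache Knox documentation), the following POSIX shell script ties the steps above together: it parses the token-service response, decodes the JWT payload to check the aud claim against the audience configured in knox.token.audiences and the exp claim against the clock, and sends the token as a bearer header with curl. The sample response embedded in the script is the one shown above, so the parsing and claim checks run offline; the gateway URL, topology names, credentials and the CA bundle path /etc/knox/ca.pem used by the two curl helpers are placeholders for your environment, and the claim extractor assumes a single audience, as a one-entry knox.token.audiences produces.

```shell
#!/bin/sh
# Added example, not part of the Knox project or the HDP docs.
# Acquire a Knox token, inspect the JWT it carries, and use it as a bearer token.
set -eu

# Constructed sample: the token-service response shown on this page, embedded so
# the parsing and claim checks below can run without a gateway.
SAMPLE_RESPONSE='{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDg5OTQyMTg4fQ.bcqSK7zMnABEM_HVsm3oWNDrQ_ei7PcMI4AtZEERY9LaPo9dzugOg3PA5JH2BRF-lXM3tuEYuZPaZVf8PenzjtBbuQsCg9VVImuu2r1YNVJlcTQ7OV-eW50L6OTI0uZfyrFwX6C7jVhf7d7YR1NNxs4eVbXpS1TZ5fDIRSfU3MU","target_url":"https://localhost:8443/gateway/tokenbased","token_type":"Bearer ","expires_in":1489942188233}'

# String field from the single-line JSON the token service returns.
json_field() {  # $1 = JSON, $2 = field name
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Numeric field (expires_in is a number, not a string).
json_number() {  # $1 = JSON, $2 = field name
  printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9]*\).*/\1/p"
}

# Decode the JWT payload: second dot-separated segment, base64url, unpadded.
jwt_payload() {  # $1 = compact JWT
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Value of one claim: string claims (sub, aud, iss) first, integer claims (exp)
# as a fallback. Assumes a single audience (one-entry knox.token.audiences).
jwt_claim() {  # $1 = JWT, $2 = claim name
  payload=$(jwt_payload "$1")
  val=$(json_field "$payload" "$2")
  [ -n "$val" ] || val=$(json_number "$payload" "$2")
  printf '%s' "$val"
}

# Succeeds if the token's aud claim is the audience the endpoint expects.
jwt_has_audience() {  # $1 = JWT, $2 = expected audience
  [ "$(jwt_claim "$1" aud)" = "$2" ]
}

# Succeeds if the token has expired. exp is epoch seconds; the response's
# expires_in is the same instant in milliseconds, not a remaining lifetime.
jwt_is_expired() {  # $1 = JWT, $2 = epoch seconds to compare against (default: now)
  exp=$(jwt_claim "$1" exp)
  now=${2:-$(date +%s)}
  [ "$exp" -le "$now" ]
}

# The two network helpers need a reachable gateway. --cacert verifies the gateway
# certificate against a CA bundle instead of disabling verification with -k.
knox_acquire_token() {  # $1 = gateway base URL, $2 = topology, $3 = user:password, $4 = CA bundle
  curl -s --cacert "$4" -u "$3" "$1/gateway/$2/knoxtoken/api/v1/token"
}

knox_get() {  # $1 = token-service JSON, $2 = path under target_url, $3 = CA bundle
  curl -s --cacert "$3" \
    -H "Authorization: Bearer $(json_field "$1" access_token)" \
    "$(json_field "$1" target_url)/$2"
}

# Offline demonstration on the sample response.
TOKEN=$(json_field "$SAMPLE_RESPONSE" access_token)
echo "claims: $(jwt_payload "$TOKEN")"
if jwt_is_expired "$TOKEN"; then
  echo "token expired at $(jwt_claim "$TOKEN" exp); acquire a new one"
fi

# Live session against a gateway (placeholder values; uncomment to run):
#   resp=$(knox_acquire_token https://localhost:8443 sandbox guest:guest-password /etc/knox/ca.pem)
#   knox_get "$resp" 'webhdfs/v1/tmp?op=LISTSTATUS' /etc/knox/ca.pem
```

Run against the sample, the script prints the decoded claims and reports the token as expired, since its exp is in March 2017; a client loop would call knox_acquire_token again at that point rather than retrying the failing request. Checking aud on the client side is a convenience for catching misconfiguration early; the authoritative check is the one the JWT Federation Provider performs on the gateway.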