Configure Kerberos authentication in Apache Knox shared providers

An example of how to add the kerberos-auth configuration provider from Cloudera Manager.

From Cloudera Manager > Knox > Configuration, add the following entry in the Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml:
- name = providerConfigs:kerberos-auth
- value =
```
role=authentication#
authentication.name=HadoopAuth#
authentication.param.sessionTimeout=30#
authentication.param.config.prefix=hadoop.auth.config#
authentication.param.hadoop.auth.config.type=kerberos#
authentication.param.hadoop.auth.config.signature.secret=${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}
authentication.param.hadoop.auth.config.token.validity=1800#
authentication.param.hadoop.auth.config.cookie.path=/#
authentication.param.hadoop.auth.config.simple.anonymous.allowed=false#
authentication.param.hadoop.auth.config.kerberos.principal=AUTH_CONFIG_KERBEROS_PRINCIPAL#
authentication.param.hadoop.auth.config.kerberos.keytab=AUTH_CONFIG_KERBEROS_KEYTAB#
authentication.param.hadoop.auth.config.kerberos.name.rules=DEFAULT
```
  note
  Note: Paste the value = code as a single line, for e.g. role=authentication#authentication.name=HadoopAuth#authentication.param.sessionTimeout=30[...]#authentication.param.hadoop.auth.config.hadoop.proxyuser.impala.groups=*
Where:
- AUTH_CONFIG_KERBEROS_PRINCIPAL is the actual SPNEGO principal generated for the given host (see Administration -> Security -> Kerberos Principals / HTTP).
- AUTH_CONFIG_KERBEROS_KEYTAB is the Cloudera Manager-generated keytab file of the current Knox process. It is located in Cloudera Manager’s CONF_DIR which can be found on the Processes tab of the Knox Gateway instance.
- ALIAS=AUTH_CONFIG_SIGNATURE_SECRET must not be stored as a plain text password, so use Knox's alias service. This means that whatever topology will reference that shared provider configuration, the AUTH_CONFIG_SIGNATURE_SECRET must be created for it (see Saving aliases for details.
Save your changes.
Refresh the cluster.

Validate:

$ curl -ku knoxui:knoxui https://johndoe-1.abc.cloudera.com:8443/gateway/admin/api/v1/providerconfig/kerberos-auth
{
  "providers" : [ {
    "role" : "authentication",
    "name" : "HadoopAuth",
    "enabled" : true,
    "params" : {
      "config.prefix" : "hadoop.auth.config",
      "hadoop.auth.config.cookie.path" : "/",
      "hadoop.auth.config.hadoop.proxyuser.hive.groups" : "*",
      "hadoop.auth.config.hadoop.proxyuser.hive.hosts" : "*",
      "hadoop.auth.config.hadoop.proxyuser.httpfs.groups" : "*",
      "hadoop.auth.config.hadoop.proxyuser.httpfs.hosts" : "*",
      "hadoop.auth.config.hadoop.proxyuser.hue.groups" : "*",
      "hadoop.auth.config.hadoop.proxyuser.hue.hosts" : "*",
      "hadoop.auth.config.hadoop.proxyuser.impala.groups" : "*",
      "hadoop.auth.config.hadoop.proxyuser.impala.hosts" : "*",
      "hadoop.auth.config.hadoop.proxyuser.livy.groups" : "*",
      "hadoop.auth.config.hadoop.proxyuser.livy.hosts" : "*",
      "hadoop.auth.config.hadoop.proxyuser.oozie.groups" : "*",
      "hadoop.auth.config.hadoop.proxyuser.oozie.hosts" : "*",
      "hadoop.auth.config.kerberos.keytab" : "/var/run/cloudera-scm-agent/process/163-knox-IDBROKER/knox.keytab",
      "hadoop.auth.config.kerberos.name.rules" : "DEFAULT",
      "hadoop.auth.config.kerberos.principal" : "HTTP/sampleHost@ABC.CLOUDERA.COM",
      "hadoop.auth.config.signature.secret" : "${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}",
      "hadoop.auth.config.simple.anonymous.allowed" : "false",
      "hadoop.auth.config.token.validity" : "1800",
      "hadoop.auth.config.type" : "kerberos",
      "sessionTimeout" : "30"
    }
  } ],
  "readOnly" : true
}