Configuring PAM authentication using Apache Knox
You can configure Cloudera Manager to authenticate through Apache Knox, with authorization provided by LDAP through PAM.
- In Cloudera Manager, click Administration > Settings > External Authentication.
- Search for the property Enable SPNEGO/Kerberos Authentication for the Admin Console and API, and select the checkbox to enable it.
- Search for "Knox Proxy" to view the Knox properties that you need to configure.
- Set the Allowed Groups for Knox Proxy property to the appropriate LDAP group values.
- Set the Allowed Users for Knox Proxy property to the appropriate users.
- Set the Allowed Hosts for Knox Proxy property to the appropriate host values (IP address or FQDN).
- Cloudera Manager checks whether PUT/POST requests come from the same referers. To relax that restriction, set the Cloudera Manager Frontend URL property (Administration > Settings) to the Knox host and port (for example, "https://bsmith-knox2-1.bsmith-knox2.root.hwx.site:8443").
- Verify that the Authorization Backend Order property is not set to "Database Only." If set to Database Only, the external group mapping will not work.
- Restart the Cloudera Manager Server:
sudo systemctl restart cloudera-scm-server
- In Cloudera Manager, map roles to the groups that your user belongs to. Click Administration > Users & Roles > LDAP/PAM Groups, then Add LDAP/PAM Group Mapping.