Configuring PAM authentication using Apache Knox

You can configure Cloudera Manager to authenticate through Apache Knox, with authorization provided by LDAP through PAM.

  1. In Cloudera Manager, click Administration > Settings > External Authentication.
  2. Search for the property Enable SPNEGO/Kerberos Authentication for the Admin Console and API, and select the checkbox to enable it.
  3. Search for "Knox Proxy" to view the Knox properties that you need to configure.
  4. Set the Allowed Groups for Knox Proxy property to the appropriate LDAP group values.
  5. Set the Allowed Users for Knox Proxy property to the appropriate users.
  6. Set the Allowed Hosts for Knox Proxy property to the appropriate host values (IP address or FQDN).
  7. Cloudera Manager checks whether PUT/POST requests come from the same referers. To relax that restriction, set the Cloudera Manager Frontend URL property (Administration > Settings) to the Knox host and port (for example, "https://bsmith-knox2-1.bsmith-knox2.root.hwx.site:8443").
  8. Verify that the Authorization Backend Order property is not set to "Database Only." If set to Database Only, the external group mapping will not work.
  9. Restart the Cloudera Manager Server:
    sudo systemctl restart cloudera-scm-server
  10. In Cloudera Manager, map roles to the groups that your user belongs to. Click Administration > Users & Roles > LDAP/PAM Groups, then Add LDAP/PAM Group Mapping.