Configuring Kerberos authentication in Apache Knox shared providers
An example of how to add the kerberos-auth configuration provider from Cloudera Manager.
-
From Cloudera Manager > Knox > Configuration, add the following entry in the
Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml
:- Name =
providerConfigs:kerberos-providers
- Value =
role=authentication# authentication.name=HadoopAuth# authentication.param.sessionTimeout=30# authentication.param.config.prefix=hadoop.auth.config# authentication.param.hadoop.auth.config.type=kerberos# authentication.param.hadoop.auth.config.signature.secret=${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET} authentication.param.hadoop.auth.config.token.validity=1800# authentication.param.hadoop.auth.config.cookie.path=/# authentication.param.hadoop.auth.config.simple.anonymous.allowed=false# authentication.param.hadoop.auth.config.kerberos.principal=AUTH_CONFIG_KERBEROS_PRINCIPAL# authentication.param.hadoop.auth.config.kerberos.keytab=AUTH_CONFIG_KERBEROS_KEYTAB# authentication.param.hadoop.auth.config.kerberos.name.rules=DEFAULT
- Name =
-
Add a safety valve name/value pair in Cloudera Manager > Knox > Configuration,in
Knox Gateway Environment Advanced Configuration Snippet (Safety Valve)
:Name = IDBROKER_KERBEROS_DT_PROXYUSER_BLOCK Value = "proxyuser_block": "none"
- Save your changes.
- Refresh the cluster.
-
Validate with a curl command:
curl -k https://host-10-00-100-100:8443/gateway/admin/api/v1/providerconfig/kerberos-providers
.# curl -k https://host-10-00-100-100:8443/gateway/admin/api/v1/providerconfig/kerberos-providers { "providers" : [ { "role" : "authentication", "name" : "HadoopAuth", "enabled" : true, "params" : { "config.prefix" : "hadoop.auth.config", "hadoop.auth.config.cookie.path" : "/", "hadoop.auth.config.kerberos.keytab" : "/var/run/cloudera-scm-agent/process/81-knox-KNOX_GATEWAY/knox.keytab", "hadoop.auth.config.kerberos.name.rules" : "DEFAULT", "hadoop.auth.config.kerberos.principal" : "HTTP/host-10-00-100-100.coe.cloudera.com@CLOUDERA.COM", "hadoop.auth.config.signature.secret" : "${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}", "hadoop.auth.config.simple.anonymous.allowed" : "false", "hadoop.auth.config.token.validity" : "1800", "hadoop.auth.config.type" : "kerberos", "proxyuser_block" : "none" } }, { "role" : "identity-assertion", "name" : "HadoopGroupProvider", "enabled" : true, "params" : { "CENTRAL_GROUP_CONFIG_PREFIX" : "gateway.group.config." } }, { "role" : "authorization", "name" : "XASecurePDPKnox", "enabled" : true, "params" : { } }, { "role" : "ha", "name" : "HaProvider", "enabled" : true, "params" : { "HBASE" : "maxFailoverAttempts=3;failoverSleep=1000;enabled=true", "HIVE" : "maxFailoverAttempts=3;failoverSleep=1000;enabled=true;zookeeperEnsemble=maxFailoverAttempts=3;failoverSleep=1000;enabled=true;zookeeperEnsemble=gbl20175161.systems.uk.company:2181,gbl20175162.systems.uk.company:2181,gbl20175163.systems.uk.company:2181;zookeeperNamespace=hiveserver2", "OOZIE" : "maxFailoverAttempts=3;failoverSleep=1000;enabled=true", "WEBHCAT" : "maxFailoverAttempts=3;failoverSleep=1000;enabled=true", "WEBHDFS" : "maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true" } } ], "readOnly" : true }