Configuring Kerberos authentication in Apache Knox shared providers

An example of how to add the kerberos-auth configuration provider from Cloudera Manager.

  1. From Cloudera Manager > Knox > Configuration, add the following entry in the Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml:
    • Name = providerConfigs:kerberos-providers
    • Value =
      role=authentication#
      authentication.name=HadoopAuth#
      authentication.param.sessionTimeout=30#
      authentication.param.config.prefix=hadoop.auth.config#
      authentication.param.hadoop.auth.config.type=kerberos#
      authentication.param.hadoop.auth.config.signature.secret=${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}
      authentication.param.hadoop.auth.config.token.validity=1800#
      authentication.param.hadoop.auth.config.cookie.path=/#
      authentication.param.hadoop.auth.config.simple.anonymous.allowed=false#
      authentication.param.hadoop.auth.config.kerberos.principal=AUTH_CONFIG_KERBEROS_PRINCIPAL#
      authentication.param.hadoop.auth.config.kerberos.keytab=AUTH_CONFIG_KERBEROS_KEYTAB#
      authentication.param.hadoop.auth.config.kerberos.name.rules=DEFAULT
  2. Add a safety valve name/value pair in Cloudera Manager > Knox > Configuration,in Knox Gateway Environment Advanced Configuration Snippet (Safety Valve):
    Name = IDBROKER_KERBEROS_DT_PROXYUSER_BLOCK
    Value = "proxyuser_block": "none"
  3. Save your changes.
  4. Refresh the cluster.
  5. Validate with a curl command: curl -k https://host-10-00-100-100:8443/gateway/admin/api/v1/providerconfig/kerberos-providers.
    # curl -k https://host-10-00-100-100:8443/gateway/admin/api/v1/providerconfig/kerberos-providers
    {
      "providers" : [ {
        "role" : "authentication",
        "name" : "HadoopAuth",
        "enabled" : true,
        "params" : {
          "config.prefix" : "hadoop.auth.config",
          "hadoop.auth.config.cookie.path" : "/",
          "hadoop.auth.config.kerberos.keytab" : "/var/run/cloudera-scm-agent/process/81-knox-KNOX_GATEWAY/knox.keytab",
          "hadoop.auth.config.kerberos.name.rules" : "DEFAULT",
          "hadoop.auth.config.kerberos.principal" : "HTTP/host-10-00-100-100.coe.cloudera.com@CLOUDERA.COM",
          "hadoop.auth.config.signature.secret" : "${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}",
          "hadoop.auth.config.simple.anonymous.allowed" : "false",
          "hadoop.auth.config.token.validity" : "1800",
          "hadoop.auth.config.type" : "kerberos",
          "proxyuser_block" : "none"
        }
      }, {
        "role" : "identity-assertion",
        "name" : "HadoopGroupProvider",
        "enabled" : true,
        "params" : {
          "CENTRAL_GROUP_CONFIG_PREFIX" : "gateway.group.config."
        }
      }, {
        "role" : "authorization",
        "name" : "XASecurePDPKnox",
        "enabled" : true,
        "params" : { }
      }, {
        "role" : "ha",
        "name" : "HaProvider",
        "enabled" : true,
        "params" : {
          "HBASE" : "maxFailoverAttempts=3;failoverSleep=1000;enabled=true",
          "HIVE" : "maxFailoverAttempts=3;failoverSleep=1000;enabled=true;zookeeperEnsemble=maxFailoverAttempts=3;failoverSleep=1000;enabled=true;zookeeperEnsemble=gbl20175161.systems.uk.company:2181,gbl20175162.systems.uk.company:2181,gbl20175163.systems.uk.company:2181;zookeeperNamespace=hiveserver2",
          "OOZIE" : "maxFailoverAttempts=3;failoverSleep=1000;enabled=true",
          "WEBHCAT" : "maxFailoverAttempts=3;failoverSleep=1000;enabled=true",
          "WEBHDFS" : "maxFailoverAttempts=3;failoverSleep=1000;maxRetryAttempts=300;retrySleep=1000;enabled=true"
        }
      } ],
      "readOnly" : true
    }