Configure Apache Knox authentication for PAM

Knox authentication configurations for PAM in Cloudera Manager. PAM is the default SSO authentication provider in Cloudera on premises.

note

The knox user needs permission on /etc/shadow for PAM authentication. Allow the knox user to read the /etc/shadow file:

groupadd shadow
usermod -a -G shadow knox
chgrp shadow /etc/shadow
chmod g+r /etc/shadow

SSO authentication for PAM

In Cloudera on premises, Cloudera Manager added a new Knox configuration, called

Knox Simplified Topology Management - SSO
          Authentication Provider

, with the following initial configuration:

role=authentication
authentication.name=ShiroProvider
authentication.param.sessionTimeout=30
authentication.param.redirectToUrl=/${GATEWAY_PATH}/knoxsso/knoxauth/login.html
authentication.param.restrictedCookies=rememberme,WWW-Authenticate
authentication.param.urls./**=authcBasic
authentication.param.main.pamRealm=org.apache.knox.gateway.shirorealm.KnoxPamRealm
authentication.param.main.pamRealm.service=login

Every change here is applied to the knoxsso topology that affects manager, homepage and cdp-proxy topologies as they are using the federation provider.

API authentication for PAM

A new Knox configuration has been added for Cloudera on premises, called

Knox Simplified Topology
          Management - API Authentication Provider

, with the following initial configuration:

role=authentication
authentication.name=ShiroProvider
authentication.param.sessionTimeout=30
authentication.param.urls./**=authcBasic
authentication.param.main.pamRealm=org.apache.knox.gateway.shirorealm.KnoxPamRealm
authentication.param.main.pamRealm.service=login

Every change here is applied to the admin, metadata, and cdp-proxy-api topologies.