Installing and Starting the KNOX Service

Perform the following post-migration steps.

After the other services are configured, install the Knox service for the cluster. Start the Knox service.
  • Monitor gateway.log during the first startup to view the list of discovery entries for Cloudera Manager. After startup, you can navigate to the KNOX Gateway user interface from the Knox service window in Cloudera Manager.
  • In the Knox Gateway user interface, at least two topologies are auto-created through the discovery.
  • Open one of the topologies to discover the proxy links for each of the discovered services.
  • If the web UIs associated with these services were kerberized, then the KNOX proxy URLs allow you to access them without SPNEGO.

  • Make sure that each user interface for the services is kerberized and has users listed in each of the respective services’ user lists to secure them.

  • Configure TLS for the cluster and the services if you have not already done so.

  • By default, KNOX leverages PAM integration for authentication. This is different from most KNOX configurations that were set up with direct LDAP integration through the Shiro topology configurations. PAM integration requires hosts to have a valid sssd configuration with the controlling IDM for cluster identity.

  • Ensure that the Ranger plugin is activated for KNOX and follow up on the policies in Ranger for Knox to control the access to the endpoints. Select Ranger Service.

  • Enable SSO from the discovered services using either of these methods:
    • Enabling Kerberos
    • Ensuring a user is defined in the service user list for the proxied web UIs for each service.
    • Restart each service after making the required changes, if they are not already enabled.
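
A pre-flight check for the PAM requirement above, as an added example (not part of the original page and not Cloudera or Knox tooling): it validates the parts of sssd.conf that PAM authentication depends on. The sample configs, domain names and function names are constructed for illustration, and it assumes the classic layout in which SSSD runs as root with explicitly listed responders.

```python
import configparser, pathlib, stat

# Constructed samples, not taken from any real host.
GOOD = """[sssd]
services = nss, pam
domains = example.test
[domain/example.test]
id_provider = ldap
"""
BAD = """[sssd]
services = nss
domains = example.test, corp.test
[domain/example.test]
"""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_sssd_conf(text, mode=0o600, uid=0):
    """Return a list of problems in sssd.conf content and file metadata."""
    problems = []
    # Assumption: SSSD runs as root and expects a root-owned, mode 0600 file.
    if uid != 0:
        problems.append("sssd.conf is not owned by root")
    if stat.S_IMODE(mode) != 0o600:
        problems.append("sssd.conf mode is %o, expected 600" % stat.S_IMODE(mode))
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return problems + ["unparseable: %s" % exc]
    if not cp.has_section("sssd"):
        return problems + ["missing [sssd] section"]
    # Assumption: responders are listed explicitly, not socket-activated.
    if "pam" not in _csv(cp.get("sssd", "services", fallback="")):
        problems.append("pam responder not listed in [sssd] services")
    domains = _csv(cp.get("sssd", "domains", fallback=""))
    if not domains:
        problems.append("no domains enabled in [sssd]")
    for name in domains:
        section = "domain/" + name
        if not cp.has_section(section):
            problems.append("enabled domain %s has no [%s] section" % (name, section))
        elif not cp.get(section, "id_provider", fallback="").strip():
            problems.append("[%s] has no id_provider" % section)
    return problems

def check_file(path="/etc/sssd/sssd.conf"):
    p = pathlib.Path(path)
    return check_sssd_conf(p.read_text(), p.stat().st_mode, p.stat().st_uid)
```

Run `check_file()` as root on each Knox gateway host. An empty list means the basic prerequisites are present; it does not prove that the IDM is reachable or that users resolve.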