Configuring user authentication using Knox SSO
In a CDP Private Cloud Base deployment, to enable DAS to work with the CDP cluster SSO, configure the Knox settings as described in this topic.
You need to export the Knox certificate from the Knox gateway host. To find the Knox gateway host, go to.
SSH in to the Knox gateway host with a
Export the Knox certificate by running the following command:
/usr/hdp/current/knox-server/bin/knoxcli.sh export-cert --type PEM
/usr/hdp/current/knox-server/data/security/keystores/gateway-identity.pemIf the export is successfully, the following message is displayed:
Certificate gateway-identity has been successfully exported to: /usr/hdp/current/knox-server/data/security/keystores/gateway-identity.pemNote the location where you save the
- If not done already, specify KNOX_SSO in the user_authentication field under .
Enable the Knox SSO topology settings. From the Ambari UI, go to
and make the following configuration changes:
- Specify KNOX_SSO in the user_authentication field.
Specify the Knox SSO URL in the knox_sso_url
field in the following format:
- Copy the contents of the PEM file that you exported earlier in the knox_publickey field without the header and the footer.
Add the list of users in the admin_users field
who need admin access to DAS.
You can specify
*(asterisk) in the admin_users field to make all users the admin users.You can also specify an admin group in the admin_groups field.
- Click Save and click through the confirmation pop-ups.
- Restart DAS and any services that require restart by clicking .