Enabling Knox authentication

You can use Knox authentication for SQL Stream Builder (SSB) to provide integration with customer Single Sign-On (SSO) solutions. Knox uses Kerberos (SPNEGO) to strongly authenticate itself to the services.

Apache Knox Gateway is used to help ensure perimeter security for SSB. With Knox, enterprises can confidently extend the SSB UI and API endpoints to new users without Kerberos complexities. Knox provides a central gateway and has varying degrees of authorization, authentication, SSL, and SSO capabilities to enable a single access point for SSB.

Before you begin

When using SSB on CDP Private Cloud Base, the Auto Discovery feature of Knox is not supported. This means you must manually configure Knox by adding SSB as a custom service to the cdp-proxy configuration.

Enabling Knox Auto Discovery for MVE without Load Balancer

When using SQL Stream Builder (SSB), the Auto Discovery feature of Knox is supported for the Materialized View Engine (MVE). If you plan to use SSB without Load Balancer, you need to enable the Knox Auto Discovery feature for the MVE, and Cloudera Manager provides and manages all the required service definition files. If the Load Balancer is enabled, you need to manually add the service definition to Knox.

  1. Go to your cluster in Cloudera Manager.
  2. Select Knox from the list of services.
  3. Select Configuration.
  4. Search for mve in the Search field.
  5. Check the Enable Auto Discovery (cdp-proxy-api) - SQL Streaming Builder - Materialized View Engine API property.
  6. Click Save Changes.
    The Refresh needed indicator appears beside the Knox service name.
  7. Refresh Knox.
Continue setting up Knox with SSB by configuring the default topologies of Knox in Cloudera Manager.

Adding SSB services to the default topologies

You must add the SSB services to the Knox default topologies in Cloudera Manager.

  1. Go to your cluster in Cloudera Manager.
  2. Click on Knox from the list of Services.
  3. Select Configuration.
  4. Search for Knox Simplified Topology Management.
  5. Add the following entries to the Knox Simplified Topology Management - cdp-proxy:
    SSB-SSE-UI:url=https://[***STREAMING SQL ENGINE HOST***]:18121
    SSB-SSE-UI:httpclient.connectionTimeout=5m
    SSB-SSE-UI:httpclient.socketTimeout=5m
    SSB-SSE-WS:url=wss://[***STREAMING SQL ENGINE HOST***]:18121
    
    SSB-SSE-UI-LB:url=https://[***STREAMING SQL ENGINE HOST***]:8080
    SSB-SSE-UI-LB:httpclient.connectionTimeout=5m
    SSB-SSE-UI-LB:httpclient.socketTimeout=5m
    SSB-SSE-WS-LB:url=wss://[***STREAMING SQL ENGINE HOST***]:8080
    SSB-SSE-UI-LB:url=https://[***STREAMING SQL ENGINE HOST***]:8445
    SSB-SSE-UI-LB:httpclient.connectionTimeout=5m
    SSB-SSE-UI-LB:httpclient.socketTimeout=5m
    SSB-SSE-WS-LB:url=wss://[***STREAMING SQL ENGINE HOST***]:8445
    You need to add the hostname to the entries as shown in the following example:
  6. Add the following entries to the Knox Simplified Topology Management - cdp-proxy-api:
    SSB-SSE-API:url=https://[***STREAMING SQL ENGINE HOST***]:18121

    The port for the SSB-SSE-API remains the same regardless of TLS configuration.

  7. Add the following entries to the Knox Simplified Topology Management - cdp-proxy-api if you are using a Load Balanced SSB:
    SSB-MVE-API-LB:url=https://[***SSB MV HOST***]:8081
    SSB-MVE-API-LB:url=https://[***SSB MV HOST***]:8444
  8. Click Save changes.
    The Refresh needed indicator appears beside the Knox service name.
  9. Refresh Knox.
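
The following check is an added example, not Cloudera tooling or part of the original page. It lints entries before they are pasted into Knox Simplified Topology Management, flagging placeholders left in place, backend URLs that are not https or wss, and a service key that is set twice. The hostname ssb-host.example.com and the sample entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of pasted cdp-proxy entries; ssb-host.example.com is a
# made-up hostname, and the ws:// and leftover placeholder are deliberate.
SAMPLE = """\
SSB-SSE-UI:url=https://ssb-host.example.com:18121
SSB-SSE-UI:httpclient.connectionTimeout=5m
SSB-SSE-WS:url=ws://ssb-host.example.com:18121
SSB-SSE-UI-LB:url=https://[***STREAMING SQL ENGINE HOST***]:8080
SSB-SSE-UI-LB:url=https://ssb-host.example.com:8445
"""

ENTRY = re.compile(r"^(?P<service>[A-Z0-9-]+):(?P<key>[\w.]+)=(?P<value>.*)$")
PLACEHOLDER = re.compile(r"\[\*\*\*.*?\*\*\*\]")

def lint_topology(text):
    """Return (line_no, message) findings for SERVICE:key=value entries."""
    findings, seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = ENTRY.match(raw.strip())
        if not m:
            findings.append((no, "not in SERVICE:key=value form"))
            continue
        ident = (m["service"], m["key"])
        if ident in seen:  # same key twice, e.g. both port variants pasted
            findings.append((no, f"{m['service']}:{m['key']} already set on line {seen[ident]}"))
        seen.setdefault(ident, no)
        if m["key"] != "url":
            continue
        if PLACEHOLDER.search(m["value"]):
            findings.append((no, "placeholder not replaced with a hostname"))
            continue
        try:
            url = urlsplit(m["value"])
            host, port = url.hostname, url.port
        except ValueError:
            findings.append((no, "url does not parse"))
            continue
        if url.scheme not in ("https", "wss"):
            findings.append((no, f"scheme {url.scheme!r} is not https or wss"))
        if not host or port is None:
            findings.append((no, "url needs an explicit host and port"))
    return findings

if __name__ == "__main__":
    print(*(f"line {n}: {msg}" for n, msg in lint_topology(SAMPLE)), sep="\n")
```
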
When the default topologies are configured, you need to define the proxy paths for SSB in Cloudera Manager.

Defining Knox proxy paths for SSB

You must provide the Knox proxy paths for YARN and the Materialized View API in Cloudera Manager to authenticate the user when accessing the Materialized Views and the Resource Manager through the Streaming SQL Console.

  1. Go to your cluster in Cloudera Manager.
  2. Click on SQL Stream Builder from the list of Services.
  3. Select Configuration.
  4. Search for Knox proxy path for YARN.
  5. Add the following URL path:
    https://[***KNOX GATEWAY HOST***]/gateway/cdp-proxy/yarnuiv2/proxy
  6. Search for Knox proxy path for Materialized View Engine.
  7. Add the following URL path:
    https://[***KNOX GATEWAY HOST***]/gateway/cdp-proxy-api/ssb-mve-api
  8. Restart the Knox service.
After configuring the Knox service for SQL Stream Builder, you can reach the Streaming SQL Console by completing the steps in the Accessing the Streaming SQL Console through Knox section.

Accessing the Streaming SQL Console through Knox

After manually configuring Knox and SSB, you should check if the SSO authentication works for the Streaming SQL Console.

  1. Go to your cluster in Cloudera Manager.
  2. Click on Knox from the list of Services.
  3. Select Knox Gateway Home.
    You will be prompted to provide your username and password.
  4. Click cdp-proxy under Topologies.
    SSB Console should be listed under the cdp-proxy.
  5. Click SSB Console.
    You are redirected to the Streaming SQL Console page.