Enabling Knox authentication

You can use Knox authentication for Cloudera SQL Stream Builder to provide integration with customer Single Sign-On (SSO) solutions. Knox uses Kerberos (SPNEGO) to strongly authenticate itself towards the services.

Apache Knox Gateway is used to help ensure perimeter security for Cloudera SQL Stream Builder. With Knox, enterprises can confidently extend the Cloudera SQL Stream Builder UI and API endpoints to new users without Kerberos complexities. Knox provides a central gateway and has varying degrees of authorization, authentication, SSL, and SSO capabilities to enable a single access point for Cloudera SQL Stream Builder.

Before you begin

Install and configure Knox on your cluster. For more information, see the Installing Apache Knox documentation.
Enable Kerberos authentication for Cloudera SQL Stream Builder. For more information, see Enabling Kerberos authentication section.

When using Cloudera SQL Stream Builder on Cloudera Private Cloud Base, the Auto Discovery feature of Knox is not supported. This means you must manually configure Knox by adding Cloudera SQL Stream Builder as a custom service to the cdp-proxy configuration.

Enabling Knox Auto Discovery for MVE without Load Balancer🔗

When using Cloudera SQL Stream Builder, the Auto Discovery feature of Knox is supported for the Materialized View Engine (MVE). This means that you need to enable the Knox Auto Discovery feature for the MVE if you plan to use Cloudera SQL Stream Builder without Load Balancer, and Cloudera Manager provides and manages all the required service definition files. In case the Load Balancer is enabled, you need to manually add the service definition to Knox.

Go to your cluster in Cloudera Manager.
Select Knox from the list of services.
Select Configuration.
Search for mve in the Search field.
Check the Enable Auto Discovery (cdp-proxy-api) - Cloudera SQL Streaming Builder - Materialized View Engine API property.
Click Save Changes.
The Refresh needed indicator appears beside the Knox service name.
Refresh Knox.

Continue setting up Knox with Cloudera SQL Stream Builder by configuring the default topologies of Knox in Cloudera Manager.

Adding Cloudera SQL Stream Builder services to the default topologies🔗

You must add the Cloudera SQL Stream Builder services to the Knox default topologies in Cloudera Manager.

Go to your cluster in Cloudera Manager.
Click on Knox from the list of Services.
Select Configuration.
Search for Knox Simplified Topology Management.

Add the following entries to the Knox Simplified Topology Management - cdp-proxy:

Without Load Balancer
With Load Balancer and without TLS
With Load Balancer and with TLS

SSB-SSE-UI:url=https://[***STREAMING SQL ENGINE HOST***]:18121
SSB-SSE-UI:httpclient.connectionTimeout=5m
SSB-SSE-UI:httpclient.socketTimeout=5m
SSB-SSE-WS:url=wss://[***STREAMING SQL ENGINE HOST***]:18121

SSB-SSE-UI-LB:url=https://[***STREAMING SQL ENGINE HOST***]:8080
SSB-SSE-UI-LB:httpclient.connectionTimeout=5m
SSB-SSE-UI-LB:httpclient.socketTimeout=5m
SSB-SSE-WS-LB:url=wss://[***STREAMING SQL ENGINE HOST***]:8080

SSB-SSE-UI-LB:url=https://[***STREAMING SQL ENGINE HOST***]:8445
SSB-SSE-UI-LB:httpclient.connectionTimeout=5m
SSB-SSE-UI-LB:httpclient.socketTimeout=5m
SSB-SSE-WS-LB:url=wss://[***STREAMING SQL ENGINE HOST***]:8445

You need to add the hostname to the entries as shown in the following example:

Add the following entries to the Knox Simplified Topology Management - cdp-proxy-api:
```
SSB-SSE-API:url=https://[***STREAMING SQL ENGINE HOST***]:18121
```
The port for the SSB-SSE-API remains the same regardless of TLS configuration.
Add the following entries to the Knox Simplified Topology Management - cdp-proxy-api if you are using a Load Balanced SSB:
- Without TLS
- With TLS
SSB-MVE-API-LB:url=https://[***SSB MV HOST***]:8081
SSB-MVE-API-LB:url=https://[***SSB MV HOST***]:8444
Click Save changes.
The Refresh needed indicator appears beside the Knox service name.
Refresh Knox.

When the default topologies are configured, you need to define the proxy paths for Cloudera SQL Stream Builder in Cloudera Manager.

Defining Knox proxy paths for Cloudera SQL Stream Builder🔗

You must provide the Knox proxy paths for YARN and the Materialized View API in Cloudera Manager to authenticate the user when accessing the Materialized Views and the Resource Manager through the Streaming SQL Console.

Go to your cluster in Cloudera Manager.
Click on Cloudera SQL Stream Builder from the list of Services.
Select Configuration.
Search for Knox proxy path for YARN.

Add the following URL path:

https://[***KNOX GATEWAY HOST***]/gateway/cdp-proxy/yarnuiv2/proxy

Search for Knox proxy path for Materialized View Engine.

Add the following URL path:

https://[***KNOX GATEWAY HOST***]/gateway/cdp-proxy-api/ssb-mve-api

Restart the Knox service.

After configuring the Knox service for Cloudera SQL Stream Builder, you can reach the Streaming SQL Console by completing the steps in Accessing the Cloudera SQL Stream Builder through Knox section.

Accessing the Streaming SQL Console through Knox🔗

After manually configuring Knox and Cloudera SQL Stream Builder, you should check if the SSO authentication works for the Streaming SQL Console.

Go to your cluster in Cloudera Manager.
Click on Knox from the list of Services.
Select Knox Gateway Home.
You will be prompted to provide your username and password.
Click cdp-proxy under Topologies.
Cloudera SQL Stream Builder Console should be listed under the cdp-proxy.
Click Cloudera SQL Stream Builder Console.
You are redirected to the Streaming SQL Console page.
note
In case Cloudera SQL Stream Builder Console does not appear under the cdp-proxy topologies, try to clean up the deployments folder of Knox with the following command:
```
rm -rf /var/lib/knox/gateway/data/deployments/*
```
After running the command, restart the Knox service.