Enabling Knox authentication for Flink Dashboard

You can use Knox authentication for Flink Dashboard to provide integration with customer Single Sign-On (SSO) solutions. Knox uses Kerberos (SPNEGO) to strongly authenticate itself towards the services.

The Auto Discovery for Knox service is not yet available for the Flink Dashboard. This means you must manually configure Knox with the following steps:
  • Add the Flink Dashboard as a custom service to the cdp-proxy and cdp-proxi-api configurations
  • Create the Flink Dashboard service definitions in Knox
Before you begin

Adding Flink Dashboard to Knox Topology Management

  1. Go to your cluster in Cloudera Manager.
  2. Select Knox from the list of services.
  3. Select Knox Gateway Home.
  4. Open the General Proxy Information.
  5. Click Admin UI URL.

    You are redirected to the Knox Manager page.

  6. Click Service Definitions under Resource Types.
  7. Click on the plus icon to add the SSB service definitions.
    The Create a New Service Definition window appears.
  8. Delete the default text from the window.
  9. Create the service definitions for SSB.
    1. Copy the following XML entry for the FLINK service definition:
      <?xml version="1.0" encoding="UTF-8"?>
      <serviceDefinitions>
         <serviceDefinition>
            <service name="flink" role="FLINK" version="1.12.1">
               <dispatch classname="org.apache.knox.gateway.dispatch.ConfigurableDispatch" use-two-way-ssl="false">
                  <param>
                     <name>responseExcludeHeaders</name>
                     <value>CONTENT-LENGTH,Www-Authenticate</value>
                  </param>
               </dispatch>
               <metadata>
                  <context>/flink</context>
                  <description>The Flink Dashboard acts as a single UI for all the Flink jobs running on the YARN cluster.</description>
                  <shortDesc>Flink Dashboard</shortDesc>
                  <type>UI</type>
               </metadata>
               <routes>
                  <route path="/flink/"/>
                  <route path="/flink/**"/>
                  <route path="/flink/**?**"/>
                  <route path="/flink/jobs/overview">
                     <rewrite apply="FLINK/flink/outbound/json" to="response.body"/>
                  </route>
               </routes>
            </service>
            <rules>
               <rule name="FLINK/flink/inbound/root" pattern="*://*:*/**/flink/">
                  <rewrite template="{$serviceUrl[FLINK]}/"/>
               </rule>
               <rule name="FLINK/flink/inbound/path" pattern="*://*:*/**/flink/{**}">
                  <rewrite template="{$serviceUrl[FLINK]}/{**}"/>
               </rule>
               <rule name="FLINK/flink/inbound/query" pattern="*://*:*/**/flink/{path=**}?{**}">
                  <rewrite template="{$serviceUrl[FLINK]}/{path=**}?{**}"/>
               </rule>
               <rule dir="OUT" name="FLINK/flink/outbound/links">
                  <match pattern="*://*:*/proxy/{**}"/>
                  <rewrite template="{$frontend[url]}/yarnuiv2/proxy/{**}/"/>
               </rule>
               <filter name="FLINK/flink/outbound/json">
                  <content type="*/json">
                     <apply path="$.jobs[*].cluster.url" rule="FLINK/flink/outbound/links"/>
                  </content>
               </filter>
            </rules>
         </serviceDefinition>
      </serviceDefinitions>
      
    2. Paste it to the New Service Definition window.
    3. Click Ok.

      In the list of Service definitions, you should be able to see the Flink service definition.

Adding Flink Dashboard to Knox Topology Management

  1. Go to your cluster in Cloudera Manager.
  2. Click on Knox from the list of Services.
  3. Select Configuration.
  4. Search for Knox Simplified Topology Management.
  5. Add the following entry to the Knox Simplified Topology Management - cdp-proxy:
    FLINK:url=https://<your_hostname>:18211
  6. Click on Save changes.

    The Refresh needed indicator appears beside the Knox service name.

  7. Refresh Knox.

Reaching the Flink Dashboard through Knox

  1. Go to your cluster in Cloudera Manager.
  2. Click on Knox from the list of Services.
  3. Select Knox Gateway Home.
    You will be prompted to provide your username and password.
  4. Click cdp-proxy under Topologies.

    Flink Dashboard should be listed under the cdp-proxy.

  5. Click on Flink Dashboard.

    You are redirected to the Flink Dashboard page.