Configure Kerberos authentication in Apache Knox shared providers

An example of how to add the kerberos-auth configuration provider from Cloudera Manager.

  1. From Cloudera Manager > Knox > Configuration, add the following entry in the Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml:
    • name = providerConfigs:kerberos-auth
    • value =
      role=authentication#
      authentication.name=HadoopAuth#
      authentication.param.sessionTimeout=30#
      authentication.param.config.prefix=hadoop.auth.config#
      authentication.param.hadoop.auth.config.type=kerberos#
      authentication.param.hadoop.auth.config.signature.secret=${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}#
      authentication.param.hadoop.auth.config.token.validity=1800#
      authentication.param.hadoop.auth.config.cookie.path=/#
      authentication.param.hadoop.auth.config.simple.anonymous.allowed=false#
      authentication.param.hadoop.auth.config.kerberos.principal=AUTH_CONFIG_KERBEROS_PRINCIPAL#
      authentication.param.hadoop.auth.config.kerberos.keytab=AUTH_CONFIG_KERBEROS_KEYTAB#
      authentication.param.hadoop.auth.config.kerberos.name.rules=DEFAULT
      
    Where:
    • AUTH_CONFIG_KERBEROS_PRINCIPAL is the actual SPNEGO principal generated for the given host (see Administration -> Security -> Kerberos Principals / HTTP).
    • AUTH_CONFIG_KERBEROS_KEYTAB is the Cloudera Manager-generated keytab file of the current Knox process. It is located in Cloudera Manager's CONF_DIR, which can be found on the Processes tab of the Knox Gateway instance.
    • ALIAS=AUTH_CONFIG_SIGNATURE_SECRET: the signature secret must not be stored as a plain-text password, so the value references Knox's alias service instead. This means that for every topology that references this shared provider configuration, the AUTH_CONFIG_SIGNATURE_SECRET alias must be created (see Saving aliases for details).
  2. Save your changes.
  3. Refresh the cluster.
  4. Validate:
    $ curl -ku knoxui:knoxui https://johndoe-1.abc.cloudera.com:8443/gateway/admin/api/v1/providerconfig/kerberos-auth
    {
      "providers" : [ {
        "role" : "authentication",
        "name" : "HadoopAuth",
        "enabled" : true,
        "params" : {
          "config.prefix" : "hadoop.auth.config",
          "hadoop.auth.config.cookie.path" : "/",
          "hadoop.auth.config.hadoop.proxyuser.hive.groups" : "*",
          "hadoop.auth.config.hadoop.proxyuser.hive.hosts" : "*",
          "hadoop.auth.config.hadoop.proxyuser.httpfs.groups" : "*",
          "hadoop.auth.config.hadoop.proxyuser.httpfs.hosts" : "*",
          "hadoop.auth.config.hadoop.proxyuser.hue.groups" : "*",
          "hadoop.auth.config.hadoop.proxyuser.hue.hosts" : "*",
          "hadoop.auth.config.hadoop.proxyuser.impala.groups" : "*",
          "hadoop.auth.config.hadoop.proxyuser.impala.hosts" : "*",
          "hadoop.auth.config.hadoop.proxyuser.livy.groups" : "*",
          "hadoop.auth.config.hadoop.proxyuser.livy.hosts" : "*",
          "hadoop.auth.config.hadoop.proxyuser.oozie.groups" : "*",
          "hadoop.auth.config.hadoop.proxyuser.oozie.hosts" : "*",
          "hadoop.auth.config.kerberos.keytab" : "/var/run/cloudera-scm-agent/process/163-knox-IDBROKER/knox.keytab",
          "hadoop.auth.config.kerberos.name.rules" : "DEFAULT",
          "hadoop.auth.config.kerberos.principal" : "HTTP/sampleHost@ABC.CLOUDERA.COM",
          "hadoop.auth.config.signature.secret" : "${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}",
          "hadoop.auth.config.simple.anonymous.allowed" : "false",
          "hadoop.auth.config.token.validity" : "1800",
          "hadoop.auth.config.type" : "kerberos",
          "sessionTimeout" : "30"
        }
      } ],
      "readOnly" : true
    }
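The following is an added example, not part of the Cloudera documentation or the Knox project code. It shows the two places in this procedure where a mistake is easy to make and easy to check: in step 1, building the `#`-separated safety-valve value (a missing `#` silently merges two entries into one, and `${ALIAS=...}` contains an `=` that must not be split on), and in step 4, auditing the JSON returned by the admin API for the settings that matter (kerberos type, anonymous access disabled, signature secret held as an alias rather than plain text, an `HTTP/` SPNEGO principal, a keytab path and a positive token validity). The sample response below is constructed from the output shown above, with the proxyuser entries trimmed; the assumption that `#` is the entry separator follows the format of the value on this page.

```python
import json
import re

# Constructed sample: the admin API response from the Validate step, trimmed to
# the fields the audit looks at (host and realm values are placeholders).
SAMPLE_ADMIN_RESPONSE = """{
  "providers" : [ {
    "role" : "authentication",
    "name" : "HadoopAuth",
    "enabled" : true,
    "params" : {
      "config.prefix" : "hadoop.auth.config",
      "hadoop.auth.config.cookie.path" : "/",
      "hadoop.auth.config.kerberos.keytab" : "/var/run/cloudera-scm-agent/process/163-knox-IDBROKER/knox.keytab",
      "hadoop.auth.config.kerberos.name.rules" : "DEFAULT",
      "hadoop.auth.config.kerberos.principal" : "HTTP/sampleHost@ABC.CLOUDERA.COM",
      "hadoop.auth.config.signature.secret" : "${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}",
      "hadoop.auth.config.simple.anonymous.allowed" : "false",
      "hadoop.auth.config.token.validity" : "1800",
      "hadoop.auth.config.type" : "kerberos",
      "sessionTimeout" : "30"
    }
  } ],
  "readOnly" : true
}"""

# A secret that is an alias reference looks like ${ALIAS=NAME}; anything else is
# treated as a plain-text secret by the audit.
ALIAS_RE = re.compile(r"^\$\{ALIAS=[A-Za-z0-9_.-]+\}$")


def build_provider_value(entries):
    """Join (key, value) pairs with '#' the way the safety-valve value on the
    page is written. Assumption: '#' is the entry separator, so it may not
    appear inside a key or value."""
    for key, value in entries:
        if "#" in key or "#" in value:
            raise ValueError(f"'#' is the separator and cannot appear in {key!r}")
    return "#".join(f"{k}={v}" for k, v in entries)


def parse_provider_value(value):
    """Split a '#'-separated value back into an ordered list of (key, value).
    Each entry is split on its first '=' only, so ${ALIAS=...} survives intact.
    A forgotten '#' shows up as one entry whose value swallows the next line."""
    entries = []
    for part in value.split("#"):
        if not part.strip():
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"entry without '=': {part!r}")
        entries.append((key.strip(), val.strip()))
    return entries


def audit_provider(admin_json):
    """Check the authentication provider returned by the Knox admin API and
    return a list of findings; an empty list means all checks passed."""
    doc = json.loads(admin_json)
    auth = [p for p in doc.get("providers", []) if p.get("role") == "authentication"]
    if len(auth) != 1:
        return ["expected exactly one authentication provider"]
    prov = auth[0]
    params = prov.get("params", {})
    prefix = params.get("config.prefix", "hadoop.auth.config")

    def p(name):
        return params.get(f"{prefix}.{name}")

    findings = []
    if prov.get("name") != "HadoopAuth":
        findings.append("provider name is not HadoopAuth")
    if not prov.get("enabled", False):
        findings.append("authentication provider is disabled")
    if p("type") != "kerberos":
        findings.append("auth type is not kerberos")
    if p("simple.anonymous.allowed") != "false":
        findings.append("anonymous access is allowed")
    if not ALIAS_RE.match(p("signature.secret") or ""):
        findings.append("signature.secret is not an alias reference (plain-text secret?)")
    principal = p("kerberos.principal") or ""
    if not principal.startswith("HTTP/") or "@" not in principal:
        findings.append("kerberos.principal is not an HTTP/<host>@<REALM> SPNEGO principal")
    if not p("kerberos.keytab"):
        findings.append("kerberos.keytab is not set")
    validity = p("token.validity") or ""
    if not validity.isdigit() or int(validity) <= 0:
        findings.append("token.validity is not a positive integer")
    return findings


if __name__ == "__main__":
    # Pipe the curl output from the Validate step into this script to audit a
    # live gateway; with no stdin it audits the constructed sample.
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ADMIN_RESPONSE
    for finding in audit_provider(data) or ["OK: kerberos-auth provider passes all checks"]:
        print(finding)
```

Running the script on the sample above prints the OK line; running it on an output where the secret is a literal string or `simple.anonymous.allowed` is `true` lists those settings as findings. `parse_provider_value` is the check to run on the safety-valve value before saving: the entry count should equal the number of lines you typed.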