Configure Kerberos authentication in Apache Knox shared providers
An example of how to add the kerberos-auth configuration provider from Cloudera Manager.
- From Cloudera Manager > Knox > Configuration, add the following entry in the Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml:
  - name = providerConfigs:kerberos-auth
  - value = (one entry per line, each terminated by #)

        role=authentication#
        authentication.name=HadoopAuth#
        authentication.param.sessionTimeout=30#
        authentication.param.config.prefix=hadoop.auth.config#
        authentication.param.hadoop.auth.config.type=kerberos#
        authentication.param.hadoop.auth.config.signature.secret=${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}#
        authentication.param.hadoop.auth.config.token.validity=1800#
        authentication.param.hadoop.auth.config.cookie.path=/#
        authentication.param.hadoop.auth.config.simple.anonymous.allowed=false#
        authentication.param.hadoop.auth.config.kerberos.principal=AUTH_CONFIG_KERBEROS_PRINCIPAL#
        authentication.param.hadoop.auth.config.kerberos.keytab=AUTH_CONFIG_KERBEROS_KEYTAB#
        authentication.param.hadoop.auth.config.kerberos.name.rules=DEFAULT
  Where:
  - AUTH_CONFIG_KERBEROS_PRINCIPAL is the actual SPNEGO principal generated for the given host (see Administration -> Security -> Kerberos Principals / HTTP).
  - AUTH_CONFIG_KERBEROS_KEYTAB is the Cloudera Manager-generated keytab file of the current Knox process. It is located in Cloudera Manager's CONF_DIR, which can be found on the Processes tab of the Knox Gateway instance.
  - ${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}: the signature secret must not be stored as a plain-text password, so use Knox's alias service. This means that the AUTH_CONFIG_SIGNATURE_SECRET alias must be created for every topology that references this shared provider configuration (see Saving aliases for details).
- Save your changes.
- Refresh the cluster.
- Validate:

        $ curl -ku knoxui:knoxui https://johndoe-1.abc.cloudera.com:8443/gateway/admin/api/v1/providerconfig/kerberos-auth
        {
          "providers" : [ {
            "role" : "authentication",
            "name" : "HadoopAuth",
            "enabled" : true,
            "params" : {
              "config.prefix" : "hadoop.auth.config",
              "hadoop.auth.config.cookie.path" : "/",
              "hadoop.auth.config.hadoop.proxyuser.hive.groups" : "*",
              "hadoop.auth.config.hadoop.proxyuser.hive.hosts" : "*",
              "hadoop.auth.config.hadoop.proxyuser.httpfs.groups" : "*",
              "hadoop.auth.config.hadoop.proxyuser.httpfs.hosts" : "*",
              "hadoop.auth.config.hadoop.proxyuser.hue.groups" : "*",
              "hadoop.auth.config.hadoop.proxyuser.hue.hosts" : "*",
              "hadoop.auth.config.hadoop.proxyuser.impala.groups" : "*",
              "hadoop.auth.config.hadoop.proxyuser.impala.hosts" : "*",
              "hadoop.auth.config.hadoop.proxyuser.livy.groups" : "*",
              "hadoop.auth.config.hadoop.proxyuser.livy.hosts" : "*",
              "hadoop.auth.config.hadoop.proxyuser.oozie.groups" : "*",
              "hadoop.auth.config.hadoop.proxyuser.oozie.hosts" : "*",
              "hadoop.auth.config.kerberos.keytab" : "/var/run/cloudera-scm-agent/process/163-knox-IDBROKER/knox.keytab",
              "hadoop.auth.config.kerberos.name.rules" : "DEFAULT",
              "hadoop.auth.config.kerberos.principal" : "HTTP/sampleHost@ABC.CLOUDERA.COM",
              "hadoop.auth.config.signature.secret" : "${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}",
              "hadoop.auth.config.simple.anonymous.allowed" : "false",
              "hadoop.auth.config.token.validity" : "1800",
              "hadoop.auth.config.type" : "kerberos",
              "sessionTimeout" : "30"
            }
          } ],
          "readOnly" : true
        }
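A small checker for the procedure above, added here as an example and not part of the Cloudera or Knox code: it parses the '#'-separated Safety Valve value (or the params map returned by the admin API in the Validate step) and reports settings a reviewer would reject, such as an unreplaced AUTH_CONFIG_KERBEROS_* placeholder, a signature secret that is not a ${ALIAS=...} reference, or anonymous access left enabled. The sample value and the check names are constructed for this example.

```python
import json
import re

# Constructed sample: the Safety Valve value from this page, with the two Kerberos placeholders unreplaced.
SAFETY_VALVE_VALUE = (
    "role=authentication#authentication.name=HadoopAuth#"
    "authentication.param.sessionTimeout=30#"
    "authentication.param.config.prefix=hadoop.auth.config#"
    "authentication.param.hadoop.auth.config.type=kerberos#"
    "authentication.param.hadoop.auth.config.signature.secret=${ALIAS=AUTH_CONFIG_SIGNATURE_SECRET}#"
    "authentication.param.hadoop.auth.config.token.validity=1800#"
    "authentication.param.hadoop.auth.config.cookie.path=/#"
    "authentication.param.hadoop.auth.config.simple.anonymous.allowed=false#"
    "authentication.param.hadoop.auth.config.kerberos.principal=AUTH_CONFIG_KERBEROS_PRINCIPAL#"
    "authentication.param.hadoop.auth.config.kerberos.keytab=AUTH_CONFIG_KERBEROS_KEYTAB#"
    "authentication.param.hadoop.auth.config.kerberos.name.rules=DEFAULT"
)

PARAM_PREFIX = "authentication.param."
# Values that mean the principal/keytab was never filled in (placeholders from the page, or empty).
UNSET = {"AUTH_CONFIG_KERBEROS_PRINCIPAL", "AUTH_CONFIG_KERBEROS_KEYTAB", ""}
ALIAS_REF = re.compile(r"^\$\{ALIAS=[\w.-]+\}$")  # Knox alias-service reference, e.g. ${ALIAS=NAME}


def parse_safety_valve(value):
    """Split the '#'-separated Safety Valve string into the provider's param map (prefix stripped)."""
    params = {}
    for item in value.split("#"):
        key, sep, val = item.strip().partition("=")  # first '=' only: alias values contain '='
        if sep and key.startswith(PARAM_PREFIX):
            params[key[len(PARAM_PREFIX):].strip()] = val.strip()
    return params


def params_from_admin_api(api_json):
    """Extract the params map of the authentication provider from the admin API JSON."""
    providers = json.loads(api_json).get("providers", [])
    return next((p.get("params", {}) for p in providers if p.get("role") == "authentication"), {})


def check_kerberos_provider(params):
    """Return a list of findings for settings that would weaken or break Kerberos authentication."""
    findings = []
    if params.get("hadoop.auth.config.type") != "kerberos":
        findings.append("type is not kerberos")
    if params.get("hadoop.auth.config.simple.anonymous.allowed", "").lower() != "false":
        findings.append("simple.anonymous.allowed is not false")
    if not ALIAS_REF.match(params.get("hadoop.auth.config.signature.secret", "")):
        findings.append("signature.secret is not a ${ALIAS=...} reference")
    for key in ("hadoop.auth.config.kerberos.principal", "hadoop.auth.config.kerberos.keytab"):
        if params.get(key, "") in UNSET:
            findings.append(f"{key} placeholder not replaced")
    return findings
```

Run it against the pasted Safety Valve value before saving, and against the curl output from the Validate step afterwards to confirm the live provider matches what was intended.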