Cloudera Docs

Generate tokens

How to generate Knox gateway tokens from the Knox homepage.

  1. To access Knox generation management, go to https://KNOX_GATEWAY_HOST:PORT/GATEWAY_PATH/homepage/home, e.g. https://localhost:8443/gateway/homepage/home. Click on Token Generation.
  2. The following sections are displayed on the page:
    • Status bar: Message about the configured token state backend. There are 3 different statuses:
      • ERROR: Displayed in red. Indicates a problem with the service backend which makes the feature not work. Usually, this is visible when end-users configure JDBC token state service, but they make a mistake in their DB settings.
      • WARN: Displayed in yellow. Indicates that the feature is enabled and working, but there are some limitations.
      • INFO: Displayed in green. Indicates when the token management backend is properly configured for HA and production deployments.
    • Information label: Explains the purpose of the Token Generation page.
    • Comment: Optional input field that allows end-users to add meaningful comments (mnemonics) to their generated tokens. The maximum length is 255 characters.
    • Configured maximum lifetime: Informs the clients about the knox.token.ttl property set in the homepage topology (defaults to 1 day(s)). If that property is not set (e.g. someone removes it from he homepage topology), Knox uses a hard-coded value of 30 seconds (aka. default Knox token TTL).
    • Custom maximum (token) lifetime: Can be set by adjusting the days/hours/minutes fields. The default configuration will yield one hour.
  3. Click Generate Token.
  4. Use the token to authenticate your request. Click the icon beside your choice on the page to copy the value to the clipboard:
    • JWT token: serialized JWT, fully compatible with the old-style bearer authorization method. You can use it as the ‘Token’ user:
      $ curl -ku Token:eyJqa3U[...]uT5AxQGyMMP3VLGw https:/localhost:8443/gateway/cdp-proxy-token/webhdfs/v1?op=LISTSTATUS
 
{"FileStatuses":{"FileStatus":[{"accessTime":0,"blockSize":0,"childrenNum":1,"fileId":16386,"group":"supergroup",
"length":0,"modificationTime":1621238405734,"owner":"hdfs","pathSuffix":"tmp","permission":"1777","replication":0,
"storagePolicy":0,"type":"DIRECTORY"},{"accessTime":0,"blockSize":0,"childrenNum":1,"fileId":16387,"group":"supergroup",
"length":0,"modificationTime":1621238326078,"owner":"hdfs","pathSuffix":"user","permission":"755","replication":0,
"storagePolicy":0,"type":"DIRECTORY"}]}}
    • Passcode token: Serialized passcode token, which can be used as the ‘Passcode’ user:
      $ curl -ku Passcode:WkRFMk1XTmh[...]RVNFpXRTA= https://localhost:8443/gateway/cdp-proxy-token/webhdfs/v1?op=LISTSTATUS
 
{"FileStatuses":{"FileStatus":[{"accessTime":0,"blockSize":0,"childrenNum":1,"fileId":16386,"group":"supergroup",
"length":0,"modificationTime":1621238405734,"owner":"hdfs","pathSuffix":"tmp","permission":"1777","replication":0,
"storagePolicy":0,"type":"DIRECTORY"},{"accessTime":0,"blockSize":0,"childrenNum":1,"fileId":16387,"group":"supergroup",
"length":0,"modificationTime":1621238326078,"owner":"hdfs","pathSuffix":"user","permission":"755","replication":0,
"storagePolicy":0,"type":"DIRECTORY"}]}}