Configuring Apache Knox Gateway UI

Knox Proxy can be configured using the Knox Gateway UI. To set up proxy, you will first define the provider configurations and descriptors, and the topologies will be automatically generated based on those settings.

When logging into the Gateway UI, Knox is expecting a user that can log into the operating system.

Cloudera Manager creates the majority of the topologies you need. You can use the Knox Gateway UI to create additional topologies or modify existing ones.

The following steps show the basic workflow for how to set up Knox Proxy. It involves defining provider configurations and descriptors, which are used to generate your topologies, which can define proxy (among other things). You can also manually set up Knox Proxy by manually configuring individual topology files.

  • Cloudera Manager must be installed.
  1. Navigate from Cloudera Manager to the Knox Gateway UI: Cloudera Manager > Clusters > Knox > Knox Gateway Home > General Proxy Information > Admin UI URL.
    The Knox Gateway UI opens, e.g.
  2. Login to the Gateway UI.
  3. Create a Provider Configuration:
    1. From the Gateway UI homepage, click Provider Configurations > +.
      The Create a New Provider Configuration wizard opens.
    2. Name the provider configuration: for example, CDP_ui_provider.
    3. Add an Authentication provider:
      1. Click Add Provider.
      2. Select Authentication and click Next.
      3. Choose your Authentication Provider Type: LDAP, PAM, Kerberos, SSO (HeaderPreAuth), SSO Cookie (SSOCookieProvider), JSON Web Tokens (JWT), CAS, OAuth, SAML, OpenID Connect, Anonymous.

        Note: OAuth and CAS are community supported, they are not officially supported by Cloudera.

      4. Complete the required fields and click OK.
    4. Add an Authorization provider:
      1. Click Add Provider.
      2. Select Authorization and click Next.
      3. Click Access Control Lists.
      4. Fill out the required fields and click OK.
    5. Add an Identity Assertion provider:
      1. Click Add Provider.
      2. Select Identity Assertion and click Next.
      3. Choose a Identity Assertion Provider Type: Default, Concatenation, SwitchCase, Regular Expression, Hadoop Group Lookup (LDAP).

        Recommended: Default.

      4. Fill out the required fields and click OK.
    6. Add an HA provider:
      1. Click Add Provider.
      2. Select HA and click Next.
      3. Select Add Service and click Next.
      4. Fill out the required fields and click OK.
  4. Define Descriptors for the topology to auto-discover services.
    1. Create a new descriptor. From the Gateway UI homepage, click Descriptors > +.
    2. Name the descriptor.
    3. Beside the Provider Configuration field, click the edit button and select the Provider Configuration you created before.
    4. Add Services (e.g., JOBTRACKER, HIVE, HDFSUI, STORM) by clicking the checkbox beside the service.
      If the service you are looking for is not listed, you can add it later by editing the configuration (the plus icon next to services will present a text box.)
    5. Add Discovery details:
      Field Example value
      Cluster dwweekly
      Username admin
      Password alias discovery-password
    6. Click OK.
Verify the topology was generated correctly. You can review the XML topology file for accuracy from Gateway UI homepage > Topologies > <topology name, e.g. devcluster>.