Proxy Cloudera Manager through Apache Knox

In order to have Cloudera Manager proxied through Knox, there are some steps you must complete.

  1. Set the value for frontend_url: Cloudera Manager > Administration > Settings > Cloudera Manager Frontend URL:
    • Non-HA value: https://$Knox_host:$knox_port
    • HA value: https://$Knox_loadbalancer_host:$Knox_loadbalancer_port
  2. Set allowed groups, hosts, and users for Knox Proxy: Cloudera Manager > Administration > Settings > External Authentication:
    • Allowed Groups for Knox Proxy: *
    • Allowed Hosts for Knox Proxy: *
    • Allowed Users for Knox Proxy: *
  3. Enable Kerberos/SPNEGO authentication for the Admin Console and API: Cloudera Manager > Administration > Settings > External Authentication > Enable SPNEGO/Kerberos Authentication for the Admin Console and API:: true
  4. From Cloudera Manager > Administration > Settings > External Authentication, set Knox Proxy Principal: knox.
External authentication must be set up correctly. Cloudera Manager must be configured to use LDAP, following the standard procedure for setting up LDAP. This LDAP server should be the same LDAP that populates local users on Knox hosts (if using PAM authentication with Knox), or the same LDAP that Knox is configured to use (if using LDAP authentication with Knox).

However in cases where no LDAP server is available ,corresponding Cloudera Manager local users can be created and assigned roles manually in Cloudera Manager > Administrator > Users & Roles > Add Local User.