Manage Knox Gateway tokens

You can enable, disable, or revoke tokens via the Knox homepage.

  1. To access Knox token management, go to https://KNOX_GATEWAY_HOST:PORT/GATEWAY_PATH/homepage/home, e.g. https://localhost:8443/gateway/homepage/home. Click on Token Management.
    A compact view of all tokens generated within the system is shown in a single table with the following information.
    1. Each row starts with a selection checkbox for batch operations (except for disabled KnoxSSO cookies, as there is no point in doing anything with them).
    2. A unique token identifier. The Token ID of a disabled token is shown in orange.
    3. Information on when the token was created and when it will expire.
      1. If the token is already expired, the expiration time is shown in red.
      2. If the token is still valid, the expiration time is shown in green.
    4. Username indicates the user for whom the token was created.
    5. Impersonated is a boolean flag indicating if this is an impersonated token:
      • Green check: Yes, this is impersonated. You’ll see the user who created the token under the icon.
      • Red cross: No, this is not an impersonated token.
    6. KnoxSSO is another boolean flag that indicates whether this token was created by the KNOXSSO service (if the feature is enabled). The row is shown in bold if its token represents the SSO cookie currently used as the authentication token to log in to the Token Management page.
      • Green check: Yes, this is a KnoxSSO cookie (token).
      • Red cross: No, this is not a KnoxSSO cookie (it was created by a regular token API call or on the Token Generation page, or the feature is disabled).
    7. Comment: Users may add a short comment to the tokens they create to make it easier to distinguish certain tokens later (e.g. "1-hour token for user XY").
    8. Additional Metadata: In some cases, it is beneficial to add metadata to the generated token as key-value pairs (e.g. shouldBeRemovedBy=09_Nov_2023). One token can have more than one associated metadata entry. This column displays that information.
    9. The Actions column shows the actions available for the token:
      • The enable/disable/revoke actions are visible for impersonated tokens too.
      • KnoxSSO cookies can be neither revoked nor re-enabled.
    To refresh the table (for instance, if you generated tokens on another tab), use the Refresh icon above the table.
  2. You can perform batch operations on the tokens. When at least one token is selected, the following buttons are shown under the table:
    • Disable - when executed, all the selected tokens become disabled (tokens that were already disabled remain disabled). This option is shown only if no expired token is selected (i.e. batch disablement only works with live tokens).
    • Enable - when executed, all the selected tokens become enabled (tokens that were already enabled remain enabled). This option is shown only if no expired token is selected (i.e. batch enablement only works with live tokens).
    • Revoke - when executed, all the selected tokens are revoked. This option is shown only if no KnoxSSO cookie (token) is selected (i.e. batch revocation only works with regular tokens).
  3. You can use the Search by field to narrow down tokens by:
    • Token ID
    • User Name (either own user name or impersonated)
    • Comment
    • Additional Metadata
  4. You can show disabled KnoxSSO cookies, or show only your own tokens, by using the following toggle buttons.
    • Show Disabled KnoxSSO Cookies - This is true by default. Since disabled KnoxSSO cookies remain in the underlying token state service until they expire, it may bother users to see them in the tokens table. Turning this toggle off hides them.
    • Show My Tokens Only - This toggle button is only visible to users who can see all tokens. By default, this is false. Enabling it filters the tokens table so that it contains only tokens that were generated for the logged-in user (impersonated or not).
  5. Click the Refresh icon above the table.