Declaring Knox topologies

Learn how to create the Knox topologies that define how Knox proxies requests from external users.

Ensure that you have the following information before performing the steps:

  • HMS Host and Ranger Host: To get the HMS Host and Ranger Admin Host, go to Data Lake > Nodes, and copy the FQDN of the Master node.
  • Username of the user who will run the script to generate the CLIENT_ID and CLIENT_SECRET.
  1. Go to Cloudera Manager > Knox > Configuration.
  2. Select the Knox Gateway scope.
  3. Search for and edit the Knox Gateway Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml property, and add the following:
    NAME:
    providerConfigs:cdp-share-access-providers
    VALUE:
    role=federation#federation.name=JWTProvider#federation.enabled=true#federation.param.knox.token.exp.server-managed=true#role=identity-assertion#identity-assertion.name=Default#identity-assertion.enabled=true#identity-assertion.param.group.mapping.$PRIMARY_GROUP=(not (member username))
    
    NAME:
    cdp-share-access
    VALUE:
    providerConfigRef=cdp-share-access-providers#KNOXTOKEN:knox.token.ttl=36000000#KNOXTOKEN:knox.token.exp.server-managed=true#KNOXTOKEN:gateway.knox.token.limit.per.user=-1#HMS-API:url=http://[***HMS-HOST***]:8090
    
    NAME: 
    providerConfigs:cdp-share-management-providers
    VALUE:
    role=authentication#authentication.name=ShiroProvider#authentication.param.main.invalidRequest=org.apache.shiro.web.filter.InvalidRequestFilter#authentication.param.main.invalidRequest.blockBackslash=false#authentication.param.main.invalidRequest.blockNonAscii=false#authentication.param.main.invalidRequest.blockSemicolon=false#authentication.param.main.pamRealm=org.apache.knox.gateway.shirorealm.KnoxPamRealm#authentication.param.main.knoxAnonFilter=org.apache.knox.gateway.filter.AnonymousAuthFilter#authentication.param.urls./knoxtoken/api/v1/jwks.json=knoxAnonFilter#authentication.param.main.pamRealm.service=login#authentication.param.sessionTimeout=30#authentication.param.urls./**=authcBasic#role=identity-assertion#identity-assertion.name=HadoopGroupProvider#identity-assertion.param.hadoop.proxyuser.impersonation.enabled=true#identity-assertion.param.hadoop.proxyuser.[***USER-WHO-RUNS-THE-SCRIPT***].users=*#identity-assertion.param.hadoop.proxyuser.[***USER-WHO-RUNS-THE-SCRIPT***].groups=*#identity-assertion.param.hadoop.proxyuser.[***USER-WHO-RUNS-THE-SCRIPT***].hosts=*#identity-assertion.param.CENTRAL_GROUP_CONFIG_PREFIX=gateway.group.config.#role=authorization#authorization.name=XASecurePDPKnox#authorization.enabled=false#role=ha#ha.name=HaProvider#ha.enabled=true#ha.param.RANGER=enableStickySession=false;noFallback=false;enableLoadBalancing=true
    NAME:
    cdp-share-management
    VALUE:
    providerConfigRef=cdp-share-management-providers#RANGER:url=https://[***RANGER-HOST***]:6182#KNOXTOKEN:knox.token.ttl=-1#KNOXTOKEN:knox.token.type=JWT#KNOXTOKEN:knox.token.target.url=cdp-proxy-token#KNOXTOKEN:knox.token.audiences=cdp-proxy-token#KNOXTOKEN:knox.token.client.data=homepage_url=homepage/home?profile=token&topologies=cdp-proxy-token#KNOXTOKEN:knox.token.exp.tokengen.allowed.tss.backends=JDBCTokenStateService,AliasBasedTokenStateService#KNOXTOKEN:knox.token.lifespan.input.enabled=true#KNOXTOKEN:knox.token.user.limit.exceeded.action=RETURN_ERROR#KNOXTOKEN:knox.token.exp.server-managed=true

    The relevant Knox topologies are created. See the Appendix for more details.

  4. Click Save Changes.
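As an added example that is not part of the Cloudera documentation, the following Python checker parses the `#`-separated provider-config and topology-descriptor values entered above into roles and service parameters, then reports what a reviewer would want to see before clicking Save Changes: placeholders left unreplaced, a proxy user allowed to impersonate from any host, a disabled authorization provider, and a token TTL of -1. The proxy user placeholder and the Ranger host in the samples are constructed.

```python
import re

# Constructed samples in the '#'-separated syntax shown above: a provider config with the
# proxy user placeholder deliberately left unreplaced, and a descriptor with a made-up host.
PROVIDERS = ("role=identity-assertion#identity-assertion.name=HadoopGroupProvider"
             "#identity-assertion.param.hadoop.proxyuser.impersonation.enabled=true"
             "#identity-assertion.param.hadoop.proxyuser.[***USER***].users=*"
             "#identity-assertion.param.hadoop.proxyuser.[***USER***].hosts=*"
             "#role=authorization#authorization.name=XASecurePDPKnox#authorization.enabled=false"
             "#role=ha#ha.name=HaProvider#ha.enabled=true"
             "#ha.param.RANGER=enableStickySession=false;noFallback=false;enableLoadBalancing=true")
DESCRIPTOR = ("providerConfigRef=cdp-share-management-providers#RANGER:url=https://ranger.example:6182"
              "#KNOXTOKEN:knox.token.ttl=-1#KNOXTOKEN:gateway.knox.token.limit.per.user=-1")

def parse_providers(text):
    """Return {role: {'name', 'enabled', 'params'}}; each 'role=' entry starts a new provider."""
    providers, current = {}, None
    for entry in text.split("#"):
        key, _, value = entry.partition("=")       # first '=' only: values may contain '='
        if key == "role":
            current = providers.setdefault(value, {"name": None, "enabled": "true", "params": {}})
        elif (rest := key.partition(".")[2]) in ("name", "enabled"):   # strip '<role>.' prefix
            current[rest] = value
        elif rest.startswith("param."):
            current["params"][rest[6:]] = value
    return providers

def parse_descriptor(text):
    """Return {SERVICE: {param: value}}; entries without 'SERVICE:' (providerConfigRef) go under '_'."""
    services = {}
    for entry in text.split("#"):
        key, _, value = entry.partition("=")
        service, sep, param = key.partition(":")
        services.setdefault(service if sep else "_", {})[param if sep else key] = value
    return services

def lint(provider_text, descriptor_text):
    """Flag unreplaced placeholders and settings that widen impersonation or token lifetime."""
    findings = ["unreplaced [***...***] placeholder"] if "***" in provider_text + descriptor_text else []
    providers = parse_providers(provider_text)
    for key, val in providers.get("identity-assertion", {"params": {}})["params"].items():
        m = re.fullmatch(r"hadoop\.proxyuser\.(.+)\.hosts", key)
        if m and val == "*":
            findings.append(f"proxy user {m.group(1)} may impersonate from any host")
    if providers.get("authorization", {}).get("enabled") == "false":
        findings.append("authorization provider (Ranger) is disabled")
    token = parse_descriptor(descriptor_text).get("KNOXTOKEN", {})
    if token.get("knox.token.ttl") == "-1":
        findings.append("KNOXTOKEN ttl=-1: tokens have no default expiry")
    return findings
```

Run `lint(PROVIDERS, DESCRIPTOR)` against the real values once the placeholders are filled in; an empty placeholder finding confirms nothing was left unreplaced.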