Knox Redirecting to Ambari UI issue

I am using Ambari V 2.7.3, and I have installed Knox. I have tried to implement SSO for Ambari. I have followed the URL below to implement the same.

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/setting_up_knox_sso_for_ambari.html

Below are the Knox configs:

Advanced admin-topology:

<topology>
    <gateway>
         <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://DtIoTBDMaster01:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>authorization</role>
            <name>AclsAuthz</name>
            <enabled>true</enabled>
            <param>
                <name>knox.acl.mode</name>
                <value>OR</value>
            </param>
            <param>
                <name>knox.acl</name>
                <value>KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>HadoopGroupProvider</name>
            <enabled>true</enabled>
            <param>
                <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
                <value>gateway.group.config.</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>KNOX</role>
    </service>
</topology>

gateway.dispatch.whitelist : https?:\/\/(HOSTNAME|0\.0\.0\.0|0:0:0:0:0:0:0:1|::1):[0-9].*$

Advanced knoxsso-topology:

<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param>
                <name>xframe.options.enabled</name>
                <value>true</value>
            </param>
        </provider>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>redirectToUrl</name>
                <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
                <name>restrictedCookies</name>
                <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapContextFactory</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://x.x.x.x:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.authenticationCachingEnabled</name>
                <value>false</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <application>
        <name>knoxauth</name>
    </application>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>30000</value>
        </param>
    </service>
    <service>
        <role>AMBARI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
</topology>

Advanced topology:

<topology>
        <gateway>
            <provider>
                <role>authentication</role>
                <name>ShiroProvider</name>
                <enabled>true</enabled>
                <param>
                    <name>sessionTimeout</name>
                    <value>30</value>
                </param>
                <param>
                    <name>main.ldapRealm</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                </param>
                <param>
                    <name>main.ldapRealm.userDnTemplate</name>
                    <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.url</name>
                    <value>ldap://{{knox_host_name}}:33389</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                    <value>simple</value>
                </param>
                <param>
                    <name>urls./**</name>
                    <value>authcBasic</value>
                </param>
            </provider>
            <provider>
                <role>identity-assertion</role>
                <name>Default</name>
                <enabled>true</enabled>
            </provider>
            <provider>
                <role>authorization</role>
                <name>AclsAuthz</name>
                <enabled>true</enabled>
            </provider>
        </gateway>
        <service>
            <role>NAMENODE</role>
            <url>{{namenode_address}}</url>
        </service>
        <service>
            <role>JOBTRACKER</role>
            <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
        </service>
        <service>
            <role>WEBHDFS</role>
            {{webhdfs_service_urls}}
        </service>
        <service>
            <role>WEBHCAT</role>
            <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
        </service>
        <service>
            <role>OOZIE</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
        </service>

        <service>
            <role>OOZIEUI</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie/</url>
        </service>
        <service>
            <role>WEBHBASE</role>
            <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
        </service>
        <service>
            <role>HIVE</role>
            <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
        </service>
        <service>
            <role>RESOURCEMANAGER</role>
            <url>http://{{rm_host}}:{{rm_port}}/ws</url>
        </service>
        <service>
            <role>DRUID-COORDINATOR-UI</role>
            {{druid_coordinator_urls}}
        </service>
        <service>
            <role>DRUID-COORDINATOR</role>
            {{druid_coordinator_urls}}
        </service>

        <service>
            <role>DRUID-OVERLORD-UI</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-OVERLORD</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-ROUTER</role>
            {{druid_router_urls}}
        </service>
        <service>
            <role>DRUID-BROKER</role>
            {{druid_broker_urls}}
        </service>
        <service>
            <role>ZEPPELINUI</role>
            {{zeppelin_ui_urls}}
        </service>
        <service>
            <role>ZEPPELINWS</role>
            {{zeppelin_ws_urls}}
        </service>
</topology>

The moment I log in to the AMBARI UI, it redirects to the Knox UI; the moment I enter the default Knox credentials it redirects to the AMBARI UI, and then it opens the Knox UI again. Below is the error I got from the Knox gateway:

2021-01-11 10:43:17,080 INFO  knox.gateway (KnoxLdapRealm.java:getUserDn(692)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
2021-01-11 10:43:17,090 INFO  service.knoxsso (WebSSOResource.java:getCookieValue(365)) - Unable to find cookie with name: original-url
2021-01-11 10:43:17,092 INFO  service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(339)) - JWT cookie successfully added.
2021-01-11 10:43:17,093 INFO  service.knoxsso (WebSSOResource.java:getAuthenticationToken(240)) - About to redirect to original URL: http://dtiotbdmaster01:8080/

You have a few issues with the knoxsso topology. KnoxSSO should be used for authentication; you do need to mention the following config in it:

<service>
    <role>AMBARI</role>
    <url>http://x.x.x.x:8080</url>
</service>
<service>
    <role>AMBARIUI</role>
    <url>http://x.x.x.x:8080</url>
</service>

Try adding the whitelist regex in the knoxsso topology, and not in the admin topology.

<param>
    <name>knoxsso.redirect.whitelist.regex</name>
    <value>^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
</param>

Remove gateway.dispatch.whitelist from the admin topology.

Note: you need to make the value a regex; * would not work.

I suspect that the issue you are encountering here is just a typical cookie-related issue. It seems that the cookie is likely being set, since it is attempting to redirect to the originalUrl post-authentication.

Noting that the originalUrl and the related redirect are going to http://dtiotbdmaster01:8080/, this looks like something that may present a domain issue for a cookie. Since this is a hostname and not a domain, it may not be set properly in your browser and may not be presented to the originalUrl.

In addition, I notice that http://dtiotbdmaster01:8080/ does not have SSL/HTTPS. Since you have the following configuration for the KnoxSSO service, the secure flag will be set on the cookie if it is indeed successfully set in the browser. This means that the browser will not present the cookie to the target URL when not over TLS/HTTPS.

<service>
    <role>KNOXSSO</role>
    <param>
        <name>knoxsso.cookie.secure.only</name>
        <value>true</value>
    </param>
    <param>
        <name>knoxsso.token.ttl</name>
        <value>30000</value>
    </param>
</service>

Like I said, these are generic cookie-type issues and likely the root cause of your issue here.
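The two answers above point at two separate decisions that can each turn a successful KnoxSSO login into the redirect loop in the question: Knox refuses to follow the original URL unless knoxsso.redirect.whitelist.regex matches it, and the browser refuses to return a Secure cookie to a plain http:// Ambari URL. The script below is an added example, not code from the question or from either answer; it models both decisions offline so the loop can be reproduced without a cluster. The cookie name `hadoop-jwt` and the `knox_cookie_domain` rule are a simplified rendering of Knox behaviour and should be treated as assumptions; the `CLUSTER_WHITELIST` regex, the `.bd.example.com` hosts and the https://dtiotbdmaster01:8443/ Ambari URL are constructed for illustration.

```python
"""Why KnoxSSO can bounce a browser between Knox and Ambari forever.

Added example, not code from the question or from either answer. It models
the two decisions the answers point at:

  1. Knox only follows original-url if knoxsso.redirect.whitelist.regex
     fully matches it (Java Pattern.matches semantics); a bare "*" is not a
     valid regex, so nothing is ever allowed through.
  2. The browser only returns the SSO cookie to Ambari if the cookie's
     Secure flag (knoxsso.cookie.secure.only=true) and Domain attribute
     permit it.  A Secure cookie is never sent to http://dtiotbdmaster01:8080/.

Assumptions, not taken from the page: the cookie name `hadoop-jwt`, and
`knox_cookie_domain` as a simplified rendering of how Knox derives the cookie
Domain.  Hosts other than dtiotbdmaster01 are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Whitelist as given in the Cloudera docs and quoted in the first answer.
DOCS_WHITELIST = (
    r"^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|"
    r"127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"
)
# Same shape adapted to the cluster in the question (constructed here).
CLUSTER_WHITELIST = (
    r"^https?:\/\/(dtiotbdmaster01|localhost|"
    r"127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"
)


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]  # None means host-only (no Domain attribute)
    secure: bool


def redirect_allowed(original_url: str, whitelist_regex: str) -> bool:
    """True if Knox would redirect to original_url under this whitelist."""
    try:
        pattern = re.compile(whitelist_regex)
    except re.error:
        # "*" and other non-regex values do not compile: redirect refused.
        return False
    return pattern.fullmatch(original_url) is not None


def knox_cookie_domain(original_url: str) -> Optional[str]:
    """Domain attribute Knox puts on the SSO cookie (simplified, assumption).

    IP literals and hosts with fewer than three labels (dtiotbdmaster01,
    localhost, example.com) get no Domain attribute, i.e. a host-only cookie
    scoped to the Knox gateway host; knox.bd.example.com -> .bd.example.com.
    """
    host = (urlsplit(original_url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 3:
        return None
    return "." + ".".join(labels[1:])


def browser_sends_cookie(cookie: Cookie, setting_host: str, target_url: str) -> bool:
    """RFC 6265 decision: does the browser attach `cookie` to target_url?

    setting_host is the host whose response set the cookie (the Knox
    gateway).  Ports play no part; the scheme matters only through Secure.
    """
    target = urlsplit(target_url)
    host = (target.hostname or "").lower()
    if cookie.secure and target.scheme != "https":
        return False
    if cookie.domain is None:
        return host == setting_host.lower()
    suffix = cookie.domain.lstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def sso_roundtrip(original_url: str, gateway_host: str,
                  whitelist_regex: str, secure_only: bool) -> str:
    """Simulate KnoxSSO sending the authenticated browser back to Ambari.

    Returns "redirect-refused", "cookie-dropped" (Ambari sees no JWT and
    bounces the user back to Knox: the loop in the question) or "ok".
    """
    if not redirect_allowed(original_url, whitelist_regex):
        return "redirect-refused"
    jwt = Cookie("hadoop-jwt", "<jwt>", knox_cookie_domain(original_url), secure_only)
    if not browser_sends_cookie(jwt, gateway_host, original_url):
        return "cookie-dropped"
    return "ok"


if __name__ == "__main__":
    ambari = "http://dtiotbdmaster01:8080/"  # originalUrl from the Knox log
    for label, wl, secure in [("docs regex, secure", DOCS_WHITELIST, True),
                              ("cluster regex, secure", CLUSTER_WHITELIST, True),
                              ("cluster regex, plain", CLUSTER_WHITELIST, False),
                              ("'*' as regex", "*", True)]:
        print(f"{label:24s} -> {sso_roundtrip(ambari, 'dtiotbdmaster01', wl, secure)}")
```

Run as-is and the docs regex is refused for dtiotbdmaster01 (it only names c64xx.ambari.apache.org and loopback), the adapted regex gets the redirect through but the Secure cookie is dropped on the http:// Ambari URL, and the loop only clears once either knoxsso.cookie.secure.only is false or Ambari is reached over https.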
