Knox Redirecting to Ambari UI issue
Question
I am using Ambari V 2.7.3, I have installed Knox. I have tried to implement SSO for Ambari.I have followed the Below Url to implement the same.
https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/setting_up_knox_sso_for_ambari.html
Below are the Knox configs:
Advanced admin-topology:
<topology>
<gateway>
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>30</value>
</param>
<param>
<name>main.ldapRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://DtIoTBDMaster01:33389</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
<value>simple</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
<provider>
<role>authorization</role>
<name>AclsAuthz</name>
<enabled>true</enabled>
<param>
<name>knox.acl.mode</name>
<value>OR</value>
</param>
<param>
<name>knox.acl</name>
<value>KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>HadoopGroupProvider</name>
<enabled>true</enabled>
<param>
<name>CENTRAL_GROUP_CONFIG_PREFIX</name>
<value>gateway.group.config.</value>
</param>
</provider>
</gateway>
<service>
<role>KNOX</role>
</service>
</topology>
gateway.dispatch.whitelist : https?:\/\/(HOSTNAME|0\.0\.0\.0|0:0:0:0:0:0:0:1|::1):[0-9].*$
Advanced knoxsso-topology:
<topology>
<gateway>
<provider>
<role>webappsec</role>
<name>WebAppSec</name>
<enabled>true</enabled>
<param><name>xframe.options.enabled</name><value>true</value></param>
</provider>
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>30</value>
</param>
<param>
<name>redirectToUrl</name>
<value>/gateway/knoxsso/knoxauth/login.html</value>
</param>
<param>
<name>restrictedCookies</name>
<value>rememberme,WWW-Authenticate</value>
</param>
<param>
<name>main.ldapRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
</param>
<param>
<name>main.ldapContextFactory</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
</param>
<param>
<name>main.ldapRealm.contextFactory</name>
<value>$ldapContextFactory</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://x.x.x.x:33389</value>
</param>
<param>
<name>main.ldapRealm.authenticationCachingEnabled</name>
<value>false</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
<value>simple</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
</gateway>
<application>
<name>knoxauth</name>
</application>
<service>
<role>KNOXSSO</role>
<param>
<name>knoxsso.cookie.secure.only</name>
<value>true</value>
</param>
<param>
<name>knoxsso.token.ttl</name>
<value>30000</value>
</param>
</service>
<service>
<role>AMBARI</role>
<url>http://x.x.x.x:8080</url>
</service>
<service>
<role>AMBARIUI</role>
<url>http://x.x.x.x:8080</url>
</service>
</topology>
Advanced topology:
<topology>
<gateway>
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>30</value>
</param>
<param>
<name>main.ldapRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://{{knox_host_name}}:33389</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
<value>simple</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
<provider>
<role>authorization</role>
<name>AclsAuthz</name>
<enabled>true</enabled>
</provider>
</gateway>
<service>
<role>NAMENODE</role>
<url>{{namenode_address}}</url>
</service>
<service>
<role>JOBTRACKER</role>
<url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
</service>
<service>
<role>WEBHDFS</role>
{{webhdfs_service_urls}}
</service>
<service>
<role>WEBHCAT</role>
<url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
</service>
<service>
<role>OOZIE</role>
<url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
</service>
<service>
<role>OOZIEUI</role>
<url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie/</url>
</service>
<service>
<role>WEBHBASE</role>
<url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
</service>
<service>
<role>HIVE</role>
<url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
</service>
<service>
<role>RESOURCEMANAGER</role>
<url>http://{{rm_host}}:{{rm_port}}/ws</url>
</service>
<service>
<role>DRUID-COORDINATOR-UI</role>
{{druid_coordinator_urls}}
</service>
<service>
<role>DRUID-COORDINATOR</role>
{{druid_coordinator_urls}}
</service>
<service>
<role>DRUID-OVERLORD-UI</role>
{{druid_overlord_urls}}
</service>
<service>
<role>DRUID-OVERLORD</role>
{{druid_overlord_urls}}
</service>
<service>
<role>DRUID-ROUTER</role>
{{druid_router_urls}}
</service>
<service>
<role>DRUID-BROKER</role>
{{druid_broker_urls}}
</service>
<service>
<role>ZEPPELINUI</role>
{{zeppelin_ui_urls}}
</service>
<service>
<role>ZEPPELINWS</role>
{{zeppelin_ws_urls}}
</service>
</topology>
The moment While login into AMBARI UI, it's redirecting into Knox UI, the moment I entered the default creds of Knox Then it's redirecting to AMBARI UI, and again it's opening Knox UI Below ie the error i got from Knox gateway
2021-01-11 10:43:17,080 INFO knox.gateway (KnoxLdapRealm.java:getUserDn(692)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for pr
incipal: admin
2021-01-11 10:43:17,090 INFO service.knoxsso (WebSSOResource.java:getCookieValue(365)) - Unable to find cookie with name: original-url
2021-01-11 10:43:17,092 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(339)) - JWT cookie successfully added.
2021-01-11 10:43:17,093 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(240)) - About to redirect to original URL: http://dtiotbdmaster01:8080/
2 answers
solution1
1 2021-01-12 19:00:14
You have few issues with knosso topology, Knoxsso should be used for authentication you do need to mention following config in it:-
<service>
<role>AMBARI</role>
<url>http://x.x.x.x:8080</url>
</service>
<service>
<role>AMBARIUI</role>
<url>http://x.x.x.x:8080</url>
</service>
</topology>
Try adding whitelist regex in knoxsso and no it admin topology.
<param>
<name>knoxsso.redirect.whitelist.regex</name>
<value>^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|
127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
</param>
Remove gateway.dispatch.whitelist from admin topology.
Note:- You need to make regex value, * would not work.
solution2
0 2021-01-22 22:10:53
I suspect that the issue you are encountering here is just a typical cookie related issue. It seems that the cookie is likely being set - since it is attempting to redirect to the originalUrl post authentication.
Noting the originalUrl and related redirect is going to http://dtiotbdmaster01:8080/ this looks like something that may present a domain issue for a cookie. Since this is a hostname and not a domain, it may not set properly on your browser and may not be presented to the originalUrl.
In addition, I notice that the http://dtiotbdmaster01:8080/ does not have ssl/https. Since you have the following configuration for the KnoxSSO service, the secure flag will be set on the cookie if it is indeed successfully set on the browser. This means that the browser will not present the cookie to the target url when not over tls/https.
<service>
<role>KNOXSSO</role>
<param>
<name>knoxsso.cookie.secure.only</name>
<value>true</value>
</param>
<param>
<name>knoxsso.token.ttl</name>
<value>30000</value>
</param>
</service>
Like I said, these are generic cookie type issues and likely the root cause of your issue here.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.