@seanorama
Last active October 2, 2019 05:21
Knox with PAM

  1. Create the PAM service file for Knox (named cloudera here; this name is what main.pamRealm.service in the topologies refers to):

sudo tee /etc/pam.d/cloudera > /dev/null <<-'EOF'
#%PAM-1.0
auth    sufficient        pam_unix.so
auth    sufficient        pam_sss.so
account sufficient        pam_unix.so
account sufficient        pam_sss.so
EOF

sudo chmod a+r /etc/pam.d/cloudera

  2. Update advanced-topology:
  • replace the LDAP configs with the PAM config (use the same as in knoxsso-topology)
  • replace the identity assertion (see knoxsso-topology)

  3. Add the additional UIs to advanced-topology (see document here)

  4. Update knoxsso-topology (see document here)

Knox Proxying of Additional UIs (Ambari, Ranger)

Ambari -> Advanced Topology:

  • Add the following <service> entries after the other items
  • If necessary, adjust the Ambari protocol, host and port (HOSTNAME is a placeholder)
<service>
    <role>AMBARI</role>
    <url>https://HOSTNAME:8443</url>
</service>

<service>
    <role>AMBARIUI</role>
    <url>https://HOSTNAME:8443</url>
</service>

<service>
    <role>ATLAS-API</role>
    <url>https://HOSTNAME:21443</url>
</service>

<service>
    <role>ATLAS</role>
    <url>https://HOSTNAME:21443</url>
</service>

<service>
    <role>RANGER</role>
    <url>{{policymgr_mgr_url}}</url>
</service>

<service>
    <role>RANGERUI</role>
    <url>{{policymgr_mgr_url}}</url>
</service>
<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.pamRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
            </param>
            <param>
                <name>main.pamRealm.service</name>
                <value>cloudera</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>SwitchCase</name>
            <enabled>true</enabled>
            <param>
                <name>principal.case</name>
                <value>lower</value>
            </param>
            <param>
                <name>group.principal.case</name>
                <value>lower</value>
            </param>
        </provider>
        <provider>
            <role>authorization</role>
            <name>XASecurePDPKnox</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <service>
        <role>KNOX</role>
    </service>
</topology>
<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param>
                <name>xframe.options.enabled</name>
                <value>true</value>
            </param>
        </provider>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>redirectToUrl</name>
                <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
                <name>restrictedCookies</name>
                <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
                <name>main.pamRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
            </param>
            <param>
                <name>main.pamRealm.service</name>
                <value>cloudera</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>SwitchCase</name>
            <enabled>true</enabled>
            <param>
                <name>principal.case</name>
                <value>lower</value>
            </param>
            <param>
                <name>group.principal.case</name>
                <value>lower</value>
            </param>
        </provider>
    </gateway>
    <application>
        <name>knoxauth</name>
    </application>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>36000000</value>
        </param>
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>^https?:\/\/(([a-z0-9_\-\.])+(\.hwp\.int\.videotron\.com|\.hwxopsrv\.com)|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1)(:[0-9]+)?(\/|\/.*)?$</value>
        </param>
    </service>
</topology>
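The PAM file from step 1 and the topologies above have to agree with each other: the value of main.pamRealm.service must match an existing /etc/pam.d file that supplies both an auth and an account stack, and the KNOXSSO service should keep the secure-only cookie and an anchored redirect whitelist. The following checker is an added example, not code from the gist or from Apache Knox; it parses a topology with the standard library, looks up the named PAM service in a dict standing in for /etc/pam.d, and returns a list of findings. The sample PAM file and trimmed topology are constructed inline (the whitelist hostname example.internal is a placeholder), so it runs offline.

```python
"""Added check (not from the gist): validate a Knox topology that authenticates
via the PAM realm, together with the /etc/pam.d service file it names."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the contents of /etc/pam.d/cloudera from step 1.
PAM_CLOUDERA = """#%PAM-1.0
auth    sufficient        pam_unix.so
auth    sufficient        pam_sss.so
account sufficient        pam_unix.so
account sufficient        pam_sss.so
"""

# Constructed sample: a trimmed knoxsso topology using the same parameter
# names as the gist; the whitelist domain is a placeholder.
KNOXSSO_TOPOLOGY = r"""<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>main.pamRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value></param>
      <param><name>main.pamRealm.service</name><value>cloudera</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>true</value></param>
    <param><name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(([a-z0-9_\-\.])+\.example\.internal|localhost)(:[0-9]+)?(\/|\/.*)?$</value></param>
  </service>
</topology>
"""


def parse_pam_service(text):
    """Return the set of PAM management groups (auth, account, ...) a pam.d file configures."""
    groups = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3:
            groups.add(fields[0].lstrip("-"))  # a leading '-' marks an optional module
    return groups


def params(element):
    """Map the <param><name>..</name><value>..</value></param> children of an element to a dict."""
    out = {}
    for p in element.findall("param"):
        name = p.findtext("name")
        if name is not None:
            out[name.strip()] = (p.findtext("value") or "").strip()
    return out


def check_topology(xml_text, pam_files):
    """Return a list of findings (an empty list means every check passed).

    pam_files maps a PAM service name to the text of its /etc/pam.d file,
    standing in for a directory listing so the check runs offline."""
    findings = []
    root = ET.fromstring(xml_text)
    providers = list(root.iter("provider"))

    auth = [p for p in providers
            if p.findtext("role", "").strip() == "authentication"
            and p.findtext("enabled", "").strip() == "true"]
    if not auth:
        return ["no enabled authentication provider"]
    ap = params(auth[-1])

    realm = ap.get("main.pamRealm", "")
    if not realm.endswith("KnoxPamRealm"):
        findings.append("authentication provider does not use KnoxPamRealm")
    service = ap.get("main.pamRealm.service")
    if service is None:
        findings.append("main.pamRealm.service is not set")
    elif service not in pam_files:
        findings.append(f"PAM service '{service}' has no /etc/pam.d file")
    else:
        groups = parse_pam_service(pam_files[service])
        for needed in ("auth", "account"):  # the realm runs both stacks
            if needed not in groups:
                findings.append(f"/etc/pam.d/{service} lacks an '{needed}' line")

    if not any(p.findtext("role", "").strip() == "identity-assertion" for p in providers):
        findings.append("no identity-assertion provider")

    for svc in root.iter("service"):
        if svc.findtext("role", "").strip() != "KNOXSSO":
            continue
        sp = params(svc)
        if sp.get("knoxsso.cookie.secure.only") != "true":
            findings.append("knoxsso.cookie.secure.only is not true")
        regex = sp.get("knoxsso.redirect.whitelist.regex", "")
        if not (regex.startswith("^") and regex.endswith("$")):
            findings.append("redirect whitelist regex is not anchored with ^ and $")
        else:
            try:
                re.compile(regex)
            except re.error as exc:
                findings.append(f"redirect whitelist regex does not compile: {exc}")
    return findings


if __name__ == "__main__":
    for finding in check_topology(KNOXSSO_TOPOLOGY, {"cloudera": PAM_CLOUDERA}):
        print("FINDING:", finding)
```

To run it against a real gateway, read each file under /etc/pam.d into the pam_files dict and pass the contents of the deployed topology XML; the same function then covers advanced-topology, where the KNOXSSO checks simply do not apply.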