
I am using Ambari 2.7.3 and have installed Knox. I have tried to implement SSO for Ambari, following the URL below:

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/setting_up_knox_sso_for_ambari.html

Below are the Knox configs:

Advanced admin-topology :

<topology>
    <gateway>
         <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://DtIoTBDMaster01:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>authorization</role>
            <name>AclsAuthz</name>
            <enabled>true</enabled>
            <param>
               <name>knox.acl.mode</name>
               <value>OR</value>
               </param>
            <param>
                <name>knox.acl</name>
                <value>KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>HadoopGroupProvider</name>
            <enabled>true</enabled>
            <param>
                <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
                <value>gateway.group.config.</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>KNOX</role>
    </service>
</topology>

gateway.dispatch.whitelist : https?:\/\/(HOSTNAME|0\.0\.0\.0|0:0:0:0:0:0:0:1|::1):[0-9].*$

Advanced knoxsso-topology :

<topology>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param><name>xframe.options.enabled</name><value>true</value></param>
        </provider>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>redirectToUrl</name>
                <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
                <name>restrictedCookies</name>
                <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapContextFactory</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://x.x.x.x:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.authenticationCachingEnabled</name>
                <value>false</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>
    <application>
        <name>knoxauth</name>
    </application>
    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
        </param>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>30000</value>
        </param>
    </service>
    <service>
        <role>AMBARI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
</topology>

Advanced topology :

<topology>
        <gateway>
            <provider>
                <role>authentication</role>
                <name>ShiroProvider</name>
                <enabled>true</enabled>
                <param>
                    <name>sessionTimeout</name>
                    <value>30</value>
                </param>
                <param>
                    <name>main.ldapRealm</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                </param>
                <param>
                    <name>main.ldapRealm.userDnTemplate</name>
                    <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.url</name>
                    <value>ldap://{{knox_host_name}}:33389</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                    <value>simple</value>
                </param>
                <param>
                    <name>urls./**</name>
                    <value>authcBasic</value>
                </param>
            </provider>
            <provider>
                <role>identity-assertion</role>
                <name>Default</name>
                <enabled>true</enabled>
            </provider>
            <provider>
                <role>authorization</role>
                <name>AclsAuthz</name>
                <enabled>true</enabled>
            </provider>
        </gateway>
        <service>
            <role>NAMENODE</role>
            <url>{{namenode_address}}</url>
        </service>
        <service>
            <role>JOBTRACKER</role>
            <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
        </service>
        <service>
            <role>WEBHDFS</role>
            {{webhdfs_service_urls}}
        </service>
        <service>
            <role>WEBHCAT</role>
            <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
        </service>
        <service>
            <role>OOZIE</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
        </service>

        <service>
            <role>OOZIEUI</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie/</url>
        </service>
        <service>
            <role>WEBHBASE</role>
            <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
        </service>
        <service>
            <role>HIVE</role>
            <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
        </service>
        <service>
            <role>RESOURCEMANAGER</role>
            <url>http://{{rm_host}}:{{rm_port}}/ws</url>
        </service>
        <service>
            <role>DRUID-COORDINATOR-UI</role>
            {{druid_coordinator_urls}}
        </service>
        <service>
            <role>DRUID-COORDINATOR</role>
            {{druid_coordinator_urls}}
        </service>

        <service>
            <role>DRUID-OVERLORD-UI</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-OVERLORD</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-ROUTER</role>
            {{druid_router_urls}}
        </service>
        <service>
            <role>DRUID-BROKER</role>
            {{druid_broker_urls}}
        </service>
        <service>
            <role>ZEPPELINUI</role>
            {{zeppelin_ui_urls}}
        </service>
        <service>
            <role>ZEPPELINWS</role>
            {{zeppelin_ws_urls}}
        </service>
    </topology>

When I log in to the Ambari UI, it redirects to the Knox UI. The moment I enter the default Knox credentials it redirects to the Ambari UI, and then it opens the Knox UI again. Below is the error I got from the Knox gateway:

2021-01-11 10:43:17,080 INFO  knox.gateway (KnoxLdapRealm.java:getUserDn(692)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
2021-01-11 10:43:17,090 INFO  service.knoxsso (WebSSOResource.java:getCookieValue(365)) - Unable to find cookie with name: original-url
2021-01-11 10:43:17,092 INFO  service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(339)) - JWT cookie successfully added.
2021-01-11 10:43:17,093 INFO  service.knoxsso (WebSSOResource.java:getAuthenticationToken(240)) - About to redirect to original URL: http://dtiotbdmaster01:8080/
satish pujara

2 Answers


You have a few issues with the knoxsso topology. KnoxSSO should be used for authentication; you do need to mention the following config in it:

<service>
    <role>AMBARI</role>
    <url>http://x.x.x.x:8080</url>
</service>
<service>
    <role>AMBARIUI</role>
    <url>http://x.x.x.x:8080</url>
</service>

Try adding the whitelist regex in the knoxsso topology, not in the admin topology.

<param>
    <name>knoxsso.redirect.whitelist.regex</name>
    <value>^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
</param>

Remove gateway.dispatch.whitelist from the admin topology.

Note: you need to give a regex value; * would not work.

rikamamanus

  • When I log in to Ambari, it is successfully redirected to the Knox gateway, and after I give credentials it goes to the Ambari UI and then comes back to the Knox gateway UI screen. I am not getting any error logs from Knox or Ambari either. – satish pujara Jan 22 '21 at 07:06

I suspect that the issue you are encountering here is just a typical cookie-related issue. It seems that the cookie is likely being set, since it is attempting to redirect to the originalUrl post authentication.

Noting that the originalUrl and the related redirect go to http://dtiotbdmaster01:8080/, this looks like something that may present a domain issue for a cookie. Since this is a hostname and not a domain, it may not be set properly in your browser and may not be presented to the originalUrl.

In addition, I notice that http://dtiotbdmaster01:8080/ does not have SSL/HTTPS. Since you have the following configuration for the KNOXSSO service, the secure flag will be set on the cookie if it is indeed successfully set in the browser. This means that the browser will not present the cookie to the target URL when not over TLS/HTTPS.

<service>
    <role>KNOXSSO</role>
    <param>
        <name>knoxsso.cookie.secure.only</name>
        <value>true</value>
    </param>
    <param>
        <name>knoxsso.token.ttl</name>
        <value>30000</value>
    </param>
</service>

Like I said, these are generic cookie type issues and likely the root cause of your issue here.

lmccay
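The two answers point at three things to verify in the knoxsso topology before the redirect back to Ambari can work: the `knoxsso.redirect.whitelist.regex` must be a real regex that matches the original URL (a bare `*` is not a pattern), `knoxsso.cookie.secure.only=true` means the browser withholds the JWT cookie from a plain-http original URL, and a bare hostname rather than a domain is a cookie-scope risk. The following Python script is an added example written for this thread (not Knox code and not from either answerer) that parses a constructed KNOXSSO service fragment modelled on the question's topology and reports those findings for a given original URL. The template, the finding codes and the hostnames are constructed for the example; the whitelist regex is the one from the first answer.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed knoxsso topology fragment (modelled on the one in the question, with the
# whitelist param from the first answer added). Only the KNOXSSO service matters here.
_TEMPLATE = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>{secure}</value></param>
    <param><name>knoxsso.token.ttl</name><value>30000</value></param>
    <param><name>knoxsso.redirect.whitelist.regex</name><value>{regex}</value></param>
  </service>
</topology>
"""

# Whitelist regex exactly as given in the first answer (Java and Python regex syntax agree here).
ANSWER_REGEX = r"^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"


def knoxsso_topology(regex=ANSWER_REGEX, secure_only="true"):
    """Render the constructed topology with the given whitelist regex and secure-only flag."""
    return _TEMPLATE.format(regex=regex, secure=secure_only)


def knoxsso_params(topology_xml):
    """Return {param name: value} for the KNOXSSO service, or {} if the service is absent."""
    root = ET.fromstring(topology_xml)
    for service in root.iter("service"):
        if service.findtext("role") == "KNOXSSO":
            return {p.findtext("name"): p.findtext("value") for p in service.findall("param")}
    return {}


def check_sso_redirect(topology_xml, original_url):
    """Return a list of (code, message) findings for redirecting to original_url after KnoxSSO login."""
    findings = []
    params = knoxsso_params(topology_xml)
    target = urlparse(original_url)
    host = target.hostname or ""

    regex = params.get("knoxsso.redirect.whitelist.regex")
    if regex is None:
        findings.append(("WHITELIST_MISSING", "no knoxsso.redirect.whitelist.regex in the KNOXSSO service"))
    else:
        try:
            pattern = re.compile(regex)
        except re.error as exc:
            # A bare '*' is not a pattern at all; Knox needs an actual regex value here.
            findings.append(("WHITELIST_INVALID", f"whitelist value is not a valid regex: {exc}"))
        else:
            if not pattern.match(original_url):
                findings.append(("WHITELIST_NO_MATCH", f"whitelist regex does not match {original_url}"))

    # Secure-flagged cookies are never sent to an http:// origin, so the redirect loops back to login.
    if params.get("knoxsso.cookie.secure.only", "").lower() == "true" and target.scheme != "https":
        findings.append(("SECURE_COOKIE_OVER_HTTP",
                         "knoxsso.cookie.secure.only=true but the original URL is plain http, "
                         "so the browser will not send the JWT cookie to it"))

    # A single-label hostname gives the browser no domain to scope the cookie to.
    if host and "." not in host:
        findings.append(("BARE_HOSTNAME",
                         f"original URL host '{host}' is a bare hostname, not a domain; "
                         "the cookie may not be set or presented as expected"))
    return findings


if __name__ == "__main__":
    # The original URL reported in the question's gateway log.
    for code, message in check_sso_redirect(knoxsso_topology(), "http://dtiotbdmaster01:8080/"):
        print(f"{code}: {message}")
```

Run against the question's own redirect target, `http://dtiotbdmaster01:8080/`, the check reports all three findings; switching the target to an https URL on a whitelisted domain clears them, which is the state the answers are steering towards.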