...

  1. Follow the Ambari Vagrant Quick Start guide (https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide) to create a three-node cluster with CentOS 6.4 using Ambari 2.4 (trunk) or greater

  2. Unzip the Apache Knox v0.9.0 release candidate to the {AMBARI_VAGRANT_HOME}/centos6.4 directory, which is a shared volume available inside the vagrant machine as /vagrant

  3. vagrant ssh into c6401

  4. Stop the Apache Knox instance that is already running (if there is one)

  5. The knoxsso.xml topology file should be deployed by default and can be found at {GATEWAY_HOME}/conf/topologies/knoxsso.xml. The LDAP/AD configuration will need to be changed to match your deployment scenario. By default it is configured for the Knox Demo LDAP server, just as sandbox.xml is.

  6. Change the knoxsso.cookie.secure.only param in knoxsso.xml to false. Ambari does not have SSL enabled by default, and if we set the cookie to secure only it will not be presented to Ambari by the browser. NOTE: THIS IS INSECURE AND ONLY USED FOR TESTING

  7. Change the knoxsso.token.ttl parameter to something like 30 secs (30000) - the default value of -1 will not work with Ambari until AMBARI-15479 is resolved.

  8. Ensure that the knoxsso.redirect.whitelist.regex parameter for KNOXSSO includes the c6401.ambari.apache.org host in the set of acceptable hosts. See the example at the end of this article.
  9. Start your v0.9.0 version of Knox via:  {GATEWAY_HOME}/bin/gateway.sh start - ensure that you are using Java 7 or 8 by exporting JAVA_HOME appropriately

  10. Configure Ambari for SSO with KnoxSSO through the SSO Wizard via the ambari-server CLI

    1. Get the gateway-identity public key from Apache Knox {GATEWAY_HOME}/data/security/keystores/gateway.jks via keytool or portecle (see Extracting Knox Public Key for SAML IdP Configuration section for details)

    2. Get the SSO provider URL for the KnoxSSO websso endpoint (i.e. https://c6401.ambari.apache.org:8443/gateway/knoxsso/api/v1/websso)

    3. su to root {pw: vagrant}

    4. Start the SSO wizard:

...

[root@c6401 knox-0.9.0]# ambari-server restart

Extracting Knox Public Key for

...

IdP Configuration

There are multiple ways that you can do this.

The following will use keytool and openssl to first extract a DER encoded cert from the gateway keystore and then to convert DER to PEM encoding:

 [vagrant@c6401 knox-0.9.0]$ keytool -exportcert -keystore data/security/keystores/gateway.jks -alias gateway-identity -file gateway.cer
Enter keystore password:{master secret}
Certificate stored in file <gateway.cer>

Now convert the cer file into pem encoding via openssl:

 [vagrant@c6401 knox-0.9.0]$ openssl x509 -inform der -in gateway.cer -out gateway.pem

Alternatively, keytool can extract a PEM encoded cert from the gateway keystore directly with -rfc:

 [vagrant@c6401 knox-0.9.0]$ keytool -exportcert -keystore data/security/keystores/gateway.jks -alias gateway-identity -rfc -file gateway.pem
Enter keystore password:{master secret}
Certificate stored in file <gateway.pem>

 

For the Ambari SSO wizard the content between

...

            <value>30000</value>
        </param>
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            <value>^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
        </param>
    </service>
</topology>
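
A quick check of the three settings changed in steps 6 to 8 before restarting Knox. This is an added example, not part of the original page or of Knox or Ambari. The sample topology is constructed from the parameter names and values shown here; the `<role>` element, the Ambari port 8080, the helper names and the use of Python's `re` in place of the Java regex engine Knox runs are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal KNOXSSO service using the parameter names and
# values from this page. The <role> element and port 8080 are assumptions.
SAMPLE_TOPOLOGY = r"""
<topology>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
    <param><name>knoxsso.token.ttl</name><value>30000</value></param>
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
    </param>
  </service>
</topology>
"""


def knoxsso_params(topology_xml):
    """Return {name: value} for every <param> of the KNOXSSO service."""
    root = ET.fromstring(topology_xml)
    for service in root.iter("service"):
        if (service.findtext("role") or "").strip() == "KNOXSSO":
            return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
                    for p in service.findall("param")}
    return {}


def review(topology_xml, return_url):
    """Report on the three settings steps 6-8 change, for one return URL."""
    params = knoxsso_params(topology_xml)
    findings = []
    if params.get("knoxsso.cookie.secure.only", "").lower() == "false":
        findings.append("cookie.secure.only=false: cookie also sent over HTTP, testing only")
    # Per the page, -1 is the default and does not work with Ambari yet.
    if params.get("knoxsso.token.ttl", "-1") == "-1":
        findings.append("token.ttl=-1: not usable with Ambari until AMBARI-15479")
    regex = params.get("knoxsso.redirect.whitelist.regex")
    if regex is None:
        findings.append("redirect.whitelist.regex is not set in this topology")
    elif re.fullmatch(regex, return_url) is None:
        findings.append("redirect whitelist rejects " + return_url)
    return findings


if __name__ == "__main__":
    for url in ("http://c6401.ambari.apache.org:8080/",   # cluster host
                "http://ambari.example.com:8080/"):       # host outside the set
        print(url, "->", review(SAMPLE_TOPOLOGY, url))
```

To check a real deployment, pass the text of {GATEWAY_HOME}/conf/topologies/knoxsso.xml instead of the sample. The secure-only finding is expected in this test setup and should be gone once Ambari is served over SSL.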