
For now, in our HDP environment, we have been trying to set up the 1st and 2nd layers of security, Kerberos and Ranger. Then we want to add the 3rd layer, Knox.

After reading some documentation in the Knox reference for HDP 3.1.4, and another page, we found 3 options for implementing Knox in an HDP cluster: Knox proxy (API), proxy (UI), and SSO.

For our needs, we want to use the proxy (API), and we got the hint for implementing it (combined with Kerberos). But we are confused about implementing the proxy UI and SSO features.

  1. What is the difference between the two of them?
  2. When do we use proxy UI and when do we use SSO?
  3. Can we use the three Knox options together?
  4. Based on this link, there is a step that requires configuring Ambari authentication, "Configure Ambari Authentication for LDAP/AD". Does it mean we drop Ambari authentication with Kerberos? But what about the Knox supported matrix that states Knox SSO can be configured in a kerberized cluster?

  5. We can't find how to use and configure Knox proxy (UI). Does it mean that if we want to launch the Atlas app, the Knox authentication form appears first, or something different?

Regards

m hanif f
  • After reading your post I, too, am confused. Knox is used as an **authentication endpoint**, i.e. end users typically provide HTTP BASIC auth _(user/pwd masked by SSL)_ that Knox validates against an LDAP back-end, then Knox forwards the traffic using Kerberos auth (SPNego on HTTP) using its own credentials with some flag requesting _"run this for user X, trust me, I'm Knox, I know him/her, and I have privileges to impersonate him/her"_ (cf. `proxyuser.knox` settings in Hadoop config files). – Samson Scharfrichter Feb 10 '20 at 21:29
  • Knox also has an admin UI, that typically uses the same HTTP BASIC auth backed by LDAP. But when using Ambari or Cloudera Manager you typically don't care about that UI. – Samson Scharfrichter Feb 10 '20 at 21:32
  • Finally, if your organization already has SSO for its intranet portals and whatnot, you can use that same SSO mechanism to authenticate against Knox (using SPNego instead of HTTP BASIC). Can be useful if your Hadoop cluster uses its own Kerberos KDC instead of the corporate KDC used by SSO. – Samson Scharfrichter Feb 10 '20 at 21:35
  • Firstly, I've edited my question above. "Knox is used as an authentication endpoint ... Hadoop config file)": is this about Knox as proxy API? If yes, how is a user identified via the API with LDAP auth and then forwarded to the cluster through Kerberos auth? Must we register the user in the KDC too? – m hanif f Feb 11 '20 at 02:21
  • "Knox also has...about that UI" >>> Is this about the Knox admin UI? Or something different, like Knox giving one layer of auth to validate before accessing each of Atlas/Ranger/Ambari? – m hanif f Feb 11 '20 at 02:24
  • "Finally, if your...used by SSO" >>> First, does this SSO look like this: if we want to get to all UI services, we only authenticate once? | And from your statement "Can be useful if your hadoop... KDC used by SSO", is it better to just use the Kerberos KDC rather than SSO (don't use SSO)? – m hanif f Feb 11 '20 at 02:30
  • I guess there are HortonWorks presentations on SlideShare and/or YouTube -- this discussion goes nowhere, you need to get the Big Picture first. – Samson Scharfrichter Feb 11 '20 at 14:09
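
The `proxyuser.knox` settings mentioned in the comments decide from which hosts, and on behalf of which groups or users, the cluster accepts impersonation by Knox. The following is an added example, not part of the original thread, that reads a `core-site.xml` and reports whether each of those trust settings is a wildcard; the sample XML is constructed, and the keys checked are assumed to be the standard `hadoop.proxyuser.<user>.hosts`, `.groups` and `.users` properties.

```python
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml fragment (not taken from the thread).
SAMPLE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.knox.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.knox.groups</name>
    <value>hadoop-users, analysts</value>
  </property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def classify(value):
    """Classify one proxyuser value: unset, empty, wildcard or restricted."""
    if value is None:
        return "unset"
    items = [v.strip() for v in value.split(",") if v.strip()]
    if not items:
        return "empty"
    # A "*" entry means any host / any group / any user is accepted.
    return "wildcard" if "*" in items else "restricted"


def audit_proxyuser(xml_text, principal="knox"):
    """Report how widely `principal` is trusted to impersonate end users."""
    props = load_properties(xml_text)
    return {
        scope: classify(props.get(f"hadoop.proxyuser.{principal}.{scope}"))
        for scope in ("hosts", "groups", "users")
    }


if __name__ == "__main__":
    for scope, status in audit_proxyuser(SAMPLE_CORE_SITE).items():
        print(f"hadoop.proxyuser.knox.{scope}: {status}")
```

A `wildcard` result on `hosts` means impersonation requests made with the Knox principal are accepted from any machine, so the usual hardening is to list only the Knox gateway hosts there.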

0 Answers