Knox Prerequisites

Your security manager must provide you with your authentication information and assist you in altering the current topology to add Indexima as a Knox service. Each security implementation is specific, and the security manager must help you with the current security settings.

For this page, we will use the internal Ambari services and account to provide a quick way to test and implement the required components.

The KNOX_HOME directory depends on the version of Hortonworks installed. In our use case this is version 2.6.5, so set the variable with: export KNOX_HOME=/usr/hdp/2.6.5.0-292/knox

Verify if Knox is configured to use CA certificates

Use openssl s_client to display the certificate chain presented by the Knox gateway. In the output below, Verify return code: 18 (self signed certificate) shows that the gateway is still using a self-signed certificate rather than one issued by a trusted CA, so clients will have to trust it explicitly.

BASH
openssl s_client -showcerts -connect $(hostname -f):8443
CONNECTED(00000003)
depth=0 C = US, ST = Test, L = Test, O = Hadoop, OU = Test, CN = ns3615.co
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Test, L = Test, O = Hadoop, OU = Test, CN = ns3615.co
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Test/L=Test/O=Hadoop/OU=Test/CN=ns3615.co
   i:/C=US/ST=Test/L=Test/O=Hadoop/OU=Test/CN=ns3615.co
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Server certificate
subject=/C=US/ST=Test/L=Test/O=Hadoop/OU=Test/CN=ns3615.co
issuer=/C=US/ST=Test/L=Test/O=Hadoop/OU=Test/CN=ns3615.co
...
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5BB45F6C7CA3033A55BA684A5E3B5DA0EFCD542492F3CAF67432EA30CE7A4D61
    Session-ID-ctx:
    Master-Key: 62E7B449F3A7D59CA36803273D5BC1AAEE7BB095A7CF71727BB649A99F63BB075CC4FBB39DE671441F76DF49AFEAAB0E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1538547564
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

Start the LDAP server embedded in Knox.

Ambari-Knox comes with a simple LDAP server for test purposes.

BASH
export KNOX_HOME=/usr/hdp/2.6.5.0-292/knox
${KNOX_HOME}/bin/ldap.sh start
${KNOX_HOME}/bin/ldap.sh status
LDAP is running with PID 10202.

This minimal LDAP server identifies authenticated users from the file ${KNOX_HOME}/conf/users.ldif.

For the purposes of this document, we use the admin account with its associated password admin-password, as defined in that file:

BASH
vi ${KNOX_HOME}/conf/users.ldif
...
# entry for sample user admin
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: Admin
sn: Admin
uid: admin
userPassword:admin-password
...

This LDAP server can also be started from the Ambari GUI, as shown in the following screenshot.

[Screenshot: ambari-ldap]
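Two pre-flight checks on the artefacts inspected above (the s_client output and users.ldif), as an added example that is not Indexima's or Knox's own code: one flags a gateway certificate that did not verify against a CA or uses a short key, the other lists accounts whose userPassword is stored in cleartext. The sample inputs are constructed to mirror the page; the {SSHA} value is a placeholder, not a real hash.

```shell
# Added example (not Indexima's or Knox's code): pre-flight checks on the
# two artefacts this page inspects. Sample inputs are constructed.
set -eu

# Constructed openssl s_client output, reduced to the lines the check reads.
SAMPLE_SCLIENT='Server public key is 1024 bit
    Verify return code: 18 (self signed certificate)'

# Constructed users.ldif excerpt in the layout of the Knox demo file;
# the {SSHA} value is a placeholder, not a real hash.
SAMPLE_LDIF='# entry for sample user admin
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
uid: admin
userPassword:admin-password

dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
uid: guest
userPassword: {SSHA}placeholder-hash'

# tls_check: reads s_client output on stdin; succeeds only when the gateway
# certificate verified against a trusted CA (code 0) and the key is >= 2048 bits.
# A missing "Verify return code" line is treated as a failure, not a pass.
tls_check() {
    awk '
    BEGIN { code = -1; bits = 0 }
    /^Server public key is/ { bits = $5 + 0 }
    /Verify return code:/   { sub(/.*Verify return code: */, ""); code = $1 + 0 }
    END {
        rc = 0
        if (code != 0)   { print "certificate not CA-verified (verify code " code ")"; rc = 1 }
        if (bits < 2048) { print "weak server key: " bits " bit"; rc = 1 }
        exit rc
    }'
}

# cleartext_users: reads LDIF on stdin and prints each uid whose userPassword
# has no {SCHEME} prefix, i.e. is stored in cleartext; fails if any are found.
cleartext_users() {
    awk -F: '
    /^#/ { next }
    /^uid:/          { uid = $2; sub(/^ */, "", uid) }
    /^userPassword:/ { pw = $2; sub(/^ */, "", pw); if (pw !~ /^[{]/) { print uid; found = 1 } }
    /^$/             { uid = "" }
    END { exit found ? 1 : 0 }'
}

# Run both checks against the constructed samples (both are expected to fail).
printf '%s\n' "$SAMPLE_SCLIENT" | tls_check || echo "TLS check failed"
printf '%s\n' "$SAMPLE_LDIF" | cleartext_users || echo "cleartext passwords found"
```

On a live gateway, pipe the real output in instead: openssl s_client -connect $(hostname -f):8443 </dev/null 2>/dev/null | tls_check, and cleartext_users < ${KNOX_HOME}/conf/users.ldif.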

Check the Knox Topology.

The Ambari-Knox gateway can manage multiple topologies for complete security coverage. All of these topologies can be listed with the command ${KNOX_HOME}/bin/knoxcli.sh list-topologies:

BASH
List of files available in the topologies directory
/usr/hdp/2.6.5.0-292/knox/bin/../conf/topologies
knoxsso
default
manager
admin

We will use the default topology, into which we will insert the INDEXIMA service.

Validate the topology definition for default with the command knoxcli.sh validate-topology:

BASH
File to be validated:
/usr/hdp/2.6.5.0-292/knox/bin/../conf/topologies/default.xml
==========================================
Topology file validated successfully

Then verify that we can authenticate with the chosen topology using the command knoxcli.sh user-auth-test, as shown below:

BASH
${KNOX_HOME}/bin/knoxcli.sh user-auth-test --cluster default --u admin --p admin-password
LDAP authentication successful!