knox重定向到ambari用户界面问题

wfveoks0  于 2021-07-15  发布在  Hadoop
关注(0)|答案(2)|浏览(762)

我使用的是ambariv2.7.3,我已经安装了knox。我已经尝试为ambari实现sso。我已经按照下面的url实现了相同的。

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/setting_up_knox_sso_for_ambari.html

以下是knox配置:
高级管理拓扑:

<topology>
    <gateway>
         <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://DtIoTBDMaster01:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>authorization</role>
            <name>AclsAuthz</name>
            <enabled>true</enabled>
            <param>
               <name>knox.acl.mode</name>
               <value>OR</value>
               </param>
            <param>
                <name>knox.acl</name>
                <value>KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>HadoopGroupProvider</name>
            <enabled>true</enabled>
            <param>
                <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
                <value>gateway.group.config.</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>KNOX</role>
    </service>
</topology>

gateway.dispatch.whitelist : https?:\/\/(HOSTNAME|0\.0\.0\.0|0:0:0:0:0:0:0:1|::1):[0-9].*$

高级Knoxso拓扑:

<topology>
            <gateway>
            <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param><name>xframe.options.enabled</name><value>true</value></param>
            </provider>
            <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
            <name>sessionTimeout</name>
            <value>30</value>
            </param>
            <param>
            <name>redirectToUrl</name>
            <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
            <name>restrictedCookies</name>
            <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
            <name>main.ldapRealm</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
            <name>main.ldapContextFactory</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
            <name>main.ldapRealm.contextFactory</name>
            <value>$ldapContextFactory</value>
            </param>
            <param>
            <name>main.ldapRealm.userDnTemplate</name>
            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldap://x.x.x.x:33389</value>
            </param>
            <param>
            <name>main.ldapRealm.authenticationCachingEnabled</name>
            <value>false</value>
            </param>
            <param>
            <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
            <value>simple</value>
            </param>
            <param>
            <name>urls./**</name>
            <value>authcBasic</value>
            </param>
            </provider>
            <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
            </provider>
            </gateway>
            <application>
            <name>knoxauth</name>
            </application>
            <service>
            <role>KNOXSSO</role>
            <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
            </param>
            <param>
            <name>knoxsso.token.ttl</name>
            <value>30000</value>
            </param>
            </service>
<service>
        <role>AMBARI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
            </topology>

高级拓扑:

<topology>
        <gateway>
            <provider>
                <role>authentication</role>
                <name>ShiroProvider</name>
                <enabled>true</enabled>
                <param>
                    <name>sessionTimeout</name>
                    <value>30</value>
                </param>
                <param>
                    <name>main.ldapRealm</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                </param>
                <param>
                    <name>main.ldapRealm.userDnTemplate</name>
                    <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.url</name>
                    <value>ldap://{{knox_host_name}}:33389</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                    <value>simple</value>
                </param>
                <param>
                    <name>urls./**</name>
                    <value>authcBasic</value>
                </param>
            </provider>
            <provider>
                <role>identity-assertion</role>
                <name>Default</name>
                <enabled>true</enabled>
            </provider>
            <provider>
                <role>authorization</role>
                <name>AclsAuthz</name>
                <enabled>true</enabled>
            </provider>
        </gateway>
        <service>
            <role>NAMENODE</role>
            <url>{{namenode_address}}</url>
        </service>
        <service>
            <role>JOBTRACKER</role>
            <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
        </service>
        <service>
            <role>WEBHDFS</role>
            {{webhdfs_service_urls}}
        </service>
        <service>
            <role>WEBHCAT</role>
            <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
        </service>
        <service>
            <role>OOZIE</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
        </service>

        <service>
            <role>OOZIEUI</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie/</url>
        </service>
        <service>
            <role>WEBHBASE</role>
            <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
        </service>
        <service>
            <role>HIVE</role>
            <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
        </service>
        <service>
            <role>RESOURCEMANAGER</role>
            <url>http://{{rm_host}}:{{rm_port}}/ws</url>
        </service>
        <service>
            <role>DRUID-COORDINATOR-UI</role>
            {{druid_coordinator_urls}}
        </service>
        <service>
            <role>DRUID-COORDINATOR</role>
            {{druid_coordinator_urls}}
        </service>

        <service>
            <role>DRUID-OVERLORD-UI</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-OVERLORD</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-ROUTER</role>
            {{druid_router_urls}}
        </service>
        <service>
            <role>DRUID-BROKER</role>
            {{druid_broker_urls}}
        </service>
        <service>
            <role>ZEPPELINUI</role>
            {{zeppelin_ui_urls}}
        </service>
        <service>
            <role>ZEPPELINWS</role>
            {{zeppelin_ws_urls}}
        </service>
    </topology>

登录到ambari ui的那一刻,它正在重定向到knox ui,我输入knox的默认凭据的那一刻,它正在重定向到ambari ui,它再次打开knox ui,即我从knox gateway得到的错误

2021-01-11 10:43:17,080 INFO  knox.gateway (KnoxLdapRealm.java:getUserDn(692)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for pr
incipal: admin
2021-01-11 10:43:17,090 INFO  service.knoxsso (WebSSOResource.java:getCookieValue(365)) - Unable to find cookie with name: original-url
2021-01-11 10:43:17,092 INFO  service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(339)) - JWT cookie successfully added.
2021-01-11 10:43:17,093 INFO  service.knoxsso (WebSSOResource.java:getAuthenticationToken(240)) - About to redirect to original URL: http://dtiotbdmaster01:8080/
u5rb5r59

u5rb5r591#

您对knosso拓扑没有什么问题,knoxso应该用于身份验证您需要在其中提到以下配置:-

<service>
        <role>AMBARI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
            </topology>

尝试在knoxso和no-it管理拓扑中添加白名单regex。

<param>
 <name>knoxsso.redirect.whitelist.regex</name>
 <value>^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|
127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
 </param>

删除 gateway.dispatch.whitelist 从管理拓扑。
note:- you 需要使regex值, * 不起作用。

nfs0ujit

nfs0ujit2#

我怀疑你在这里遇到的问题只是一个典型的饼干相关的问题。看起来cookie很可能被设置了,因为它试图重定向到originalurl post身份验证。
注意到originalurl和相关的重定向http://dtiotbdmaster01:8080/这看起来像是cookie的域问题。由于这是一个主机名而不是域,因此可能无法在浏览器上正确设置,也可能无法显示给源URL。
此外,我注意到http://dtiotbdmaster01:8080/没有ssl/https。由于knoxso服务具有以下配置,因此如果确实在浏览器上成功设置了安全标志,则会在cookie上设置该标志。这意味着浏览器在不通过tls/https时不会将cookie呈现给目标url。

<service>
        <role>KNOXSSO</role>
        <param>
        <name>knoxsso.cookie.secure.only</name>
        <value>true</value>
        </param>
        <param>
        <name>knoxsso.token.ttl</name>
        <value>30000</value>
        </param>
        </service>

就像我说的,这些都是常见的cookie类型的问题,很可能是您的问题的根本原因。

相关问题