Posted to dev@zeppelin.apache.org by "Patrick Ethier (JIRA)" <ji...@apache.org> on 2018/01/02 12:26:00 UTC

[jira] [Created] (ZEPPELIN-3124) KnoxSSO Authentication returns 503 when using the websso service

Patrick Ethier created ZEPPELIN-3124:
----------------------------------------

             Summary: KnoxSSO Authentication returns 503 when using the websso service
                 Key: ZEPPELIN-3124
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3124
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.8.0
         Environment: Knox 0.14.0 & Zeppelin 0.8.0-SNAPSHOT (see config files included below)
            Reporter: Patrick Ethier
            Priority: Minor
         Attachments: knox-knoxsso.xml, knox-topology-ui.xml, zeppelin-shiro.ini

I am unsure if this is Knox-related or Zeppelin-related, but given that Zeppelin returns 503, I am starting here.

In short, KnoxSSO-enabled services, from what I understand, should be pointing to https://<gatewayurl>/gateway/knoxsso/api/v1/websso. This URL will then redirect the user to whatever "provider" is to be used by Knox which, when done, will redirect to Zeppelin with hadoop-jwt.

The current patch for the knox-sso points directly to the form-login, which bypasses the ability of KnoxSSO to use an external provider.

So, knoxJwtRealm.login = gateway/knoxsso/api/v1/websso returns 503,
but knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html returns the Knox login form and works (but it is impossible to use an OAuth or SAML provider since this is bypassing the upstream KnoxSSO providers).

To reproduce this, on the same host, install Knox on port 8443 and Zeppelin on 8080 using the default untarred distributions for both (in my case I put them in /opt).

Copy the included/attached files (I configured my DNS to return zeppelin01.example.com that points to the host) as follows:
zeppelin-shiro.ini is <base>/zeppelin-0.8.0-SNAPSHOT/conf/shiro.ini
knox-knoxsso.xml is <base>/knox-0.14.0/conf/topologies/knoxsso.xml
knox-topology-ui.xml is <base>/knox-0.14.0/conf/topologies/ui.xml

By commenting/uncommenting the line in shiro.ini:
knoxJwtRealm.login=

Browse to http://zeppelin01.example.com:8080. In the login.html case it works; in the websso case it returns 503.

Also note, the above configuration should also work for https://zeppelin01.example.com:8443/gateway/ui/zeppelin but the redirects aren't working (I'm not sure if this is related to this issue, is a misconfiguration on my part, or is a Knox problem, but I am providing it just in case).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
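
A small check for the shiro.ini setting discussed in this report, added here as an example (it is not part of the original message, nor Zeppelin or Knox code): it reports whether the active knoxJwtRealm.login line points at the websso endpoint or directly at the Knox login form, and lists the commented-out alternative. The key name and both paths are taken from the report; the sample file content is constructed and the function names are hypothetical.

```python
# Added example: audit which KnoxSSO entry point a Zeppelin shiro.ini uses.
KEY = "knoxJwtRealm.login"             # key name as written in the report
WEBSSO_SUFFIX = "api/v1/websso"        # redirects via the topology's provider
FORM_SUFFIX = "knoxauth/login.html"    # Knox's own login form

# Constructed sample, mirroring the comment/uncomment toggle in the report.
SAMPLE = """[main]
# knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
"""

def classify(value):
    """Classify a login path as 'websso', 'form-login' or 'unknown'."""
    path = value.split("?", 1)[0].strip().rstrip("/")
    if path.endswith(WEBSSO_SUFFIX):
        return "websso"
    if path.endswith(FORM_SUFFIX):
        return "form-login"
    return "unknown"

def audit_login(ini_text):
    """Return (active, commented) lists of (line_no, value, kind) for KEY."""
    active, commented = [], []
    for no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        is_comment = line.startswith(("#", ";"))   # Shiro INI comment markers
        name, sep, value = line.lstrip("#; \t").partition("=")
        if not sep or name.strip() != KEY:
            continue
        entry = (no, value.strip(), classify(value))
        (commented if is_comment else active).append(entry)
    return active, commented

def findings(ini_text):
    """Human-readable findings about the active login setting."""
    active, _ = audit_login(ini_text)
    out = []
    if not active:
        out.append("no active %s line" % KEY)
    if len(active) > 1:
        out.append("multiple active %s lines: %s" % (KEY, [n for n, _, _ in active]))
    for no, value, kind in active:
        if kind == "form-login":
            out.append("line %d: %s goes straight to the Knox login form; "
                       "SAML/OAuth providers behind websso are bypassed" % (no, value))
        elif kind == "unknown":
            out.append("line %d: unrecognised login path %r" % (no, value))
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)) or "login uses the websso endpoint")
```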