You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@metron.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/11/26 23:16:00 UTC
[jira] [Commented] (METRON-1895) Add Knox SSO as an option in
Metron
[ https://issues.apache.org/jira/browse/METRON-1895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16699691#comment-16699691 ]
ASF GitHub Bot commented on METRON-1895:
----------------------------------------
GitHub user merrimanr opened a pull request:
https://github.com/apache/metron/pull/1281
METRON-1895: Add Knox SSO as an option in Metron
## Contributor Comments
This PR enables Metron to use Knox SSO for authentication. This PR depends on https://github.com/apache/metron/pull/1275 and, in it's current state, is meant only as a way to demonstrate this capability.
### Testing
1. Follow the instructions in the "Testing" section of https://github.com/apache/metron/pull/1275 to add Metron as a Knox service. Once you can access REST and the UIs through Knox you are ready for the next steps.
2. Add the Metron REST host to the Knox SSO white list. Navigate to the `Advanced knoxsso-topology` setting in Ambari at `Services > Knox > Configs > Advanced knoxsso-topology`. This property contains the complete Knox SSO topology xml. Update the `knoxsso.redirect.whitelist.regex` param value to include `node1`. The complete xml should look like this:
```
<topology>
<gateway>
<provider>
<role>webappsec</role>
<name>WebAppSec</name>
<enabled>true</enabled>
<param><name>xframe.options.enabled</name><value>true</value></param>
</provider>
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>30</value>
</param>
<param>
<name>redirectToUrl</name>
<value>/gateway/knoxsso/knoxauth/login.html</value>
</param>
<param>
<name>restrictedCookies</name>
<value>rememberme,WWW-Authenticate</value>
</param>
<param>
<name>main.ldapRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
</param>
<param>
<name>main.ldapContextFactory</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
</param>
<param>
<name>main.ldapRealm.contextFactory</name>
<value>$ldapContextFactory</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://localhost:33389</value>
</param>
<param>
<name>main.ldapRealm.authenticationCachingEnabled</name>
<value>false</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
<value>simple</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
</gateway>
<application>
<name>knoxauth</name>
</application>
<service>
<role>KNOXSSO</role>
<param>
<name>knoxsso.cookie.secure.only</name>
<value>false</value>
</param>
<param>
<name>knoxsso.token.ttl</name>
<value>30000</value>
</param>
<param>
<name>knoxsso.redirect.whitelist.regex</name>
<value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1|node1):[0-9].*$</value>
</param>
</service>
</topology>
```
Save and restart Knox.
3. Update the `metron.xml` topology file at `/usr/hdp/current/knox-server/conf/topologies/metron.xml` to use Knox SSO authentication. Replace this:
```
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>30</value>
</param>
<param>
<name>main.ldapRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://localhost:33389</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
<value>simple</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
```
With this:
```
<provider>
<role>federation</role>
<name>SSOCookieProvider</name>
<enabled>true</enabled>
<param>
<name>sso.authentication.provider.url</name>
<value>https://node1:8443/gateway/knoxsso/api/v1/websso</value>
</param>
</provider>
```
4. Extract the Knox public key with this command:
```
openssl s_client -connect node1:8443 < /dev/null | openssl x509 | grep -v 'CERTIFICATE' | paste -sd "" -
```
Copy the key value (on the next line after `Done`). Navigate to the `Metron Spring options` property in Ambari at `Services > Metron > Configs > REST > Metron Spring options`. Append the Knox public key property and value to the existing `Metron Spring options` value. It should look like:
```
--knox.root=/gateway/metron/metron-rest --knox.sso.pubkey=<key generated from openssl command>
```
Restart REST. You should now be able to access Metron using Knox SSO.
5. Request the global config with this url in a browser:
```
https://node1:8443/gateway/metron/metron-rest/api/v1/global/config
```
You should be redirected to the Knox SSO url with the `originalUrl` param properly set:
```
https://node1:8443/gateway/knoxsso/knoxauth/login.html?originalUrl=https://node1:8443/gateway/metron/metron-rest/api/v1/global/config
```
6. After authenticating with LDAP credentials, you should be successfully redirected and see the global config in the browser.
7. Navigate to the Alerts UI:
```
https://node1:8443/gateway/metron/metron-alerts/alerts-list
```
You should go directly to the Alerts UI without being prompted for credentials.
8. To verify roles are working correctly, authenticate as the `admin` user with `admin/admin-password`. The `https://node1:8443/gateway/metron/metron-rest/api/v1/user/whoami/roles` endpoint should return `ROLE_USER` and `ROLE_ADMIN` just as it currently does.
### Outstanding Issues
This is meant only as a demonstration currently and will likely change depending on the outcome of https://github.com/apache/metron/pull/1275. Set up is a cumbersome, manual process right now so we will need to make that easier or automate it.
We also need to consider how we manage the `metron.xml` topology file and potentially add our own Knox SSO topology file. We can apply the decisions we make in https://github.com/apache/metron/pull/1275 for this case as well.
I am also planning on adding a comprehensive unit test for the KnoxSSOAuthenticationFilter class and maybe refactoring it down to a couple different classes. Feedback welcome there.
## Pull Request Checklist
Thank you for submitting a contribution to Apache Metron.
Please refer to our [Development Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235) for the complete guide to follow for contributions.
Please refer also to our [Build Verification Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview) for complete smoke testing guides.
In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:
### For all changes:
- [x] Is there a JIRA ticket associated with this PR? If not one needs to be created at [Metron Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
- [x] Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target branch (typically master)?
### For code changes:
- [x] Have you included steps to reproduce the behavior or problem that is being changed or addressed?
- [x] Have you included steps or a guide to how the change may be verified and tested manually?
- [ ] Have you ensured that the full suite of tests and checks have been executed in the root metron folder via:
```
mvn -q clean integration-test install && dev-utilities/build-utils/verify_licenses.sh
```
- [ ] Have you written or updated unit tests and or integration tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and the verify changes via `site-book/target/site/index.html`:
```
cd site-book
mvn site
```
#### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
It is also recommended that [travis-ci](https://travis-ci.org) is set up for your personal repository such that your branches are built there before submitting a pull request.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/merrimanr/incubator-metron knox-sso
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/metron/pull/1281.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1281
----
commit c0345e2faba1f10f495a4c3c3c5ec8b5137e2d1c
Author: merrimanr <me...@...>
Date: 2018-11-16T20:58:46Z
initial commit
commit 6cf7303af1d5cb06fea0d70a52f553c82878de3f
Author: merrimanr <me...@...>
Date: 2018-11-19T21:05:24Z
missing license headers and rpm spec updates
commit 3770304a9c0a187c356c8ba9b2a1fb956830bc03
Author: merrimanr <me...@...>
Date: 2018-11-20T16:40:54Z
fixed failing e2e test
commit 92567808a38b3a7e3a082c6704cbe6a2f3598dd8
Author: merrimanr <me...@...>
Date: 2018-11-20T18:47:09Z
removed only
commit 74df781b6a0437172ba3c46872916d1ec73b791c
Author: merrimanr <me...@...>
Date: 2018-11-26T22:42:57Z
initial commit
----
> Add Knox SSO as an option in Metron
> -----------------------------------
>
> Key: METRON-1895
> URL: https://issues.apache.org/jira/browse/METRON-1895
> Project: Metron
> Issue Type: New Feature
> Reporter: Ryan Merriman
> Priority: Major
>
> This feature will enable accessing Metron REST and the UIs through Knox's SSO mechanism.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)