Posted to users@zeppelin.apache.org by "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com> on 2018/08/08 20:55:47 UTC

Need help in enabling KnoxSSO authentication in zeppelin

Greetings,

I’m working on enabling knox-sso authentication in Zeppelin on AWS EMR. I configured the Zeppelin UI host in the topology XML and made the configuration changes to enable Zeppelin in Knox (suggested in the documentation). Now I’m facing a few issues accessing Zeppelin via the Knox gateway, which I have detailed below. Could anyone please help me with this? It would be very helpful to proceed further.

I’m seeing the below log error messages on starting Zeppelin.


[image: cidimage001.png]

Configuration changes:


  1.  Zeppelin : shiro.ini

knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://<dns-domain>:8446/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.logoutAPI = true
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter


  2.  Knoxsso.xml

<?xml version="1.0" encoding="utf-8"?>
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param>
        <name>pac4j.session.store</name>
        <value>J2ESessionStore</value>
      </param>
      <param>
        <name>pac4j.callbackUrl</name>
        <value>https://<dnsname>:8446/gateway/knoxsso/api/v1/websso</value>
      </param>
      <param>
        <name>clientName</name>
        <value>SAML2Client</value>
      </param>
      <param>
        <name>saml.identityProviderMetadataPath</name>
        <value>/tmp/preprod_metadata_SP.xml</value>
      </param>
      <param>
        <name>saml.serviceProviderMetadataPath</name>
        <value>/tmp/preprod_metadata_SP.xml</value>
      </param>
      <param>
        <name>saml.serviceProviderEntityId</name>
        <value>https:// <dnsname>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
    <provider>
      <role>hostmap</role>
      <name>static</name>
      <enabled>true</enabled>
      <param>
        <name>localhost</name>
        <value>XXX.vpc.internal</value>
      </param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param>
      <name>knoxsso.cookie.domain.suffix</name>
      <value>.######</value>
    </param>
    <param>
      <name>knoxsso.cookie.secure.only</name>
      <value>false</value>
    </param>
    <param>
      <name>knoxsso.enable.session</name>
      <value>true</value>
    </param>
    <param>
      <name>knoxsso.cookie.max.age</name>
      <value>session</value>
    </param>
    <param>
      <name>knoxsso.token.ttl</name>
      <value>100000</value>
    </param>
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/( <dnsname>|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
    </param>
  </service>
</topology>


  3.  gate1.xml (topology xml)

<?xml version="1.0" encoding="utf-8"?>
<topology>
  <gateway>
    <provider>
      <role>webappsec</role>
      <name>WebAppSec</name>
      <enabled>true</enabled>
      <param>
        <name>cors.enabled</name>
        <value>true</value>
      </param>
    </provider>
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>YARNUI</role>
    <url>http://XXXX.vpc.internal:8088</url>
  </service>
  <service>
    <role>SPARKHISTORYUI</role>
    <url>http://XXXXX.vpc.internal:18080/</url>
  </service>
  <service>
    <role>ZEPPELINWS</role>
    <url>ws://XXXXXXX.vpc.internal:8890/ws</url>
  </service>
  <service>
    <role>ZEPPELINUI</role>
    <url>http://XXXXXXX.vpc.internal:8890</url>
  </service>
</topology>


Thanks,
Praveen.R


Re: Need help in enabling KnoxSSO authentication in zeppelin

Posted by "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>.
Cool. This helps greatly.

Thanks a lot prabhjyot.

Thanks,
Praveen.

Sent from my iPhone

On Aug 13, 2018, at 2:07 AM, Prabhjyot Singh <pr...@gmail.com> wrote:

Hi Praveen,

The other thing to take care for KNOX-SSO logout is Zeppelin does not try to delete the "hadoop-jwt" cookie (knoxJwtRealm.cookieName = hadoop-jwt).
Zeppelin relies on Knox to clean up Knox related events i.e. this url gateway/knoxssout/api/v1/webssout (knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout), now this can either be a API call (knoxJwtRealm.logoutAPI = true) or end-web-page (knoxJwtRealm.logoutAPI = false).

--
Thankx and Regards,

Prabhjyot Singh

Re: Need help in enabling KnoxSSO authentication in zeppelin

Posted by Prabhjyot Singh <pr...@gmail.com>.
Hi Praveen,

The other thing to take care for KNOX-SSO logout is Zeppelin does not try
to delete the "hadoop-jwt" cookie (knoxJwtRealm.cookieName = hadoop-jwt).
Zeppelin relies on Knox to clean up Knox related events i.e. this url
gateway/knoxssout/api/v1/webssout (knoxJwtRealm.logout =
gateway/knoxssout/api/v1/webssout), now this can either be a API call
(knoxJwtRealm.logoutAPI = true) or end-web-page (knoxJwtRealm.logoutAPI =
false).

On Sun, 12 Aug 2018 at 13:52, Ravikumar, Praveen Krishnamoorthy <
rpkrish@amazon.com> wrote:

> Hello all,
>
> Just a quick update, Finally I made it work – enabled Zeppelin UI via Knox
> with SAML authentication but I’m facing issue on logout.
>
> The problem before was, Zeppelin 0.7.3 (coming with latest EMR release)
> didn’t have the functionality to support Knox SSO and this module is
> implemented only in zeppelin latest release (v0.8.0). So I installed the
> zeppelin 0.8.0 version on an EMR cluster and made the required
> configurations to enable SAML/SSO (in both zeppelin and Knox setup files).
>
> Now I’m facing issues on logging out. I have attached the screenshots,
> configs and log messages for better understanding. Could anyone help me in
> resolving this issue.
>
> *Log Message:*
>
> [image: cidimage001.png]
>
> *Shiro.ini:*
>
> knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
> knoxJwtRealm.providerUrl = https://<domain>:<port>/
> knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
> knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
> knoxJwtRealm.logoutAPI = true
> knoxJwtRealm.redirectParam = originalUrl
> knoxJwtRealm.cookieName = hadoop-jwt
> knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
> knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
> knoxJwtRealm.principalMapping = principal.mapping
> authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
>
> *Screenshot:*
>
> [image: cidimage002.png]
>
> [image: cidimage003.png]
>
> Thanks,
> Praveen.R

-- 
Thankx and Regards,

Prabhjyot Singh
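
The cross-checks this thread points to (Zeppelin's realm paths against the Knox topologies that must serve them, plus the KNOXSSO cookie settings), as an added example that is not part of the original messages or of Zeppelin or Knox. The sample configuration is constructed from the thread with the hypothetical hosts `knox.example.internal` and `zeppelin.example.internal`; the function names and finding codes are this example's own, and it assumes the default `gateway` path and that `knoxsso.cookie.name` defaults to `hadoop-jwt`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the thread's configuration; the
# example.internal hosts stand in for the placeholders used in the thread.
SHIRO_INI = """\
knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://knox.example.internal:8446/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.logoutAPI = true
knoxJwtRealm.cookieName = hadoop-jwt
"""

KNOXSSO_XML = """\
<topology>
  <gateway>
    <provider>
      <role>federation</role><name>pac4j</name><enabled>true</enabled>
      <param><name>saml.identityProviderMetadataPath</name>
             <value>/tmp/preprod_metadata_SP.xml</value></param>
      <param><name>saml.serviceProviderMetadataPath</name>
             <value>/tmp/preprod_metadata_SP.xml</value></param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
  </service>
</topology>
"""

GATE1_XML = """\
<topology>
  <gateway>
    <provider>
      <role>federation</role><name>SSOCookieProvider</name><enabled>true</enabled>
    </provider>
  </gateway>
  <service><role>ZEPPELINUI</role><url>http://zeppelin.example.internal:8890</url></service>
</topology>
"""


def parse_shiro(text):
    """Return {key: value} for 'key = value' lines; sections and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def topology_params(xml_text):
    """Flatten every <param> of a topology into {name: value}."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("param")}


def topology_of(path):
    """Knox paths look like gateway/<topology>/...; return the topology name."""
    m = re.match(r"/?gateway/([^/]+)/", path)
    return m.group(1) if m else None


def audit(shiro_text, topologies):
    """Return (code, detail) findings. `topologies` maps a topology name
    (the Knox file name without .xml) to that file's XML text."""
    shiro = parse_shiro(shiro_text)
    findings = []
    # Both realm paths must resolve to a topology Knox serves: Zeppelin
    # leaves cookie clean-up to whatever answers the logout path.
    for key in ("login", "logout"):
        path = shiro.get("knoxJwtRealm." + key, "")
        name = topology_of(path)
        if name not in topologies:
            findings.append((key + "-topology-missing",
                             f"{path!r} needs topology {name!r}, not supplied"))
    sso_name = topology_of(shiro.get("knoxJwtRealm.login", ""))
    if sso_name in topologies:
        params = topology_params(topologies[sso_name])
        # Assumption: Knox issues the cookie as hadoop-jwt unless overridden.
        issued = params.get("knoxsso.cookie.name", "hadoop-jwt")
        expected = shiro.get("knoxJwtRealm.cookieName")
        if expected != issued:
            findings.append(("cookie-name-mismatch",
                             f"Knox issues {issued!r}, Zeppelin reads {expected!r}"))
        if params.get("knoxsso.cookie.secure.only", "").lower() == "false":
            findings.append(("cookie-not-secure-only",
                             "SSO cookie is not restricted to HTTPS"))
        idp = params.get("saml.identityProviderMetadataPath")
        if idp and idp == params.get("saml.serviceProviderMetadataPath"):
            findings.append(("saml-metadata-same-path",
                             f"IdP and SP metadata both point at {idp}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SHIRO_INI, {"knoxsso": KNOXSSO_XML, "gate1": GATE1_XML}):
        print(f"{code}: {detail}")
```
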

Re: Need help in enabling KnoxSSO authentication in zeppelin

Posted by "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>.
Hello all,

Just a quick update: finally I made it work – enabled Zeppelin UI via Knox with SAML authentication, but I’m facing an issue on logout.

The problem before was that Zeppelin 0.7.3 (coming with the latest EMR release) didn’t have the functionality to support Knox SSO; this module is implemented only in the latest Zeppelin release (v0.8.0). So I installed Zeppelin 0.8.0 on an EMR cluster and made the required configurations to enable SAML/SSO (in both Zeppelin and Knox setup files).

Now I’m facing issues on logging out. I have attached the screenshots, configs and log messages for better understanding. Could anyone help me in resolving this issue?

Log Message:

[image: cidimage001.png]

Shiro.ini:

knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://<domain>:<port>/

knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout

knoxJwtRealm.logoutAPI = true
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter



Screenshot:


[image: cidimage002.png]

[image: cidimage003.png]


Thanks,
Praveen.R


From: "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>
Date: Saturday, August 11, 2018 at 12:21 AM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Mahesh_Mohanan@intuit.com" <Ma...@intuit.com>, "prasada_prabhu@intuit.com" <pr...@intuit.com>
Subject: Re: Need help in enabling KnoxSSO authentication in zeppelin

Hi Prabhjyot,

Looks like Zeppelin 0.7.3 does not support Knox SSO authentication and the functionality is implemented only in Zeppelin 0.8.0.

Is there any workaround to include the Knox SSO patch alone in Zeppelin 0.7.3, or do we need to install the latest 0.8.0 version for this use case?

Please provide your thoughts.

Thanks,
Praveen.
Sent from my iPhone

On Aug 10, 2018, at 6:58 AM, Ravikumar, Praveen Krishnamoorthy <rp...@amazon.com> wrote:
Hi Prabhjyot,

I was using Zeppelin 0.7.3 version coming with AWS emr-5.13.0.

Regarding the maven commands, I was running the commands stated in the zeppelin documentation.
https://zeppelin.apache.org/docs/0.7.0/install/build.html


  1.  git clone https://github.com/apache/zeppelin.git
  2.  mvn clean package -DskipTests

Thanks,
Praveen.

From: Prabhjyot Singh <pr...@gmail.com>
Reply-To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Date: Friday, August 10, 2018 at 12:31 AM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Mahesh_Mohanan@intuit.com" <Ma...@intuit.com>, "prasada_prabhu@intuit.com" <pr...@intuit.com>
Subject: Re: Need help in enabling KnoxSSO authentication in zeppelin

Hi Praveen,

In your previous mail, what version of Zeppelin were you on?
And over here what is the maven command that you are running?

On Thu, 9 Aug 2018 at 12:22, Ravikumar, Praveen Krishnamoorthy <rp...@amazon.com> wrote:
Hi,

For the below issue I found that the jwt/KnoxJwtRealm module under the Zeppelin-Server class is missing in the Zeppelin version coming with EMR. So I tried to build the Zeppelin-Server.jar file by fetching the latest Zeppelin source code from the git repo.

I have not worked with Maven before. I’m following a few steps online and trying to package the zeppelin-server class. While packaging I’m getting the below dependency issue, which I have no idea how to resolve. Could anyone please help me with this? It would be very helpful.


Thanks,
Praveen.

From: "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>
Date: Wednesday, August 8, 2018 at 1:55 PM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Mohanan, Mahesh" <Ma...@intuit.com>, "prasada_prabhu@intuit.com" <pr...@intuit.com>
Subject: Need help in enabling KnoxSSO authentication in zeppelin

Greetings,

I’m working on enabling knox-sso authentication in Zeppelin on AWS EMR. I configured the Zeppelin UI host in the topology XML and made the configuration changes to enable Zeppelin in Knox (suggested in the documentation). Now I’m facing a few issues accessing Zeppelin via the Knox gateway, which I have detailed below. Could anyone please help me with this? It would be very helpful to proceed further.

I’m seeing the below log error messages on starting Zeppelin.



Configuration changes:


  1.  Zeppelin : shiro.ini

knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://<dns-domain>:8446/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.logoutAPI = true
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter


  2.  Knoxsso.xml


<?xml version="1.0" encoding="utf-8"?>

<topology>

   <gateway>

     <provider>

         <role>federation</role>

         <name>pac4j</name>

         <enabled>true</enabled>

         <param>

           <name>pac4j.session.store</name>

           <value>J2ESessionStore</value>

         </param>

         <param>

          <name>pac4j.callbackUrl</name>

          <value>https://<dnsname>:8446/gateway/knoxsso/api/v1/websso</value>

         </param>



         <param>

           <name>clientName</name>

           <value>SAML2Client</value>

         </param>



         <param>

           <name>saml.identityProviderMetadataPath</name>

           <value>/tmp/preprod_metadata_SP.xml</value>

         </param>



         <param>

           <name>saml.serviceProviderMetadataPath</name>

           <value>/tmp/preprod_metadata_SP.xml</value>

         </param>



         <param>

           <name>saml.serviceProviderEntityId</name>

           <value>https:// <dnsname>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>

         </param>

     </provider>

     <provider>

         <role>identity-assertion</role>

         <name>Default</name>

         <enabled>true</enabled>

     </provider>

     <provider>

            <role>hostmap</role>

            <name>static</name>

            <enabled>true</enabled>

            <param>

                <name>localhost</name>

                <value>XXX.vpc.internal</value>

            </param>

        </provider>

   </gateway>
<service>
       <role>KNOXSSO</role>
        <param>
         <name>knoxsso.cookie.domain.suffix</name>
         <value>.######</value>
       </param>
       <param>
         <name>knoxsso.cookie.secure.only</name>
         <value>false</value>
      </param>
      <param>
         <name>knoxsso.enable.session</name>
         <value>true</value>
      </param>
      <param>
         <name>knoxsso.cookie.max.age</name>
         <value>session</value>
      </param>
      <param>
        <name>knoxsso.token.ttl</name>
        <value>100000</value>
      </param>
      <param>
        <name>knoxsso.redirect.whitelist.regex</name>
        <value>^https?:\/\/( <dnsname>|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
      </param>
   </service>
</topology>


  1.  gate1.xml (topology xml)


<?xml version="1.0" encoding="utf-8"?>

<topology>

  <gateway>

    <provider>

        <role>webappsec</role>

        <name>WebAppSec</name>

        <enabled>true</enabled>

        <param>

           <name>cors.enabled</name>

           <value>true</value>

        </param>

    </provider>

    <provider>

        <role>federation</role>

        <name>SSOCookieProvider</name>

        <enabled>true</enabled>

        <param>

            <name>sso.authentication.provider.url</name>

            <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>

        </param>

    </provider>

    <provider>

        <role>identity-assertion</role>

        <name>Default</name>

        <enabled>true</enabled>

    </provider>

  </gateway>

  <service>

      <role>YARNUI</role>

      <url>http://XXXX.vpc.internal:8088</url>

  </service>

  <service>

      <role>SPARKHISTORYUI</role>

      <url>http://XXXXX.vpc.internal:18080/</url>

  </service>

  <service>

    <role>ZEPPELINWS</role>

    <url>ws://XXXXXXX.vpc.internal:8890/ws</url>

</service>


--
Thankx and Regards,

Prabhjyot Singh

Re: Need help in enabling KnoxSSO authentication in zeppelin

Posted by "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>.
Hi Prabhjyot,

Looks like Zeppelin version 0.7.3 does not support Knox SSO authentication and the functionality is implemented only in Zeppelin version 0.8.0.

Is there any workaround to include the Knox SSO patch alone in the Zeppelin 0.7.3 version, or do we need to install the latest 0.8.0 version for this use case?

Please provide your thoughts.

Thanks,
Praveen.

Sent from my iPhone

On Aug 10, 2018, at 6:58 AM, Ravikumar, Praveen Krishnamoorthy <rp...@amazon.com> wrote:

Hi Prabhjyot,

I was using Zeppelin 0.7.3 version coming with AWS emr-5.13.0.

Regarding the maven commands, I was running the commands stated in the zeppelin documentation.
https://zeppelin.apache.org/docs/0.7.0/install/build.html


1.  git clone https://github.com/apache/zeppelin.git

2.  mvn clean package -DskipTests

Thanks,
Praveen.

From: Prabhjyot Singh <pr...@gmail.com>
Reply-To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Date: Friday, August 10, 2018 at 12:31 AM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Mahesh_Mohanan@intuit.com" <Ma...@intuit.com>, "prasada_prabhu@intuit.com" <pr...@intuit.com>
Subject: Re: Need help in enabling KnoxSSO authentication in zeppelin

Hi Praveen,

In your previous mail, what version of Zeppelin were you on?
And over here what is the maven command that you are running?

On Thu, 9 Aug 2018 at 12:22, Ravikumar, Praveen Krishnamoorthy <rp...@amazon.com> wrote:
Hi,

For the below issue I found jwt/KnoxJwtRealm module under Zeppelin-Server class is missing in Zeppelin version coming with EMR. So I tried to build the Zeppelin-Server.jar file by fetching the latest zeppelin source code from git repo.

I have not worked on maven before. I’m following few steps online and trying to package the zeppelin-server class. While packaging I’m getting the below dependency Issue, which I have no idea how to resolve. Could anyone please help me in this – would be very helpful.


Thanks,
Praveen.

From: "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>
Date: Wednesday, August 8, 2018 at 1:55 PM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Mohanan, Mahesh" <Ma...@intuit.com>, "prasada_prabhu@intuit.com" <pr...@intuit.com>
Subject: Need help in enabling KnoxSSO authentication in zeppelin

Greetings,

I’m working on enabling knox-sso authentication in Zeppelin on AWS EMR. I configured Zeppelin UI host in the topology XML , made the configuration changes to enable zeppelin in knox ( suggested in the documentation ). Now I’m facing few issues on accessing the zeppelin via knox gateway, which I have detailed below. Could anyone please help me in this, would be very helpful to proceed further.

I’m seeing the below log error messages on starting the zeppelin.



Configuration changes:


  1.  Zeppelin : shiro.ini

knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://<dns-domain>:8446/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.logoutAPI = true
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter


  1.  Knoxsso.xml


<?xml version="1.0" encoding="utf-8"?>

<topology>

   <gateway>

     <provider>

         <role>federation</role>

         <name>pac4j</name>

         <enabled>true</enabled>

         <param>

           <name>pac4j.session.store</name>

           <value>J2ESessionStore</value>

         </param>

         <param>

          <name>pac4j.callbackUrl</name>

          <value>https://<dnsname>:8446/gateway/knoxsso/api/v1/websso</value>

         </param>



         <param>

           <name>clientName</name>

           <value>SAML2Client</value>

         </param>



         <param>

           <name>saml.identityProviderMetadataPath</name>

           <value>/tmp/preprod_metadata_SP.xml</value>

         </param>



         <param>

           <name>saml.serviceProviderMetadataPath</name>

           <value>/tmp/preprod_metadata_SP.xml</value>

         </param>



         <param>

           <name>saml.serviceProviderEntityId</name>

           <value>https:// <dnsname>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>

         </param>

     </provider>

     <provider>

         <role>identity-assertion</role>

         <name>Default</name>

         <enabled>true</enabled>

     </provider>

     <provider>

            <role>hostmap</role>

            <name>static</name>

            <enabled>true</enabled>

            <param>

                <name>localhost</name>

                <value>XXX.vpc.internal</value>

            </param>

        </provider>

   </gateway>
<service>
       <role>KNOXSSO</role>
        <param>
         <name>knoxsso.cookie.domain.suffix</name>
         <value>.######</value>
       </param>
       <param>
         <name>knoxsso.cookie.secure.only</name>
         <value>false</value>
      </param>
      <param>
         <name>knoxsso.enable.session</name>
         <value>true</value>
      </param>
      <param>
         <name>knoxsso.cookie.max.age</name>
         <value>session</value>
      </param>
      <param>
        <name>knoxsso.token.ttl</name>
        <value>100000</value>
      </param>
      <param>
        <name>knoxsso.redirect.whitelist.regex</name>
        <value>^https?:\/\/( <dnsname>|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
      </param>
   </service>
</topology>


  1.  gate1.xml (topology xml)


<?xml version="1.0" encoding="utf-8"?>

<topology>

  <gateway>

    <provider>

        <role>webappsec</role>

        <name>WebAppSec</name>

        <enabled>true</enabled>

        <param>

           <name>cors.enabled</name>

           <value>true</value>

        </param>

    </provider>

    <provider>

        <role>federation</role>

        <name>SSOCookieProvider</name>

        <enabled>true</enabled>

        <param>

            <name>sso.authentication.provider.url</name>

            <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>

        </param>

    </provider>

    <provider>

        <role>identity-assertion</role>

        <name>Default</name>

        <enabled>true</enabled>

    </provider>

  </gateway>

  <service>

      <role>YARNUI</role>

      <url>http://XXXX.vpc.internal:8088</url>

  </service>

  <service>

      <role>SPARKHISTORYUI</role>

      <url>http://XXXXX.vpc.internal:18080/</url>

  </service>

  <service>

    <role>ZEPPELINWS</role>

    <url>ws://XXXXXXX.vpc.internal:8890/ws</url>

</service>


--
Thankx and Regards,

Prabhjyot Singh

Re: Need help in enabling KnoxSSO authentication in zeppelin

Posted by "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>.
Hi Prabhjyot,

I was using Zeppelin 0.7.3 version coming with AWS emr-5.13.0.

Regarding the maven commands, I was running the commands stated in the zeppelin documentation.
https://zeppelin.apache.org/docs/0.7.0/install/build.html


1.  git clone https://github.com/apache/zeppelin.git

2.  mvn clean package -DskipTests

Thanks,
Praveen.

From: Prabhjyot Singh <pr...@gmail.com>
Reply-To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Date: Friday, August 10, 2018 at 12:31 AM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Mahesh_Mohanan@intuit.com" <Ma...@intuit.com>, "prasada_prabhu@intuit.com" <pr...@intuit.com>
Subject: Re: Need help in enabling KnoxSSO authentication in zeppelin

Hi Praveen,

In your previous mail, what version of Zeppelin were you on?
And over here what is the maven command that you are running?

On Thu, 9 Aug 2018 at 12:22, Ravikumar, Praveen Krishnamoorthy <rp...@amazon.com> wrote:
Hi,

For the below issue I found jwt/KnoxJwtRealm module under Zeppelin-Server class is missing in Zeppelin version coming with EMR. So I tried to build the Zeppelin-Server.jar file by fetching the latest zeppelin source code from git repo.

I have not worked on maven before. I’m following few steps online and trying to package the zeppelin-server class. While packaging I’m getting the below dependency Issue, which I have no idea how to resolve. Could anyone please help me in this – would be very helpful.


Thanks,
Praveen.

From: "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>
Date: Wednesday, August 8, 2018 at 1:55 PM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Mohanan, Mahesh" <Ma...@intuit.com>, "prasada_prabhu@intuit.com" <pr...@intuit.com>
Subject: Need help in enabling KnoxSSO authentication in zeppelin

Greetings,

I’m working on enabling knox-sso authentication in Zeppelin on AWS EMR. I configured Zeppelin UI host in the topology XML , made the configuration changes to enable zeppelin in knox ( suggested in the documentation ). Now I’m facing few issues on accessing the zeppelin via knox gateway, which I have detailed below. Could anyone please help me in this, would be very helpful to proceed further.

I’m seeing the below log error messages on starting the zeppelin.



Configuration changes:


  1.  Zeppelin : shiro.ini

knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://<dns-domain>:8446/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.logoutAPI = true
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter


  1.  Knoxsso.xml


<?xml version="1.0" encoding="utf-8"?>

<topology>

   <gateway>

     <provider>

         <role>federation</role>

         <name>pac4j</name>

         <enabled>true</enabled>

         <param>

           <name>pac4j.session.store</name>

           <value>J2ESessionStore</value>

         </param>

         <param>

          <name>pac4j.callbackUrl</name>

          <value>https://<dnsname>:8446/gateway/knoxsso/api/v1/websso</value>

         </param>



         <param>

           <name>clientName</name>

           <value>SAML2Client</value>

         </param>



         <param>

           <name>saml.identityProviderMetadataPath</name>

           <value>/tmp/preprod_metadata_SP.xml</value>

         </param>



         <param>

           <name>saml.serviceProviderMetadataPath</name>

           <value>/tmp/preprod_metadata_SP.xml</value>

         </param>



         <param>

           <name>saml.serviceProviderEntityId</name>

           <value>https:// <dnsname>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>

         </param>

     </provider>

     <provider>

         <role>identity-assertion</role>

         <name>Default</name>

         <enabled>true</enabled>

     </provider>

     <provider>

            <role>hostmap</role>

            <name>static</name>

            <enabled>true</enabled>

            <param>

                <name>localhost</name>

                <value>XXX.vpc.internal</value>

            </param>

        </provider>

   </gateway>
<service>
       <role>KNOXSSO</role>
        <param>
         <name>knoxsso.cookie.domain.suffix</name>
         <value>.######</value>
       </param>
       <param>
         <name>knoxsso.cookie.secure.only</name>
         <value>false</value>
      </param>
      <param>
         <name>knoxsso.enable.session</name>
         <value>true</value>
      </param>
      <param>
         <name>knoxsso.cookie.max.age</name>
         <value>session</value>
      </param>
      <param>
        <name>knoxsso.token.ttl</name>
        <value>100000</value>
      </param>
      <param>
        <name>knoxsso.redirect.whitelist.regex</name>
        <value>^https?:\/\/( <dnsname>|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
      </param>
   </service>
</topology>


  1.  gate1.xml (topology xml)


<?xml version="1.0" encoding="utf-8"?>

<topology>

  <gateway>

    <provider>

        <role>webappsec</role>

        <name>WebAppSec</name>

        <enabled>true</enabled>

        <param>

           <name>cors.enabled</name>

           <value>true</value>

        </param>

    </provider>

    <provider>

        <role>federation</role>

        <name>SSOCookieProvider</name>

        <enabled>true</enabled>

        <param>

            <name>sso.authentication.provider.url</name>

            <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>

        </param>

    </provider>

    <provider>

        <role>identity-assertion</role>

        <name>Default</name>

        <enabled>true</enabled>

    </provider>

  </gateway>

  <service>

      <role>YARNUI</role>

      <url>http://XXXX.vpc.internal:8088</url>

  </service>

  <service>

      <role>SPARKHISTORYUI</role>

      <url>http://XXXXX.vpc.internal:18080/</url>

  </service>

  <service>

    <role>ZEPPELINWS</role>

    <url>ws://XXXXXXX.vpc.internal:8890/ws</url>

</service>


--
Thankx and Regards,

Prabhjyot Singh

Re: Need help in enabling KnoxSSO authentication in zeppelin

Posted by Prabhjyot Singh <pr...@gmail.com>.
Hi Praveen,

In your previous mail, what version of Zeppelin were you on?
And over here what is the maven command that you are running?

On Thu, 9 Aug 2018 at 12:22, Ravikumar, Praveen Krishnamoorthy <
rpkrish@amazon.com> wrote:

> Hi,
>
>
>
> For the below issue I found *jwt/KnoxJwtRealm *module under
> Zeppelin-Server class is missing in Zeppelin version coming with EMR. So I
> tried to build the Zeppelin-Server.jar file by fetching the latest zeppelin
> source code from git repo.
>
>
>
> I have not worked on maven before. I’m following few steps online and
> trying to package the zeppelin-server class. While packaging I’m getting
> the below dependency Issue, which I have no idea how to resolve. Could
> anyone please help me in this – would be very helpful.
>
>
>
>
>
> Thanks,
>
> Praveen.
>
>
>
> *From: *"Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>
> *Date: *Wednesday, August 8, 2018 at 1:55 PM
> *To: *"users@zeppelin.apache.org" <us...@zeppelin.apache.org>
> *Cc: *"Mohanan, Mahesh" <Ma...@intuit.com>, "
> prasada_prabhu@intuit.com" <pr...@intuit.com>
> *Subject: *Need help in enabling KnoxSSO authentication in zeppelin
>
>
>
> Greetings,
>
>
>
> I’m working on enabling knox-sso authentication in Zeppelin on AWS EMR. I
> configured Zeppelin UI host in the topology XML , made the configuration
> changes to enable zeppelin in knox ( suggested in the documentation ). Now
> I’m facing few issues on accessing the zeppelin via knox gateway, which I
> have detailed below. Could anyone please help me in this, would be very
> helpful to proceed further.
>
>
>
> I’m seeing the below log error messages on starting the zeppelin.
>
>
>
>
>
> [image:
> /var/folders/xz/7j115t_j365gcypfb10hq_p5qwy444/T/com.microsoft.Outlook/WebArchiveCopyPasteTempFiles/cidimage001.png@01D42F1D.6BACC9B0]
>
>
>
> *Configuration changes:*
>
>
>
>    1. Zeppelin : shiro.ini
>
>
>
> knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
>
> knoxJwtRealm.providerUrl = https://<dns-domain>:8446/
>
> knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
>
> knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
>
> knoxJwtRealm.logoutAPI = true
>
> knoxJwtRealm.redirectParam = originalUrl
>
> knoxJwtRealm.cookieName = hadoop-jwt
>
> knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
>
> knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
>
> knoxJwtRealm.principalMapping = principal.mapping
>
> authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
>
>
>
>    1. Knoxsso.xml
>
>
>
> <?xml version="1.0" encoding="utf-8"?>
>
> <topology>
>
>    <gateway>
>
>      <provider>
>
>          <role>federation</role>
>
>          <name>pac4j</name>
>
>          <enabled>true</enabled>
>
>          <param>
>
>            <name>pac4j.session.store</name>
>
>            <value>J2ESessionStore</value>
>
>          </param>
>
>          <param>
>
>           <name>pac4j.callbackUrl</name>
>
>           <value>https://<dnsname>:8446/gateway/knoxsso/api/v1/websso</value>
>
>          </param>
>
>
>
>          <param>
>
>            <name>clientName</name>
>
>            <value>SAML2Client</value>
>
>          </param>
>
>
>
>          <param>
>
>            <name>saml.identityProviderMetadataPath</name>
>
>            <value>/tmp/preprod_metadata_SP.xml</value>
>
>          </param>
>
>
>
>          <param>
>
>            <name>saml.serviceProviderMetadataPath</name>
>
>            <value>/tmp/preprod_metadata_SP.xml</value>
>
>          </param>
>
>
>
>          <param>
>
>            <name>saml.serviceProviderEntityId</name>
>
>            <value>https:// <dnsname>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>
>
>          </param>
>
>      </provider>
>
>      <provider>
>
>          <role>identity-assertion</role>
>
>          <name>Default</name>
>
>          <enabled>true</enabled>
>
>      </provider>
>
>      <provider>
>
>             <role>hostmap</role>
>
>             <name>static</name>
>
>             <enabled>true</enabled>
>
>             <param>
>
>                 <name>localhost</name>
>
>                 <value>XXX.vpc.internal</value>
>
>             </param>
>
>         </provider>
>
>    </gateway>
>
> <service>
>
>        <role>KNOXSSO</role>
>
>         <param>
>
>          <name>knoxsso.cookie.domain.suffix</name>
>
>          <value>.######</value>
>
>        </param>
>
>        <param>
>
>          <name>knoxsso.cookie.secure.only</name>
>
>          <value>false</value>
>
>       </param>
>
>       <param>
>
>          <name>knoxsso.enable.session</name>
>
>          <value>true</value>
>
>       </param>
>
>       <param>
>
>          <name>knoxsso.cookie.max.age</name>
>
>          <value>session</value>
>
>       </param>
>
>       <param>
>
>         <name>knoxsso.token.ttl</name>
>
>         <value>100000</value>
>
>       </param>
>
>       <param>
>
>         <name>knoxsso.redirect.whitelist.regex</name>
>
>         <value>^https?:\/\/( <dnsname>|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>
>       </param>
>
>    </service>
>
> </topology>
>
>
>
>    1. gate1.xml (topology xml)
>
>
>
> <?xml version="1.0" encoding="utf-8"?>
>
> <topology>
>
>   <gateway>
>
>     <provider>
>
>         <role>webappsec</role>
>
>         <name>WebAppSec</name>
>
>         <enabled>true</enabled>
>
>         <param>
>
>            <name>cors.enabled</name>
>
>            <value>true</value>
>
>         </param>
>
>     </provider>
>
>     <provider>
>
>         <role>federation</role>
>
>         <name>SSOCookieProvider</name>
>
>         <enabled>true</enabled>
>
>         <param>
>
>             <name>sso.authentication.provider.url</name>
>
>             <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>
>
>         </param>
>
>     </provider>
>
>     <provider>
>
>         <role>identity-assertion</role>
>
>         <name>Default</name>
>
>         <enabled>true</enabled>
>
>     </provider>
>
>   </gateway>
>
>   <service>
>
>       <role>YARNUI</role>
>
>       <url>http://XXXX.vpc.internal:8088</url>
>
>   </service>
>
>   <service>
>
>       <role>SPARKHISTORYUI</role>
>
>       <url>http://XXXXX.vpc.internal:18080/</url>
>
>   </service>
>
>   <service>
>
>     <role>ZEPPELINWS</role>
>
>     <url>ws://XXXXXXX.vpc.internal:8890/ws</url>
>
> </service>
>
>

-- 
Thankx and Regards,

Prabhjyot Singh

Re: Need help in enabling KnoxSSO authentication in zeppelin

Posted by "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>.
Hi,

For the issue below, I found that the jwt/KnoxJwtRealm module under the Zeppelin-Server class is missing in the Zeppelin version that comes with EMR. So I tried to build the Zeppelin-Server.jar file by fetching the latest Zeppelin source code from the git repo.

I have not worked with Maven before. I’m following a few steps online and trying to package the zeppelin-server class. While packaging, I’m getting the dependency issue below, which I have no idea how to resolve. Could anyone please help me with this? It would be very helpful.

[cid:image001.png@01D42F72.BC07C4F0]

Thanks,
Praveen.

From: "Ravikumar, Praveen Krishnamoorthy" <rp...@amazon.com>
Date: Wednesday, August 8, 2018 at 1:55 PM
To: "users@zeppelin.apache.org" <us...@zeppelin.apache.org>
Cc: "Mohanan, Mahesh" <Ma...@intuit.com>, "prasada_prabhu@intuit.com" <pr...@intuit.com>
Subject: Need help in enabling KnoxSSO authentication in zeppelin

Greetings,

I’m working on enabling knox-sso authentication in Zeppelin on AWS EMR. I configured Zeppelin UI host in the topology XML , made the configuration changes to enable zeppelin in knox ( suggested in the documentation ). Now I’m facing few issues on accessing the zeppelin via knox gateway, which I have detailed below. Could anyone please help me in this, would be very helpful to proceed further.

I’m seeing the below log error messages on starting the zeppelin.


[/var/folders/xz/7j115t_j365gcypfb10hq_p5qwy444/T/com.microsoft.Outlook/WebArchiveCopyPasteTempFiles/cidimage001.png@01D42F1D.6BACC9B0]

Configuration changes:


  1.  Zeppelin : shiro.ini

knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://<dns-domain>:8446/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
knoxJwtRealm.logoutAPI = true
knoxJwtRealm.redirectParam = originalUrl
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
knoxJwtRealm.principalMapping = principal.mapping
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter


  1.  Knoxsso.xml


<?xml version="1.0" encoding="utf-8"?>

<topology>

   <gateway>

     <provider>

         <role>federation</role>

         <name>pac4j</name>

         <enabled>true</enabled>

         <param>

           <name>pac4j.session.store</name>

           <value>J2ESessionStore</value>

         </param>

         <param>

          <name>pac4j.callbackUrl</name>

          <value>https://<dnsname>:8446/gateway/knoxsso/api/v1/websso</value>

         </param>



         <param>

           <name>clientName</name>

           <value>SAML2Client</value>

         </param>



         <param>

           <name>saml.identityProviderMetadataPath</name>

           <value>/tmp/preprod_metadata_SP.xml</value>

         </param>



         <param>

           <name>saml.serviceProviderMetadataPath</name>

           <value>/tmp/preprod_metadata_SP.xml</value>

         </param>



         <param>

           <name>saml.serviceProviderEntityId</name>

           <value>https:// <dnsname>:8446/gateway/knoxsso/api/v1/websso?pac4jCallback=true&amp;client_name=SAML2Client</value>

         </param>

     </provider>

     <provider>

         <role>identity-assertion</role>

         <name>Default</name>

         <enabled>true</enabled>

     </provider>

     <provider>

            <role>hostmap</role>

            <name>static</name>

            <enabled>true</enabled>

            <param>

                <name>localhost</name>

                <value>XXX.vpc.internal</value>

            </param>

        </provider>

   </gateway>
<service>
       <role>KNOXSSO</role>
        <param>
         <name>knoxsso.cookie.domain.suffix</name>
         <value>.######</value>
       </param>
       <param>
         <name>knoxsso.cookie.secure.only</name>
         <value>false</value>
      </param>
      <param>
         <name>knoxsso.enable.session</name>
         <value>true</value>
      </param>
      <param>
         <name>knoxsso.cookie.max.age</name>
         <value>session</value>
      </param>
      <param>
        <name>knoxsso.token.ttl</name>
        <value>100000</value>
      </param>
      <param>
        <name>knoxsso.redirect.whitelist.regex</name>
        <value>^https?:\/\/( <dnsname>|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
      </param>
   </service>
</topology>


  1.  gate1.xml (topology xml)


<?xml version="1.0" encoding="utf-8"?>

<topology>

  <gateway>

    <provider>

        <role>webappsec</role>

        <name>WebAppSec</name>

        <enabled>true</enabled>

        <param>

           <name>cors.enabled</name>

           <value>true</value>

        </param>

    </provider>

    <provider>

        <role>federation</role>

        <name>SSOCookieProvider</name>

        <enabled>true</enabled>

        <param>

            <name>sso.authentication.provider.url</name>

            <value>https://<dns-name>:8446/gateway/knoxsso/api/v1/websso</value>

        </param>

    </provider>

    <provider>

        <role>identity-assertion</role>

        <name>Default</name>

        <enabled>true</enabled>

    </provider>

  </gateway>

  <service>

      <role>YARNUI</role>

      <url>http://XXXX.vpc.internal:8088</url>

  </service>

  <service>

      <role>SPARKHISTORYUI</role>

      <url>http://XXXXX.vpc.internal:18080/</url>

  </service>

  <service>

    <role>ZEPPELINWS</role>

    <url>ws://XXXXXXX.vpc.internal:8890/ws</url>

</service>

<service>

    <role>ZEPPELINUI</role>

    <url>http://XXXXXXX.vpc.internal:8890</url>

</service>

</topology>


Thanks,
Praveen.R
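
A pre-flight check for the failure discussed in this thread, where shiro.ini names org.apache.zeppelin.realm.jwt.KnoxJwtRealm but the installed Zeppelin build does not ship that class. This is an added example, not code from the thread or from the Zeppelin project; the function names are hypothetical, and the jar contents and gateway host name are constructed sample data.

```python
import io
import re
import zipfile

# Object definitions look like "name = fully.qualified.ClassName"; property
# assignments ("name.prop = value") have a dotted key and are skipped.
CLASS_DEF = re.compile(r"^([A-Za-z_]\w*)\s*=\s*((?:[a-z_]\w*\.)+[A-Z][\w$]*)$")


def shiro_class_refs(ini_text):
    """Return {object_name: class_name} for objects defined in [main]
    (or before any section header, as in the snippet posted in the thread)."""
    refs, section = {}, "main"
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        match = CLASS_DEF.match(line)
        if section == "main" and match:
            refs[match.group(1)] = match.group(2)
    return refs


def classes_in_jars(jars):
    """Collect the class names packaged in the given jars (paths or file objects)."""
    found = set()
    for jar in jars:
        with zipfile.ZipFile(jar) as zf:
            for name in zf.namelist():
                if name.endswith(".class"):
                    found.add(name[: -len(".class")].replace("/", "."))
    return found


def missing_classes(ini_text, jars, prefix="org.apache.zeppelin."):
    """Return the shiro.ini objects whose class (under `prefix`) is in none of the jars.
    Classes outside `prefix` (e.g. Shiro's own) are ignored, since they live in other jars."""
    available = classes_in_jars(jars)
    return {
        obj: cls
        for obj, cls in shiro_class_refs(ini_text).items()
        if cls.startswith(prefix) and cls not in available
    }


def make_jar(class_names):
    """Build an in-memory jar with empty .class entries (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in class_names:
            zf.writestr(name.replace(".", "/") + ".class", b"")
    buf.seek(0)
    return buf


# Constructed shiro.ini, reduced from the one posted in the thread.
# gateway.example.invalid is a placeholder host, not a value from the thread.
SAMPLE_SHIRO = """\
[main]
knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
knoxJwtRealm.providerUrl = https://gateway.example.invalid:8446/
knoxJwtRealm.login = gateway/knoxsso/api/v1/websso
knoxJwtRealm.cookieName = hadoop-jwt
knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knoxsso.pem
authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
[urls]
/** = authc
"""

# Constructed class lists: a build without the realm.jwt package and one with it.
BUILD_WITHOUT_JWT = ["org.apache.zeppelin.server.ZeppelinServer"]
BUILD_WITH_JWT = BUILD_WITHOUT_JWT + [
    "org.apache.zeppelin.realm.jwt.KnoxJwtRealm",
    "org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter",
]

if __name__ == "__main__":
    for label, classes in (("without jwt", BUILD_WITHOUT_JWT), ("with jwt", BUILD_WITH_JWT)):
        gaps = missing_classes(SAMPLE_SHIRO, [make_jar(classes)])
        print(label, "->", gaps or "all referenced Zeppelin classes present")
```

On a real node, pass the paths of the jars from the Zeppelin installation instead of the in-memory jars; `zipfile.ZipFile` accepts file paths as well as file objects.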