Posted to user@knox.apache.org by Thibault VERBEQUE <th...@omnilog.fr> on 2019/04/04 16:20:40 UTC
Nifi + Knox + Knoxsso
Hi all,
I'm struggling to configure Knox correctly in order to publish a Nifi cluster.
Currently I'm using the following topology:
<topology>
<gateway>
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>1800</value>
</param>
LDAP_CFG_REDACTED
<param>
<name>redirectToUrl</name>
<value>/gateway/discovery-preprod/knoxauth/login.html</value>
</param>
<param>
<name>restrictedCookies</name>
<value>rememberme,WWW-Authenticate</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
<provider>
<role>federation</role>
<name>SSOCookieProvider</name>
<enabled>true</enabled>
<param>
<name>sso.authentication.provider.url</name>
<value>https://host1.sub.dom.tld:9243/gateway/topologie-name/api/v1/websso</value>
</param>
</provider>
<provider>
<role>webappsec</role>
<name>WebAppSec</name>
<enabled>true</enabled>
<param>
<name>csrf.enabled</name>
<value>false</value>
</param>
<param>
<name>csrf.customHeader</name>
<value>X-XSRF-Header</value>
</param>
<param>
<name>csrf.methodsToIgnore</name>
<value>GET,OPTIONS,HEAD</value>
</param>
<param>
<name>xframe.options.enabled</name>
<value>true</value>
</param>
<param>
<name>xss.protection.enabled</name>
<value>false</value>
</param>
<param>
<name>strict.transport.enabled</name>
<value>false</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
<provider>
<role>hostmap</role>
<name>static</name>
<enabled>true</enabled>
<param>
<name>host1.dom2.tld2</name>
<value>host1.sub.dom.tld</value>
</param>
</provider>
<provider>
<role>authorization</role>
<name>XASecurePDPKnox</name>
<enabled>true</enabled>
</provider>
</gateway>
<service>
<role>KNOXSSO</role>
<param>
<name>knoxsso.cookie.secure.only</name>
<value>false</value>
</param>
<param>
<name>knoxsso.enable.session</name>
<value>true</value>
</param>
<param>
<name>knoxsso.token.ttl</name>
<value>360000</value>
</param>
<param>
<name>knoxsso.redirect.whitelist.regex</name>
<value>^/.*$;^https?://(.+\.sub\.dom\.tld|.+\.dom2\.tld2)(:[0-9]+)(/|/.*)?$</value>
</param>
</service>
<service>
<role>NIFI</role>
<url>https://host1.dom2.tld:9091</url>
<url>https://host2.dom2.tld:9091</url>
<url>https://host3.dom2.tld:9091</url>
<param>
<name>useTwoWaySsl</name>
<value>true</value>
</param>
</service>
<application>
<name>knoxauth</name>
</application>
</topology>
Relevant certs are already created and imported (user cert, key and Nifi CA certificate) in gateway.jks. I set up the proxy host, path and Knox params in nifi.properties and disabled other user sources (empty nifi.security.user.login.identity.provider).
I can successfully authenticate in Nifi with generated certs, so Ranger policy seems correct.
I observed the following behavior when I enter https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/nifi:
* Without modification to service.xml:
  * Knox redirects the user to https://host1.sub.dom.tld:9243/gateway/topologie-name/knoxauth/login.html (no request forwarding to the backend)
  * If I manually add ?OriginalUrl=https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/access/knox/callback, Knox redirects me again to https://host1.sub.dom.tld:9243/gateway/topologie-name/knoxauth/login.html after the login attempt
* If I add <policy role="authentication" name="Anonymous" /> in service.xml: Knox forwards the request to Nifi, which finally redirects my browser to https://host1.sub.dom.tld:9243/gateway/topologie-name/knoxauth/login.html?OriginalUrl=https://host1.sub.dom.tld:9243/gateway/topologie-name/nifi-app/access/knox/callback; then Nifi redirects my browser back via Knox to the same URL when I authenticate, because in subsequent calls Knox resolves the user to anonymous (?doAs=anonymous).
I have seen this policy defined for other services like Ambari and Yarnuiv2 when they use tokens provided by Knox.
Knox is version 1.0 and Nifi 1.9.
Regards
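An added check for the knoxsso.redirect.whitelist.regex in the topology above (this is editor-added example code, not from the thread and not Knox's own code): it reads the value out of a trimmed, constructed copy of the topology, applies it the way Knox is assumed to (split on `;`, each pattern matched against the whole OriginalUrl as Java `String.matches` does), and puts a URL-parsing host check beside it. Running both shows that the regex as written demands an explicit port, and that its `.+` groups are not tied to the host component, so the two verdicts do not always agree.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed, trimmed copy of the KNOXSSO service from the topology above;
# only the whitelist param is needed for this check.
TOPOLOGY_XML = r"""<topology>
  <service>
    <role>KNOXSSO</role>
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^/.*$;^https?://(.+\.sub\.dom\.tld|.+\.dom2\.tld2)(:[0-9]+)(/|/.*)?$</value>
    </param>
  </service>
</topology>"""

# Host suffixes the whitelist above is meant to admit (read off the regex).
ALLOWED_HOST_SUFFIXES = (".sub.dom.tld", ".dom2.tld2")

def load_whitelist(topology_xml: str) -> str:
    """Return the knoxsso.redirect.whitelist.regex value of the KNOXSSO service."""
    root = ET.fromstring(topology_xml)
    for service in root.iter("service"):
        if service.findtext("role") != "KNOXSSO":
            continue
        for param in service.iter("param"):
            if param.findtext("name") == "knoxsso.redirect.whitelist.regex":
                return param.findtext("value")
    raise ValueError("topology has no KNOXSSO whitelist regex")

WHITELIST = load_whitelist(TOPOLOGY_XML)

def regex_allows(whitelist: str, url: str) -> bool:
    """Assumed mirror of the Knox check: the value is split on ';' and each
    pattern must match the whole OriginalUrl (Java String.matches semantics)."""
    return any(re.fullmatch(pattern, url) for pattern in whitelist.split(";"))

def host_allows(url: str) -> bool:
    """Stricter check: parse the URL and validate the host component itself,
    so that '.+' in the regex cannot be satisfied by path characters."""
    if url.startswith("/"):
        return not url.startswith("//")  # gateway-relative path, not scheme-relative
    parts = urlsplit(url)
    host = parts.hostname or ""
    return parts.scheme in ("http", "https") and host.endswith(ALLOWED_HOST_SUFFIXES)

def classify(url: str) -> tuple:
    """(regex verdict, host verdict); a mismatch means the regex is too loose or too strict."""
    return (regex_allows(WHITELIST, url), host_allows(url))
```

The callback URL from the post passes both checks, while the same URL without the :9243 port fails the regex only, and a URL whose host is outside the allowed domains can pass the regex but not the host check.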
Re: Nifi + Knox + Knoxsso
Posted by Kevin Risden <kr...@apache.org>.
Not sure this reference will help, but it might give you a push in the right direction:
https://risdenk.github.io/2018/03/18/apache-knox-proxying-apache-nifi.html
The blog post is focused on setting up NiFi/Knox correctly. The blog post doesn't use KnoxSSO for the authentication, but it should be possible to replace the LDAP stuff with KnoxSSO.
I don't think you need Shiro and SSOCookieProvider. manager.xml has an example of just KnoxSSO without needing the Shiro provider.
Kevin Risden