2

I am using Ambari V 2.7.3 and I have installed Knox. I have tried to implement SSO for Ambari. I followed the URL below to implement it.

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/setting_up_knox_sso_for_ambari.html

Below is the Knox configuration:

Advanced admin-topology:

<topology>
    <gateway>
         <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://DtIoTBDMaster01:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>authorization</role>
            <name>AclsAuthz</name>
            <enabled>true</enabled>
            <param>
               <name>knox.acl.mode</name>
               <value>OR</value>
               </param>
            <param>
                <name>knox.acl</name>
                <value>KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>HadoopGroupProvider</name>
            <enabled>true</enabled>
            <param>
                <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
                <value>gateway.group.config.</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>KNOX</role>
    </service>
</topology>

gateway.dispatch.whitelist : https?:\/\/(HOSTNAME|0\.0\.0\.0|0:0:0:0:0:0:0:1|::1):[0-9].*$

Advanced knoxsso-topology:

    <topology>
            <gateway>
            <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param><name>xframe.options.enabled</name><value>true</value></param>
            </provider>
            <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
            <name>sessionTimeout</name>
            <value>30</value>
            </param>
            <param>
            <name>redirectToUrl</name>
            <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
            <name>restrictedCookies</name>
            <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
            <name>main.ldapRealm</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
            <name>main.ldapContextFactory</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
            <name>main.ldapRealm.contextFactory</name>
            <value>$ldapContextFactory</value>
            </param>
            <param>
            <name>main.ldapRealm.userDnTemplate</name>
            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldap://x.x.x.x:33389</value>
            </param>
            <param>
            <name>main.ldapRealm.authenticationCachingEnabled</name>
            <value>false</value>
            </param>
            <param>
            <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
            <value>simple</value>
            </param>
            <param>
            <name>urls./**</name>
            <value>authcBasic</value>
            </param>
            </provider>
            <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
            </provider>
            </gateway>
            <application>
            <name>knoxauth</name>
            </application>
            <service>
            <role>KNOXSSO</role>
            <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
            </param>
            <param>
            <name>knoxsso.token.ttl</name>
            <value>30000</value>
            </param>
            </service>
<service>
        <role>AMBARI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
            </topology>

Advanced topology:

<topology>
        <gateway>
            <provider>
                <role>authentication</role>
                <name>ShiroProvider</name>
                <enabled>true</enabled>
                <param>
                    <name>sessionTimeout</name>
                    <value>30</value>
                </param>
                <param>
                    <name>main.ldapRealm</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                </param>
                <param>
                    <name>main.ldapRealm.userDnTemplate</name>
                    <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.url</name>
                    <value>ldap://{{knox_host_name}}:33389</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                    <value>simple</value>
                </param>
                <param>
                    <name>urls./**</name>
                    <value>authcBasic</value>
                </param>
            </provider>
            <provider>
                <role>identity-assertion</role>
                <name>Default</name>
                <enabled>true</enabled>
            </provider>
            <provider>
                <role>authorization</role>
                <name>AclsAuthz</name>
                <enabled>true</enabled>
            </provider>
        </gateway>
        <service>
            <role>NAMENODE</role>
            <url>{{namenode_address}}</url>
        </service>
        <service>
            <role>JOBTRACKER</role>
            <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
        </service>
        <service>
            <role>WEBHDFS</role>
            {{webhdfs_service_urls}}
        </service>
        <service>
            <role>WEBHCAT</role>
            <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
        </service>
        <service>
            <role>OOZIE</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
        </service>

        <service>
            <role>OOZIEUI</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie/</url>
        </service>
        <service>
            <role>WEBHBASE</role>
            <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
        </service>
        <service>
            <role>HIVE</role>
            <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
        </service>
        <service>
            <role>RESOURCEMANAGER</role>
            <url>http://{{rm_host}}:{{rm_port}}/ws</url>
        </service>
        <service>
            <role>DRUID-COORDINATOR-UI</role>
            {{druid_coordinator_urls}}
        </service>
        <service>
            <role>DRUID-COORDINATOR</role>
            {{druid_coordinator_urls}}
        </service>

        <service>
            <role>DRUID-OVERLORD-UI</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-OVERLORD</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-ROUTER</role>
            {{druid_router_urls}}
        </service>
        <service>
            <role>DRUID-BROKER</role>
            {{druid_broker_urls}}
        </service>
        <service>
            <role>ZEPPELINUI</role>
            {{zeppelin_ui_urls}}
        </service>
        <service>
            <role>ZEPPELINWS</role>
            {{zeppelin_ws_urls}}
        </service>
    </topology>

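The moment I log in to the Ambari UI, it redirects to the Knox UI; when I enter the default Knox credentials, it redirects to the Ambari UI and then opens the Knox UI again. Below is the error I get from the Knox gateway: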

2021-01-11 10:43:17,080 INFO  knox.gateway (KnoxLdapRealm.java:getUserDn(692)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
2021-01-11 10:43:17,090 INFO  service.knoxsso (WebSSOResource.java:getCookieValue(365)) - Unable to find cookie with name: original-url
2021-01-11 10:43:17,092 INFO  service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(339)) - JWT cookie successfully added.
2021-01-11 10:43:17,093 INFO  service.knoxsso (WebSSOResource.java:getAuthenticationToken(240)) - About to redirect to original URL: http://dtiotbdmaster01:8080/
4

2 Answers

1

You have a few issues with the knoxsso topology. Authentication should be done with KnoxSSO, and you do need to mention the following configuration in it:

<service>
        <role>AMBARI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
            </topology>

Try adding the whitelist regex in knoxsso rather than in its admin topology.

<param>
 <name>knoxsso.redirect.whitelist.regex</name>
 <value>^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
 </param>

Remove gateway.dispatch.whitelist from the admin topology.

Note: you need to make the value a regular expression; * will not work.

answered 2021-01-12T19:00:14.357
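
An added example, not part of the answer above: a check of candidate `knoxsso.redirect.whitelist.regex` values against the original URL shown in the question's gateway log. It uses Python's `re` as a stand-in for the Java regex engine and assumes the whole URL must match; `HOST_PATTERN` and the other test URLs are constructed for illustration.

```python
import re

# Original URL taken from the gateway log in the question.
ORIGINAL_URL = "http://dtiotbdmaster01:8080/"

# Pattern from the answer (documentation sample hosts), joined onto one line.
DOC_PATTERN = (r"^https?:\/\/(c64\d\d\.ambari\.apache\.org|localhost|"
               r"127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$")

# Constructed for illustration: same shape, with the question's host added.
HOST_PATTERN = (r"^https?:\/\/(dtiotbdmaster01|localhost|"
                r"127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$")


def check_whitelist(pattern, url):
    """Classify one pattern/URL pair as 'allowed', 'rejected' or 'invalid regex'.

    Assumption: the redirect target must match the pattern in full.
    """
    try:
        compiled = re.compile(pattern)
    except re.error:
        # A bare "*" has nothing to repeat, so it is not a valid regex at all.
        return "invalid regex"
    return "allowed" if compiled.fullmatch(url) else "rejected"


def report(url=ORIGINAL_URL):
    """Evaluate each candidate whitelist value against one redirect target."""
    candidates = {
        "documentation sample": DOC_PATTERN,
        "host added": HOST_PATTERN,
        "bare star": "*",
    }
    return {name: check_whitelist(p, url) for name, p in candidates.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:22} {verdict}")
    # Matching is case-sensitive: the mixed-case spelling used in the
    # question's LDAP URL does not match a lower-case alternative.
    print(check_whitelist(HOST_PATTERN, "http://DtIoTBDMaster01:8080/"))
    # ".*" is a valid regex but accepts any redirect target, so it is no whitelist.
    print(check_whitelist(".*", "https://unrelated.example:443/"))
```
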
0

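I suspect the problem you are hitting here is just a typical cookie-related issue. It seems that the cookie may have been set, since it is trying to redirect to the originalUrl after authentication.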

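Note that the originalUrl and the related redirect go to http://dtiotbdmaster01:8080/, which looks like it may run into a domain problem for the cookie. Since this is a hostname rather than a domain, it may not be set correctly in your browser and may not be presented to the originalUrl.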

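Also, I notice that http://dtiotbdmaster01:8080/ has no SSL/HTTPS. Because you have the following configuration for the KnoxSSO service, the Secure flag will be set on the cookie if it is indeed set successfully in the browser. This means the browser will not present the cookie to the target URL when it is not over TLS/HTTPS.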

        <service>
        <role>KNOXSSO</role>
        <param>
        <name>knoxsso.cookie.secure.only</name>
        <value>true</value>
        </param>
        <param>
        <name>knoxsso.token.ttl</name>
        <value>30000</value>
        </param>
        </service>

Like I said, these are general cookie-type issues and are most likely the root cause of your problem.

answered 2021-01-22T22:10:53.197
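
An added example, not part of the answer above: a simplified model of the browser's cookie-sending decision (RFC 6265 domain and Secure checks, path matching omitted) applied to the redirect target from the question's log. The `Set-Cookie` headers, the cookie name `hadoop-jwt`, the token value, the HTTPS port and `example.com` are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers; cookie name and value are assumptions.
SECURE_COOKIE = "hadoop-jwt=constructed.jwt.value; Path=/; Secure; HttpOnly"
PLAIN_COOKIE = "hadoop-jwt=constructed.jwt.value; Path=/; HttpOnly"
DOMAIN_COOKIE = "hadoop-jwt=constructed.jwt.value; Path=/; Domain=example.com"

# Redirect target from the gateway log in the question.
AMBARI_URL = "http://dtiotbdmaster01:8080/"


def would_send(set_cookie, setting_host, target_url):
    """Return (sent, reason): would a browser attach this cookie to target_url?

    setting_host is the host whose response carried the Set-Cookie header.
    """
    morsel = next(iter(SimpleCookie(set_cookie).values()))
    target = urlsplit(target_url)
    host = (target.hostname or "").lower()
    domain = morsel["domain"].lstrip(".").lower()

    if domain:
        # Domain attribute present: target host must equal it or be a subdomain.
        if not (host == domain or host.endswith("." + domain)):
            return False, "domain mismatch"
    elif host != setting_host.lower():
        # No Domain attribute: host-only cookie, returned to the setting host only.
        return False, "host-only cookie, different host"

    # Secure cookies are withheld from plain-HTTP requests; ports are not compared.
    if morsel["secure"] and target.scheme != "https":
        return False, "Secure cookie, non-HTTPS target"
    return True, "sent"


if __name__ == "__main__":
    cases = [
        ("secure cookie -> http", SECURE_COOKIE, AMBARI_URL),
        ("secure cookie -> https", SECURE_COOKIE, "https://dtiotbdmaster01:8443/"),
        ("plain cookie -> http", PLAIN_COOKIE, AMBARI_URL),
        ("other domain -> http", DOMAIN_COOKIE, AMBARI_URL),
    ]
    for label, header, url in cases:
        print(f"{label:24} {would_send(header, 'dtiotbdmaster01', url)}")
```
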