Knox SSO: how it works, how to enable it, and how to use it from a custom topology

  1. References
    • https://knox.apache.org/books/knox-1-0-0/user-guide.html#KnoxSSO+Setup+and+Configuration
    • https://svn.apache.org/repos/asf/knox/site/books/knox-1-1-0/knoxsso_integration.html
  2. Configure the knoxsso topology to enable Knox SSO

   <topology>
      <uri>https://bigdata-master:8443/gateway/knoxsso</uri>
      <name>knoxsso</name>
      <timestamp>1553153609000</timestamp>
      <generated>true</generated>
      <gateway>
         <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param>
               <name>xframe.options.enabled</name>
               <value>true</value>
            </param>
         </provider>
         <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
               <name>sessionTimeout</name>
               <value>30</value>
            </param>
            <param>
               <name>redirectToUrl</name>
               <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
               <name>restrictedCookies</name>
               <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
               <name>main.ldapRealm</name>
               <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
               <name>main.ldapContextFactory</name>
               <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
               <name>main.ldapRealm.contextFactory</name>
               <value>$ldapContextFactory</value>
            </param>
            <param>
               <name>main.ldapRealm.userDnTemplate</name>
               <value>uid={0},ou=people,dc=example,dc=com</value>
            </param>
            <param>
               <name>main.ldapRealm.contextFactory.url</name>
               <value>ldap://bigdata-common:389</value>
            </param>
            <param>
               <name>main.ldapRealm.authenticationCachingEnabled</name>
               <value>false</value>
            </param>
            <param>
               <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
               <value>simple</value>
            </param>
            <param>
               <name>urls./**</name>
               <value>authcBasic</value>
            </param>
         </provider>
         <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
         </provider>
      </gateway>
      <service>
         <role>KNOXSSO</role>
         <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>false</value>
         </param>
         <param>
            <name>knoxsso.token.ttl</name>
            <value>300000</value>
         </param>
      </service>
      <application>
         <name>knoxauth</name>
      </application>
   </topology>

  3. Configure SSOCookieProvider in a custom topology so that it authenticates through Knox SSO

   <topology>
      <uri>https://bigdata-master:8443/gateway/hdp_ui</uri>
      <name>hdp_ui</name>
      <timestamp>1553222547000</timestamp>
      <generated>true</generated>
      <gateway>
         <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
         </provider>
         <provider>
            <role>federation</role>
            <name>SSOCookieProvider</name>
            <enabled>true</enabled>
            <param>
               <name>sso.authentication.provider.url</name>
               <value>https://bigdata-master:8443/gateway/knoxsso/api/v1/websso</value>
            </param>
         </provider>
      </gateway>
      <service>
         <role>OOZIE</role>
         <url>http://bigdata-master:11000/oozie</url>
      </service>
      <service>
         <role>WEBHDFS</role>
         <url>http://bigdata-master:50070/webhdfs</url>
      </service>
   </topology>

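The two topologies above carry several settings that decide how exposed the hadoop-jwt cookie is (knoxsso.cookie.secure.only, knoxsso.token.ttl, the X-Frame-Options provider, the LDAP URL scheme, and the scheme of sso.authentication.provider.url). The following checker is an added example, not Knox code or part of the original post; it embeds constructed, trimmed copies of both topologies and reports the settings a reviewer would flag. The thresholds (one hour maximum TTL) and finding messages are the example's own choices.

```python
"""Lint Knox topology XML for SSO-related weak settings (added example, not Knox code)."""
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the knoxsso and hdp_ui topologies above.
KNOXSSO_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>webappsec</role><name>WebAppSec</name><enabled>true</enabled>
      <param><name>xframe.options.enabled</name><value>true</value></param>
    </provider>
    <provider>
      <role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
      <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://bigdata-common:389</value></param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
    <param><name>knoxsso.token.ttl</name><value>300000</value></param>
  </service>
</topology>"""

HDP_UI_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>federation</role><name>SSOCookieProvider</name><enabled>true</enabled>
      <param><name>sso.authentication.provider.url</name>
             <value>https://bigdata-master:8443/gateway/knoxsso/api/v1/websso</value></param>
    </provider>
  </gateway>
</topology>"""


def _params(elem):
    """Return the <param> name/value pairs under a provider or service element."""
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in elem.findall("param")}


def _enabled_providers(root):
    """Map provider role -> element, skipping providers with <enabled>false</enabled>."""
    return {p.findtext("role"): p for p in root.findall("gateway/provider")
            if p.findtext("enabled", "true").strip().lower() == "true"}


def check_topology(xml_text, max_ttl_ms=3_600_000):
    """Return a list of findings for one topology; an empty list means clean."""
    root = ET.fromstring(xml_text)
    providers = _enabled_providers(root)
    findings = []

    # KnoxSSO side: the service that issues the hadoop-jwt cookie.
    for svc in root.findall("service"):
        if svc.findtext("role") != "KNOXSSO":
            continue
        p = _params(svc)
        if p.get("knoxsso.cookie.secure.only", "true").lower() != "true":
            findings.append("knoxsso.cookie.secure.only=false: hadoop-jwt cookie may be sent over plain HTTP")
        ttl = int(p.get("knoxsso.token.ttl", "-1"))
        if ttl < 0:
            findings.append("knoxsso.token.ttl is negative: tokens never expire")
        elif ttl > max_ttl_ms:
            findings.append(f"knoxsso.token.ttl={ttl}ms exceeds {max_ttl_ms}ms")
        webappsec = providers.get("webappsec")
        if webappsec is None or _params(webappsec).get("xframe.options.enabled") != "true":
            findings.append("login page can be framed: WebAppSec xframe.options.enabled is not true")

    # Shiro/LDAP side: the bind that carries the user's password.
    auth = providers.get("authentication")
    if auth is not None:
        url = _params(auth).get("main.ldapRealm.contextFactory.url", "")
        if url.startswith("ldap://"):
            findings.append(f"LDAP bind over cleartext: {url}")

    # Consumer side: SSOCookieProvider must redirect to an https websso endpoint.
    fed = providers.get("federation")
    if fed is not None and fed.findtext("name") == "SSOCookieProvider":
        url = _params(fed).get("sso.authentication.provider.url", "")
        if not url.startswith("https://"):
            findings.append(f"sso.authentication.provider.url is not https: {url!r}")
        if not url.endswith("/api/v1/websso"):
            findings.append(f"sso.authentication.provider.url does not end in /api/v1/websso: {url!r}")
    return findings


if __name__ == "__main__":
    for label, xml in (("knoxsso", KNOXSSO_TOPOLOGY), ("hdp_ui", HDP_UI_TOPOLOGY)):
        print(label, check_topology(xml) or ["clean"])
```

Run against the fragments as given, the knoxsso topology produces two findings (the cookie is not marked Secure, and the LDAP bind is over ldap:// rather than ldaps://) while the hdp_ui topology is clean; switching the two values makes the knoxsso report clean as well.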
  4. How Knox SSO handles an HTTP request
    Using a browser request to https://bigdata-master:8443/gateway/hdp_ui/webhdfs/v1/tmp?op=LISTSTATUS as the example:
    • SSOCookieProvider reads the hadoop-jwt cookie from the HTTP request. If the cookie is absent, it redirects the request to sso.authentication.provider.url (https://bigdata-master:8443/gateway/knoxsso/api/v1/websso, which matches the KNOXSSO service in the knoxsso topology).
    • The Shiro authentication of the knoxsso topology then runs. If the request carries no valid credentials (for example a Basic Auth username/password), the browser is redirected to redirectToUrl (gateway/knoxsso/knoxauth/login.html).
    • The username and password entered there are authenticated against the LDAP server configured for Shiro; on success a hadoop-jwt cookie is issued.
    • The request is redirected back to the originally requested URL. The hadoop-jwt cookie is now present, so subsequent requests need no further authentication.

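The redirect loop above can be modelled in a few functions. The code below is an added example, not Knox code or part of the original post: it emulates the decision SSOCookieProvider makes on every request (is there a hadoop-jwt cookie, and has its exp claim passed) and the two answers the KNOXSSO endpoint can give (login page, or a cookie plus a redirect back to the original URL). Knox passes the original URL to the websso endpoint as the originalUrl query parameter; the percent-encoding, the claim set (sub, iss, exp) and the placeholder signature in the constructed token are this example's own assumptions, and the payload decoder deliberately does not verify the signature, so it is a troubleshooting aid, not a validator. It also shows the caveat the last step glosses over: once the token reaches knoxsso.token.ttl, the browser goes around the loop again.

```python
"""Model of the SSOCookieProvider -> KnoxSSO -> back flow (added example, not Knox code)."""
import base64
import json
import time
from urllib.parse import quote

# Values taken from the topologies above.
WEBSSO_URL = "https://bigdata-master:8443/gateway/knoxsso/api/v1/websso"
LOGIN_URL = "https://bigdata-master:8443/gateway/knoxsso/knoxauth/login.html"
TOKEN_TTL_MS = 300000  # knoxsso.token.ttl


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(subject, issued_at_s, ttl_ms=TOKEN_TTL_MS):
    """Constructed test token; real hadoop-jwt tokens are RS256-signed by the gateway."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": subject, "iss": "KNOXSSO", "exp": issued_at_s + ttl_ms // 1000}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(b"placeholder-signature")])  # assumption: not a valid signature


def decode_payload(token):
    """Decode only the payload segment (no signature check) to inspect sub/exp while debugging."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def sso_cookie_provider(request_url, cookie_header="", now_s=None):
    """Emulate SSOCookieProvider: ('proxy', claims) or ('redirect', location)."""
    now_s = time.time() if now_s is None else now_s
    login = f"{WEBSSO_URL}?originalUrl={quote(request_url, safe='')}"
    token = parse_cookies(cookie_header).get("hadoop-jwt")
    if token is None:                       # step 1: no cookie -> go to KnoxSSO
        return "redirect", login
    claims = decode_payload(token)
    if claims.get("exp", 0) <= now_s:       # ttl reached -> same redirect, loop restarts
        return "redirect", login
    return "proxy", claims                  # cookie valid -> request is proxied to WEBHDFS


def knoxsso_websso(original_url, has_valid_login=False):
    """Emulate the KNOXSSO service: login page, or hadoop-jwt cookie plus redirect back."""
    if not has_valid_login:                 # step 2: Shiro has no credentials -> login.html
        return "redirect", LOGIN_URL, None
    token = make_sample_jwt("guest", int(time.time()))  # step 3: LDAP ok -> issue cookie
    return "redirect", original_url, token   # step 4: back to the original URL


if __name__ == "__main__":
    url = "https://bigdata-master:8443/gateway/hdp_ui/webhdfs/v1/tmp?op=LISTSTATUS"
    print(sso_cookie_provider(url))                       # redirect to websso
    print(knoxsso_websso(url))                            # redirect to login.html
    _, back, cookie = knoxsso_websso(url, has_valid_login=True)
    print(sso_cookie_provider(back, f"hadoop-jwt={cookie}"))  # proxy with claims
```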