Knox的安装与部署（五）

说明：Knox组件在安装HDP时已通过Ambari自动安装了，如下步骤主是为Ambari与Ranger配置Knox的SSO

5.1 为Ambari设置Knox SSO

• 本节描述如何配置Ambari来使用Knox SSO(单点登录)来验证用户。通过这种配置，试图访问Ambari的未经身份验证的用户将被重定向到Knox SSO登录页面进行身份验证。

1、ambari-server setup-sso

     When prompted, enter y

2、For the provider URL, enter:

https://hdp05.data.com.cn:8443/gateway/knoxsso/api/v1/websso

3、在安装knox的主机上操作，export the Knox certificate （先在主机创建目录 /opt/key）

[root@hdp05 ~]# $JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file /opt/key/cert.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks

Enter keystore password:xxxxxxxx

4、Public Certificate pem (empty) (empty line to finish input):

Public Certificate pem (empty) (empty line to finish input):
注：这步将上一步中生成的/opt/key/cert.pem文件内容输入便可，复制时不包含头部与尾部。

Do you want to configure advanced properties [y/n] (n) ?n
Ambari Server 'setup-sso' completed successfully.

5、ambari-server restart

---

6、如果需要将knox停用,则如下操作便可
[root@nn01 ~]# ambari-server setup-sso
Using python /usr/bin/python
Setting up SSO authentication properties…
Do you want to disable SSO authentication [y/n] (n)?y
Ambari Server ‘setup-sso’ completed successfully.

再重启
ambari-server restart

---

6.2 为Ranger设置 Knox SSO

1、设置登录的白名单

The Knox SSO topology settings are preconfigured in Knox > Configs > Advanced knoxsso-topology.

2、Select Ranger > Configs > Advanced > Knox SSO Settings

注：SSO public key 复制/opt/key/cert.pem 不能包含其头部与尾部。

3、Restart Ranger. Select Actions > Restart All Required to restart

4、验证配置成果，通过Ranger登录时会重定向到Knox登录界面便Ok了。

5、Knox logo替换

/var/lib/knox/data-2.5.3.0-37/deployments/knoxsso.topo.15d2f461788/%2Fknoxauth/images/knox-logo.gif 

参考官方文档：
Setting up Knox SSO for Ambari：
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/setting_up_knox_sso_for_ambari.html

Setting up Knox SSO for Ranger：
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/setting_up_knox_sso_for_ranger.html