- 参考
- 配置 knoxsso-topology启用Knox SSO
<?xml version="1.0" encoding="UTF-8"?>
<topology>
<uri>https://bigdata-master:8443/gateway/knoxsso</uri>
<name>knoxsso</name>
<timestamp>1553153609000</timestamp>
<generated>true</generated>
<gateway>
<provider>
<role>webappsec</role>
<name>WebAppSec</name>
<enabled>true</enabled>
<param>
<name>xframe.options.enabled</name>
<value>true</value>
</param>
</provider>
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>30</value>
</param>
<param>
<name>redirectToUrl</name>
<value>/gateway/knoxsso/knoxauth/login.html</value>
</param>
<param>
<name>restrictedCookies</name>
<value>rememberme,WWW-Authenticate</value>
</param>
<param>
<name>main.ldapRealm</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
</param>
<param>
<name>main.ldapContextFactory</name>
<value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
</param>
<param>
<name>main.ldapRealm.contextFactory</name>
<value>$ldapContextFactory</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid={0},ou=people,dc=example,dc=com</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://bigdata-common:389</value>
</param>
<param>
<name>main.ldapRealm.authenticationCachingEnabled</name>
<value>false</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
<value>simple</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
</gateway>
<service>
<role>KNOXSSO</role>
<param>
<name>knoxsso.cookie.secure.only</name>
<value>false</value>
</param>
<param>
<name>knoxsso.token.ttl</name>
<value>300000</value>
</param>
</service>
<application>
<name>knoxauth</name>
</application>
</topology>
- 在自定义topology配置SSOCookieProvider使用Knox SSO认证
<?xml version="1.0" encoding="UTF-8"?>
<topology>
<uri>https://bigdata-master:8443/gateway/hdp_ui</uri>
<name>hdp_ui</name>
<timestamp>1553222547000</timestamp>
<generated>true</generated>
<gateway>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
<provider>
<role>federation</role>
<name>SSOCookieProvider</name>
<enabled>true</enabled>
<param>
<name>sso.authentication.provider.url</name>
<value>https://bigdata-master:8443/gateway/knoxsso/api/v1/websso</value>
</param>
</provider>
</gateway>
<service>
<role>OOZIE</role>
<url>http://bigdata-master:11000/oozie</url>
</service>
<service>
<role>WEBHDFS</role>
<url>http://bigdata-master:50070/webhdfs</url>
</service>
</topology>
- Knox SSO对于http请求的处理流程
以在浏览器中请求https://bigdata-master:8443/gateway/hdp_ui/webhdfs/v1/tmp?op=LISTSTATUS为例
- SSOCookieProvider负责从http请求的cookie中读取hadoop-jwt,如果cookie中不存在hadoop-jwt,会重定向http请求至sso.authentication.provider.url(即https://bigdata-master:8443/gateway/knoxsso/api/v1/websso,将匹配到knoxsso-topology中的KNOXSSO服务)
- 执行knoxsso-topology的shiro认证,如果http请求中没有提供有效的认证信息(例如Basic Auth的username/password),会将浏览器也重定向页面至redirectToUrl(即gateway/knoxsso/knoxauth/login.html)
- 输入username和password将使用shiro配置的ldap服务进行认证,如果认证通过将在cookie中生成hadoop-jwt
- 将http请求重定向至最初请求的地址,此时cookie中已经存在hadoop-jwt,此后所有的操作不在需要认证
