hadoop - Knox Redirecting to Ambari UI issue

Question

I am using Ambari V 2.7.3, I have installed Knox. I have tried to implement SSO for Ambari.I have followed the Below Url to implement the same.

https://docs.cloudera.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/setting_up_knox_sso_for_ambari.html

Below are the Knox configs:

Advanced admin-topology :

<topology>
    <gateway>
         <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://DtIoTBDMaster01:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>authorization</role>
            <name>AclsAuthz</name>
            <enabled>true</enabled>
            <param>
               <name>knox.acl.mode</name>
               <value>OR</value>
               </param>
            <param>
                <name>knox.acl</name>
                <value>KNOX_ADMIN_USERS;KNOX_ADMIN_GROUPS;*</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>HadoopGroupProvider</name>
            <enabled>true</enabled>
            <param>
                <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
                <value>gateway.group.config.</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>KNOX</role>
    </service>
</topology>

gateway.dispatch.whitelist : https?://(HOSTNAME|0.0.0.0|0:0:0:0:0:0:0:1|::1):[0-9].*$

Advanced knoxsso-topology :

    <topology>
            <gateway>
            <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param><name>xframe.options.enabled</name><value>true</value></param>
            </provider>
            <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
            <name>sessionTimeout</name>
            <value>30</value>
            </param>
            <param>
            <name>redirectToUrl</name>
            <value>/gateway/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
            <name>restrictedCookies</name>
            <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
            <name>main.ldapRealm</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
            <name>main.ldapContextFactory</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
            <name>main.ldapRealm.contextFactory</name>
            <value>$ldapContextFactory</value>
            </param>
            <param>
            <name>main.ldapRealm.userDnTemplate</name>
            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldap://x.x.x.x:33389</value>
            </param>
            <param>
            <name>main.ldapRealm.authenticationCachingEnabled</name>
            <value>false</value>
            </param>
            <param>
            <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
            <value>simple</value>
            </param>
            <param>
            <name>urls./**</name>
            <value>authcBasic</value>
            </param>
            </provider>
            <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
            </provider>
            </gateway>
            <application>
            <name>knoxauth</name>
            </application>
            <service>
            <role>KNOXSSO</role>
            <param>
            <name>knoxsso.cookie.secure.only</name>
            <value>true</value>
            </param>
            <param>
            <name>knoxsso.token.ttl</name>
            <value>30000</value>
            </param>
            </service>
<service>
        <role>AMBARI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
            </topology>

Advanced topology :

<topology>
        <gateway>
            <provider>
                <role>authentication</role>
                <name>ShiroProvider</name>
                <enabled>true</enabled>
                <param>
                    <name>sessionTimeout</name>
                    <value>30</value>
                </param>
                <param>
                    <name>main.ldapRealm</name>
                    <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
                </param>
                <param>
                    <name>main.ldapRealm.userDnTemplate</name>
                    <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.url</name>
                    <value>ldap://{{knox_host_name}}:33389</value>
                </param>
                <param>
                    <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                    <value>simple</value>
                </param>
                <param>
                    <name>urls./**</name>
                    <value>authcBasic</value>
                </param>
            </provider>
            <provider>
                <role>identity-assertion</role>
                <name>Default</name>
                <enabled>true</enabled>
            </provider>
            <provider>
                <role>authorization</role>
                <name>AclsAuthz</name>
                <enabled>true</enabled>
            </provider>
        </gateway>
        <service>
            <role>NAMENODE</role>
            <url>{{namenode_address}}</url>
        </service>
        <service>
            <role>JOBTRACKER</role>
            <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
        </service>
        <service>
            <role>WEBHDFS</role>
            {{webhdfs_service_urls}}
        </service>
        <service>
            <role>WEBHCAT</role>
            <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
        </service>
        <service>
            <role>OOZIE</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
        </service>

        <service>
            <role>OOZIEUI</role>
            <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie/</url>
        </service>
        <service>
            <role>WEBHBASE</role>
            <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
        </service>
        <service>
            <role>HIVE</role>
            <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
        </service>
        <service>
            <role>RESOURCEMANAGER</role>
            <url>http://{{rm_host}}:{{rm_port}}/ws</url>
        </service>
        <service>
            <role>DRUID-COORDINATOR-UI</role>
            {{druid_coordinator_urls}}
        </service>
        <service>
            <role>DRUID-COORDINATOR</role>
            {{druid_coordinator_urls}}
        </service>

        <service>
            <role>DRUID-OVERLORD-UI</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-OVERLORD</role>
            {{druid_overlord_urls}}
        </service>
        <service>
            <role>DRUID-ROUTER</role>
            {{druid_router_urls}}
        </service>
        <service>
            <role>DRUID-BROKER</role>
            {{druid_broker_urls}}
        </service>
        <service>
            <role>ZEPPELINUI</role>
            {{zeppelin_ui_urls}}
        </service>
        <service>
            <role>ZEPPELINWS</role>
            {{zeppelin_ws_urls}}
        </service>
    </topology>

The moment While login into AMBARI UI, it's redirecting into Knox UI, the moment I entered the default creds of Knox Then it's redirecting to AMBARI UI, and again it's opening Knox UI Below ie the error i got from Knox gateway

2021-01-11 10:43:17,080 INFO  knox.gateway (KnoxLdapRealm.java:getUserDn(692)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for pr
incipal: admin
2021-01-11 10:43:17,090 INFO  servic

Answer 1

You have few issues with knosso topology, Knoxsso should be used for authentication you do need to mention following config in it:-

<service>
        <role>AMBARI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://x.x.x.x:8080</url>
    </service>
            </topology>

Try adding whitelist regex in knoxsso and no it admin topology.

<param>
 <name>knoxsso.redirect.whitelist.regex</name>
 <value>^https?://(c64dd.ambari.apache.org|localhost|
127.0.0.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
 </param>

Remove gateway.dispatch.whitelist from admin topology.

Note:- You need to make regex value, * would not work.