-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Knox SSO redirects contain the EC2 host's private IP (obviously not working in browser) #10
Comments
@lhoss thanks for your detailed note. This is the first time we've added Knox SSO feature so am sure there are improvements we can make (esp when deploying on public cloud). Could we discuss over webex? Would you mind emailing me at [email protected] with some open slots this week? Am based in Pacific timezone |
thx @abajwa-hw for your quick reply (and I will soon contact you by mail, also about other ideas we have, like if it's possible to better separate the demo setup from the pure HDP/HDF installation, which we prefer todo using ansible and the great role https://github.com/hortonworks/ansible-hortonworks !) About the issue here: |
We started adding a static hostmap provider (we did several trials, adding to multiple topologies including topologies ui, admin) but it still did not work as expected:
|
We got it working, incl. following gateway'ed URLs: after having applied following patches: https://github.com/jnowakowski/masterclass/commits/patch-1 |
@abajwa-hw this issue is about your fork (latest master from today), which does not allow to create issues
In short: Unless we missed something in the Setup Doc, we assume this might be a/the bug, that the
(SSOCookieProvider) sso.authentication.provider.url setting is using the Knox host's private IP.
We deployed the hortoniabank demo on AWS, trying 2 different strategies:
Both setups worked well..
by following the steps as documented (the latest version, recently updated! ):
https://community.hortonworks.com/articles/151939/hdp-securitygovernance-demo-kit.html
We did that (adding the entry to /etc/hosts)
Then going to http://demo.hortonworks.com:8080 in Google Chrome (Incognito Mode), it redirects too (I masked the IPs with xxx strings):
https://ip-172-31-xxx-xxx.us-west-1.compute.internal:8443/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fdemo.hortonworks.com%3A8080%2F%23%2Flogin?redirected=true
After manually replacing the internal IP, it works:
https://demo.hortonworks.com:8443/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fdemo.hortonworks.com%3A8080%2F%23%2Flogin?redirected=true
The same issue, entering the Zeppelin UI: https://demo.hortonworks.com:8443/gateway/ui/zeppelin/
that redirects again too https://ip-172-31-xxx-xxx.us-west-1.compute.internal:8443/...
and again, here's a manually fixed working URL to Knox'ed Zeppelin:
https://demo.hortonworks.com:8443/gateway/knoxsso/api/v1/webssogateway/knoxsso/knoxauth/login.html?originalUrl=https://demo.hortonworks.com:8443/gateway/ui/zeppelin/
Still new to this demo, and also Knox in general, I'm wondering if it's good idea to use the
hostname
cmd� (which indeed returns the private network IP) to set the "knox_sso_url" in:https://github.com/abajwa-hw/masterclass/blob/master/ranger-atlas/HortoniaMunichSetup/10-SSOSetup.sh#L82
Finally in the Knox UI I found following setting, which AFAIU is used to generate the redirect URLs,
but trying to change it to use the public IP did not succeed
(when hitting save button, I get redirected to the Knox login, and after login in the config is still the old one. It seems the 'save' request was redirected, and so did not complete)
In Knox UI, Menu "Provider Configs"/cookieprovider/federation/params
Try changing "sso.authentication.provider.url"
FROM: https://ip-172-31-xxx-xxx.us-west-1.compute.internal:8443/gateway/knoxsso/api/v1/websso
TO: https://ec2-54-x-x-x.us-west-1.compute.amazonaws.com:8443/gateway/knoxsso/api/v1/websso
We really want to understand if we missed something, or the Doc. is incomplete
or if this is even expected .. but then you would also need the browser to be able to handle the private (AWS) IP, for ex. by using Socks Proxy tricks etc
The text was updated successfully, but these errors were encountered: