Knox SSO redirects contain the EC2 host's private IP (obviously not working in browser) #10
Description
@abajwa-hw this issue is about your fork (latest master from today), which does not allow to create issues
In short: Unless we missed something in the Setup Doc, we assume this might be a/the bug, that the
(SSOCookieProvider) sso.authentication.provider.url setting is using the Knox host's private IP.
We deployed the hortoniabank demo on AWS, trying 2 different strategies:
- "Option 1" (today) using 'setup.sh' on an official AWS centos-7.5 ami
- "Option 2" (yesterday) using the "HDP 3.0 without NiFi or Knox SSO" AMI
Both setups worked well..
by following the steps as documented (the latest version, recently updated! ):
https://community.hortonworks.com/articles/151939/hdp-securitygovernance-demo-kit.html
- For Knox SSO, you will need to create a entry for demo.hortonworks.com (pointing to the Public IP from above) in your local laptop's hosts file.
- After 5-10 minutes, open the below URL in your browser to access Ambari’s console:
If you selected an AMI that has Knox SSO, use either Firefox or Incognito Chome window to navigate to http://demo.hortonworks.com:8080 where you will be shown the Knox sign-on login page. Enter user:admin password:BadPass#1
-
We did that (adding the entry to /etc/hosts)
-
Then going to http://demo.hortonworks.com:8080 in Google Chrome (Incognito Mode), it redirects too (I masked the IPs with xxx strings):
https://ip-172-31-xxx-xxx.us-west-1.compute.internal:8443/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fdemo.hortonworks.com%3A8080%2F%23%2Flogin?redirected=true -
After manually replacing the internal IP, it works:
https://demo.hortonworks.com:8443/gateway/knoxsso/api/v1/websso?originalUrl=http%3A%2F%2Fdemo.hortonworks.com%3A8080%2F%23%2Flogin?redirected=true -
The same issue, entering the Zeppelin UI: https://demo.hortonworks.com:8443/gateway/ui/zeppelin/
that redirects again too https://ip-172-31-xxx-xxx.us-west-1.compute.internal:8443/... -
and again, here's a manually fixed working URL to Knox'ed Zeppelin:
https://demo.hortonworks.com:8443/gateway/knoxsso/api/v1/webssogateway/knoxsso/knoxauth/login.html?originalUrl=https://demo.hortonworks.com:8443/gateway/ui/zeppelin/
Still new to this demo, and also Knox in general, I'm wondering if it's good idea to use the hostname cmd� (which indeed returns the private network IP) to set the "knox_sso_url" in:
https://github.com/abajwa-hw/masterclass/blob/master/ranger-atlas/HortoniaMunichSetup/10-SSOSetup.sh#L82
hostname=$(hostname -f)
knox_sso_url="https://$hostname:8443/gateway/knoxsso/api/v1/websso"
Finally in the Knox UI I found following setting, which AFAIU is used to generate the redirect URLs,
but trying to change it to use the public IP did not succeed
(when hitting save button, I get redirected to the Knox login, and after login in the config is still the old one. It seems the 'save' request was redirected, and so did not complete)
- knox UI URL: https://demo.hortonworks.com:8443/gateway/manager/admin-ui
In Knox UI, Menu "Provider Configs"/cookieprovider/federation/params
Try changing "sso.authentication.provider.url"
FROM: https://ip-172-31-xxx-xxx.us-west-1.compute.internal:8443/gateway/knoxsso/api/v1/websso
TO: https://ec2-54-x-x-x.us-west-1.compute.amazonaws.com:8443/gateway/knoxsso/api/v1/websso
We really want to understand if we missed something, or the Doc. is incomplete
or if this is even expected .. but then you would also need the browser to be able to handle the private (AWS) IP, for ex. by using Socks Proxy tricks etc