The Apache Knox Gateway is a REST API gateway for interacting with Apache Hadoop clusters. The gateway provides a single access point for all REST interactions with Hadoop clusters.

Knox Installation and configuration

Configure LDAP

There are two ways to configure Knox for LDAP authentication. The end user sends an MD5 digest of login:password to Knox, and Knox checks that user against an LDAP directory. There are two different cases:

  1. the credentials in the digest are enough to bind to LDAP directly
  2. the LDAP directory is read through a dedicated system user

LDAP is readable by any user

To check whether the LDAP directory can be read by binding as the end user, run the following on the Knox host:

ldapsearch -h $ldap_host -p $ldap_port -D "$user_dn" -w "$user_password" -b "$user_dn" "objectclass=*"

If the search succeeds, set main.ldapRealm.userDnTemplate in the Shiro provider of the Knox topology.

Knox uses this template to build user_dn from the user name carried in the MD5 digest.

For example, if main.ldapRealm.userDnTemplate = cn={0},ou=users,dc=ryba, then this request:

curl -iku hdfs:test123 https://$knox_host:$knox_port/gateway/$cluster/$service

results in the following equivalent LDAP check (it is not exactly what Knox does, but it is equivalent):

ldapsearch -h $ldap_host -p $ldap_port -D "cn=hdfs,ou=users,dc=ryba" -w test123 -b "cn=hdfs,ou=users,dc=ryba" "objectclass=*"

LDAP search

If the directory is not readable by the end user, or user_dn cannot be derived from the user name (for example because users are spread over several branches of the LDAP tree), use the Knox LDAP search functionality.

Specify the following in the Shiro provider:

    <!-- filter from this base -->
    <!-- filter: uid={0} -->
    <!-- granted ldap user if needed -->

which is equivalent to this search, where {0} stands for the user name taken from the digest (the original command passed "$attr={0}" as the filter and "objectclass=..." as a returned attribute; both conditions belong in one filter):

ldapsearch -h $ldap_host -p $ldap_port -Z -D "$systemUsername" -w "$systemPassword" -b "$searchBase" "(&(objectclass=$userObjectClass)($attr={0}))"
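The script below is an added example; it is not code from the ryba documentation or from Knox itself. It reproduces both lookups described above (the userDnTemplate substitution and the search-mode lookup) so that the topology values can be tried with ldapsearch before Knox is restarted, and it shows the two places where the login name from the request meets LDAP syntax: the bind DN built from the template, and the search filter. The Knox parameter names in the comments are the standard Shiro provider parameters of a Knox topology; LDAP_HOST, SEARCH_BASE, the system user DN, the uid/person values and the character guard on login names are assumptions made for the demonstration and are not a description of what Knox does internally.

```shell
#!/bin/sh
# Added example (not from the ryba docs or from Knox): reproduce the two LDAP
# lookups Knox performs for a topology, using ldapsearch. Every value below is
# an assumed sample; override it in the environment for a real directory.
: "${LDAP_HOST:=ldap.example.com}"     # assumed
: "${LDAP_PORT:=389}"                   # assumed
: "${SYSTEM_USER_DN:=cn=knox,ou=services,dc=ryba}"  # main.ldapRealm.contextFactory.systemUsername (assumed value)
: "${SEARCH_BASE:=dc=ryba}"             # main.ldapRealm.searchBase (assumed value)
: "${USER_ATTR:=uid}"                   # main.ldapRealm.userSearchAttributeName (assumed value)
: "${USER_OBJECT_CLASS:=person}"        # main.ldapRealm.userObjectClass (assumed value)
PLACEHOLDER='{0}'                       # token Knox replaces with the login name

# Mode 1 (main.ldapRealm.userDnTemplate): substitute {0} with the login name.
# A login name containing DN syntax (commas, '=', quotes, ...) would change the
# structure of the bind DN, so only a plain account-name character set is
# accepted. This guard is part of the example, not of Knox.
render_user_dn() {
  template=$1 user=$2
  case $template in *"$PLACEHOLDER"*) ;; *) return 1 ;; esac
  case $user in ""|*[!A-Za-z0-9._@-]*) return 1 ;; esac
  printf '%s\n' "${template%%"$PLACEHOLDER"*}${user}${template#*"$PLACEHOLDER"}"
}

# Mode 2 (search): the login name lands inside a filter such as "(uid={0})",
# so the RFC 4515 special characters are escaped before the search is sent.
ldap_filter_escape() {
  in=$1 out=''
  while [ -n "$in" ]; do
    c=${in%"${in#?}"}                   # first character of the remaining input
    in=${in#?}
    case $c in
      '\') out="${out}\\5c" ;;
      '*') out="${out}\\2a" ;;
      '(') out="${out}\\28" ;;
      ')') out="${out}\\29" ;;
      *)   out="${out}${c}" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Filter used by the search mode, built from the topology values.
search_filter() {
  printf '(&(objectclass=%s)(%s=%s))\n' \
    "$USER_OBJECT_CLASS" "$USER_ATTR" "$(ldap_filter_escape "$1")"
}

# Run the check matching the configured mode. Passwords come from the
# environment (USER_PASSWORD, SYSTEM_PASSWORD), not from the command line.
knox_ldap_check() {
  user=$1
  if [ -n "${USER_DN_TEMPLATE:-}" ]; then
    # Template mode: bind as the user and read its own entry.
    dn=$(render_user_dn "$USER_DN_TEMPLATE" "$user") \
      || { echo "rejected login name: $user" >&2; return 1; }
    ldapsearch -h "$LDAP_HOST" -p "$LDAP_PORT" -D "$dn" -w "$USER_PASSWORD" \
      -b "$dn" "(objectclass=*)" dn
  else
    # Search mode: bind as the system user and locate the user's entry; Knox
    # then binds with the returned DN and the user's own password.
    ldapsearch -h "$LDAP_HOST" -p "$LDAP_PORT" -D "$SYSTEM_USER_DN" -w "$SYSTEM_PASSWORD" \
      -b "$SEARCH_BASE" "$(search_filter "$user")" dn
  fi
}

# Usage: USER_DN_TEMPLATE='cn={0},ou=users,dc=ryba' USER_PASSWORD=... sh knox-ldap-check.sh hdfs
#    or: SYSTEM_PASSWORD=... sh knox-ldap-check.sh hdfs      (search mode)
if [ $# -gt 0 ]; then knox_ldap_check "$1"; fi
```

Setting USER_DN_TEMPLATE selects the template mode and reproduces the "cn=hdfs,ou=users,dc=ryba" bind shown above; leaving it unset runs the search-mode lookup with the system user. The escaping in search_filter matters because, in search mode, whatever the client puts before the colon in login:password ends up inside the filter sent to the directory.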

The Hortonworks documentation is incorrect (last checked version: hdp-2.3.2), so refer to the official Apache Knox documentation instead.