Authentication with Apache Knox Gateway
The Apache Knox Gateway is a REST API gateway that authenticates users and acts as a single access point for a Hadoop cluster.
Knox creates a perimeter around a Hadoop cluster. Without Knox, users and applications must connect directly to a resource in the cluster, which requires configuration on the client machines. A direct connection to resources exposes host names and ports to all users and applications and decreases the security of the cluster.
If the cluster uses Knox, applications use REST APIs and JDBC/ODBC over HTTP to connect to Knox. Knox authenticates the user and connects to a resource.
Configuring Apache Knox for Cloudera CDP Public Cloud
To use Apache Knox authentication with Cloudera CDP Public Cloud clusters, you must configure the Knox IDBroker service.
Add the proxy entries for the keytab user to the Knox IDBroker service that runs on the Data Lake cluster.
For example, add the following entries to the configuration page for idbroker_kerberos_dt_proxyuser_block:
"hadoop.proxyuser.csso_<keytab user>.groups": "*"
"hadoop.proxyuser.csso_<keytab user>.hosts": "*"
"hadoop.proxyuser.csso_<keytab user>.users": "spn_user"
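The following check is an added example, not part of the original documentation or of Knox or Cloudera tooling. It audits a pasted proxyuser block in the entry format shown above before it is saved, reporting typographic quotes, missing scopes, and wildcard scopes. The function name, the checks, and the sample principal `csso_infa_svc` are assumptions made for illustration.

```python
import re

# Entry shape shown on this page: "hadoop.proxyuser.<principal>.<scope>": "<value>"
ENTRY = re.compile(
    r'^"hadoop\.proxyuser\.([^"]+)\.(groups|hosts|users)"\s*:\s*"([^"]*)",?$')
SMART_QUOTES = "\u201c\u201d\u201e\u2033"   # quotes that word processors substitute
REQUIRED = ("groups", "hosts", "users")

def audit_proxyuser_block(text):
    """Return (settings, findings) for a pasted proxyuser block."""
    settings, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if any(q in line for q in SMART_QUOTES):
            findings.append(f"line {n}: typographic quote, retype with ASCII quotes")
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append(f"line {n}: not a hadoop.proxyuser entry")
            continue
        principal, scope, value = m.groups()
        settings.setdefault(principal, {})[scope] = value
        if value.strip() == "*":
            findings.append(f"{principal}: {scope} is a wildcard, no restriction applied")
    for principal, scopes in settings.items():
        for scope in REQUIRED:
            if scope not in scopes:
                findings.append(f"{principal}: missing {scope} entry")
    return settings, findings

# Constructed sample: the keytab user name is hypothetical, and the first
# line carries a typographic opening quote as it might after copy and paste.
SAMPLE = (
    '\u201chadoop.proxyuser.csso_infa_svc.groups": "*"\n'
    '"hadoop.proxyuser.csso_infa_svc.hosts": "*"\n'
    '"hadoop.proxyuser.csso_infa_svc.users": "spn_user"\n'
)

if __name__ == "__main__":
    for finding in audit_proxyuser_block(SAMPLE)[1]:
        print(finding)
```

A wildcard finding is informational: it records that the proxy user's impersonation is not limited by that scope, so the reviewer can confirm this is intended for the Data Lake cluster.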