Use Knox to access Hortonworks
Apache Knox is a gateway security tool that provides perimeter security for the Hortonworks Distribution (HDP) of Hadoop services. Knox provides secure access to the Hadoop components on a cluster. Connecting to a cluster using Knox provides you with a single point of access to connect to Hadoop services, eliminating the need to map to each service separately. If your system administrator has implemented Apache Ranger on the cluster, Pentaho will respect the policies your system administrator has set up.
Here is an example of a Knox deployment:
The PDI client connects to Knox using a user ID and password that is registered in LDAP. Knox then authenticates to the Kerberos Key Distribution Center (KDC) with the PDI client user ID and password. Lastly, Knox authorizes with Ranger and submits the request to the Hadoop cluster.
Before you begin
Before you begin, you will need to obtain the following items from your system administrator:
Credentials
Includes the cluster name, gateway URL, username, and password.
SSL certificate
The SSL certificate must be installed by your system administrator. The Knox URL is a secure URL, so an SSL certificate is needed to successfully perform operations using a Knox gateway. See Configure SSL (HTTPS) in the Pentaho User Console and Server for information on SSL.
LDAP directory server
Authentication with Knox is provided by an LDAP directory server, so you must be able to authenticate to an LDAP server. For more information, review the articles Switch to LDAP and LDAP Properties.
Setup
Complete the following processes to set up the Knox server for use with Pentaho:
- Display the Knox Gateway option
- Register a Hadoop Cluster
- Access Cluster Resources using a Knox Gateway URL.
Display the Knox gateway option
You must modify the KETTLE_HADOOP_CLUSTER_GATEWAY_CONNECTION environment variable in the kettle.properties file to display the Use gateway to connect to the cluster option. This option must be selected to set up the gateway connection to the cluster.
Perform the following steps to set the environment variable:
Procedure
In the PDI client, choose Kettle properties dialog box.
to open theLocate the KETTLE_HADOOP_CLUSTER_GATEWAY_CONNECTION variable.
Change the KETTLE_HADOOP_CLUSTER_GATEWAY_CONNECTION value to true, and click OK.
Results
Register a Hadoop cluster
Procedure
In the PDI client, double-click your cluster name to open the Hadoop Cluster dialog box.
Select the Use gateway to connect to the cluster option in the Hadoop Cluster dialog box. The dialog box will change to display the gateway connection options.
Enter the gateway URL, username, and password in the Gateway area, then click OK.
NoteZookeeper is not supported with Knox.
Access cluster resources using a Knox gateway URL
Complete the following steps to create the URL to connect to the resources on the cluster:
Procedure
In the PDI client, click
The .Open File dialog box displays.Click the Location drop-down menu and select Hadoop Cluster from the list.
Click the Hadoop Cluster drop-down menu and select your cluster name.
In the Open from Folder text box, the gateway URL for the cluster displays in the format hc://<cluster name>.
Results
Hive configuration with Knox
Procedure
Open the connection to your Hive database, or review the article Set Up a Database Connection for instructions on setting up a connection.
In the Database Connection dialog box, select Options in the page panel on the left to display the Parameters panel.
Enter the following parameters and values in the Options section and click OK.
Parameter Definition Value httpPath Path to database gateway/MyHDPCluster/hive knox Option to use Knox true transportMode Connection protocol to use http ssl Option to use SSL true
Results