Known Issues in Knox

Learn about the known issues in Knox, the impact or changes to the functionality, and the workaround.

CDPD-79963: Knox service might fail due to JARs picked up from the /usr/share/java folder

Knox service might fail due to Java Archive (JAR) files picked up from the /usr/share/java folder.

None.

CDPD-67478: Custom topologies cannot be deleted

You cannot delete custom topologies that were created.

• Edit the custom topology in Cloudera Manager, removing all service declarations and leaving only the providerConfigRef configuration.
• Refresh the Knox configuration.

Knox Issue with JDK version

jdk-1.8.0_391 is not supported.

Cloudera recommends using Cloudera supported JDKs.

CDPD-61088: When downgrade is performed from CDP 7.1.9 to CDP 7.1.7 SP2, Knox may fail to start

When you downgrade from CDP 7.1.9 to CDP 7.1.7 SP2, Knox might fail to start with the following error message:

Failed to start gateway: org.apache.knox.gateway.services.ServiceLifecycleException: Keystore was not loaded properly - the provided password may not match the password for the keystore. org.apache.knox.gateway.services.ServiceLifecycleException: Keystore was not loaded properly - the provided password may not match the password for the keystore.

Remove the faulty credential store and restart Knox.

CDPD-60996: When downgrade is performed from CDP 7.1.9 to CDP 7.1.7 SP2, Knox is unable to connect to Cloudera Manager.

Restart Knox service after the downgrade process completes.

CDPD-28431: Intermittent errors can be potentially encountered when Impala UI is accessed from multiple Knox nodes.

You must use a single Knox node to access Impala UI.

CDPD-3125: Logging out of Atlas does not manage the external authentication

At this time, Atlas does not communicate a log-out event with the external authentication management, Apache Knox. When you log out of Atlas, you can still open the instance of Atlas from the same web browser without re-authentication.

To prevent additional access to Atlas, close all browser windows and exit the browser.

CDPD-22785: Improvements and issues needs to be addressed in convert-topology Knox CLI command

None

OPSAPS-67480: In CDP 7.1.9, default Ranger policy is added from the cdp-proxy-token topology, so that after a new installation of CDP 7.1.9, the knox-ranger policy includes cdp-proxy-token. However, upgrades do not add cdp-proxy-token to cm_knox policies automatically.

Manually add cdp-proxy-token to the Knox policy, using Ranger Admin Web UI.

1. Log in to Cloudera Manager > Ranger > Ranger Admin Web UI, as a Ranger administrator.
2. On Ranger Admin Web UI > Service Manager > Resource > Knox, click cm_knox.
3. In Knox Policies, open the CDP Proxy UI, API and Token policy.
4. In Knox Topology*, add cdp-proxy-token.
5. Click Save.
6. Restart Ranger.

CDPD-70313: KNOX does not send Authentication header on FIPS configuration

KNOX does not send neither the Authentication header nor the hadoop.auth cookie. Because of this, the SMM UI returns an HTTP 401 response and sets the www-authenticate: Negotiate header. After this, KNOX still does not send the Authentication header. This results in the SMM UI being inaccessible through Knox.

You can access the SMM UI directly in Cloudera Manager at Clusters > SMM > Streams Messaging Manager Web UI and log in using the Kerberos username and password.

On FIPS cluster, Knox-Impala connection is failing with SSL error code 5

The Knox-Impala connection is failing with SSL error code 5 on FIPS clusters. This prevents accessing Impala through Knox.

CDPD-78656: Health test for Knox fails if the gateway.client.auth.needed = true is set

The health test for Knox Gateway fails if the gateway.client.auth.needed parameter is set to true. Environments using the "curl" call are impacted. The curl call from CM is not specifying any certificate (store) while Knox is configured to require one.

To avoid the startup failure, use gateway.client.auth.wanted = true.