Fixed Issues in Apache Knox

Cloudera Runtime 7.3.1.500 SP3

OPSAPS-73038: False-positive port conflict error message displayed in Cloudera Manager

This issue is fixed now. A new health port has been added as a configuration to the Knox configuration. The health topology port can be set with topology port mapping. By setting the new configuration, the checkDeployment script will use the new health port.

CDPD-81958: Improve cookie security in Knox-proxied web UIs with Secure and HttpOnly attributes

The pac4jCsrfToken cookie has now both Secure and HttpOnly flags in Knox proxied applications, improving the security provided by Knox.

Apache JIRA: KNOX-3134

Cloudera Runtime 7.3.1.400 SP2

CDPD-8148: Knox UI session timeout is not working with SAML authentication

This issue is resolved by the pac4j.cookie.max.age parameter introduced for the pac4j provider, which Knox uses for SAML authentication. This parameter enforces cookie timeout for the cookies created by the pac4j provider.

To set the pac4j.cookie.max.age parameter, go to Cloudera Manager > Knox > Configuration, and add the following value to the Knox Simplified Topology Management - SSO Authentication Provider field: federation.param.pac4j.cookie.max.age={value}

Apache JIRA: KNOX-3077

Cloudera Runtime 7.3.1.300 SP1 CHF 1

CDPD-27801: Knox is missing HSTS header for HTTP 404 responses

7.3.1.300, 7.1.9 CHF8

Resolved an issue where Knox was missing the HTTP Strict-Transport-Security response header (HSTS) in HTTP 404 responses. The global HSTS header can now be configured to be included in all HTTP responses.

To configure the HSTS header, go to Cloudera Manager > Knox > Configuration, search for the Knox Service Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml property, and set the following parameters to true:

• gateway.strict.transport.enabled
• gateway.strict.transport.option: (Optional) Use this parameter to specify a timeout value for the HTTS header. This parameter is applicable only if gateway.strict.transport.enabled is set to true.

Apache JIRA: KNOX-3111

CDPD-73368: Knox token management is not working if Cookie Management is enabled

7.3.1.300

Users can now access the Token Management page from the Knox Gateway UI by using KnoxSSO even if Cookie Management is enabled.

Apache JIRA: KNOX-3060

CDPD-74843: Logs missing in third-party libraries

7.3.1.300

Resolved an issue where third-party libraries had missing logs due to a missing log4j library, which affected the ability to diagnose and troubleshoot issues.

CDPD-78656: Health test for Knox fails if the gateway.client.auth.needed = true is set

7.1.9 CHF7, 7.3.1.300

Resolved an issue where the health test for Knox Gateway failed if the gateway.client.auth.needed parameter was set to true.

For the TLS Mutual Authentication to work, you must exclude the health topology. To do this, go to Cloudera Manager > Knox > Configuration, locate the Knox Service Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml field, and add a new entry with the following parameters:

Name = gateway.client.auth.exclude
Value = health

For more information on excluding the topology, see the Apache Knox Documentation.

Cloudera Runtime 7.3.1.200 SP1

CDPD-77233: Knox Token TTL value of -1 set to never expire

7.3.1.200

Fixed an issue where the Knox Token API raised an UnknownTokenException error if the lifespan value of Knox Token TTL was set to -1.

Apache JIRA: KNOX-3075

CDPD-79963: Knox service might fail due to JARs picked up from the /usr/share/java folder

7.3.1.200

Knox service might fail due to Java Archive (JAR) files picked up from the /usr/share/java folder.

This issue is now fixed.

Apache JIRA: KNOX-3108

CDPD-76104: Unable to update the log level for Knox from Cloudera Manager

7.3.1.200

Users were not able to change the log level for Knox from Cloudera Manager. This impacted debugging in case of errors.

This issue is now fixed.

Cloudera Runtime 7.3.1.100 CHF 1

CDPD-74114: Proxyuser groups are not included in POST and PATCH requests

7.3.1.100

Fixed an issue where group headers were not added to POST and PUT requests.

Apache Jira: KNOX-3062

Cloudera Runtime 7.3.1

CDPD-73275: HTTP 404 responses while Knox is redeploying topologies

7.3.1

While you were redeploying topologies, Knox returned HTTP 404 responses.

Knox no longer returns HTTP 404 responses during topology redeployment, but returns HTTP 503 instead.

CDPD-70313: KNOX did not send Authentication header on FIPS configuration

7.3.1

KNOX neither sent the authentication header nor hadoop.auth cookie that was why the SMM UI sent back the HTTP 401 response and set the "www-authenticate": "Negotiate" header. Because of this, the SMM UI was inaccessible through Knox.

This issue is fixed now.

CDPD-67478: Custom topologies cannot be deleted

7.3.1

You cannot delete custom topologies that were created.

This issue is fixed.

OPSAPS-67480: Default Ranger policy in Cloudera Base on premises 7.1.9 includes cdp-proxy-token topology for new installations, but upgrades do not add cdp-proxy-token to cm_knox policies automatically.

7.3.1

This issue is fixed now.

CDPD-69305: /plugins/policies/importPoliciesFromFile API returns 500 service connectivity error through Knox Proxy

7.3.1

The fix imports large policy files using the Ranger importPoliciesFromFile API through Knox.

Apache patch information