Fixed Issues in Knox

Review the list of Knox issues that are resolved in Cloudera Runtime 7.1.9 SP1.

CDPD-68193: Exclude services/roles from being discovered
New gateway-site.xml properties were added to exclude certain services and roles from being discovered during CM service discovery. The property names are gateway.cloudera.manager.service.discovery.excluded.service.types and gateway.cloudera.manager.service.discovery.excluded.role.types.
CDPD-68084: [7.1.x] KnoxCLI command for generating descriptor for a role type from a list of hosts
Added a KnoxCLI command that generates a topology descriptor from a list of URLs. The command usage and parameters are described in https://github.com/apache/knox/pull/835.
CDPD-68065: [7.1.x] - Add configurable socket / read timeout parameter to discovery client
The following gateway-site.xml properties were added for better control over CM service discovery timeouts in Knox:
  • gateway.cloudera.manager.service.discovery.connect.timeout.ms
  • gateway.cloudera.manager.service.discovery.connect.read.ms
  • gateway.cloudera.manager.service.discovery.connect.write.ms
CDPD-67816: [Analyze] [Knox] [ST] Multiple tests fail on fips due one of the Knox instance restart fail
The Knox Gateway may not start due to a NullPointerException in the ClouderaManagerClusterConfigurationMonitor class. This could happen when the previously persisted CM cluster config file is empty. This ticket addresses that issue. There is an easy workaround: remove the content of the $KNOX_DATA_DIR/cm_clusters folder by running the 'rm -f /var/lib/knox/gateway/data/cm-clusters/*' command.
CDPD-67600: Knox - Upgrade postgresql to 42.5.5/42.6.1/42.7.2 due to CVE-2024-1597
Upgraded postgresql to 42.5.5/42.6.1/42.7.2 due to CVE-2024-1597.
CDPD-67568: Intermittent HTTP 401 error codes in Oozie tests due to Shiro unable to login: null
Switched back to the org.kohsuke.libpam4j dependency because the one from org.glassfish.main.libpam4j produced unforeseen errors.
CDPD-65490: The Knox topology did not update within 600 seconds
In highly concurrent environments, an issue occurred while Knox compared the generated XML topology with the one that is currently deployed. The fix makes the code that parses the new topology thread-safe.
CDPD-60630: Knox was redirecting YARN Node Manager URLs to HTTP instead of HTTPs
The YARN service definition was modified such that it no longer hard-codes the HTTP scheme in any of its URL rewrite rules, making it applicable to proxying YARN deployed with and without TLS.

Apache patch information

  • KNOX-3002
  • KNOX-3026
  • KNOX-3000
  • KNOX-3022