Known Issues in Knox

Learn about the known issues in Knox, the impact or changes to the functionality, and the workaround.

CDPD-67478: Custom topologies cannot be deleted
You cannot delete custom topologies after they have been created. As a workaround:
  • Edit the custom topology in Cloudera Manager, removing all service declarations and leaving only the providerConfigRef configuration.
  • Refresh the Knox configuration.
Knox Issue with JDK version
jdk-1.8.0_391 is not supported.
Cloudera recommends using Cloudera supported JDKs.
CDPD-61088: When a downgrade is performed from CDP 7.1.9 to CDP 7.1.7 SP2, Knox may fail to start
When you downgrade from CDP 7.1.9 to CDP 7.1.7 SP2, Knox might fail to start with the following error message:
Failed to start gateway: org.apache.knox.gateway.services.ServiceLifecycleException: Keystore was not loaded properly - the provided password may not match the password for the keystore. org.apache.knox.gateway.services.ServiceLifecycleException: Keystore was not loaded properly - the provided password may not match the password for the keystore.
Remove the faulty credential store and restart Knox.
CDPD-60996: When a downgrade is performed from CDP 7.1.9 to CDP 7.1.7 SP2, Knox is unable to connect to Cloudera Manager
Restart the Knox service after the downgrade process completes.
CDPD-28431: Intermittent errors might be encountered when the Impala UI is accessed from multiple Knox nodes
You must use a single Knox node to access the Impala UI.
CDPD-3125: Logging out of Atlas does not manage the external authentication
At this time, Atlas does not communicate a log-out event to the external authentication management, Apache Knox. When you log out of Atlas, you can still open the instance of Atlas from the same web browser without re-authentication.
To prevent additional access to Atlas, close all browser windows and exit the browser.
CDPD-22785: Improvements and issues need to be addressed in the convert-topology Knox CLI command
None
OPSAPS-67480: In CDP 7.1.9, default Ranger policy is added from the cdp-proxy-token topology, so that after a new installation of CDP 7.1.9, the knox-ranger policy includes cdp-proxy-token. However, upgrades do not add cdp-proxy-token to cm_knox policies automatically.
Manually add cdp-proxy-token to the Knox policy using the Ranger Admin Web UI:
  1. Log in to Cloudera Manager > Ranger > Ranger Admin Web UI, as a Ranger administrator.
  2. On Ranger Admin Web UI > Service Manager > Resource > Knox, click cm_knox.
  3. In Knox Policies, open the CDP Proxy UI, API and Token policy.
  4. In Knox Topology*, add cdp-proxy-token.
  5. Click Save.
  6. Restart Ranger.
CDPD-70313: KNOX does not send Authentication header on FIPS configuration
Knox sends neither the Authentication header nor the hadoop.auth cookie. Because of this, the SMM UI returns an HTTP 401 response and sets the www-authenticate: Negotiate header. After this, Knox still does not send the Authentication header. As a result, the SMM UI is inaccessible through Knox.
You can access the SMM UI directly in Cloudera Manager at Clusters > SMM > Streams Messaging Manager Web UI and log in using the Kerberos username and password.