Cloudera Docs

Known Issues in Apache Knox

Learn about the known issues in Knox, the impact or changes to the functionality, and the workaround.

CDPD-61088: When downgrade is performed from CDP 7.1.9 to CDP 7.1.7 SP2, Knox may fail to start.
Failed to start gateway: org.apache.knox.gateway.services.ServiceLifecycleException: Keystore was not loaded properly - the provided password may not match the password for the keystore. org.apache.knox.gateway.services.ServiceLifecycleException: Keystore was not loaded properly - the provided password may not match the password for the keystore.
Workaround: Remove the faulty credential store and restart Knox.
CDPD-60996: When downgrade is performed from CDP 7.1.9 to CDP 7.1.7 SP2, Knox is unable to connect to Cloudera Manager.
Restart Knox service after downgrade.
CDPD-28431: Intermittent errors could be potentially encountered when Impala UI is accessed from multiple Knox nodes.
You must use a single Knox node to access Impala UI.
CDPD-3125: Logging out of Atlas does not manage the external authentication
At this time, Atlas does not communicate a log-out event with the external authentication management, Apache Knox. When you log out of Atlas, you can still open the instance of Atlas from the same web browser without re-authentication.
To prevent additional access to Atlas, close all browser windows and exit the browser.
OPSAPS-58179: HIVE endpoint url is updated on only one knox host topolgies. While on other knox host, the Cloudera Manager configuraiton monitoring change is not identified and topologies are not updated with the Hive URL.
None
CDPD-22785: Improvements and issues needs to be addressed in convert-topology knox cli command
None
CDPD-43069: For HA HDFS deployments, WebHDFS failover isn’t configured in the Knox topology, so requests directed to stand-by HDFS nodes will fail instead of failing-over to an active node.
Add the fail-over configuration for WebHDFS to the HaProvider in the affected Knox topology. <param> <name>WEBHDFS</name> <value>enabled=true;maxFailoverAttempts=3;failoverSleep=1000</value> </param>
OPSAPS-67480: In 7.1.9, default Ranger policy is added from the cdp-proxy-token topology, so that after a new installation of CDP-7.1.9, the knox-ranger policy includes cdp-proxy-token. However, upgrades do not add cdp-proxy-token to cm_knox policies automatically.
Manually add cdp-proxy-token to the knox policy, using Ranger Admin Web UI.
  1. Log in to Cloudera Manager > Ranger > Ranger Admin Web UI, as a Ranger administrator.
  2. On Ranger Admin Web UI > Service Manager > Resource > Knox, click cm_knox.
  3. In Knox Policies, open the CDP Proxy UI, API and Token policy.
  4. In Knox Topology*, add cdp-proxy-token.
  5. Click Save.
  6. Restart Ranger.