Known Issues in Apache Knox

Learn about the known issues in Knox, the impact or changes to the functionality, and the workaround.

Known Issues identified in Cloudera Runtime 7.3.1.400 SP2

CDPD-84236: Token generated by one Knox host fails with Unknown token error on another Knox host in Data Engineering High Availability clusters
7.3.1.400
In Data Engineering High Availability clusters, a token generated by one Knox host may fail with an Unknown token error when accessed through another Knox host. This issue occurs due to a race condition in the PostgreSQL database, which prevents one of the Knox instances from properly initializing its configured token state service.
Restart Knox on all hosts.

Known Issues identified in Cloudera Runtime 7.3.1.300 SP1 CHF1

OPSAPS-73038: False-positive port conflict error message appears in Cloudera Manager
7.3.1.300, 7.3.1.400
Cloudera Manager may display the false-positive error message "Port conflict detected: 8443 (Gateway Health HTTP Port) is also used by: Knox Gateway" during cluster installation. The warning does not cause actual installation failures.
None.

Known Issues identified in Cloudera Runtime 7.3.1.200 SP1

There are no new known issues identified for Knox in this release.

Known Issues identified in Cloudera Runtime 7.3.1.100 CHF1

There are no new known issues identified for Knox in this release.

Known Issues in Cloudera Runtime 7.3.1

CDPD-76294: Knox service cannot be started in a large Private Cloud Base Cloudera Manager cluster
7.3.1.100, 7.3.1.200, 7.3.1.300
In a large Private Cloud Base Cloudera Manager cluster installed with Cloudera Runtime 7.3.1.0, Knox might fail to start with the following error message:
Wait Until Knox Gateway Can Serve Requests failed on Knox Gateway
Increase the Knox configuration parameter Knox Gateway Initial/Max Heapsize from 1 GiB to 2 GiB or 4 GiB, depending on the cluster size. Then save changes and run Restart Stale Services. After these steps, the Knox service can be started.
CDPD-71751: Creation of alias from the Cloudera Manager UI fails on FIPS
7.1.9, 7.3.1, 7.3.1.100, 7.3.1.200, 7.3.1.300
Users who try to create aliases through the Cloudera Manager UI encounter failures on FIPS.
Create the aliases using the Knox CLI instead:
  1. SSH to the Knox host.
  2. Set the Knox data and configuration directories: export KNOX_GATEWAY_DATA_DIR="/var/lib/knox/gateway/data"; export KNOX_GATEWAY_CONF_DIR="/var/lib/knox/gateway/conf"
  3. Create the alias: /opt/cloudera/parcels/CDH/lib/knox/bin/knoxcli.sh create-alias <ALIAS_NAME> <ALIAS_VALUE>
  4. Verify the addition using /opt/cloudera/parcels/CDH/lib/knox/bin/knoxcli.sh list-alias.

For HA deployments, repeat these steps on every Knox host. (The Save Alias command, by contrast, applies the change to all hosts automatically.)
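
The HA requirement above, as an added example (not Cloudera's or the Knox project's code): a POSIX shell check that runs list-alias on each Knox host and prints the hosts where the alias is still missing. Non-interactive ssh access, the host names given on the command line, and list-alias printing one alias name per line are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm a manually created Knox alias exists on every Knox
# host of an HA deployment. Paths are the ones used in the steps above.
KNOXCLI="/opt/cloudera/parcels/CDH/lib/knox/bin/knoxcli.sh"
KNOX_ENV='export KNOX_GATEWAY_DATA_DIR="/var/lib/knox/gateway/data"; export KNOX_GATEWAY_CONF_DIR="/var/lib/knox/gateway/conf"'

# Assumption: every Knox host accepts non-interactive ssh from this machine.
# REMOTE can be overridden with another "run COMMAND on HOST" tool.
REMOTE="${REMOTE:-ssh}"

# alias_listed NAME
# Reads list-alias output on stdin; succeeds only if NAME appears as a whole
# line. Assumptions: one alias per line; surrounding whitespace and letter
# case are ignored; informational lines simply never match.
alias_listed() {
  sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qixF -- "$1"
}

# hosts_missing_alias NAME HOST...
# Prints each host where NAME is not listed, or where list-alias could not be
# run at all. Returns 1 if at least one host was printed, 0 otherwise.
hosts_missing_alias() {
  name=$1
  shift
  rc=0
  for host in "$@"; do
    # </dev/null keeps ssh from consuming this script's standard input.
    if ! "$REMOTE" "$host" "$KNOX_ENV; $KNOXCLI list-alias" 2>/dev/null </dev/null \
        | alias_listed "$name"; then
      echo "$host"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: sh check-knox-alias.sh <ALIAS_NAME> <knox-host-1> <knox-host-2> ...
if [ "$#" -ge 2 ]; then
  hosts_missing_alias "$@" && echo "alias present on all listed hosts"
fi
```

A host is also reported when ssh or knoxcli.sh itself fails, so an unreachable Knox host is never counted as having the alias.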

CDPD-71305: Concurrent impala shell connection failure
7.1.9 SP1 and its CHFs, 7.3.1, 7.3.1.100, 7.3.1.200, 7.3.1.300
If a user makes a concurrent impala-shell connection through Knox, then the connection fails.
Use only one Knox role.
CDPD-73368: Knox token management is not working if Cookie Management is enabled
7.3.1, 7.3.1.100, 7.3.1.200
7.3.1.300
If Cookie Management is enabled, users are unable to access the Token Management page from the Knox Gateway UI by using KnoxSSO.
None.
Apache JIRA: KNOX-3060
CDPD-68146: Unable to update the log level for Knox from Cloudera Manager
7.1.9, 7.2.17, 7.2.18, 7.3.1, 7.3.1.100
7.3.1.200
Users are not able to change the log level for Knox from Cloudera Manager, which hampers debugging when an issue occurs.
Change the level for the org.apache.knox.gateway logger in the /var/lib/knox/gateway/conf/gateway-log4j2.xml file and restart Knox.
CDPD-60379: During rolling upgrade of Knox service, access fails with 503/500/404/403 error code
7.1.9, 7.2.18, 7.3.1
7.3.1
A user operation performed during a rolling upgrade of Knox might fail with a 503/500/404/403 error code.
Retry the user operation.
CDPD-3125: Logging out of Atlas does not manage the external authentication
7.2.16, 7.2.17, 7.2.18, 7.1.7, 7.1.9, 7.3.1, 7.3.1.100, 7.3.1.200, 7.3.1.300
At this time, Atlas does not communicate a log-out event to the external authentication management, Apache Knox. When you log out of Atlas, you can still open the instance of Atlas from the same web browser without re-authentication.
To prevent additional access to Atlas, close all browser windows and exit the browser.
CDPD-28431: Intermittent errors could be potentially encountered when Impala UI is accessed from multiple Knox nodes
7.1.7, 7.1.9, 7.3.1, 7.3.1.100, 7.3.1.200, 7.3.1.300
You must use a single Knox node to access Impala UI.
CDPD-22785: Improvements and issues need to be addressed in the convert-topology Knox CLI command
7.1.7, 7.1.9, 7.3.1, 7.3.1.100, 7.3.1.200, 7.3.1.300
None.
Knox issue with JDK version
jdk-1.8.0_391 is not supported.
Cloudera recommends using Cloudera supported JDKs.
CDPD-74843: Logs missing in third-party libraries
7.3.1
7.3.1.300
Some third-party libraries have missing logs due to a missing log4j library, which affects the ability to diagnose and troubleshoot issues. Knox is unable to modify the ROOT logger's level due to the missing log4j-slf4j-impl dependency.