Fixed Issues in Apache Knox

Review the list of Knox issues that are resolved in Cloudera Runtime 7.2.10.

CDPD-25489: Token State Service Passcode Protection.
Knox stores the generated passcode tokens securely in the configured relational database. This issue is now resolved.
CDPD-25255: Token generation lifespan invalidates configured token TTL.
Generated tokens will have their TTLs set to the minimum of:
  • The submitted lifespan (selected on the UI)
  • The configured token TTL in the homepage topology.
This issue is now resolved.
CDPD-26452: Able to make a connection to Hive with an invalid Knox passcode/JWT token after one successful connection.
Knox now caches the entire serialized JWT upon successful signature verification, so that it does not reverify the signature when the supplied JWT matches the cached one. This issue is now resolved.
CDPD-25489: Implement JDBC TokenStateService.
From now on, Knox is able to store generated tokens in a relational database (only PostgreSQL is supported for now). This issue is now resolved.
CDPD-25826: Improve JDBC token management.
From now on, Knox is able to store generated tokens in a relational database (only PostgreSQL is supported for now). This issue is now resolved.
CDPD-22677: Fetching cloud token failed with 400.
This fix ensures that IDBroker (Azure) retries when the Azure backend returns a 400 failure. This issue is now resolved.
CDPD-23016: JSESSIONID cookie missing when Zeppelin UI proxied via Knox.
This fix ensures that the Set-Cookie header attribute order is preserved. This issue is now resolved.
CDPD-5541: Load balancing mode for HS2 and other services.
This feature enables services that use the Knox HA provider to load balance between backend services, with the ability to turn on sticky sessions. This issue is now resolved.
CDPD-19999: Incorrect URLs are produced for failover when you access the NiFi UI in data hub.
This issue is now resolved.
CDPD-20187: Knox HA Dispatch is unable to mark a host as failed without retry.
The services can be configured to failover without a retry. This issue is now resolved.
CDPD-20188: When accessing the Cloudera Manager UI through a Knox proxy, the Add Service wizard fails at the Assign Roles step with the message "A server error has occurred"; affects CDH 7.1.5, all Cloudera Manager versions.
This issue is now resolved.
CDPD-20684: Knox load balancing for the Ranger component is not supported as expected.
Knox load balancing for the Ranger component now supports the Knox HA Provider parameters enableStickySession and enableLoadBalancing. This issue is now resolved.
CDPD-19110: Prevent Knox from passing the hadoop.auth cookie to the browser.
This issue is now resolved.
OPSAPS-57448: IDBroker does not export correct RDC configuration in HA.
The RDC configuration is now correctly exported when IDBroker is in HA mode. This issue is now resolved.

Apache patch information

Apache patches in this release. These patches do not have an associated Cloudera bug ID.

  • KNOX-2511
  • KNOX-2406 Use dependency bom for dependency management
  • KNOX-2392 Simple file-based TokenStateService implementation
  • KNOX-2389 AliasBasedTokenStateService stops processing persisted journal entries if one is malformed
  • KNOX-2377 Address potential loss of token state
  • KNOX-2384 Token Service should return expiration from token when renewal disabled
  • KNOX-2381 Tracking UI of flink session is broken in YARNUIV2
  • KNOX-2378 AliasBasedTokenStateService log message is misleading
  • KNOX-2376 Ensure all HBASEJARS IN rules are for /hbase/jars and not /hbase/maven
  • KNOX-2368 CM Cluster Configuration Monitor Does Not Support Rolling Restart Events
  • KNOX-2351 Catching any errors while monitoring CM configuration changes
  • KNOX-2367 Fix rewrite rules for HDFS UI fonts and bootstrap.min.css.map
  • KNOX-2348 Fix knoxcli when kerberos auth is used
  • KNOX-2357 Descriptor handler should not default discovery type to Ambari unless there is discovery configuration
  • ODX-107 KNOX-2354 An HBASEJARS service which can proxy HBase jars hosted by t…
  • KNOX-1998 WebHDFS rewrite.xml does not have rewrite rule for Location field in json
  • KNOX-2352 Knox Token State Eviction Should Be Based on Expiration and Extended Default Grace Period
  • KNOX-2355 Update Atlas rewrite.xml for new UI changes
  • KNOX-2304 CM discovery cluster config monitor needs to be aware of …
  • KNOX-2316 Knox Token State Eviction Must Consider Maximum Token Lifetime
  • KNOX-2314 NPE from topology Service equals implementation when no URLs
  • KNOX-2301 and KNOX-2302 Trigger discovery for descriptors at gateway start time
  • KNOX-2287 KnoxCLI convert topology to provider and descriptor
  • KNOX-2298 ClouderaManager cluster config monitor should stop monitoring unreferenced clusters
  • KNOX-2266 Tokens Should Include a Unique Identifier
  • KNOX-2212 Token permissiveness validation
  • KNOX-2230 Token State Service should throw UnknownTokenException instead of IllegalArgumentException
  • KNOX-2237 CM service discovery should default the http path of Hive URLs when the associated property is not set
  • KNOX-2233 DefaultKeystoreService getCredentialForCluster uses cache without synchronization
  • KNOX-2214 Reaping of expired Knox tokens
  • KNOX-2228 JWTFilter should handle unknown token exception from token state service
  • KNOX-2210 Gateway-level configuration for server-managed Knox token state
  • KNOX-2215 Token service should return a 403 response when the renewer is not white-listed
  • KNOX-2209 Improve logging for Knox token handling
  • KNOX-2153 CM discovery – Monitor Cloudera Manager
  • KNOX-2156 CM discovery – KUDUUI discovery
  • KNOX-2152 Disable Ambari cluster configuration monitoring by default
  • KNOX-2151 HIVE_ON_TEZ HS2 Discovery doesn't work
  • KNOX-1970 CM discovery – Add Impala HS2 to auto discovery
  • KNOX-1932 CM discovery – WEBHCAT URLs not discovered
  • KNOX-1921 CM discovery – Hue Load balancer HTTP/HTTPS scheme
  • KNOX-1935 CM discovery – Hue should not have both LB and non LB
  • KNOX-1962 CM discovery – Avoid reading krb5 login config multiple t…
  • KNOX-2144 Alias API KnoxShell support should provide response types better than raw JSON
  • KNOX-1410 Knox Shell support for remote Alias management
  • KNOX-2127 ZooKeeperAliasService mishandles mixed-case alias keys properly
  • KNOX-2105 KnoxShell support for token renewal and revocation
  • KNOX-2071 Configurable maximum token lifetime for TokenStateService
  • KNOX-2066 Composite Authz Provider
  • KNOX-2067 KnoxToken service support for renewal and revocation
  • KNOX-843 - Add support for load balancing multiple clients across backend service instances
  • KNOX-2456 SHS links sometimes broken on FINISHED jobs page (#375)
  • KNOX-2533 - Qualifying service params for discovery improvements (#401)
  • KNOX-2530 - Support qualifying service params for CM discovery control (#398)
  • KNOX-2406 - Use dependency bom for dependency management (#363)
  • KNOX-2392 - Simple file-based TokenStateService implementation (#350)
  • KNOX-2389 - AliasBasedTokenStateService stops processing persisted journal entries if one is malformed (#346)
  • KNOX-2377 - Address potential loss of token state (#345)
  • KNOX-2384 - Token Service should return expiration from token when renewal disabled (#342)
  • KNOX-2381 Tracking UI of flink session is broken in YARNUIV2 (#340)
  • KNOX-2378 - AliasBasedTokenStateService log message is misleading (#339)
  • KNOX-2376 Ensure all HBASEJARS IN rules are for /hbase/jars and not /hbase/maven (#338)
  • KNOX-2368 - CM Cluster Configuration Monitor Does Not Support Rolling Restart Events
  • KNOX-2351 - Catching any errors while monitoring CM configuration changes (#324)
  • KNOX-2367 - Fix rewrite rules for HDFS UI fonts and bootstrap.min.css.map (#332)
  • KNOX-2348 - Fix knoxcli when kerberos auth is used (#331)
  • KNOX-2357 - Descriptor handler should not default discovery type to Ambari unless there is discovery configuration (#326)
  • KNOX-1998 - WebHDFS rewrite.xml does not have rewrite rule for Location field in json (#138)
  • KNOX-2352 - Knox Token State Eviction Should Be Based on Expiration and Extended Default Grace Period (#321)
  • KNOX-2355 Update Atlas rewrite.xml for new UI changes
  • KNOX-2304 - CM discovery cluster config monitor needs to be aware of … (#307)
  • KNOX-2316 - Knox Token State Eviction Must Consider Maximum Token Lifetime (#306)
  • KNOX-2314 - NPE from topology Service equals implementation when no URLs (#303)
  • KNOX-2301 and KNOX-2302 (#297)
  • KNOX-2287 KnoxCLI convert topology to provider and descriptor
  • KNOX-2298 - ClouderaManager cluster config monitor should stop monitoring unreferenced clusters (#291)
  • KNOX-2266 - Tokens Should Include a Unique Identifier (#284)
  • KNOX-2212 - Token permissiveness validation
  • KNOX-2230 - Token State Service should throw UnknownTokenException instead of IllegalArgumentException (#268)
  • KNOX-2237 - CM service discovery should default the http path of Hive URLs when the associated property is not set (#266)
  • KNOX-2233 - DefaultKeystoreService getCredentialForCluster uses cache without synchronization (#264)
  • KNOX-2214 - Reaping of expired Knox tokens
  • KNOX-2228 - JWTFilter should handle unknown token exception from token state service (#260)
  • KNOX-2210 - Gateway-level configuration for server-managed Knox token state (#259)
  • KNOX-2215 - Token service should return a 403 response when the renewer is not white-listed (#251)
  • KNOX-2209 - Improve logging for Knox token handling (#250)
  • KNOX-2153 - CM discovery - Monitor Cloudera Manager (#239)
  • KNOX-2156 - CM discovery - KUDUUI discovery (#228)
  • KNOX-2152 - Disable Ambari cluster configuration monitoring by default (#225)
  • KNOX-2151 - HIVE_ON_TEZ HS2 Discovery doesn't work (#224)
  • KNOX-1970 - CM discovery - Add Impala HS2 to auto discovery (#223)
  • KNOX-1932 - CM discovery - WEBHCAT URLs not discovered (#222)
  • KNOX-1921 - CM discovery - Hue Load balancer HTTP/HTTPS scheme (#221)
  • KNOX-1935 - CM discovery - Hue should not have both LB and non LB (#220)
  • KNOX-1962 - CM discovery - Avoid reading krb5 login config multiple t… (#215)
  • KNOX-2144 - Alias API KnoxShell support should provide response types better than raw JSON (#211)
  • KNOX-1410 - Knox Shell support for remote Alias management (#210)
  • KNOX-2127 - ZooKeeperAliasService mishandles mixed-case alias keys properly (#202)
  • KNOX-2105 - KnoxShell support for token renewal and revocation (#180)
  • KNOX-2071 - Configurable maximum token lifetime for TokenStateService (#178)
  • KNOX-2066 - Composite Authz Provider
  • KNOX-2067 - KnoxToken service support for renewal and revocation
  • KNOX-2575
  • KNOX-2571
  • KNOX-2553
  • KNOX-2555
  • KNOX-2557
  • KNOX-2545
  • KNOX-2538
  • KNOX-2554
  • KNOX-2581