Cloudera Docs

Fixed Issues in Apache Knox

Review the list of Knox issues that are resolved in Cloudera Runtime 7.3.1, its service packs and cumulative hotfixes.

Cloudera Runtime 7.3.1.400 SP2

CDPD-8148: Knox UI session timeout is not working with SAML authentication
This issue is resolved by the pac4j.cookie.max.age parameter introduced for the pac4j provider, which Knox uses for SAML authentication. This parameter enforces cookie timeout for the cookies created by the pac4j provider.
To set the pac4j.cookie.max.age parameter, go to Cloudera Manager > Knox > Configuration, and add the following value to the Knox Simplified Topology Management - SSO Authentication Provider field: federation.param.pac4j.cookie.max.age={value}
Apache JIRA: KNOX-3077

Cloudera Runtime 7.3.1.300 SP1 CHF 1

CDPD-27801: Knox is missing HSTS header for HTTP 404 responses
7.3.1.300, 7.2.18.1000
Resolved an issue where Knox was missing the HTTP Strict-Transport-Security response header (HSTS) in HTTP 404 responses. The global HSTS header can now be configured to be included in all HTTP responses.
To configure the HSTS header, go to Cloudera Manager > Knox > Configuration, search for the Knox Service Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml property, and set the following parameters to true:
  • gateway.strict.transport.enabled
  • gateway.strict.transport.option: (Optional) Use this parameter to specify a timeout value for the HTTS header. This parameter is applicable only if gateway.strict.transport.enabled is set to true.
Apache JIRA: KNOX-3111
CDPD-73368: Knox token management is not working if Cookie Management is enabled
7.3.1.300
Users can now access the Token Management page from the Knox Gateway UI by using KnoxSSO even if Cookie Management is enabled.
Apache JIRA: KNOX-3060
CDPD-74843: Logs missing in third-party libraries
7.3.1.300
Resolved an issue where third-party libraries had missing logs due to a missing log4j library, which affected the ability to diagnose and troubleshoot issues.
CDPD-78656: Health test for Knox fails if the gateway.client.auth.needed = true is set
7.1.9 CHF7, 7.3.1.300

Resolved an issue where the health test for Knox Gateway failed if the gateway.client.auth.needed parameter was set to true.

For the TLS Mutual Authentication to work, you must exclude the health topology. To do this, go to Cloudera Manager > Knox > Configuration, locate the Knox Service Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml field, and add a new entry with the following parameters:
Name = gateway.client.auth.exclude
Value = health

For more information on excluding the topology, see the Apache Knox Documentation.

Cloudera Runtime 7.3.1.200 SP1

CDPD-77233: Knox Token TTL value of -1 set to never expire
7.3.1.200
Fixed an issue where the Knox Token API raised an UnknownTokenException error if the lifespan value of Knox Token TTL was set to -1.
Apache JIRA: KNOX-3075
CDPD-79963: Knox service might fail due to JARs picked up from the /usr/share/java folder
7.3.1.200
Knox service might fail due to Java Archive (JAR) files picked up from the /usr/share/java folder.
This issue is now fixed.
Apache JIRA: KNOX-3108
CDPD-76104: Unable to update the log level for Knox from Cloudera Manager
7.3.1.200
Users were not able to change the log level for Knox from Cloudera Manager. This impacted debugging in case of errors.
This issue is now fixed.

Cloudera Runtime 7.3.1.100 CHF 1

CDPD-74114: Proxyuser groups are not included in POST and PATCH requests
7.3.1.100
Fixed an issue where group headers were not added to POST and PUT requests.
Apache Jira: KNOX-3062

Cloudera Runtime 7.3.1

CDPD-73275: HTTP 404 responses while Knox is redeploying topologies
7.3.1

While you were redeploying topologies, Knox returned HTTP 404 responses.

Knox no longer returns HTTP 404 responses during topology redeployment, but returns HTTP 503 instead.

CDPD-70313: KNOX did not send Authentication header on FIPS configuration
7.3.1
KNOX neither sent the authentication header nor hadoop.auth cookie that was why the SMM UI sent back the HTTP 401 response and set the "www-authenticate": "Negotiate" header. Because of this, the SMM UI was inaccessible through Knox.
This issue is fixed now.
CDPD-69305: /plugins/policies/importPoliciesFromFile API returns 500 service connectivity error through Knox Proxy
7.3.1
The fix imports large policy files using the Ranger importPoliciesFromFile API through Knox.

Apache patch information

  • KNOX-3073
  • KNOX-3058
  • KNOX-3055
  • KNOX-3054
  • KNOX-3053
  • KNOX-3052
  • KNOX-3050
  • KNOX-3049
  • KNOX-3045
  • KNOX-3040
  • KNOX-3038
  • KNOX-3037
  • KNOX-3036
  • KNOX-3029
  • KNOX-3028
  • KNOX-3026
  • KNOX-3024
  • KNOX-3023
  • KNOX-3022
  • KNOX-3020
  • KNOX-3019
  • KNOX-3018
  • KNOX-3017
  • KNOX-3016
  • KNOX-3012
  • KNOX-3007
  • KNOX-3006
  • KNOX-3005
  • KNOX-3002
  • KNOX-3001
  • KNOX-3000
  • KNOX-2994
  • KNOX-2985
  • KNOX-2983
  • KNOX-2980
  • KNOX-2979
  • KNOX-2978
  • KNOX-2976
  • KNOX-2975
  • KNOX-2974
  • KNOX-2973
  • KNOX-2972
  • KNOX-2971
  • KNOX-2970
  • KNOX-2969
  • KNOX-2968
  • KNOX-2966
  • KNOX-2963
  • KNOX-2961
  • KNOX-2960
  • KNOX-2959
  • KNOX-2958
  • KNOX-2955
  • KNOX-2951
  • KNOX-2949
  • KNOX-2948
  • KNOX-2947
  • KNOX-2946
  • KNOX-2929
  • KNOX-2896
  • KNOX-2881