Review the list of Knox issues that are resolved in Cloudera Runtime 7.3.1, its service packs and
cumulative hotfixes.
Cloudera Runtime 7.3.1.400 SP2
- CDPD-8148: Knox UI session timeout is not working with SAML authentication
- This issue is resolved by the pac4j.cookie.max.age parameter introduced for the pac4j provider, which Knox uses for SAML authentication. This parameter enforces cookie timeout for the cookies created by the pac4j provider.
- To set the pac4j.cookie.max.age parameter, go to , and add the following value to the Knox Simplified Topology Management - SSO Authentication Provider field:
federation.param.pac4j.cookie.max.age={value}
- Apache JIRA: KNOX-3077
Cloudera Runtime 7.3.1.300 SP1 CHF 1
- CDPD-27801: Knox is missing HSTS header for HTTP 404 responses
- 7.3.1.300, 7.2.18.1000
- Resolved an issue where Knox was missing the HTTP Strict-Transport-Security response header (HSTS) in HTTP 404 responses. The global HSTS header can now be configured to be included in all HTTP responses.
- To configure the HSTS header, go to , search for the Knox Service Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml property, and set the following parameters to true:
- gateway.strict.transport.enabled
- gateway.strict.transport.option: (Optional) Use this parameter to specify a timeout value for the HSTS header. This parameter is applicable only if gateway.strict.transport.enabled is set to true.
- Apache JIRA: KNOX-3111
- CDPD-73368: Knox token management is not working if Cookie Management is enabled
- 7.3.1.300
- Users can now access the Token Management page from the Knox Gateway UI by using KnoxSSO even if Cookie Management is enabled.
- Apache JIRA: KNOX-3060
- CDPD-74843: Logs missing in third-party libraries
- 7.3.1.300
- Resolved an issue where third-party libraries had missing logs due to a missing log4j library, which affected the ability to diagnose and troubleshoot issues.
- CDPD-78656: Health test for Knox fails if the gateway.client.auth.needed = true is set
- 7.1.9 CHF7, 7.3.1.300
- Resolved an issue where the health test for Knox Gateway failed if the gateway.client.auth.needed parameter was set to true. For the TLS Mutual Authentication to work, you must exclude the health topology. To do this, go to , locate the Knox Service Advanced Configuration Snippet (Safety Valve) for conf/gateway-site.xml field, and add a new entry with the following parameters:
Name = gateway.client.auth.exclude
Value = health
For more information on excluding the topology, see the Apache Knox Documentation.
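The following check is an added example, not part of the Cloudera documentation or Knox code: it audits a rendered gateway-site.xml for the HSTS parameters (CDPD-27801) and the mutual-TLS health exclusion (CDPD-78656) described above. The sample file content, the max-age value, the function names and the treatment of gateway.client.auth.exclude as a comma-separated list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a rendered gateway-site.xml (Hadoop-style property file).
SAMPLE_GATEWAY_SITE = """<configuration>
  <property><name>gateway.strict.transport.enabled</name><value>true</value></property>
  <property><name>gateway.strict.transport.option</name><value>max-age=31536000</value></property>
  <property><name>gateway.client.auth.needed</name><value>true</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} from a trusted, local <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_gateway_site(xml_text):
    """Return findings for the settings described in these release notes."""
    props = load_properties(xml_text)
    findings = []

    hsts_on = props.get("gateway.strict.transport.enabled", "").lower() == "true"
    if not hsts_on:
        findings.append("gateway.strict.transport.enabled is not true: the global "
                        "HSTS header is not added to all responses (such as HTTP 404)")
    if "gateway.strict.transport.option" in props and not hsts_on:
        findings.append("gateway.strict.transport.option is set but only applies "
                        "when gateway.strict.transport.enabled is true")

    mtls_on = props.get("gateway.client.auth.needed", "").lower() == "true"
    # Assumption: the exclude value is a comma-separated list of topology names.
    raw = props.get("gateway.client.auth.exclude", "")
    excluded = {t.strip() for t in raw.split(",") if t.strip()}
    if mtls_on and "health" not in excluded:
        findings.append("gateway.client.auth.needed is true but the health topology "
                        "is not listed in gateway.client.auth.exclude")
    return findings


if __name__ == "__main__":
    for finding in audit_gateway_site(SAMPLE_GATEWAY_SITE):
        print("FINDING:", finding)
```
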
Cloudera Runtime 7.3.1.200 SP1
- CDPD-77233: Knox Token TTL value of -1 set to never expire
- 7.3.1.200
- Fixed an issue where the Knox Token API raised an UnknownTokenException error if the lifespan value of Knox Token TTL was set to -1.
- Apache JIRA: KNOX-3075
- CDPD-79963: Knox service might fail due to JARs picked up from the /usr/share/java folder
- 7.3.1.200
- Knox service might fail due to Java Archive (JAR) files picked up from the /usr/share/java folder.
- This issue is now fixed.
- Apache JIRA: KNOX-3108
- CDPD-76104: Unable to update the log level for Knox from Cloudera Manager
- 7.3.1.200
- Users were not able to change the log level for Knox from Cloudera Manager. This impacted debugging in case of errors.
- This issue is now fixed.
Cloudera Runtime 7.3.1.100 CHF 1
- CDPD-74114: Proxyuser groups are not included in POST and PATCH requests
- 7.3.1.100
- Fixed an issue where group headers were not added to POST and PUT requests.
- Apache JIRA: KNOX-3062
Cloudera Runtime 7.3.1
- CDPD-73275: HTTP 404 responses while Knox is redeploying topologies
- 7.3.1
- While you were redeploying topologies, Knox returned HTTP 404 responses. Knox no longer returns HTTP 404 responses during topology redeployment, but returns HTTP 503 instead.
- CDPD-70313: KNOX did not send Authentication header on FIPS configuration
- 7.3.1
- KNOX sent neither the authentication header nor the hadoop.auth cookie, so the SMM UI sent back the HTTP 401 response and set the "www-authenticate": "Negotiate" header. Because of this, the SMM UI was inaccessible through Knox.
- This issue is fixed now.
- CDPD-69305: /plugins/policies/importPoliciesFromFile API returns 500 service connectivity error through Knox Proxy
- 7.3.1
- With this fix, large policy files can be imported using the Ranger importPoliciesFromFile API through Knox.
Apache patch information
- KNOX-3073
- KNOX-3058
- KNOX-3055
- KNOX-3054
- KNOX-3053
- KNOX-3052
- KNOX-3050
- KNOX-3049
- KNOX-3045
- KNOX-3040
- KNOX-3038
- KNOX-3037
- KNOX-3036
- KNOX-3029
- KNOX-3028
- KNOX-3026
- KNOX-3024
- KNOX-3023
- KNOX-3022
- KNOX-3020
- KNOX-3019
- KNOX-3018
- KNOX-3017
- KNOX-3016
- KNOX-3012
- KNOX-3007
- KNOX-3006
- KNOX-3005
- KNOX-3002
- KNOX-3001
- KNOX-3000
- KNOX-2994
- KNOX-2985
- KNOX-2983
- KNOX-2980
- KNOX-2979
- KNOX-2978
- KNOX-2976
- KNOX-2975
- KNOX-2974
- KNOX-2973
- KNOX-2972
- KNOX-2971
- KNOX-2970
- KNOX-2969
- KNOX-2968
- KNOX-2966
- KNOX-2963
- KNOX-2961
- KNOX-2960
- KNOX-2959
- KNOX-2958
- KNOX-2955
- KNOX-2951
- KNOX-2949
- KNOX-2948
- KNOX-2947
- KNOX-2946
- KNOX-2929
- KNOX-2896
- KNOX-2881