Known Issues in Apache Knox

Learn about the known issues in Knox, the impact or changes to the functionality, and the workaround.

Known Issues identified in Cloudera Runtime 7.3.1.400 SP2

CDPD-84236: Token generated by one Knox host fails with Unknown token error on another Knox host in Data Engineering High Availability clusters
7.3.1.400
In Data Engineering High Availability clusters, a token generated by one Knox host may fail with an Unknown token error when accessed through another Knox host. This issue occurs due to a race condition in the PostgreSQL database, which prevents one of the Knox instances from properly initializing its configured token state service.
Restart Knox on all hosts.

Known Issues identified in Cloudera Runtime 7.3.1.300 SP1 CHF1

OPSAPS-73038: False-positive port conflict error message appears in Cloudera Manager
7.3.1.300, 7.3.1.400
Cloudera Manager may display a false-positive error message, "Port conflict detected: 8443 (Gateway Health HTTP Port) is also used by: Knox Gateway", during cluster installation. The warning does not cause actual installation failures.
None.

Known Issues identified in Cloudera Runtime 7.3.1.200 SP1

There are no new known issues identified for Knox in this release.

Known Issues identified in Cloudera Runtime 7.3.1.100 CHF1

There are no new known issues identified for Knox in this release.

Known Issues in Cloudera Runtime 7.3.1

CDPD-71305: Concurrent impala shell connection failure
7.1.9 SP1 and its CHFs, 7.3.1, 7.3.1.100, 7.3.1.200, 7.3.1.300
If a user makes a concurrent impala-shell connection through Knox, then the connection fails.
Use only one Knox role.
CDPD-73368: Knox token management is not working if Cookie Management is enabled
7.3.1, 7.3.1.100, 7.3.1.200
7.3.1.300
If Cookie Management is enabled, users are unable to access the Token Management page from the Knox Gateway UI by using KnoxSSO.
None.
Apache JIRA: KNOX-3060
CDPD-68146: Unable to update the log level for Knox from Cloudera Manager
7.1.9, 7.2.17, 7.2.18, 7.3.1, 7.3.1.100
7.3.1.200
Users are not able to change the log level for Knox from Cloudera Manager, which hampers debugging when an issue occurs.
Change the level for the org.apache.knox.gateway logger in the /var/lib/knox/gateway/conf/gateway-log4j2.xml file and restart Knox.
CDPD-64652: During CDH + OS rolling upgrade, Knox admin API access fails with 403 ACL authorization failures
7.2.18, 7.3.1, 7.3.1.100, 7.3.1.200, 7.3.1.300
During OS upgrades, attempts to access Knox on the host being upgraded may produce occasional 403 HTTP responses.
Since the cause is the unavailability of underlying OS service(s), wait and retry the failed request(s).
CDPD-60379: During rolling upgrade of Knox service, access fails with 503/500/404/403 error code
7.1.9, 7.2.18, 7.3.1
7.3.1
A user operation performed during the rolling upgrade of Knox might fail with a 503/500/404/403 error code.
Retry the user operation.
CDPD-60376: Cloud load balancer takes 20-30 seconds to fail over to the next available Knox host
7.2.17, 7.2.18, 7.3.1, 7.3.1.100, 7.3.1.200, 7.3.1.300
If Knox is in HA and one of the Knox servers is down, then accessing a service through the Control Plane endpoint URL (that is, through the cloud load balancer) takes approximately 30 seconds to fail over the request to an available Knox instance.
Retry the request after 30 seconds.
CDPD-3125: Logging out of Atlas does not manage the external authentication
7.2.16, 7.2.17, 7.2.18, 7.1.7, 7.1.9, 7.3.1, 7.3.1.100, 7.3.1.200, 7.3.1.300
At this time, Atlas does not communicate a log-out event to the external authentication management, Apache Knox. When you log out of Atlas, you can still open the instance of Atlas from the same web browser without re-authentication.
To prevent additional access to Atlas, close all browser windows and exit the browser.
CDPD-74843: Logs missing in third-party libraries
7.3.1
7.3.1.300
Some third-party libraries have missing logs due to a missing log4j library, which affects the ability to diagnose and troubleshoot issues. Knox is unable to modify the ROOT logger's level due to the missing log4j-slf4j-impl dependency.