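Summary of Knox errors
The Knox UI sometimes fails to open in a Windows browser
Add a mapping for the Knox {{GATE_WAY}} IP to the hosts file,
and the UI opens.
The Knox admin UI renders incompletely after opening
A specific JS file needs to be downloaded; send me a private message and I can help resolve it.
Error when configuring the YARN service in Knox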
2020-03-17 17:07:13,311 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://10.1.236.56:8088/cluster was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.
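The gateway.dispatch.whitelist.services property needs to be changed:
remove YARNUI from its value. If it is not removed, the error is reported.
After the change, the request was made again: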
ERROR knox.gateway (GatewayFilter.java:doFilter(173)) - Gateway processing failed: java.io.IOException: Service connectivity error.
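It turned out the address was written incorrectly.
After correcting the address, it worked.
When Knox redirects to YARN, entering the username and password does not get through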
2020-03-17 18:08:12,147 ERROR knox.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(206)) - Shiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user ou=people,dc=hadoop,dc=apache,dc=org]
https://cwiki.apache.org/confluence/display/KNOX/2017/03/01/Apache+Knox+using+multiple+LDAP+Realms
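The realm configuration turned out to be wrong.
Adding this uid fixes it.
After logging in through KnoxSSO, the session logs out shortly afterwards
Changed the timeout parameter, 30 -> 60; that did not work.
Searched Baidu.
I was left speechless.
Checked gateway.log: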
2020-03-17 14:59:34,277 INFO federation.jwt (AbstractJWTFilter.java:validateToken(295)) - Access token has expired; a new one must be acquired.
param | descriptor | value |
---|---|---|
knox.token.ttl | This indicates the lifespan of the token. Once it expires a new token must be acquired from KnoxToken service. This is in milliseconds. The 36000000 in the topology above gives you 10 hrs | 30000 That is 30 seconds |
knox.token.audiences | This is a comma separated list of audiences to add to the JWT token. This is used to ensure that a token received by a participating application knows that the token was intended for use with that application. It is optional. In the event that an endpoint has expected audiences and they are not present the token must be rejected. In the event where the token has audiences and the endpoint has none expected then the token is accepted. | empty |
knox.token.target.url | This is an optional configuration parameter to indicate the intended endpoint for which the token may be used. The KnoxShell token credential collector can pull this URL from a knoxtokencache file to be used in scripts. This eliminates the need to prompt for or hardcode endpoints in your scripts. | n/a |
Changing the knox.token.ttl parameter fixes it.
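An added example (not from the original post) for confirming that a short token lifetime is what produces the "Access token has expired" log line: it decodes the exp claim of a token and reports the time left. It assumes a compact JWT with a standard exp claim in seconds; the sample token, its claims and the timestamps are constructed, and the signature is a placeholder that is not verified.

```python
import base64
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(part: str) -> bytes:
    # JWT parts drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_sample_token(issued_at: int, ttl_ms: int) -> str:
    """Build a constructed sample token whose exp reflects a TTL given in ms."""
    header = {"alg": "RS256"}
    claims = {"sub": "admin", "iss": "KNOXSSO", "exp": issued_at + ttl_ms // 1000}
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    return ".".join(parts + ["placeholder-signature"])

def read_claims(token: str) -> dict:
    """Decode the claims for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def seconds_until_expiry(token: str, now: int) -> int:
    claims = read_claims(token)
    if "exp" not in claims:
        raise ValueError("token carries no exp claim")
    return int(claims["exp"]) - now

def diagnose(token: str, now: int):
    """Return ("valid" | "expired", seconds left); expired once now >= exp."""
    left = seconds_until_expiry(token, now)
    return ("expired" if left <= 0 else "valid", left)

if __name__ == "__main__":
    issued = 1584428344  # constructed timestamp
    short = make_sample_token(issued, 30000)      # the 30-second value from the table
    long_ = make_sample_token(issued, 36000000)   # the 10-hour value from the table
    print(diagnose(short, issued + 31), diagnose(long_, issued + 31))
```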
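After logging in with the username and password, the login prompt keeps coming back (the 52 cluster)
SSL error when a newer Knox (1.0.x) redirects to the HDFS and HBase UIs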
2020-04-13 11:53:03,401 WARN knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception dispatching request: https://host-10-1-236-145:8443/gateway/ocdp/hdfs?user.name=admin javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Still being worked on…
Error after entering admin/admin-password and clicking Sign in
Ambari 2.6 has no quick links for Knox,
so the URL of the Knox admin UI has to be entered manually, as follows:
https://10.1.236.84:8443/gateway/knoxsso/knoxauth/login.html
Entering admin/admin-password and clicking Sign in produces an error.
gateway.log shows the following error:
ERROR service.knoxsso (WebSSOResource.java:getAuthenticationToken(172)) - The original URL: undefined for redirecting back after authentication is not valid according to the configured whitelist: . See documentation for KnoxSSO Whitelisting.
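Ambari 2.6 has no quick-link redirect, so no cookie is carried in; still being worked on.
JS fails to load on the HDFS page reached through Knox
In /usr/hdp/2.6.0.3-8/knox/data/services/hdfsui/2.7.0/rewrite.xml
add the following configuration,
then delete the cluster.topo file in /usr/hdp/2.6.0.3-8/knox/data/deployments/
and restart Knox for the cluster: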
<rule dir="OUT" name="HDFSUI/hdfs/outbound/jquery-1.10.2.min.js" pattern="/static/jquery-1.10.2.min.js">
<rewrite template="{$frontend[url]}/hdfs/static/jquery-1.10.2.min.js"/>
</rule>
<rule dir="OUT" name="HDFSUI/hdfs/outbound/jquery.dataTables.min.js" pattern="/static/jquery.dataTables.min.js">
<rewrite template="{$frontend[url]}/hdfs/static/jquery.dataTables.min.js"/>
</rule>
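400 error on the nginx -> Knox -> Ranger redirect
Proxying Knox through nginx fails, but going through Knox directly works.
Solution
In /usr/hdp/2.6.0.3-8/knox/data/services/rangerui/2.7.0/rewrite.xml
add the following configuration,
then delete the cluster.topo file in /usr/hdp/2.6.0.3-8/knox/data/deployments/
and restart Knox for the cluster: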
<match pattern="*://*:*/login.jsp"/>
With Knox 0.12, components cannot be started or stopped from Ambari
The front end reports an error.
gateway.log shows:
2020-04-13 15:54:15,600 WARN hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(146)) - Connection exception dispatching request: http://10.1.236.84:8080/api/v1/stacks/HDP/versions/2.6/recommendations java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: "d{"
F12
message: "Invalid Request: Malformed Request Body. An exception occurred parsing the request body: Unexpected character ('%' (code 37)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')↵ at [Source: java.io.StringReader@699524d0; line: 1, column: 3]"
Solution
In ocdp.xml,
add the following configuration:
<service>
<role>AMBARI</role>
<url>http://10.1.236.84:8080</url>
</service>
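With this configuration added, Ambari operations on components work, including changing configuration parameters and starting and stopping components.
Error when accessing component UIs through Knox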
2020-04-13 16:21:03,961 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to https://10.1.236.84:8443/gateway/ocdp/hdfs was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.
Change the following parameter in gateway-site.xml:
gateway.dispatch.whitelist=DEFAULT
The backend logs errors continuously when Ambari is accessed through Knox
2020-04-13 17:07:41,990 ERROR hadoop.gateway (JsonFilterReader.java:filterStreamValue(531)) - Failed to filter value http://ocdp_host-10-1-236-84/api/v1/clusters/ocdp/requests/377, rule AMBARI/ambari/href/outbound: java.lang.NullPointerException
2020-04-13 17:07:41,990 ERROR hadoop.gateway (UrlRewriteProcessor.java:rewrite(169)) - Failed to rewrite URL: http://ocdp_host-10-1-236-84/api/v1/clusters/ocdp/requests/378, direction: OUT via rule: AMBARI/ambari/href/outbound, status: FAILURE
Solution
Remove the following configuration from the file below:
/usr/hdp/2.6.0.3-8/knox/data/services/ambari/2.2.0/rewrite.xml
<match pattern="*://*:*/api/{**}?{**}"/>
Error on port 8042 when opening other nodes' logs from the YARN UI through Knox
2020-03-17 17:07:13,311 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://10.1.236.56:8042/cluster was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.
gateway-site.xml
Change the parameter:
gateway.dispatch.whitelist.services=DEFAULT
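An added example (not from the original post) for the three dispatch-whitelist errors above: it pulls the rejected targets out of gateway.log and checks them against candidate gateway.dispatch.whitelist values, so a pattern can be scoped to the cluster's own hosts before the configuration is changed. The sample log is constructed in the page's log format, the NARROW, BROAD and OUTSIDE values are hypothetical, and whole-URL matching of semicolon-separated regular expressions is an assumption about how the value is evaluated.

```python
import re

# Constructed sample in the format of the gateway.log errors quoted on this page.
SAMPLE_LOG = """\
2020-03-17 17:07:13,311 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://10.1.236.56:8088/cluster was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.
2020-03-17 17:07:14,020 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://10.1.236.56:8042/cluster was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.
2020-03-17 17:07:15,102 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://10.1.236.56:8088/cluster was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.
"""

DISALLOWED = re.compile(
    r"The dispatch to (\S+) was disallowed because it fails "
    r"the dispatch whitelist validation"
)

def disallowed_targets(log_text):
    """Return the distinct dispatch URLs that the log reports as rejected."""
    seen = []
    for match in DISALLOWED.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen

def compile_whitelist(value):
    """Split a semicolon-delimited whitelist value into compiled regexes."""
    return [re.compile(p.strip()) for p in value.split(";") if p.strip()]

def is_allowed(url, patterns):
    # Assumption: a URL passes when at least one pattern matches the whole URL.
    return any(p.fullmatch(url) for p in patterns)

def review(log_text, whitelist_value, must_reject=()):
    """Report what a candidate whitelist admits, leaves blocked, and over-admits."""
    patterns = compile_whitelist(whitelist_value)
    targets = disallowed_targets(log_text)
    return {
        "admitted": [u for u in targets if is_allowed(u, patterns)],
        "still_blocked": [u for u in targets if not is_allowed(u, patterns)],
        "too_broad_for": [u for u in must_reject if is_allowed(u, patterns)],
    }

# Hypothetical candidates; host and ports are the ones in the sample log.
NARROW = r"^https?://10\.1\.236\.56:(8088|8042)/.*$"
BROAD = r"^https?://.*$"
# Constructed URL outside the cluster that the gateway should not dispatch to.
OUTSIDE = ["http://192.0.2.10:8088/cluster"]

if __name__ == "__main__":
    for name, value in (("narrow", NARROW), ("broad", BROAD)):
        print(name, review(SAMPLE_LOG, value, OUTSIDE))
```

A candidate is ready to deploy when `still_blocked` and `too_broad_for` are both empty.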
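To be continued... If you have questions, feel free to send a private message or leave a comment so we can discuss and learn together.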