大家好,又见面了,我是你们的朋友全栈君。
knox错误总结
windows browser 有时候打不开Knox UI
hosts文件添加 Knox 的{ {GATE_WAY}}ip的映射 就可以打开界面了
打开Knox admin_UI后显示不完全
需要 下载特定的js,私信我即可解决
Knox 配置yarn service报错
2020-03-17 17:07:13,311 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://10.1.236.56:8088/cluster was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.需要修改一下gateway.dispatch.whitelist.services属性,内容里删掉YARNUI,如果不删除,则会报错:
修改完重新调用 ERROR knox.gateway (GatewayFilter.java:doFilter(173)) – Gateway processing failed: java.io.IOException: Service connectivity error.
发现是地址写错了 地址修改后没问题
Knox跳yarn时账号密码输入后跳转不进去
2020-03-17 18:08:12,147 ERROR knox.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(206)) - Shiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user ou=people,dc=hadoop,dc=apache,dc=org]https://cwiki.apache.org/confluence/display/KNOX/2017/03/01/Apache Knox using multiple LDAP Realms 发现realm配置错误
要把这个Uid加上就可以了
KnoxSSO登陆后,一会就退出
修改timeout参数,30–>60,不行 百度
整个人沉默了 看gateway.log日志
代码语言:javascript复制2020-03-17 14:59:34,277 INFO federation.jwt (AbstractJWTFilter.java:validateToken(295)) - Access token has expired; a new one must be acquired.看文档 https://cwiki.apache.org/confluence/display/KNOX/KnoxToken Sessions with KnoxShell in Apache Knox 0.12.0
param | descriptor | value |
|---|---|---|
knox.token.ttl | This indicates the lifespan of the token. Once it expires a new token must be acquired from KnoxToken service. This is in milliseconds. The 36000000 in the topology above gives you 10 hrs | 30000 That is 30 seconds |
knox.token.audiences | This is a comma separated list of audiences to add to the JWT token. This is used to ensure that a token received by a participating application knows that the token was intended for use with that application. It is optional. In the event that an endpoint has expected audiences and they are not present the token must be rejected. In the event where the token has audiences and the endpoint has none expected then the token is accepted. | empty |
knox.token.target.url | This is an optional configuration parameter to indicate the intended endpoint for which the token may be used. The KnoxShell token credential collector can pull this URL from a knoxtokencache file to be used in scripts. This eliminates the need to prompt for or hardcode endpoints in your scripts. | n/a |
knox.token.ttl参数修改下就好了
登陆账号密码后继续让登陆52集群
高版本1.0.x的knox 跳转Hdfs,HbaseUI ssl报错
代码语言:javascript复制2020-04-13 11:53:03,401 WARN knox.gateway (DefaultDispatch.java:executeOutboundRequest(147)) - Connection exception dispatching request: https://host-10-1-236-145:8443/gateway/ocdp/hdfs
?user.name=admin javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: un
able to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target正在解决中…
输入admin/admin-password点击sign in报错
因为ambari 2.6版本没有KNOX的quick links 所以访问knox admin ui需要手动输入,url如下 https://10.1.236.84:8443/gateway/knoxsso/knoxauth/login.html
输入admin/admin-password点击sign in报错 查看gateway.log发现报错日志如下
代码语言:javascript复制ERROR service.knoxsso (WebSSOResource.java:getAuthenticationToken(172)) - The original URL: undefined for redirecting back after authentication is not valid according to the configured whitelist: . See documentation for KnoxSSO Whitelisting.在ambari2.6版本中没有quick link的跳转,所以没有cookie带进来,正在解决
Knox跳转HDFS页面js加载不出来
在/usr/hdp/2.6.0.3-8/knox/data/services/hdfsui/2.7.0/rewrite.xml添加如下配置
并删除/usr/hdp/2.6.0.3-8/knox/data/deployments/中的cluster.topo文件,重启集群knox
<rule dir="OUT" name="HDFSUI/hdfs/outbound/jquery-1.10.2.min.js" pattern="/static/jquery-1.10.2.min.js">
<rewrite template="{$frontend[url]}/hdfs/static/jquery-1.10.2.min.js"/>
</rule>
<rule dir="OUT" name="HDFSUI/hdfs/outbound/jquery.dataTables.min.js" pattern="/static/jquery.dataTables.min.js">
<rewrite template="{$frontend[url]}/hdfs/static/jquery.dataTables.min.js"/>nginx跳转knox跳转ranger报错400
nginx代理knox报错,但是knox直接跳转正常
解决方案
在/usr/hdp/2.6.0.3-8/knox/data/services/rangerui/2.7.0/rewrite.xml添加如下配置
并删除/usr/hdp/2.6.0.3-8/knox/data/deployments/中的cluster.topo文件,重启集群knox
<match pattern="*://*:*/login.jsp"/>0.12版本knox无法在ambari操作组件启停
前台报错
gateway.log如下
代码语言:javascript复制2020-04-13 15:54:15,600 WARN hadoop.gateway (DefaultDispatch.java:executeOutboundRequest(146)) - Connection exception dispatching request: http://10.1.236.84:8080/api/v1/stacks/HDP/versions/2.6/recommendations java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: "d{"F12
代码语言:javascript复制message: "Invalid Request: Malformed Request Body. An exception occurred parsing the request body: Unexpected character ('%' (code 37)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')↵ at [Source: java.io.StringReader@699524d0; line: 1, column: 3]"解决方案
在ocdp.xml中添加配置
<service>
<role>AMBARI</role>
<url>http://10.1.236.84:8080</url>
</service>加了这个配置后就可以进行ambari操作组件,包括配置参数修改、组件启停
knox访问组件UI报错
代码语言:javascript复制2020-04-13 16:21:03,961 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to https://10.1.236.84:8443/gateway/ocdp/hdfs was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.将gateway.site.xml参数进行修改
代码语言:javascript复制gateway.dispatch.whitelist=DEFAULTKnox访问ambari,后台不停报错
代码语言:javascript复制2020-04-13 17:07:41,990 ERROR hadoop.gateway (JsonFilterReader.java:filterStreamValue(531)) - Failed to filter value http://ocdp_host-10-1-236-84/api/v1/clusters/ocdp/requests/377, rule AMBARI/ambari/href/outbound: java.lang.NullPointerException
2020-04-13 17:07:41,990 ERROR hadoop.gateway (UrlRewriteProcessor.java:rewrite(169)) - Failed to rewrite URL: http://ocdp_host-10-1-236-84/api/v1/clusters/ocdp/requests/378, direction: OUT via rule: AMBARI/ambari/href/outbound, status: FAILURE解决方案
删除底下文件的配置
/usr/hdp/2.6.0.3-8/knox/data/services/ambari/2.2.0/rewrite.xml
<match pattern="*://*:*/api/{**}?{**}"/>Knox跳转yarn界面中其他节点日志8042报错
代码语言:javascript复制2020-03-17 17:07:13,311 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://10.1.236.56:8042/cluster was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.gateway-site.xml修改参数
gateway.dispatch.whitelist.services=DEFAULTknox 修改了create-master密码启动失败
代码语言:javascript复制ERROR hadoop.gateway (DefaultAliasService.java:getPasswordFromAliasForCluster(100)) - Failed to get credential for cluster __gateway: org.apache.hadoop.gateway.se
rvices.security.KeystoreServiceException: java.io.IOException: Keystore was tampered with, or password was incorrect
FATAL hadoop.gateway (GatewayServer.java:main(155)) - Failed to start gateway: org.apache.hadoop.gateway.services.ServiceLifecycleException: Provisioned signing k
ey passphrase cannot be acquired.修改了knox gateway的create-master ,启动报错 解决方案:rm -rf {GATE_WAY}/data/security/* 然后再 su knox; {GATE_WAY}/bin/create-master; {GATE_WAY}/bin/gateway.sh start 即可
报错Gateway SSL Certificate is Expired. Server will not start
代码语言:javascript复制2021-08-24 10:18:43,689 FATAL knox.gateway (GatewayServer.java:main(167)) - Failed to start gateway: org.apache.knox.gateway.services.ServiceLifecycleException: Gateway SSL Certificate is Expired. Server will not start.解决
代码语言:javascript复制证书过期了,重新生成试试
mv /home/ocdc/knox/data/security/keystores/gateway.jks /home/ocdc/knox/data/security/keystores/bak_gateway.jksKnox 代理ambari等页面后输入密码报错
后台日志如下
ERROR service.knoxsso (WebSSOResource.java:getAuthenticationToken(214)) - The original URL: http://10.1.236.92:8080/ for redirecting back after authentication is not valid according to the configured whitelist: ^/.*$;^https?://(. .asiainfo.com):[0-9] /?.*$. See documentation for KnoxSSO Whitelisting.
试试1.4版本吧 结果依旧是这个错 但是发现正则不匹配 正则匹配上了就可以了 但是输入knox的账号密码后进去ambari又跳转出来了,又到了knox登陆界面 后台日志报错如下
代码语言:javascript复制2020-09-01 17:34:18,928 INFO knox.gateway (KnoxLdapRealm.java:getUserDn(688)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
2020-09-01 17:34:18,945 ERROR knox.gateway (WhitelistUtils.java:deriveDefaultDispatchWhitelist(92)) - Unable to reliably determine the Knox domain for the default whitelist. Defaulting to allow requests only to testdp01. Please consider explicitly configuring the whitelist via the gateway.dispatch.whitelist property in gateway-site
2020-09-01 17:34:18,945 INFO knox.gateway (WhitelistUtils.java:getDispatchWhitelist(61)) - Applying a derived dispatch whitelist because none is configured in gateway-site: ^/.*$;^https?://testdp01:[0-9] /?.*$
2020-09-01 17:34:18,946 INFO knox.gateway (CookieUtils.java:getCookiesForName(46)) - Unable to find cookie with name: original-url
2020-09-01 17:34:18,959 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(368)) - JWT cookie successfully added.
2020-09-01 17:34:18,960 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(270)) - About to redirect to original URL: http://testdp01:8080/
2020-09-01 17:34:19,235 ERROR knox.gateway (WhitelistUtils.java:deriveDefaultDispatchWhitelist(92)) - Unable to reliably determine the Knox domain for the default whitelist. Defaulting to allow requests only to testdp01. Please consider explicitly configuring the whitelist via the gateway.dispatch.whitelist property in gateway-site
2020-09-01 17:34:19,235 INFO knox.gateway (WhitelistUtils.java:getDispatchWhitelist(61)) - Applying a derived dispatch whitelist because none is configured in gateway-site: ^/.*$;^https?://testdp01:[0-9] /?.*$然后我又吧gateway-site.xml中配置修改如下
代码语言:javascript复制 <property>
<name>gateway.dispatch.whitelist</name>
<value>^.*$</value>
<description>The whitelist to be applied for dispatches associated with the service roles specified by gateway.dispatch.whitelist.services.
If the value is DEFAULT, a domain-based whitelist will be derived from the Knox host.</description>
</property>发现还是一样,输入knox的账号密码后进去ambari又跳转出来了,又到了knox登陆界面。 但是这一次日志没有报错了
跟同事讨论发现可能要对knox中自带的ldap用户导入到ambari user中去
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
