Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Access KNOX Admin UI from AMBARI (HDP 3.1)

New Contributor


Created a cluster via cloudbreak from the blueprint. Trying to access Knox Admin UI from Ambari with no luck. URI points to https://<master_public_ip>:8443/<cluster_name>/manager/admin-ui, so I got 404. Investigated topologies and there is no topology named `manager`, only `admin.xml`, `default.xml`, `dp-proxy.xml` and `knoxsso.xml`. I'd like to secure Apache Livy Server with Knox. I Can successfully auth to YARNUIV2 or to WEBHDFS with curl, for example:



curl -iku admin:password -X GET 'https://<master_public_ip>:8443/<cluster_name>/dp-proxy/webhdfs/v1/?op=LISTSTATUS'



forks fine. How I could access Knox Admin UI or secure Livy Server with Knox?


I'm using:

Cloudbreak: 2.9.1



Blueprint: HDP 3.1 - Data Science: Apache Spark 2, Apache Zeppelin


New Contributor

For internet searchers:


Livy can be accessed via 

https://<master_public_ip>:8443/<cluster_name>/dp-proxy/livy/v1, for example


curl -iku admin:password -X GET 'https://<master_public_ip>:8443/<cluster_name>/dp-proxy/livy/v1/sessions'


Username, password and cluster_name are set when cluster is created by cloudbreak. Master_public_ip is ip of ther VM which serves as ambari


Here is a python snippet to test it working:


import json, pprint, requests, textwrap
session_url = "https://<master_public_ip>:8443/<cluster_name>/dp-proxy/livy/v1/sessions"
headers = { 'X-Requested-By': 'livy'}
data = {'kind': 'spark'}
basic_auth = ('admin', 'password')
response =, headers=headers, auth=basic_auth, data=json.dumps(data), verify=False)


New Contributor

I will answer to myself and for those who will search.


Start Demo LDAP from Ambari UI as manual said.


It looks like admin-ui doesn't enabled by default. So I created manager.xml in 

/etc/knox/conf/topologies/manager.xml with content (got it from knox github):




<?xml version="1.0" encoding="UTF-8"?>
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements.  See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License.  You may obtain a copy of the License at
    <a href="<a href="<a href="<a href="" target="_blank"></a>" target="_blank"><a href="</a" target="_blank"></a</a>>" target="_blank"><a href="<a href="</a" target="_blank"></a</a>" target="_blank"><a href="</a</a" target="_blank"></a</a</a>>>" target="_blank"><a href="<a href="<a href="</a" target="_blank"></a</a>" target="_blank"><a href="</a</a" target="_blank"></a</a</a>>" target="_blank"><a href="<a href="</a</a" target="_blank"></a</a</a>" target="_blank"><a href="</a</a</a" target="_blank"></a</a</a</a>>>>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.




Don't forget to change the owner: 




chown knox:knox /etc/knox/conf/topologies/manager.xml




Check existing of /etc/knox/conf/topologies/knoxsso.xml
Check `redirectToUrl` in `Advanced knoxsso-topology` in Ambrai Knox Configs. It should contain cluster name (mine was configured to /default/)
Check topologies for LDAP configuration, they should be configured to query `ou=people,dc=hadoop,dc=apache,dc=org` (Demo LDAP), in my case some of them were configured to `ou=Users,dc=hadoop,dc=apache,dc=org`
Restart ldap
Restart Knox




curl -iku admin:admin-password -X GET 'https://<master_public_ip>:8443/<clustername>/dp-proxy/livy/v1/sessions'




Test admin UI:









PS. Somehow if I query LDAP with ldapseach at master node and localhost:33389 it returns me users with randomly generated passwords. But users.ldif file has simple passwords as it configured in Ambari. And simple passwords work, so what's wrong with ldap at localhost:33389 and which LDAP queried by Knox?

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.