Ambari UI via Knox - Limited accessibility

I have followed this guide to enable Knox for the Ambari cluster:

https://community.hortonworks.com/articles/78361/configure-knox-to-access-ambari-ui.html

While I am able to log into the Ambari UI via Knox, I cannot view the hosts, nor am I able to access the preconfigured 'Views':

- Hive View

- Files View

- Smartsense View

- Tez View etc..

I have also noticed that alerts and warnings do not show either.

Why am I a limited user despite logging in with an admin account?

Thanks in advance

1 ACCEPTED SOLUTION

Super Mentor
@L V

Are you sure that you have added both the "AMBARI" and "AMBARIUI" role blocks inside your Knox topology file and then restarted Knox?

<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>Anonymous</name>
            <enabled>true</enabled>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>false</enabled>
        </provider>
    </gateway>
    <service>
        <role>AMBARI</role>
        <url>http://$AMBARI_HOST:8080</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://$AMBARI_HOST:8080</url>
    </service>
</topology>

Please add both service blocks: most of the Ambari Views use Ambari APIs to get the configuration details, so we should add both blocks.

Can you please tell which HDP release this is?

And what is the user you used for login?

HDP: 2.6.2.14-5

I used the default admin account - verified that it is still an admin with the correct privileges

Hi @Deepak Sharma did you have any advice regarding this issue?

L V, I want to confirm: are you able to view the Ambari home page, or is that also not visible?

There were issues with accessing views via the Knox proxy, but they are already fixed.

Please make sure of the following:

1) Entries are added in ui.xml as follows:

    <service>
        <role>AMBARI</role>
        <url>http://hostname:port</url>
    </service>
    <service>
        <role>AMBARIUI</role>
        <url>http://hostname:port</url>
    </service>

2) You should have .com appended in the /etc/hosts file on both the client and the cluster, as follows:

10.10.1.1 ab.test.site abc.test.site.com

3) While invoking the Ambari UI through the Knox proxy, you should also append .com to the URL, e.g.:

https://abc.test.site.com:8443/gateway/ui/ranger

Let me know if you have all of the above and the issue still persists.

@Jay Kumar SenSharma - I did not have AMBARI added, only AMBARIUI. I have added that in now although I am now getting this error:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

@Deepak Sharma

I was able to view the ambari homepage, there were just little things missing as I mentioned earlier.

Super Mentor

@L V

In which log do you see this error now? Can you please share the complete log snippet so that we will know what's wrong? When are you getting this error?

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In general this error indicates that the truststore is not configured and it does not have the imported certificate.

If you notice the above error on ambari server log then please check if you have configured truststore for ambari?

https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.3/bk_ambari-security/content/set_up_truststor...

Super Mentor

@L V

Good to know that your current issue is resolved.

Keeping different issues in different threads helps improve HCC. So if this thread is answered then please mark the correct answer as "Answered" (by clicking the "Accept" link).

Your new query seems to be slightly different. So I will suggest that you please open a separate HCC thread for the following issue:

When I go and access other services and try view their UI's it just diverts back to their original IP address.

@Jay Kumar SenSharma

Snippet:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
        ... 76 more

It's strange because originally it was working. I will give that guide a go now.

Thanks!

EDIT: This was from the Knox Gateway log /var/log/knox/gateway.log

Super Mentor

@L V

The above snippet is also not complete. We need to see the complete error from where it begins ... till the end of this stack trace to understand which API is causing this error.

Also please let us know if you have configured truststore in ambari server?

Is this snippet appearing in the "ambari-server.log" ?

When exactly are we getting this error? While Accessing any specific view (Like Capacity Scheduler View)? Or while accessing ambari UI ?

Is your ambari server listening on SSL port ?

Hi @Jay Kumar SenSharma

I have configured the truststore and enabled SSL for Ambari. It is currently listening on port 8443 and I am able to access Ambari UI normally (now via HTTPS). I am still receiving the same error when trying to access it via Knox.

The log is from /var/log/knox/ (Not located on the ambari host server)

Full Log: gateway.txt

@Jay Kumar SenSharma I am unable to access Ambari UI at all when trying through Knox. I'm met with an HTTP 500 error.

Super Mentor

@L V

By any chance are you specifying the HTTPS protocol in the Knox topology for the Ambari Server URL (like https://$AMBARI_HOST:8080)?

Please check if you are running your ambari server on HTTPS ? If yes then please import the Ambari Server's certificate to the Knox keystore.
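
The two checks raised in this thread (both the AMBARI and AMBARIUI roles present, and an HTTPS backend whose certificate Knox must trust) can be run against a topology file before restarting Knox. This is an added example, not code from the thread or from the Knox project; the function name `lint_topology`, the finding labels and the `ambari.example.test` host are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Role pair from the accepted answer: Ambari views call the Ambari REST API,
# so the API role and the UI role must both be proxied.
PAIRED_ROLES = [("AMBARI", "AMBARIUI")]

# Constructed sample: the state described in the thread (UI role only, HTTPS backend).
SAMPLE_BROKEN = """<topology>
  <service><role>AMBARIUI</role><url>https://ambari.example.test:8443</url></service>
</topology>"""

# Constructed sample: both roles present, same plain-HTTP backend.
SAMPLE_OK = """<topology>
  <service><role>AMBARI</role><url>http://ambari.example.test:8080</url></service>
  <service><role>AMBARIUI</role><url>http://ambari.example.test:8080</url></service>
</topology>"""


def lint_topology(xml_text):
    """Return (finding, role) tuples for a Knox topology given as a string."""
    root = ET.fromstring(xml_text)  # local, admin-owned config; not untrusted input
    services = {}
    for svc in root.iter("service"):
        role = (svc.findtext("role") or "").strip()
        urls = [u.text.strip() for u in svc.findall("url") if u.text]
        services.setdefault(role, []).extend(urls)

    findings = []
    for api, ui in PAIRED_ROLES:
        if (api in services) != (ui in services):
            findings.append(("missing-role", ui if api in services else api))
        elif api in services and sorted(services[api]) != sorted(services[ui]):
            findings.append(("url-mismatch", ui))
    for role, urls in services.items():
        for url in urls:
            scheme = urlparse(url).scheme
            if scheme == "https":
                # Knox must trust this backend's certificate, otherwise the
                # gateway log shows "PKIX path building failed".
                findings.append(("needs-trusted-cert", role))
            elif scheme != "http":
                findings.append(("bad-scheme", role))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_BROKEN, SAMPLE_OK):
        print(lint_topology(sample))
```

A `needs-trusted-cert` finding is a reminder rather than an error: it marks each backend whose certificate has to be present in the truststore Knox uses.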

@Jay Kumar SenSharma

I have set the Ambari Server URL as follows:

https://$AMBARI_HOST:8443

I am unable to import any certificates into the Knox keystore.

Using the following command:

keytool -importcert -file test.csr -keystore gateway.jks -alias "gateway-identity" 

along with the Knox Master Secret password although I get the error:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect.

Note I have created the alias with this command:

knoxcli.sh create-alias gateway-identity-passphrase --value {value}

I have even removed and re-installed Knox and reset the Master Secret password, again same error.

L V, I think you need to import the Ambari certificate to the Java cacert of Knox, and make sure you have the hostname of Ambari as the CN in the Ambari certificate.

Super Mentor

@L V

You got a message like "Keystore was tampered with, or password was incorrect.", which indicates that you might have entered an incorrect store password while importing the Ambari server keystore to the Knox keystore.

You can verify the "gateway.jks" by listing the certificates present in it. Please try the "-list" command to see if the Ambari server certificate is imported to the Knox truststore or not.

# /usr/jdk64/jdk1.8.0_112/bin/keytool -list -v -keystore /var/lib/knox/data-2.6.4.0-91/security/keystores/gateway.jks
Enter keystore password:  admin

Hi @Jay Kumar SenSharma

That worked, although when I go and access other services and try to view their UIs, it just diverts back to their original IP address.

Let's take YARN as an example. This is the configuration I have currently entered into the topology:

    <service>
        <role>YARN</role>
        <url>http://192.168.XXX.XXX:8088</url>
    </service>
    <service>
        <role>YARNUI</role>
        <url>http://192.168.XXX.XXX:8088</url>
    </service>

Super Mentor

@L V

Ambari provides the quicklink.json feature to alter the Quicklinks as we want.

In case of a Knox-enabled cluster we might need to alter the quicklinks a bit, as described in the following links:

1. https://community.hortonworks.com/questions/88500/how-to-make-ambari-quick-links-to-point-to-knox-ga...

2. https://cwiki.apache.org/confluence/display/AMBARI/Quick+Links
