Created 01-08-2018 08:08 AM
I have followed this guide to enable Knox for the Ambari cluster:
https://community.hortonworks.com/articles/78361/configure-knox-to-access-ambari-ui.html
While I am able to log into the Ambari UI via Knox, I cannot view the hosts, nor am I able to access the preconfigured 'Views':
- Hive View
- Files View
- Smartsense View
- Tez View, etc.
I have also noticed that alerts and warnings do not show either.
Why am I a limited user despite logging in with an admin account?
Thanks in advance
Created 02-26-2018 10:30 AM
Are you sure that you have added both the "AMBARI" and "AMBARIUI" role blocks inside your Knox topology file and then restarted Knox?
    <topology>
      <gateway>
        <provider>
          <role>authentication</role>
          <name>Anonymous</name>
          <enabled>true</enabled>
        </provider>
        <provider>
          <role>identity-assertion</role>
          <name>Default</name>
          <enabled>false</enabled>
        </provider>
      </gateway>
      <service>
        <role>AMBARI</role>
        <url>http://$AMBARI_HOST:8080</url>
      </service>
      <service>
        <role>AMBARIUI</role>
        <url>http://$AMBARI_HOST:8080</url>
      </service>
    </topology>
Please add both the service blocks, as most of the Ambari Views use Ambari APIs to get the configuration details, so we should add both the blocks.
Created 02-27-2018 01:26 AM
Snippet:
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
        ... 76 more
It's strange because originally it was working. I will give that guide a go now.
Thanks!
EDIT: This was from the Knox Gateway log /var/log/knox/gateway.log
Created 02-27-2018 01:30 AM
The above snippet is also not complete. We need to see the complete error from where it begins ... till the end of this stack trace to understand which API is causing this error.
Also, please let us know if you have configured a truststore in the Ambari server?
Is this snippet appearing in the "ambari-server.log"?
When exactly are we getting this error? While accessing any specific view (like Capacity Scheduler View)? Or while accessing the Ambari UI?
Is your Ambari server listening on an SSL port?
Created 02-27-2018 02:17 AM
I have configured the truststore and enabled SSL for Ambari. It is currently listening on port 8443 and I am able to access Ambari UI normally (now via HTTPS). I am still receiving the same error when trying to access it via Knox.
The log is from /var/log/knox/ (Not located on the ambari host server)
Full Log: gateway.txt
Created 02-27-2018 02:26 AM
@Jay Kumar SenSharma I am unable to access Ambari UI at all when trying through Knox. I'm met with an HTTP 500 error.
Created 02-27-2018 02:39 AM
By any chance, are you specifying the HTTPS protocol in the Knox topology for the Ambari Server URL (like https://$AMBARI_HOST:8080)?
Please check if you are running your Ambari server on HTTPS. If yes, then please import the Ambari Server's certificate to the Knox keystore.
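The two topology problems raised so far in this thread (a missing AMBARI or AMBARIUI service block, and an https backend URL whose certificate Knox cannot validate) can be checked before restarting Knox. This is an added example, not part of any post in the thread or of Knox itself; the helper name, the sample topology and the port-8080 heuristic are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the AMBARI API block is missing and the backend URL
# pairs the https scheme with port 8080.
SAMPLE_TOPOLOGY = """
<topology>
  <service>
    <role>AMBARIUI</role>
    <url>https://ambari.example.com:8080</url>
  </service>
</topology>
"""

# Assumption: 8080 is the backend's plain-HTTP port, as in the thread's topology.
PLAIN_HTTP_PORTS = {8080}


def check_topology(xml_text, required_roles=("AMBARI", "AMBARIUI")):
    """Return a list of findings for a Knox topology document (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    services = {}
    for svc in root.findall("service"):
        role = (svc.findtext("role") or "").strip()
        services[role] = (svc.findtext("url") or "").strip()

    findings = []
    for role in required_roles:
        if role not in services:
            findings.append(f"ERROR missing <service> block for role {role}")

    for role, url in sorted(services.items()):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            findings.append(f"ERROR {role}: url needs an http or https scheme: {url!r}")
        elif parts.scheme == "https":
            if parts.port in PLAIN_HTTP_PORTS:
                findings.append(f"ERROR {role}: https scheme on plain-HTTP port {parts.port}")
            # Knox validates the backend certificate; an untrusted one gives
            # the PKIX path building failure seen in gateway.log.
            findings.append(f"INFO {role}: https backend, certificate must be trusted by Knox")
    return findings


if __name__ == "__main__":
    for line in check_topology(SAMPLE_TOPOLOGY):
        print(line)
```

Passing `required_roles=("YARN", "YARNUI")` applies the same pairing check to other proxied services.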
Created 02-27-2018 03:20 AM
I have set the Ambari Server URL as follows:
https://$AMBARI_HOST:8443
I am unable to import any certificates into the Knox keystore.
Using the following command:
keytool -importcert -file test.csr -keystore gateway.jks -alias "gateway-identity"
along with the Knox Master Secret password although I get the error:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect.
Note I have created the alias with this command:
knoxcli.sh create-alias gateway-identity-passphrase --value {value}
I have even removed and re-installed Knox and reset the Master Secret password, again same error.
Created 02-27-2018 04:34 AM
L V I think you need to import the Ambari certificate to the Java cacert of Knox, and make sure you have the hostname of Ambari as the CN in the Ambari certificate.
Created 02-27-2018 04:59 AM
You got a message like "Keystore was tampered with, or password was incorrect.", which indicates that you might have entered an incorrect store password while importing the Ambari server keystore to the Knox keystore.
You can verify the "gateway.jks" by listing the certificates present in it. Please try the "-list" command to see whether the Ambari server certificate is imported to the Knox truststore or not.
    # /usr/jdk64/jdk1.8.0_112/bin/keytool -list -v -keystore /var/lib/knox/data-2.6.4.0-91/security/keystores/gateway.jks
    Enter keystore password: admin
Created 03-01-2018 06:10 AM
That worked, although when I go and access other services and try to view their UIs, it just diverts back to their original IP address.
Let's take YARN as an example; this is the configuration I have currently entered into the topology:
    <service>
      <role>YARN</role>
      <url>http://192.168.XXX.XXX:8088</url>
    </service>
    <service>
      <role>YARNUI</role>
      <url>http://192.168.XXX.XXX:8088</url>
    </service>
Created 03-01-2018 06:35 AM
Ambari provides the quicklink.json feature to alter the Quicklinks as we want.
In the case of a Knox-enabled cluster, we might need to alter the quicklinks a bit, as described in the following link:
2. https://cwiki.apache.org/confluence/display/AMBARI/Quick+Links