Support Questions

Thanks guys. I got the whitelist filter as mentioned by @Phil Zampino and updated it as my need. Then knox allowed my requests.

@Lian Jiang Can you explain why the default whitelist was not working for your deployment?

The domain name used by hadoop hosts and the one used by the load balancer are different. DEFAULT setting will use the load balancer's domain to construct whitelist filter. I need to update the whitelist filter to use hadoop hosts' domain name instead. Hope this helps.

Thank you for following up. That's what I suspected, and it's good to document it here for future reference.

I have fill that property with

gateway.dispatch.whitelist --> ^https?:\/\/(my.domain.com|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$

But i have all the time the same error

ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://my.domain.com:50070/webhdfs/v1/ was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.

Thanks

I ran into a similar issue to this as well. It looks like when it derives the RegEX based off the DEFAULT. We found that it used the URL from the Provider we used setting up the SSO client we had typed in just the Hostname for the Knox Server. It then resulted in the following Default white list:

INFO  knox.gateway (WhitelistUtils.java:getDispatchWhitelist(63)) - Applying a derived dispatch whitelist because none is configured in gateway-site: ^/.*$;^https?://ambari30l:[0-9]+/?.*$

After redoing the SSO setup with the FQDN for the host it resolved the "DEFAULT" Lookup and was able to find the hosts properly.

INFO  knox.gateway (WhitelistUtils.java:getDispatchWhitelist(63)) - Applying a derived dispatch whitelist because none is configured in gateway-site: ^/.*$;^https?://ambari30l.mydomain.com:[0-9]+/?.*$

Hopefully this help others in troubleshooting this issue in the future.

Ssumers,

Can you please share the value you added in gateway.dispatch.whitelist?