Created 08-21-2018 07:36 PM
Hi,
I am using HDP3.0 and ambari 2.7 blueprint. webhdfs via knox failed due to:
2018-08-21 19:26:33,035 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://myhost.com:50070/webhdfs/v1/user was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.
I have verified webhdfs without knox works:
curl -vvv http://myhost.com:50070/webhdfs/v1/user/?op=LISTSTATUS
Also, ambari, zeppelin and ranger UI work fine via knox.
The knox settings are:
gateway.dispatch.whitelist: DEFAULT gateway.dispatch.whitelist.services: DATANODE,HBASEUI,HDFSUI,JOBHISTORYUI,NODEUI,RESOURCEMANAGER,WEBHBASE,WEBHDFS,YARNUI
webhdfs via knox worked for me on HDP2.6. Any idea? Appreciate any help.
Created 08-22-2018 10:42 PM
None of Ambari, Zeppelin, or RangerUI are affected by this whitelisting.
Can you see the default whitelist in gateway.log?
It should say something like
Applying a derived dispatch whitelist because none is configured in gateway-site: xxxxxxx
Created 08-22-2018 10:33 PM
Looking at the documentation (https://knox.apache.org/books/knox-1-1-0/user-guide.html#Gateway+Server+Configuration), try removing
gateway.dispatch.whitelist: DEFAULT
property.
Created 08-22-2018 10:42 PM
None of Ambari, Zeppelin, or RangerUI are affected by this whitelisting.
Can you see the default whitelist in gateway.log?
It should say something like
Applying a derived dispatch whitelist because none is configured in gateway-site: xxxxxxx
Created 08-23-2018 11:51 PM
Thanks guys. I got the whitelist filter as mentioned by @Phil Zampino and updated it as my need. Then knox allowed my requests.
Created 05-20-2019 08:49 AM
what did you write in
gateway.dispatch.whitelist
???
Created 08-24-2018 02:26 AM
@Lian Jiang Can you explain why the default whitelist was not working for your deployment?
Created 08-24-2018 08:58 PM
The domain name used by hadoop hosts and the one used by the load balancer are different. DEFAULT setting will use the load balancer's domain to construct whitelist filter. I need to update the whitelist filter to use hadoop hosts' domain name instead. Hope this helps.
Created 08-24-2018 09:00 PM
Thank you for following up. That's what I suspected, and it's good to document it here for future reference.
Created 01-30-2019 08:44 AM
i have similar problem. finally what do you change ?
Created 01-30-2019 05:41 PM