Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

HDP3.0: knox fails to dispatch webhdfs request due to whitelist validation

avatar
author-rank jiangok2006
Rising Star

Created ‎08-21-2018 07:36 PM

Hi,

I am using HDP3.0 and ambari 2.7 blueprint. webhdfs via knox failed due to:

2018-08-21 19:26:33,035 ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://myhost.com:50070/webhdfs/v1/user was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.

I have verified webhdfs without knox works:

curl -vvv http://myhost.com:50070/webhdfs/v1/user/?op=LISTSTATUS

Also, ambari, zeppelin and ranger UI work fine via knox.

The knox settings are:

gateway.dispatch.whitelist: DEFAULT

gateway.dispatch.whitelist.services: DATANODE,HBASEUI,HDFSUI,JOBHISTORYUI,NODEUI,RESOURCEMANAGER,WEBHBASE,WEBHDFS,YARNUI

webhdfs via knox worked for me on HDP2.6. Any idea? Appreciate any help.

9,443 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank pzampino author-rank
Rising Star

Created ‎08-22-2018 10:42 PM

None of Ambari, Zeppelin, or RangerUI are affected by this whitelisting.

Can you see the default whitelist in gateway.log?

It should say something like

Applying a derived dispatch whitelist because none is configured in gateway-site: xxxxxxx

View solution in original post

8,690 Views
0 Kudos
0
12 REPLIES 12

avatar
author-rank gorkazar7
Explorer

Created ‎05-20-2019 03:58 PM

I have fill that property with


gateway.dispatch.whitelist --> ^https?:\/\/(my.domain.com|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$


But i have all the time the same error


ERROR knox.gateway (GatewayDispatchFilter.java:isDispatchAllowed(155)) - The dispatch to http://my.domain.com:50070/webhdfs/v1/ was disallowed because it fails the dispatch whitelist validation. See documentation for dispatch whitelisting.


Thanks

3,504 Views
0 Kudos

avatar
author-rank ssummers author-rank
Contributor

Created ‎06-13-2019 02:25 PM

I ran into a similar issue to this as well. It looks like when it derives the RegEX based off the DEFAULT. We found that it used the URL from the Provider we used setting up the SSO client we had typed in just the Hostname for the Knox Server. It then resulted in the following Default white list:

INFO  knox.gateway (WhitelistUtils.java:getDispatchWhitelist(63)) - Applying a derived dispatch whitelist because none is configured in gateway-site: ^/.*$;^https?://ambari30l:[0-9]+/?.*$

After redoing the SSO setup with the FQDN for the host it resolved the "DEFAULT" Lookup and was able to find the hosts properly.

INFO  knox.gateway (WhitelistUtils.java:getDispatchWhitelist(63)) - Applying a derived dispatch whitelist because none is configured in gateway-site: ^/.*$;^https?://ambari30l.mydomain.com:[0-9]+/?.*$

Hopefully this help others in troubleshooting this issue in the future.

3,504 Views
0 Kudos

avatar
author-rank khannanitish00
New Contributor

Created ‎01-03-2023 12:07 PM

Ssumers,

Can you please share the value you added in gateway.dispatch.whitelist?

1,745 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements