Member since
08-16-2019
38
Posts
8
Kudos Received
4
Solutions
My Accepted Solutions
Title | Views | Posted |
---|---|---|
922 | 05-21-2018 06:32 PM | |
2670 | 01-18-2018 06:51 PM | |
1585 | 10-25-2017 06:28 PM | |
2502 | 08-25-2017 07:09 PM |
01-14-2021
08:42 AM
Starting CDP 7.2.7, Knox can be configured to load-balance backend service instances as well as support sticky sessions in HA mode. Prior to this when HA was configured for Knox (using the HaProvider in Knox topology) Knox would route requests to a specific backend service, except in case of failover where Knox would pick the next backend service from the configured list. This approach had some limitations, Knox would only serve one backend, even when there were multiple backends available. This especially was a problem for stateless services that needed even load distribution. Knox also had no support for sticky sessions. With this release, Knox can be configured to load-balance requests for multiple backend service instances configured with HaProvider. Currently, load-balancing is done in a simple round-robin fashion. Following is an example of how to configure only load-balancing for an example HA service WHOAMI <provider>
<role>ha</role>
<name>HaProvider</name>
<enabled>true</enabled>
<param>
<name>WHOAMI</name>
<value>enabled=true;maxFailoverAttempts=3;failoverSleep=1000;enableLoadBalancing=true</value>
</param>
</provider>
...
<service>
<role>WHOAMI</role>
<url>http://localhost:50070</url>
<url>http://localhost:50071</url>
</service> Sticky sessions can be used for services such as Hive where session state matters. Sticky sessions can be turned on by using the property enableStickySession. When sticky sessions are on, Knox uses a cookie to match the client requests with the backend host, and as a result, cookies are required for this feature. Cookie name used for sticky session is KNOX_BACKEND-{service-name}. Sticky session cookie name can be changed by using the property stickySessionCookieName. With sticky session turned on, loadbalancing is turned on automatically. If sticky session is turned on and there is a failover, Knox will choose a new backend and route the request to it. This can be undesirable in cases where session state is critical. Knox can be configured to not failover when sticky sessions are used by using the flag noFallback. When this flag (noFallback=true) is set, Knox will return a 502 (Bad Gateway) if a request comes with a cookie and the corresponding backend is unavailable. Example of sticky session configuration: <provider>
<role>ha</role>
<name>HaProvider</name>
<enabled>true</enabled>
<param>
<name>WHOAMI</name>
<value>enabled=true;maxFailoverAttempts=3;failoverSleep=1000;enableStickySession=true;noFallback=true</value>
</param>
</provider> Summary of HaProvider properties discussed above: enableStickySession - Enables sticky sessions stickySessionCookieName - Customize sticky session cookie name, default is KNOX_BACKEND-{serviceName} noFallback - When this flag is set, Knox will return a 502 (Bad Gateway) if a request comes with a cookie and the corresponding backend is unavailable enableLoadBalancing - Enable loadbalancing, roundrobin requests to backend HA urls
... View more
Labels:
01-21-2019
01:54 AM
Hello Doug, Try setting message size using the following properties gateway.websocket.max.text.size
gateway.websocket.max.binary.size
gateway.websocket.max.text.buffer.size
gateway.websocket.max.binary.buffer.size
gateway.websocket.input.buffer.size
... View more
08-22-2018
10:33 PM
Looking at the documentation (https://knox.apache.org/books/knox-1-1-0/user-guide.html#Gateway+Server+Configuration), try removing gateway.dispatch.whitelist: DEFAULT property.
... View more
07-26-2018
01:29 PM
If you are using kerberos then you do not need LDAP, this looks like an issue with your configuration. This is an example https://community.hortonworks.com/articles/192759/knox-with-kerberos-authentication-to-proxy-to-hive.html The topology file is not formatted properly but you can compare it with yours and add the necessary configuration.
... View more
07-25-2018
08:49 PM
What do you see in gateway.log ? Also, is your sandbox is kerberized ? if not check whether demo ldap is running, sandbox might be using demo ldap.
... View more
05-21-2018
06:32 PM
2 Kudos
Hello @Dominique De Vito Yes, Knox does work with unsecure Hadoop custer and yes you can use KnoxSSO with unsecure cluster as well.
... View more
02-15-2018
02:00 PM
@Nisha that is by design, try passing cookies through Curl with the CookieProvider, I think this should work !
... View more
02-12-2018
07:07 PM
ah, I see, I have had issues with using localhost, to get around this in my etc/host file I add an entry for www.local.com -> 127.0.0.1 and in your topology add it to the whitelist <param> <name>knoxsso.redirect.whitelist.regex</name> <value>^https?:\/\/(www\.local\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value> </param> Then try to access it using https://www.local.com:8443/. This should help, let me know if this does not help. Best, Sandeep
... View more
02-09-2018
06:33 PM
Hello @Nisha It is difficult to say anything without seeing your topology, but I am assuming you are using "SSOCookieProvider" in your topology. Try using "JWTProvider" https://knox.apache.org/books/knox-1-0-0/user-guide.html#JWT+Provider Also check this out https://knox.apache.org/books/knox-1-0-0/user-guide.html#KnoxToken+Configuration Best, Sandeep
... View more