The following section provides an overview of how to use Knox in an E-MapReduce cluster.


E-MapReduce supports Apache Knox. If you select a Knox-supported image to create a cluster, you can access the Web UI from the public network to use services such as YARN, HDFS, and SparkHistory.


  • Enable Knox access using a public IP address
    1. The service port of Knox on E-MapReduce is 8443. In the cluster details, find the ECS security group in which the cluster is located.
    2. Change the corresponding security group in the ECS console and add a rule in Internet inbound to enable port 8443.
    • For security reasons, the authorization object must be a limited IP address range of your own; authorizing all source addresses is forbidden.
    • After port 8443 is enabled in the security group, port 8443 is open to the public network on every node in that security group, including ECS instances that are not part of the E-MapReduce cluster.
  • Set a Knox user

    Accessing Knox requires a username and password for authentication. The authentication is based on LDAP. You can use your own LDAP service or the LDAP service of Apache Directory Server in the cluster.

    • Use the LDAP service in the cluster

      Method one (recommended):

      Add a Knox account in the User Management page.

      Method two:
      1. Log on to the cluster through SSH. For more information, see Connect to clusters using SSH.
      2. Prepare your user data. Here, Tom is used as the user name. In the file, replace every emr-guest with Tom and cn:EMR GUEST with cn:Tom, and set userPassword to your password.
        su knox
        cd /usr/lib/knox-current/templates
        vi users.ldif
        Notice For security reasons, before you export your user data to LDAP, change the password in users.ldif by setting userPassword to your own password.
      3. Export to LDAP.
        su knox
        cd /usr/lib/knox-current/templates
    • Use your own LDAP service
      1. Enter the cluster configuration management page. In the cluster-topo configuration, set main.ldapRealm.userDnTemplate to your user DN template and main.ldapRealm.contextFactory.url to your LDAP server domain name and port. Then, save the settings and restart Knox.
      2. Your LDAP service does not typically run in the cluster, so you must open the LDAP port (for example, port 10389) so that Knox can reach the LDAP service over the public network. Follow the preceding steps for enabling port 8443, but select Internet outbound.
        Notice For security reasons, the authorization object must be the public IP address of your Knox cluster; authorizing all source addresses is forbidden.

Access Knox

  • Access using the E-MapReduce shortcut link
    1. Log on to the E-MapReduce console.
    2. Click the ID link of the target cluster.
    3. In the navigation pane on the left, click Clusters and Services.
    4. Click the relevant service on the E-MapReduce services page, such as HDFS or YARN.
    5. In the upper-right corner, click Quick Link.
  • Access using the public IP address of the cluster
    1. Check the public IP address in the cluster details.
    2. Access the URLs of the relevant services in the browser.
      • HDFS UI: https://{cluster_access_ip}:8443/gateway/cluster-topo/hdfs/.
      • YARN UI: https://{cluster_access_ip}:8443/gateway/cluster-topo/yarn/.
      • SparkHistory UI: https://{cluster_access_ip}:8443/gateway/cluster-topo/sparkhistory/.
      • Ganglia UI: https://{cluster_access_ip}:8443/gateway/cluster-topo/ganglia/.
      • Storm UI: https://{cluster_access_ip}:8443/gateway/cluster-topo/storm/.
      • Oozie UI: https://{cluster_access_ip}:8443/gateway/cluster-topo/oozie/.
    3. A warning that the website is not secure is displayed in your browser because the Knox service uses a self-signed certificate. Confirm that the accessed IP address is the same as that of your cluster and that the port is 8443, then click Advanced > Continue.
    4. Enter the username and password set in LDAP in the logon dialog box.

Access control lists

Knox provides service-level permission management to limit service access to specific users, user groups, or IP addresses. See Apache Knox Authorization.

  • Example
    • Scenario: The YARN UI only allows access by user Tom.
    • Steps: Enter the cluster configuration management page. In the cluster-topo configuration, add access control list (ACL) code between the <gateway>...</gateway> labels.
  • Notes

    Knox provides RESTful APIs for operating a range of services, including adding or deleting HDFS files. For security reasons, make sure that when you enable port 8443 of the security group in the ECS console, the authorization object is a limited IP address range of your own; authorizing all source addresses is forbidden. Do not use the default LDAP username and password found in the Knox installation directory to access Knox.
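For the ACL scenario above (YARN UI accessible only to user Tom), the following is an added example of an Apache Knox AclsAuthz authorization provider; it is not taken from this page or from the E-MapReduce cluster-topo configuration, and it assumes the YARN UI is exposed under the service role name YARNUI in your topology.

```xml
<!-- Added example, not from the page: restrict the YARN UI to user Tom.
     Place this provider inside the <gateway>...</gateway> element of the
     cluster-topo topology, then save and restart Knox. -->
<provider>
    <role>authorization</role>
    <name>AclsAuthz</name>
    <enabled>true</enabled>
    <!-- ACL value format is users;groups;ip-addresses, with * as a wildcard.
         Here only the user field is constrained. -->
    <param>
        <name>YARNUI.acl</name>
        <value>Tom;*;*</value>
    </param>
    <!-- Set AND explicitly so every field must match: in OR mode the
         wildcard group and IP fields would match any caller and the
         user restriction would be bypassed. -->
    <param>
        <name>YARNUI.acl.mode</name>
        <value>AND</value>
    </param>
</provider>
```

After restarting Knox, verify the rule by logging on to the YARN UI URL as a different LDAP user and confirming that access is denied.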