E-MapReduce:Knox

Last Updated: Jan 17, 2024

This topic describes how to configure Knox in the E-MapReduce (EMR) console and how to use a Knox account to access the web UIs of open source components such as Hadoop Distributed File System (HDFS), YARN, Spark, and Ganglia over the Internet.

Prerequisites

An EMR cluster is created. For more information, see Create a cluster.

Preparations

  • Configure a security group rule

    1. Obtain the public IP address of your on-premises machine.

      For security purposes, we recommend that you allow access only from the current public IP address when you configure a security group rule. To view your current public IP address, visit myip.ipip.net.

    2. Add a port.

      In this example, port 8443 is added.

      1. Go to the Basic Information page of your EMR cluster in the EMR console. In the Security section, click the link next to Cluster Security Group.

      2. On the Security Group Rules page, click Add Rule.

      3. Set the Port Range parameter to 8443/8443 and the Authorization Object parameter to the public IP address that you obtain in the previous step.

      4. Click Save in the Actions column.

    Important
    • To prevent attacks from external users, you are not allowed to set the Authorization Object parameter to 0.0.0.0/0.

    • If no public IP address is assigned to the cluster when you create the cluster, you can add a public IP address to the cluster in the Elastic Compute Service (ECS) console.

  • Configure a Knox account

    When you access Knox, you must enter your username and password. The authentication is based on Lightweight Directory Access Protocol (LDAP). You can use the LDAP service of Apache Directory Server in the cluster or your own LDAP service.

    • Method 1 (recommended):

      On the Users page of the cluster, add a Knox account. For more information, see Manage user accounts.

    • Method 2:

      1. Log on to your cluster in SSH mode. For more information, see Log on to a cluster.

      2. Prepare your username, such as Tom.

        Run the following commands to open the users.ldif file:

        su knox
        vim /opt/apps/KNOX/knox-current/templates/users.ldif

        In the file, replace emr-guest and EMR GUEST with Tom, and set the userPassword parameter to the password that you want to use for this username.

      3. Run the following commands to import user data to LDAP:

        cd /opt/apps/KNOX/knox-current/templates
        sh ldap-sample-users.sh
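
The following example is added here and is not part of the original topic or of EMR. It audits inbound rules against the guidance in "Configure a security group rule": port 8443 only, a single source address, and never 0.0.0.0/0. The audit_rule function, the rule tuples, and the sample IP addresses are constructed for illustration and are not an Alibaba Cloud API format.

```python
import ipaddress

KNOX_PORT = 8443  # port used in this topic's example


def audit_rule(port_range, authorization_object, my_public_ip):
    """Return findings for one inbound rule; an empty list means it matches the guidance."""
    try:
        low, high = (int(p) for p in port_range.split("/"))
    except ValueError:
        return [f"unparseable port range {port_range!r}"]
    if not 1 <= low <= high <= 65535:
        return [f"invalid port range {port_range!r}"]
    if not low <= KNOX_PORT <= high:
        return []  # rule does not expose the Knox port; out of scope here
    findings = []
    if (low, high) != (KNOX_PORT, KNOX_PORT):
        findings.append(f"port range {port_range} is wider than 8443/8443")
    try:
        net = ipaddress.ip_network(authorization_object, strict=False)
    except ValueError:
        return findings + [f"unparseable authorization object {authorization_object!r}"]
    if net.prefixlen == 0:
        findings.append("authorization object is open to the whole Internet")
    elif net.num_addresses > 1:
        findings.append(f"authorization object covers {net.num_addresses} addresses")
    if ipaddress.ip_address(my_public_ip) not in net:
        findings.append("current public IP is not covered; the web UIs will be unreachable")
    return findings


# Constructed sample rules: (Port Range, Authorization Object).
# Addresses come from the documentation-only ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_RULES = [
    ("8443/8443", "203.0.113.25"),    # matches the guidance
    ("8443/8443", "0.0.0.0/0"),       # the setting the Important note forbids
    ("8000/9000", "203.0.113.0/24"),  # wider port range and wider source than needed
    ("8443/8443", "198.51.100.7"),    # stale address left over from another network
]

if __name__ == "__main__":
    my_ip = "203.0.113.25"  # constructed; replace with your current public IP address
    for ports, source in SAMPLE_RULES:
        for finding in audit_rule(ports, source, my_ip) or ["OK"]:
            print(f"{ports:<10} {source:<16} {finding}")
```
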

Access web UIs

You can use your Knox account to access the web UIs of components. For more information, see Access the web UIs of open source components.

FAQ

  • Q: Why do the components of Knox stop working and the error message Failed to start gateway: org.apache.hadoop.gateway.services.ServiceLifecycleException: Gateway SSL Certificate is Expired appear when I start Knox?

  • A: Perform the following steps:

    1. Log on to your cluster in SSH mode. For more information, see Log on to a cluster.

    2. Run the following command to rename the expired SSL certificate:

      sudo mv /opt/apps/KNOX/knox-current/data/security/keystores/gateway.jks /opt/apps/KNOX/knox-current/data/security/keystores/bak_gateway.jks

      Note

      You can also move the SSL certificate to another directory.

    3. Restart Knox.

      1. Go to the Services page of your cluster in the EMR console. In the Knox section, move the pointer over the more icon and select Start.

      2. In the dialog box that appears, enter a reason in the Execution Reason field and click OK.

      3. In the Confirm message, click OK.