[
https://issues.apache.org/jira/browse/KNOX-730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15395604#comment-15395604
]
jeff commented on KNOX-730:
---------------------------
knoxsso.xml
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param>
        <name>pac4j.callbackUrl</name>
        <value>https://tchdpm01.lmig.com:8445/gateway/knoxsso2/api/v1/websso</value>
      </param>
      <param>
        <name>clientName</name>
        <value>SAML2Client</value>
      </param>
      <param>
        <name>saml.identityProviderMetadataPath</name>
        <value>file:///root/cifidm-dev.xml</value>
      </param>
      <param>
        <name>saml.serviceProviderEntityId</name>
        <value>https://tchdpm01.lmig.com:8445/gateway/knoxsso2/api/v1/websso?pac4jCallback=true&client_name=SAML2Client</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
      <param>
        <name>principal.mapping</name>
        <value>[email protected]=guest;</value>
      </param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param>
      <name>knoxsso.cookie.secure.only</name>
      <value>false</value>
    </param>
    <param>
      <name>knoxsso.token.ttl</name>
      <value>100000</value>
    </param>
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(tchdpm01\.lmig\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9999].*$</value>
    </param>
  </service>
  <service>
    <role>NAMENODE</role>
    <url>hdfs://10.18.176.56:8020</url>
    <url>hdfs://10.18.176.57:8020</url>
    <url>hdfs://10.18.176.58:8020</url>
  </service>
  <service>
    <role>JOBTRACKER</role>
    <url>rpc://tchdpm03.lmig.com:8050</url>
  </service>
  <service>
    <role>WEBHDFS</role>
    <url>http://tchdpm01.lmig.com:50070/webhdfs</url>
    <url>http://10.18.176.57:50070/webhdfs</url>
    <url>http://10.18.176.58:50070/webhdfs</url>
  </service>
  <service>
    <role>WEBHCAT</role>
    <url>http://tchdpm01.lmig.com:50111/templeton</url>
  </service>
  <service>
    <role>OOZIE</role>
    <url>http://tchdpm01.lmig.com:11000/oozie</url>
  </service>
  <service>
    <role>WEBHBASE</role>
    <url>http://tchdpm01.lmig.com:8080</url>
  </service>
  <service>
    <role>HIVE</role>
    <url>http://tchdpm01.lmig.com:10001/cliservice</url>
  </service>
  <service>
    <role>RESOURCEMANAGER</role>
    <url>http://tchdpm03.lmig.com:8088/ws</url>
  </service>
</topology>
> pac4jRequestedUrl = null after saml2 assertion is parsed
> --------------------------------------------------------
>
> Key: KNOX-730
> URL: https://issues.apache.org/jira/browse/KNOX-730
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.9.0
> Environment: rhel
> Reporter: jeff
> Labels: idp, security
>
> We are working with a Hadoop system and trying to get the Knox SAML2 support
> working with our IDP. (Note: this is not Okta but another IDP we use with
> many of our commercial clients, internal and external.)
> We have successfully configured Knox 0.9.0 to handle the redirection to the IDP;
> we clearly see the assertion being passed back and being parsed by the pac4j
> component and the requestedurl being stored.
> HOWEVER, it seems that when Knox goes to retrieve this info, it finds a null
> (from the last line of the log snippet below): 2016-07-22 13:16:27,818 DEBUG
> session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session:
> pac4jRequestedUrl = null
> and therefore the final redirect seems to default to '/' instead of the
> actual requestedurl (in this case
> https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS).
> 2016-07-22 13:13:03,911 INFO hadoop.gateway
> (GatewayServer.java:startGateway(294)) - Started gateway on port 8,445.
> 2016-07-22 13:15:58,995 DEBUG hadoop.gateway
> (GatewayFilter.java:doFilter(116)) - Received request: GET /webhdfs/v1/
> 2016-07-22 13:15:59,736 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: pac4jUserProfile = null
> 2016-07-22 13:15:59,737 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: pac4jRequestedUrl =
> https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS
> 2016-07-22 13:15:59,833 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session:
> SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:15:59,927 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: samlRelayState = null
> 2016-07-22 13:15:59,927 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: samlRelayState =
> 2016-07-22 13:16:16,179 DEBUG hadoop.gateway
> (GatewayFilter.java:doFilter(116)) - Received request: GET /webhdfs/v1/
> 2016-07-22 13:16:16,180 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: pac4jUserProfile = null
> 2016-07-22 13:16:16,180 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: pac4jRequestedUrl =
> https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS
> 2016-07-22 13:16:16,182 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session:
> SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:16:16,268 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: samlRelayState =
> 2016-07-22 13:16:16,268 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: samlRelayState =
> 2016-07-22 13:16:27,641 DEBUG hadoop.gateway
> (GatewayFilter.java:doFilter(116)) - Received request: POST /api/v1/websso
> 2016-07-22 13:16:27,813 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session:
> SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:16:27,814 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: pac4jUserProfile =
> <SAML2Profile> | id: n0251132 | attributes: {Products=[],
> Groups=[cn=ram_am_im_infc_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_am_im_infc_AllUsers,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=lram_portal_claims,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=lram_portal_billing,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=kev_test_grp1,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=cp_planit,cn=products,ou=groups,o=Liberty,o=Intranet^cn=cp_is_users,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=sec_it_only,cn=products,ou=groups,o=Liberty,o=Intranet^cn=cm_SSL_Remote_Access,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=sec_twofactor_population,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_dashboard_standard,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_AM_IM_Hyp_Admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sasa_scheduling,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sas,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sas_adm_99,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=am_wasadmin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_WASAdmin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_pwrcntr_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ets_libertyforge_git,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_ats_datatools_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_capsmlinsecureconnect,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_data_innov_developer,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_SS_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=pm_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_HadoopPOC,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_Hadoop_RangerPOC,cn=Products,ou=Groups,o=Liberty,o=intranet],
> FirstName=[XXXXXX], PhoneNumber=[], LastName=[XXXXXXXXX], CustomerId=[],
> EmailAddress=[[email protected]]} | roles: [] | permissions: [] |
> isRemembered: false |
> 2016-07-22 13:16:27,818 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: pac4jRequestedUrl = null
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
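Knox only honours a post-login redirect whose target matches the KNOXSSO service's knoxsso.redirect.whitelist.regex, and a common slip when adding a host to the default pattern is escaping the pipe between host alternatives (\|), which turns it into a literal character. The check below is an added example, not Knox project code: it pulls the whitelist regex out of a constructed topology fragment in the shape of the knoxsso.xml above (with the escaped pipe) and tests the URL the log shows being saved as pac4jRequestedUrl against it as written and with the alternation restored.

```python
"""Test a Knox topology's KnoxSSO redirect whitelist against the URL saved as
pac4jRequestedUrl. Added example, not Knox project code."""
import re
import xml.etree.ElementTree as ET

# Constructed knoxsso.xml fragment (KNOXSSO service only). The pipe before
# 'localhost' is escaped, so it matches a literal '|' instead of alternating.
TOPOLOGY_XML = r"""<topology>
  <service>
    <role>KNOXSSO</role>
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(tchdpm01\.lmig\.com\|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9999].*$</value>
    </param>
  </service>
</topology>"""

# The URL the log shows being saved as pac4jRequestedUrl before the IdP redirect.
ORIGINAL_URL = "https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS"

def whitelist_regex(topology_xml: str) -> str:
    """Return knoxsso.redirect.whitelist.regex from the KNOXSSO service."""
    root = ET.fromstring(topology_xml)
    for service in root.iter("service"):
        if service.findtext("role") != "KNOXSSO":
            continue
        for param in service.iter("param"):
            if param.findtext("name") == "knoxsso.redirect.whitelist.regex":
                return param.findtext("value")
    raise ValueError("topology has no KNOXSSO redirect whitelist")

def redirect_allowed(whitelist: str, original_url: str) -> bool:
    """True if the post-login redirect target matches the whitelist. Java and
    Python regexes agree on the escapes used here (\\/, \\., \\|)."""
    return re.match(whitelist, original_url) is not None

def restore_alternation(whitelist: str) -> str:
    """Turn an escaped pipe back into an alternation between host choices."""
    return whitelist.replace(r"\|", "|")

def check_topology(topology_xml: str, original_url: str) -> dict:
    """Evaluate the whitelist as written and with the alternation restored."""
    posted = whitelist_regex(topology_xml)
    fixed = restore_alternation(posted)
    return {"as_written": redirect_allowed(posted, original_url),
            "with_alternation": redirect_allowed(fixed, original_url),
            "regex_with_alternation": fixed}

if __name__ == "__main__":
    print(check_topology(TOPOLOGY_XML, ORIGINAL_URL))
```

With the escaped pipe neither tchdpm01.lmig.com nor localhost is accepted on its own, since the first alternative only matches the literal string "tchdpm01.lmig.com|localhost"; restoring the alternation accepts both while still rejecting other hosts.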