[
https://issues.apache.org/jira/browse/KNOX-730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15870840#comment-15870840
]
Larry McCay commented on KNOX-730:
----------------------------------
Okay, [~sametkaradag] - I think that I finally have a bead on this.
The cookies are being set by pac4j to compute-1.amazonaws.com or to
amazonaws.com which happen to be considered TLD's that are not allowed to be
used for cookie domains.
We are going to have to figure out how to force the default domain - which is
the fully qualified hostname. As long as all the resources you plan to access
are proxied through Knox as well as using SSOCookieProvider then this will
work. Unfortunately, this will likely require a code change to get the domain
to be default but I will look and see if there is any config in the pac4j
provider.
> pac4jRequestedUrl = null after saml2 assertion is parsed
> --------------------------------------------------------
>
> Key: KNOX-730
> URL: https://issues.apache.org/jira/browse/KNOX-730
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.9.0
> Environment: rhel
> Reporter: jeff
> Labels: idp, security
> Fix For: 0.12.0
>
> Attachments: hadoop_dev.cer, hadoop_post_request_good.saz
>
>
> We are working with a hadoop system and trying to get the knox saml2 support
> working with our IDP. (note, this is not Okta but another IDP we use with
> many of our commercial clients internal and external.)
> We have successfully configured knox 0.9.0 to handle the redirection to idp,
> we clearly see the assertion being passed back and being parsed by the pc4j
> component and the requestedurl being stored.
> HOWEVER, it seems that when knox goes to retrieve this info, it finds a null.
> (from last line of log snippet below) 2016-07-22 13:16:27,818 DEBUG
> session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session:
> pac4jRequestedUrl = null
> and therefore the final redirect seems to default to '/' instead of the
> actual requestedurl (in this case
> https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS)
> 2016-07-22 13:13:03,911 INFO hadoop.gateway
> (GatewayServer.java:startGateway(294)) - Started gateway on port 8,445.
> 2016-07-22 13:15:58,995 DEBUG hadoop.gateway
> (GatewayFilter.java:doFilter(116)) - Received request: GET /webhdfs/v1/
> 2016-07-22 13:15:59,736 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: pac4jUserProfile = null
> 2016-07-22 13:15:59,737 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: pac4jRequestedUrl =
> https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS
> 2016-07-22 13:15:59,833 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session:
> SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:15:59,927 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: samlRelayState = null
> 2016-07-22 13:15:59,927 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: samlRelayState =
> 2016-07-22 13:16:16,179 DEBUG hadoop.gateway
> (GatewayFilter.java:doFilter(116)) - Received request: GET /webhdfs/v1/
> 2016-07-22 13:16:16,180 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: pac4jUserProfile = null
> 2016-07-22 13:16:16,180 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: pac4jRequestedUrl =
> https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS
> 2016-07-22 13:16:16,182 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session:
> SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:16:16,268 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: samlRelayState =
> 2016-07-22 13:16:16,268 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: samlRelayState =
> 2016-07-22 13:16:27,641 DEBUG hadoop.gateway
> (GatewayFilter.java:doFilter(116)) - Received request: POST /api/v1/websso
> 2016-07-22 13:16:27,813 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session:
> SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:16:27,814 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:set(105)) - Save in session: pac4jUserProfile =
> <SAML2Profile> | id: n0251132 | attributes: {Products=[],
> Groups=[cn=ram_am_im_infc_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_am_im_infc_AllUsers,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=lram_portal_claims,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=lram_portal_billing,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=kev_test_grp1,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=cp_planit,cn=products,ou=groups,o=Liberty,o=Intranet^cn=cp_is_users,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=sec_it_only,cn=products,ou=groups,o=Liberty,o=Intranet^cn=cm_SSL_Remote_Access,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=sec_twofactor_population,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_dashboard_standard,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_AM_IM_Hyp_Admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sasa_scheduling,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sas,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sas_adm_99,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=am_wasadmin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_WASAdmin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_pwrcntr_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ets_libertyforge_git,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_ats_datatools_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_capsmlinsecureconnect,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_data_innov_developer,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_SS_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=pm_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_HadoopPOC,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_Hadoop_RangerPOC,cn=Products,ou=Groups,o=Liberty,o=intranet],
> FirstName=[XXXXXX], PhoneNumber=[], LastName=[XXXXXXXXX], CustomerId=[],
> EmailAddress=[[email protected]]} | roles: [] | permissions: [] |
> isRemembered: false |
> 2016-07-22 13:16:27,818 DEBUG session.KnoxSessionStore
> (KnoxSessionStore.java:get(90)) - Get from session: pac4jRequestedUrl = null
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
