[
https://issues.apache.org/jira/browse/KNOX-911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15936284#comment-15936284
]
Attila Kanto commented on KNOX-911:
-----------------------------------
Hi [~lmccay],
The depicted two Knox instances are not connected through SSO, they are
completely independent, therefore I think the scoping of cookies to Path (and
not just to domain) might help.
In case of SSO you are right, it works, but if and only if you have 1 shared
cluster that acts as SSO Provider. But if you have a reverse proxy and
multiple shared clusters behind that reverse proxy, e.g. shared1 and shared2,
and the ephemeral-a, ephemeral-b clusters are pointing to shared1 and
ephemeral-c, ephemeral-d are pointing to shared2, then we have a problem again
since the shared1 and shared2 clusters do not have the same signing key.
Therefore if I am switching between ephemeral-a and ephemeral-b in my browser
then everything will be fine until I try to connect to ephemeral-c (or
ephemeral-d), since in that case my cookie is overwritten and I am logged out
automatically from ephemeral-a and ephemeral-b.
Please note that the shared1 and shared2 clusters are completely independent;
they might use a different LDAP, therefore they cannot share the same signing
key, and you can imagine the reverse proxy as a single point of access to every
Hadoop cluster of a company.
I admit this is a very special use case :).
Kind regards,
Attila
> Ability to scope cookies to a given Path
> ----------------------------------------
>
> Key: KNOX-911
> URL: https://issues.apache.org/jira/browse/KNOX-911
> Project: Apache Knox
> Issue Type: Wish
> Reporter: Attila Kanto
>
> If there are multiple individual Knox instances behind a reverse proxy,
> then it would be very useful if the Cookies could be scoped to a given Path.
> If a reverse proxy is put at the front of multiple Knox instances then scoping
> the Cookies to domain is not sufficient since the /gateway1/... and
> /gateway2/... cookies will overwrite each other.
> {code}
>                    +---------------------------------+
>                    |                                 |
>                    |          Reverse Proxy          |
>                    |                                 |
>                    +---------------------------------+
>                              |           |
>          /gateway1/topology  |           |  /gateway2/topology
>                              |           |
> +----------------------------v----+   +--v------------------------------+
> |                                 |   |                                 |
> |   Knox 1 (/gateway1/topology)   |   |   Knox 2 (/gateway2/topology)   |
> |                                 |   |                                 |
> +---------------------------------+   +---------------------------------+
> {code}
> Proposal:
> Cookies can be scoped with Set-Cookie: Path=/somepath header field.
> It would be very convenient if this scope path could be set in
> gateway-site.xml and Knox would return it in Set-Cookie header field to
> clients.
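The overwrite described in this issue, as an added example (not part of the JIRA thread or of Knox's code): a minimal browser-style cookie store following RFC 6265, fed `Set-Cookie` headers from two gateways behind one proxy host. The host name, the cookie name `session`, the cookie values and the request paths are constructed for illustration.

```python
from http.cookies import SimpleCookie

HOST = "proxy.example.com"  # constructed reverse-proxy host name


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieStore:
    """Browser-like store: a cookie's identity is (name, domain, path)."""

    def __init__(self):
        self.jar = {}

    def set_cookie(self, host, request_path, header):
        morsel = next(iter(SimpleCookie(header).values()))
        domain = morsel["domain"] or host
        # Without a Path attribute the default is the request path's directory.
        path = morsel["path"] or request_path.rsplit("/", 1)[0] or "/"
        # Same (name, domain, path) replaces the stored cookie.
        self.jar[(morsel.key, domain, path)] = morsel.value

    def cookies_for(self, host, request_path):
        return sorted(value for (_, domain, path), value in self.jar.items()
                      if domain == host and path_matches(request_path, path))


def simulate(path1, path2):
    """Log in to Knox 1, then Knox 2, then list the cookie each one receives."""
    store = CookieStore()
    store.set_cookie(HOST, "/gateway1/topology/login",
                     f"session=signed-by-knox1; Path={path1}; HttpOnly")
    store.set_cookie(HOST, "/gateway2/topology/login",
                     f"session=signed-by-knox2; Path={path2}; HttpOnly")
    return (store.cookies_for(HOST, "/gateway1/topology/api"),
            store.cookies_for(HOST, "/gateway2/topology/api"))


if __name__ == "__main__":
    print("Path=/         ->", simulate("/", "/"))
    print("Path=/gatewayN ->", simulate("/gateway1", "/gateway2"))
```

With both cookies scoped to `/`, Knox 1 receives a cookie signed by Knox 2 and rejects it; with per-gateway paths each instance only ever sees its own cookie.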