Kat Petre created KNOX-1577:
-------------------------------
Summary: Knox automatically derived dispatch whitelist doesn't
seem to actually match the knox domain
Key: KNOX-1577
URL: https://issues.apache.org/jira/browse/KNOX-1577
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 1.1.0
Reporter: Kat Petre
Attachments: CDC05871-10A2-43CE-8190-E6AAC51AC3D9.png
When the dispatch whitelist is not explicitly configured, Knox attempts to
derive this whitelist based on the domain of the knox host. We can see this in
the logs as follows:
{code:java}
2018-11-08 20:57:34,173 INFO knox.gateway
(WhitelistUtils.java:getDispatchWhitelist(63)) - Applying a derived dispatch
whitelist because none is configured in gateway-site:
^/.*$;^https?://(.+\.honeypot\.hortonworks\.site):[0-9]+/?.*$
{code}
However, login via knox sso with this configuration is not possible. Upon
closer inspection (with a regex editor) we see there are 4 unescaped forward
slashes which cause the knox hostname (or hostname of another host on the same
domain as knox) to not match the auto-configured whitelist.
!CDC05871-10A2-43CE-8190-E6AAC51AC3D9.png!
(Thanks [~vrathor-hw] helping find this)
Escaping the forward slashes and explicitly configuring the whitelist with
following example values seems to solve the problem, and allow login via knox
sso.
{code:java}
<param>
<name>knoxsso.redirect.whitelist.regex</name>
<value>^https?:\/\/(.*\.honeypot\.hortonworks\.site|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
</param>
{code}
If escaping the / as I did above is the correct workaround for this solution,
should we configure the automatically derived whitelists to do this also?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
