[jira] [Commented] (KNOX-1577) Knox automatically derived dispatch whitelist doesn't seem to actually match the knox domain

Thu, 08 Nov 2018 19:09:01 -0800 


    [ 
https://issues.apache.org/jira/browse/KNOX-1577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16680775#comment-16680775
 ] 

Vipin Rathor commented on KNOX-1577:
------------------------------------

Can anyone please assign this to me? I'm verifying a patch for this issue. 
Thanks.

> Knox automatically derived dispatch whitelist doesn't seem to actually match 
> the knox domain
> --------------------------------------------------------------------------------------------
>
>                 Key: KNOX-1577
>                 URL: https://issues.apache.org/jira/browse/KNOX-1577
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.1.0
>            Reporter: Kat Petre
>            Priority: Critical
>         Attachments: CDC05871-10A2-43CE-8190-E6AAC51AC3D9.png
>
>
> When the dispatch whitelist is not explicitly configured, Knox attempts to 
> derive this whitelist based on the domain of the knox host. We can see this 
> in the logs as follows:
> {code:java}
> 2018-11-08 20:57:34,173 INFO knox.gateway 
> (WhitelistUtils.java:getDispatchWhitelist(63)) - Applying a derived dispatch 
> whitelist because none is configured in gateway-site: 
> ^/.*$;^https?://(.+\.honeypot\.hortonworks\.site):[0-9]+/?.*$
> {code}
> However, login via knox sso with this configuration is not possible. Upon 
> closer inspection (with a regex editor) we see there are 4 unescaped forward 
> slashes which cause the knox hostname (or hostname of another host on the 
> same domain as knox) to not match the auto-configured whitelist. 
> !CDC05871-10A2-43CE-8190-E6AAC51AC3D9.png!
> (Thanks [~vrathor-hw] helping find this)
> Escaping the forward slashes and explicitly configuring the whitelist with 
> following example values seems to solve the problem, and allow login via knox 
> sso. 
> {code:java}
>  <param>
>  <name>knoxsso.redirect.whitelist.regex</name>
>  
> <value>^https?:\/\/(.*\.honeypot\.hortonworks\.site|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>  </param>
> {code}
> If escaping the / as I did above is the correct workaround for this solution, 
> should we configure the automatically derived whitelists to do this also?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to