smolnar82 commented on pull request #397: URL: https://github.com/apache/knox/pull/397#issuecomment-767448085
@lmccay - I tested it with different topologies come with different signature algorithms (HS256 and RS 256) and it was working as expected. Could you please give me another review and let me know if I can merge this PR? HS256 test ---------- Created a 256 bit HMAC secret: `bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value 6w9zAB-E_H-McQfTjWnZr4u7x_A7D8F-` ``` curl -iku admin:admin-password https://localhost:8443/gateway/tokenhs256/knoxtoken/api/v1/token {"access_token":"eyJhbG...RI2hKM",...,"token_type":"Bearer","expires_in":1611689480150} ``` gateway.log: `2021-01-26 10:35:24,158 INFO service.knoxtoken (TokenResource.java:getAuthenticationToken(407)) - Knox Token service (tokenhs256) issued token eyJhbG...RI2hKM (7794004b-c3e8-4aea-9d69-226786948ace)` Testing the acquired token: `curl -ik -H "Authorization: Bearer eyJhbG...RI2hKM" https://localhost:8443/gateway/tokenbased/hdfs` gateway-audit.log: ``` 21/01/26 10:37:27 ||8e4bcfe0-4a26-4f0c-a74b-857217ffeae7|audit|[0:0:0:0:0:0:0:1]|HDFSUI||||access|uri|/gateway/tokenbased/hdfs|unavailable|Request method: GET 21/01/26 10:37:27 ||8e4bcfe0-4a26-4f0c-a74b-857217ffeae7|audit|[0:0:0:0:0:0:0:1]|HDFSUI|admin|||authentication|uri|/gateway/tokenbased/hdfs|success| ``` RS256 test ---------- `curl -iku admin:admin-password https://localhost:8443/gateway/tokenrs256/knoxtoken/api/v1/token` `{"access_token":"eyJhbG...xukCHw",...,"token_type":"Bearer","expires_in":1611690064630}` gateway.log: `2021-01-26 10:41:04,638 INFO service.knoxtoken (TokenResource.java:getAuthenticationToken(407)) - Knox Token service (tokenrs256) issued token eyJhbG...xukCHw (fffd212d-dba7-40c5-8325-3512203ffde2)` Testing the acquired token: `curl -ik -H "Authorization: Bearer eyJhbG...xukCHw" https://localhost:8443/gateway/tokenbased/hdfs` gateway-audit.log: ``` 21/01/26 10:44:35 ||1bac63c9-1c15-4673-a592-2072f9235d53|audit|[0:0:0:0:0:0:0:1]|HDFSUI||||access|uri|/gateway/tokenbased/hdfs|unavailable|Request method: GET 21/01/26 10:44:45 ||1bac63c9-1c15-4673-a592-2072f9235d53|audit|[0:0:0:0:0:0:0:1]|HDFSUI|admin|||authentication|uri|/gateway/tokenbased/hdfs|success| ``` The only difference between the `tokenhs256` and tokenrs256` topologies is the configured signature algorithm: ``` <service> <role>KNOXTOKEN</role> <param> <name>knox.token.ttl</name> <value>36000000</value> </param> <param> <name>knox.token.audiences</name> <value>tokenbased</value> </param> <param> <name>knox.token.target.url</name> <value>https://localhost:8443/gateway/tokenbased</value> </param> <param> <name>knox.token.sigalg</name> <value>HS256</value> </param> </service> ``` ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
