[
https://issues.apache.org/jira/browse/KNOX-2527?focusedWorklogId=542108&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-542108
]
ASF GitHub Bot logged work on KNOX-2527:
----------------------------------------
Author: ASF GitHub Bot
Created on: 26/Jan/21 10:23
Start Date: 26/Jan/21 10:23
Worklog Time Spent: 10m
Work Description: smolnar82 commented on pull request #397:
URL: https://github.com/apache/knox/pull/397#issuecomment-767448085
@lmccay - I tested it with different topologies come with different
signature algorithms (HS256 and RS 256) and it was working as expected. Could
you please give me another review and let me know if I can merge this PR?
HS256 test
----------
Created a 256 bit HMAC secret:
`bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value
6w9zAB-E_H-McQfTjWnZr4u7x_A7D8F-`
```
curl -iku admin:admin-password
https://localhost:8443/gateway/tokenhs256/knoxtoken/api/v1/token
{"access_token":"eyJhbG...RI2hKM",...,"token_type":"Bearer","expires_in":1611689480150}
```
gateway.log:
`2021-01-26 10:35:24,158 INFO service.knoxtoken
(TokenResource.java:getAuthenticationToken(407)) - Knox Token service
(tokenhs256) issued token eyJhbG...RI2hKM
(7794004b-c3e8-4aea-9d69-226786948ace)`
Testing the acquired token: `curl -ik -H "Authorization: Bearer
eyJhbG...RI2hKM" https://localhost:8443/gateway/tokenbased/hdfs`
gateway-audit.log:
```
21/01/26 10:37:27
||8e4bcfe0-4a26-4f0c-a74b-857217ffeae7|audit|[0:0:0:0:0:0:0:1]|HDFSUI||||access|uri|/gateway/tokenbased/hdfs|unavailable|Request
method: GET
21/01/26 10:37:27
||8e4bcfe0-4a26-4f0c-a74b-857217ffeae7|audit|[0:0:0:0:0:0:0:1]|HDFSUI|admin|||authentication|uri|/gateway/tokenbased/hdfs|success|
```
RS256 test
----------
`curl -iku admin:admin-password
https://localhost:8443/gateway/tokenrs256/knoxtoken/api/v1/token`
`{"access_token":"eyJhbG...xukCHw",...,"token_type":"Bearer","expires_in":1611690064630}`
gateway.log:
`2021-01-26 10:41:04,638 INFO service.knoxtoken
(TokenResource.java:getAuthenticationToken(407)) - Knox Token service
(tokenrs256) issued token eyJhbG...xukCHw
(fffd212d-dba7-40c5-8325-3512203ffde2)`
Testing the acquired token: `curl -ik -H "Authorization: Bearer
eyJhbG...xukCHw" https://localhost:8443/gateway/tokenbased/hdfs`
gateway-audit.log:
```
21/01/26 10:44:35
||1bac63c9-1c15-4673-a592-2072f9235d53|audit|[0:0:0:0:0:0:0:1]|HDFSUI||||access|uri|/gateway/tokenbased/hdfs|unavailable|Request
method: GET
21/01/26 10:44:45
||1bac63c9-1c15-4673-a592-2072f9235d53|audit|[0:0:0:0:0:0:0:1]|HDFSUI|admin|||authentication|uri|/gateway/tokenbased/hdfs|success|
```
The only difference between the `tokenhs256` and tokenrs256` topologies is
the configured signature algorithm:
```
<service>
<role>KNOXTOKEN</role>
<param>
<name>knox.token.ttl</name>
<value>36000000</value>
</param>
<param>
<name>knox.token.audiences</name>
<value>tokenbased</value>
</param>
<param>
<name>knox.token.target.url</name>
<value>https://localhost:8443/gateway/tokenbased</value>
</param>
<param>
<name>knox.token.sigalg</name>
<value>HS256</value>
</param>
</service>
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 542108)
Time Spent: 1h 40m (was: 1.5h)
> Support HMAC signature/verification in JWT token authority
> ----------------------------------------------------------
>
> Key: KNOX-2527
> URL: https://issues.apache.org/jira/browse/KNOX-2527
> Project: Apache Knox
> Issue Type: New Feature
> Components: KnoxSSO, Server
> Affects Versions: 1.5.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 1.6.0
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> As of now, in {{DefaultTokenAuthorityService}}, the generated JWT token is
> signed by RSA (PKI). It would be beneficial to add support for HMAC as well
> so that token signature/verification would not require a keystore being set
> but using a secret stored via Knox's alias service. The recommended alias
> name is {{gateway.signing.hmac.secret}}
> To support backward compatibility, the implementation should use HMAC
> signature/verification only if:
> - the HMAC secret is configured via the alias service for the gateway, and
> - there is no previously pre-configured {{gateway.signing.keystore.name}}
> which is a clear indication of end-user preference of using PKI signatures.
> The default HMAC signing algorithm should be {{HS256}} (HMAC using SHA-256
> hash algorithm) and clients should be able to change it by already existing
> request parameters called {{knoxsso.token.sigalg}} or {{knox.token.sigalg}}.
> Other valid values are:
> - {{HS384}} (HMAC using SHA-384 hash algorithm)
> - {{HS512}} (HMAC using SHA-512 hash algorithm)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
