Sandeep More created KNOX-2574:
----------------------------------

             Summary: Missing proper logging when hmac secret is short (misconfigured)
                 Key: KNOX-2574
                 URL: https://issues.apache.org/jira/browse/KNOX-2574
             Project: Apache Knox
          Issue Type: New Feature
          Components: Server
            Reporter: Sandeep More


I was testing out creating tokens with HMAC and created a secret which was less 
than 256 bits. When I tried to create tokens the operation failed with no 
meaningful message, and even the gateway logs were not logging the error. If this 
happened in prod it would be extremely painful to track down.

This is what I get when I try to create tokens:

{code}
(base) ➜  ~ curl -iku admin:admin-password 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token'
HTTP/1.1 200 OK
Date: Wed, 07 Apr 2021 19:27:42 GMT
Set-Cookie: KNOXSESSIONID=node01hfs7ly3arqcelcoiofnz3de0.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Tue, 06-Apr-2021 19:27:42 GMT; SameSite=lax
Content-Type: application/json
Content-Length: 30

{ "Unable to acquire token." }
{code}

And this is what I see in the logs:
{code}
2021-04-07 15:27:42,405 INFO  knox.gateway (KnoxLdapRealm.java:getUserDn(688)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
2021-04-07 15:29:25,667 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(453)) - toString
2021-04-07 15:29:28,125 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - toString
2021-04-07 15:29:29,671 ERROR service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - Unable to issue token.
2021-04-07 15:29:29,863 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(456)) - toString
{code}

There were a few issues I noticed that need some attention:
1. Should we even allow creating secrets less than 256 bits? How do we validate it?
2. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
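A pre-flight check of the kind the first question asks about, as an added example that is not Knox code: it applies the RFC 7518 minimum HMAC key sizes for the HS* JWS algorithms and rejects a short secret with a message naming the misconfiguration, instead of a bare "Unable to issue token." The token is a plain compact JWS; the function names and the sample secrets are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Minimum HMAC key length in bits per JWS algorithm (RFC 7518 section 3.2:
# the key must be at least as long as the hash output).
MIN_KEY_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
_DIGEST = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def check_hmac_secret(secret: bytes, alg: str = "HS256") -> Optional[str]:
    """Return a descriptive configuration error, or None if the secret is usable."""
    if alg not in MIN_KEY_BITS:
        return f"unsupported JWS algorithm {alg!r}"
    have, need = len(secret) * 8, MIN_KEY_BITS[alg]
    if have < need:
        return (f"HMAC secret is {have} bits but {alg} requires at least {need} bits; "
                "generate a longer secret before enabling token issuance")
    return None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def issue_token(secret: bytes, claims: dict, alg: str = "HS256") -> str:
    """Sign a compact JWS over `claims`; a short secret fails with a clear error."""
    problem = check_hmac_secret(secret, alg)
    if problem:
        # This is the message an operator would want in the gateway log.
        raise ValueError(problem)
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, _DIGEST[alg]).digest()
    return f"{signing_input.decode('ascii')}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, alg: str = "HS256") -> bool:
    """Recompute the MAC over header.payload and compare in constant time."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), _DIGEST[alg]).digest()
    return hmac.compare_digest(_b64url(expected), sig)
```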
