[ 
https://issues.apache.org/jira/browse/KNOX-2679?focusedWorklogId=663999&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-663999
 ]

ASF GitHub Bot logged work on KNOX-2679:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Oct/21 11:00
            Start Date: 12/Oct/21 11:00
    Worklog Time Spent: 10m 
      Work Description: moresandeep opened a new pull request #509:
URL: https://github.com/apache/knox/pull/509


   
## What changes were proposed in this pull request?
This PR tries to address the issue where Knox SSO goes into a redirect loop
when the authenticated user is part of too many groups. This happens because
Pac4J tries to save all the user entitlements in a profile object that Knox
saves as a cookie (for HA deployments). The unfortunate side effect is that
we are now bound by the cookie size.

This PR introduces the following parameters that can be controlled from the
knoxsso.xml topology:

| Property Name | Default Value | Description |
| ---------------- | ------------- | ------------|
| `pac4j.session.store.exclude.groups` | `true` | Exclude group entitlements from pac4j profile cookie |
| `pac4j.session.store.exclude.roles` | `true` | Exclude roles entitlements from pac4j profile cookie |
| `pac4j.session.store.exclude.permissions` | `true` | Exclude roles permissions from pac4j profile cookie |

Example config from knoxsso.xml:
```
<param>
    <name>pac4j.session.store.exclude.groups</name>
    <value>false</value>
</param>
<param>
    <name>pac4j.session.store.exclude.roles</name>
    <value>true</value>
</param>
<param>
    <name>pac4j.session.store.exclude.permissions</name>
    <value>false</value>
</param>
```

## How was this patch tested?
This patch was tested on a local Apache Knox instance with Okta.
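The following is an added example, not code from the PR or from Apache Knox, that models the size problem the PR describes: it parses the three `pac4j.session.store.exclude.*` parameters out of a topology fragment, drops the matching entitlement lists from a constructed profile, and checks whether the result still fits in a single cookie. The JSON-plus-base64url cookie encoding, the 4096-byte per-cookie ceiling, the `<topology><gateway><provider><param>` nesting and the sample profile are all assumptions made for the illustration; the real Knox profile serialisation differs.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Assumed per-cookie ceiling: RFC 6265 requires user agents to accept at least
# 4096 bytes per cookie, and most browsers cut off around that size.
COOKIE_LIMIT_BYTES = 4096

# The three topology parameters from the PR, mapped to the profile field each one removes.
EXCLUDE_PARAMS = {
    "pac4j.session.store.exclude.groups": "groups",
    "pac4j.session.store.exclude.roles": "roles",
    "pac4j.session.store.exclude.permissions": "permissions",
}


def parse_exclusions(topology_xml: str) -> dict:
    """Read the exclude flags from <param> entries; absent params keep the default of true."""
    flags = {field: True for field in EXCLUDE_PARAMS.values()}
    root = ET.fromstring(topology_xml.strip())
    for param in root.iter("param"):
        name = (param.findtext("name") or "").strip()
        value = (param.findtext("value") or "").strip().lower()
        if name in EXCLUDE_PARAMS:
            flags[EXCLUDE_PARAMS[name]] = value == "true"
    return flags


def trim_profile(profile: dict, flags: dict) -> dict:
    """Return a copy of the profile with every excluded entitlement list removed."""
    trimmed = dict(profile)
    for field, excluded in flags.items():
        if excluded:
            trimmed.pop(field, None)
    return trimmed


def cookie_size(profile: dict) -> int:
    """Bytes the profile occupies as a cookie value (assumed JSON + base64url encoding)."""
    raw = json.dumps(profile, separators=(",", ":")).encode("utf-8")
    return len(base64.urlsafe_b64encode(raw))


def fits_in_cookie(profile: dict) -> bool:
    return cookie_size(profile) <= COOKIE_LIMIT_BYTES


# Constructed sample: one user whose IdP assertion lists 300 directory groups.
SAMPLE_PROFILE = {
    "id": "alice",
    "email": "alice@example.com",
    "groups": [f"cn=team-{i},ou=groups,dc=example,dc=com" for i in range(300)],
    "roles": ["analyst", "viewer"],
    "permissions": ["read:dashboards"],
}

# Constructed topology fragments (Knox-style <gateway><provider><param> nesting assumed).
TOPOLOGY_DEFAULTS = (
    "<topology><gateway><provider><role>federation</role>"
    "<name>pac4j</name></provider></gateway></topology>"
)

# Same parameter values as the example config in the PR description.
TOPOLOGY_FROM_PR = """
<topology><gateway><provider>
  <role>federation</role><name>pac4j</name>
  <param><name>pac4j.session.store.exclude.groups</name><value>false</value></param>
  <param><name>pac4j.session.store.exclude.roles</name><value>true</value></param>
  <param><name>pac4j.session.store.exclude.permissions</name><value>false</value></param>
</provider></gateway></topology>
"""


def demo() -> dict:
    """Cookie sizes for the untrimmed profile, the PR's example config and the defaults."""
    return {
        "untrimmed": cookie_size(SAMPLE_PROFILE),
        "pr_example": cookie_size(trim_profile(SAMPLE_PROFILE, parse_exclusions(TOPOLOGY_FROM_PR))),
        "defaults": cookie_size(trim_profile(SAMPLE_PROFILE, parse_exclusions(TOPOLOGY_DEFAULTS))),
    }


if __name__ == "__main__":
    for label, size in demo().items():
        print(f"{label:>10}: {size:6d} bytes  fits={size <= COOKIE_LIMIT_BYTES}")
```

Run as a script, the untrimmed profile and the PR's example config (which keeps groups) both exceed the assumed limit, while the defaults (all three exclusions on) bring the cookie down to a few dozen bytes. That is the practical reason the defaults are `true`: an operator who sets `pac4j.session.store.exclude.groups` to `false` re-introduces the dependency on how many groups the IdP returns, so it should only be done where the group count is known to be small.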


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

            Worklog Id:     (was: 663999)
    Remaining Estimate: 0h
            Time Spent: 10m

> Trim Pac4j entitlements to avoid cookie too large issue.
> --------------------------------------------------------
>
>                 Key: KNOX-2679
>                 URL: https://issues.apache.org/jira/browse/KNOX-2679
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently with KnoxSSO, if the user is part of too many groups, the SAML assertion
> that we get back from the IdP is huge. This causes the hadoop-jwt cookie to not be
> set, throwing the SSO into a loop.
> Knox does not need groups; groups in Knox are figured out based on the
> hadoop-user-group lookup. We should be able to filter out groups from the
> SAML assertion.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
