[ 
https://issues.apache.org/jira/browse/KNOX-2679?focusedWorklogId=681094&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-681094
 ]

ASF GitHub Bot logged work on KNOX-2679:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 13/Nov/21 12:15
            Start Date: 13/Nov/21 12:15
    Worklog Time Spent: 10m 
      Work Description: moresandeep opened a new pull request #517:
URL: https://github.com/apache/knox/pull/517


   ## What changes were proposed in this pull request?
   There are cases where the IdP sends back custom attributes that might be too
big. For instance, the groups name attribute could be
`https://knox.apache.org/SAML/Attributes/groups`, which might contain a large
number of groups that might prevent setting cookies properly. This patch adds
the ability to remove custom attributes from the pac4j profile cookie.
   
   `pac4j.session.store.exclude.custom.attributes` is the configuration setting,
and it takes a comma-separated list of values. The default is a blank string.
   
   ## How was this patch tested?
   This patch was tested on a local cluster.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 681094)
    Time Spent: 1h 50m  (was: 1h 40m)

> Trim Pac4j entitlements to avoid cookie too large issue.
> --------------------------------------------------------
>
>                 Key: KNOX-2679
>                 URL: https://issues.apache.org/jira/browse/KNOX-2679
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 1.6.0
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> Currently with KnoxSSO, if the user is part of too many groups, the SAML
> assertion that we get back from the IdP is huge. This causes the hadoop-jwt
> cookie to not be set, throwing the SSO into a loop.
> Knox does not need groups; groups in Knox are figured out based on the
> hadoop-user-group lookup. We should be able to filter out groups from the
> SAML assertion.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
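
The attribute trimming described in the pull request above, as an added example that is not code from Apache Knox or pac4j. The class and method names, the serialization stand-in and the sample profile are assumptions constructed for illustration; only the attribute name and the comma separated setting format come from the message.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.stream.Collectors;

// Added illustration; not code from Apache Knox or pac4j. Class and method names are hypothetical.
public class ProfileCookieTrim {
    // Browsers are only required to accept about 4096 bytes per cookie (RFC 6265, section 6.1).
    static final int COOKIE_LIMIT = 4096;

    // Parse the comma separated setting; the blank default yields an empty set (nothing removed).
    static Set<String> parseExcludes(String configValue) {
        if (configValue == null || configValue.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return Arrays.stream(configValue.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Return a copy of the profile attributes without the excluded names; the input is left untouched.
    static Map<String, Object> trim(Map<String, Object> attributes, Set<String> excludes) {
        Map<String, Object> kept = new LinkedHashMap<>(attributes);
        kept.keySet().removeAll(excludes);
        return kept;
    }

    // Stand-in for cookie serialization (assumption): Base64 of the map's string form.
    static int encodedSize(Map<String, Object> attributes) {
        byte[] raw = attributes.toString().getBytes(StandardCharsets.UTF_8);
        return Base64.getUrlEncoder().encodeToString(raw).length();
    }

    public static void main(String[] args) {
        // Constructed sample profile: one user in 400 groups.
        List<String> groups = new ArrayList<>();
        for (int i = 0; i < 400; i++) {
            groups.add("hadoop-analytics-team-" + i);
        }
        Map<String, Object> profile = new LinkedHashMap<>();
        profile.put("username", "alice");
        profile.put("https://knox.apache.org/SAML/Attributes/groups", groups);

        Set<String> excludes = parseExcludes(" https://knox.apache.org/SAML/Attributes/groups , ");
        int before = encodedSize(profile);
        int after = encodedSize(trim(profile, excludes));
        System.out.printf("before=%d bytes (fits=%b), after=%d bytes (fits=%b)%n",
                before, before <= COOKIE_LIMIT, after, after <= COOKIE_LIMIT);
    }
}
```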
