[ https://issues.apache.org/jira/browse/KNOX-2713?focusedWorklogId=736694&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-736694 ]

ASF GitHub Bot logged work on KNOX-2713:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 04/Mar/22 14:42
            Start Date: 04/Mar/22 14:42
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request #543:
URL: https://github.com/apache/knox/pull/543


   ## What changes were proposed in this pull request?
   
   Changing Knox's default behavior when a user exceeds the configured token limit: if `REMOVE_OLDEST` is configured, Knox will remove the oldest token instead of returning an error.
   
   ## How was this patch tested?
   
   Updated existing JUnit tests as well as added new ones:
   ```
   $ mvn clean -Dshellcheck=true verify -Prelease,package -am -pl gateway-service-knoxtoken
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  05:56 min
   [INFO] Finished at: 2022-03-04T15:23:36+01:00
   [INFO] ------------------------------------------------------------------------
   ```
   Manual testing:
   - set `gateway.knox.token.limit.per.user = 1` in `gateway-site.xml`
   - set `knox.token.user.limit.exceeded.action = REMOVE_OLDEST` in the `homepage` topology for the `KNOXTOKEN` service
   - restarted Knox and created a token with comment `token 1` on the Token Generation page
   - created another token with comment `token 2` successfully (and the previously created one got revoked):
   
   ```
   2022-03-04 15:30:48,390 3ee2f801-ed84-4cee-bf9d-8da686266eed ERROR service.knoxtoken (TokenResource.java:getAuthenticationToken(669)) - Unable to get token for user admin: token limit exceeded
   2022-03-04 15:30:48,391 3ee2f801-ed84-4cee-bf9d-8da686266eed INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(675)) - Revoking admin's oldest token 066b2c...2bb6f5 ...
   2022-03-04 15:30:48,407 3ee2f801-ed84-4cee-bf9d-8da686266eed INFO  service.knoxtoken (TokenResource.java:revoke(512)) - Knox Token service (homepage) revoked token 066b2c...2bb6f5 (066b2cc3...946c6e2bb6f5) (renewer=admin)
   2022-03-04 15:30:48,413 3ee2f801-ed84-4cee-bf9d-8da686266eed INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(704)) - Knox Token service (homepage) issued token eyJqa3...k1ikvg (893cbbef...a754c8a4f5bb)
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 736694)
    Remaining Estimate: 0h
            Time Spent: 10m

> Improve user limit handling when fetching Knox Tokens
> -----------------------------------------------------
>
>                 Key: KNOX-2713
>                 URL: https://issues.apache.org/jira/browse/KNOX-2713
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.6.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The current user limit behavior, which returns an error in case the user is 
> trying to generate more tokens than he/she is allowed to, should be refined.
> The plan is to introduce a new service-level parameter called 
> {{knox.token.limit.exceeded.action}}. This new configuration may have the 
> following values:
>  * {{REMOVE_OLDEST}} - if that’s configured, the oldest token of the user, 
> who the token is being generated for, will be removed
>  * {{RETURN_ERROR}} - if that’s configured, Knox will return an error 
> response with 403 error code (as it does today)
> Defaults to {{RETURN_ERROR}}.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
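
With `REMOVE_OLDEST` a user's oldest token is revoked as a side effect of issuing a new one, so operators may want to audit those automatic revocations. The following is an added example, not part of the original message or of Knox's code: it correlates the gateway log lines shown in the pull request by request ID. The function name, the fifth sample line and the assumption that `RETURN_ERROR` logs only the "token limit exceeded" error are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines 1-4: the log excerpt from the pull request. Line 5: constructed here,
# assuming RETURN_ERROR logs only the "token limit exceeded" error.
SAMPLE_LOG = """\
2022-03-04 15:30:48,390 3ee2f801-ed84-4cee-bf9d-8da686266eed ERROR service.knoxtoken (TokenResource.java:getAuthenticationToken(669)) - Unable to get token for user admin: token limit exceeded
2022-03-04 15:30:48,391 3ee2f801-ed84-4cee-bf9d-8da686266eed INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(675)) - Revoking admin's oldest token 066b2c...2bb6f5 ...
2022-03-04 15:30:48,407 3ee2f801-ed84-4cee-bf9d-8da686266eed INFO  service.knoxtoken (TokenResource.java:revoke(512)) - Knox Token service (homepage) revoked token 066b2c...2bb6f5 (066b2cc3...946c6e2bb6f5) (renewer=admin)
2022-03-04 15:30:48,413 3ee2f801-ed84-4cee-bf9d-8da686266eed INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(704)) - Knox Token service (homepage) issued token eyJqa3...k1ikvg (893cbbef...a754c8a4f5bb)
2022-03-04 15:31:02,118 00000000-0000-0000-0000-000000000001 ERROR service.knoxtoken (TokenResource.java:getAuthenticationToken(669)) - Unable to get token for user guest: token limit exceeded
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<req>[0-9a-f-]{36}) +\w+ +\S+ \(\S+\) - (?P<msg>.*)$")
LIMIT = re.compile(r"Unable to get token for user (?P<user>\S+): token limit exceeded")
EVICT = re.compile(r"Revoking \S+'s oldest token (?P<token>\S+)")
REVOKED = re.compile(r"revoked token (?P<token>\S+)")
ISSUED = re.compile(r"issued token (?P<token>\S+)")


def audit_limit_events(log_text):
    """Group lines by request ID and classify each limit-exceeded request."""
    by_request = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a line in the expected layout
        ev, msg = by_request[m["req"]], m["msg"]
        if hit := LIMIT.search(msg):
            ev["user"], ev["at"] = hit["user"], m["ts"]
        for key, rx in (("evicting", EVICT), ("revoked", REVOKED), ("issued", ISSUED)):
            if hit := rx.search(msg):
                ev[key] = hit["token"]
    report = []
    for req, ev in by_request.items():
        if "user" not in ev:
            continue  # ordinary issuance, the limit was not involved
        # Count an eviction only when the revoke line confirms the same token.
        removed = "evicting" in ev and ev.get("revoked") == ev["evicting"]
        outcome = "oldest_removed" if removed and "issued" in ev else "rejected"
        report.append({"request": req, "user": ev["user"], "at": ev["at"], "outcome": outcome,
                       "revoked": ev.get("revoked"), "issued": ev.get("issued")})
    return report


if __name__ == "__main__":
    for row in audit_limit_events(SAMPLE_LOG):
        print(row)
```

A request that announces an eviction but never logs the matching `revoked token` line is reported as `rejected`, which makes a failed revocation stand out in the report.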
