moresandeep commented on code in PR #639:
URL: https://github.com/apache/knox/pull/639#discussion_r985798568
##########
gateway-release/home/conf/gateway-site.xml:
##########
@@ -88,6 +88,35 @@ limitations under the License.
<value>60</value>
<description>The interval (in seconds) for polling Ambari for cluster
configuration changes.</description>
</property>
+ <!-- @since 2.0.0 WebShell configs -->
+ <!-- must have websocket enabled to use webshell -->
+ <property>
+ <name>gateway.webshell.feature.enabled</name>
+ <value>false</value>
+ <description>Enable/Disable webshell feature.</description>
+ </property>
+ <property>
+ <name>webshell.max.concurrent.sessions</name>
+ <value>3</value>
+ <description>maximum number of concurrent webshell
sessions</description>
Review Comment:
These are total :( what number would you recommend? does 20 sound good?
##########
gateway-release/home/conf/gateway-site.xml:
##########
@@ -88,6 +88,35 @@ limitations under the License.
<value>60</value>
<description>The interval (in seconds) for polling Ambari for cluster
configuration changes.</description>
</property>
+ <!-- @since 2.0.0 WebShell configs -->
+ <!-- must have websocket enabled to use webshell -->
+ <property>
+ <name>gateway.webshell.feature.enabled</name>
+ <value>false</value>
+ <description>Enable/Disable webshell feature.</description>
+ </property>
+ <property>
+ <name>webshell.max.concurrent.sessions</name>
+ <value>3</value>
+ <description>maximum number of concurrent webshell
sessions</description>
+ </property>
+ <property>
+ <name>gateway.webshell.audit.logging.enabled</name>
+ <value>false</value>
Review Comment:
Right, audit feature is not fully ready yet, it is still in POC phase. We
need to think about how to prevent logging secrets, which like you pointed out
is lacking as of now. Add a description is a good idea. I am inclined to
keeping Audit in the property name for two reasons
1. Logs to audit log file
2. For compatibility reasons, if someone actively turns on this feature
knowing implications then next time we change property name the feature would
stop working after upgrade.
##########
gateway-release/home/conf/gateway-site.xml:
##########
@@ -88,6 +88,35 @@ limitations under the License.
<value>60</value>
<description>The interval (in seconds) for polling Ambari for cluster
configuration changes.</description>
</property>
+ <!-- @since 2.0.0 WebShell configs -->
+ <!-- must have websocket enabled to use webshell -->
+ <property>
+ <name>gateway.webshell.feature.enabled</name>
+ <value>false</value>
+ <description>Enable/Disable webshell feature.</description>
+ </property>
+ <property>
+ <name>webshell.max.concurrent.sessions</name>
+ <value>3</value>
+ <description>maximum number of concurrent webshell
sessions</description>
+ </property>
+ <property>
+ <name>gateway.webshell.audit.logging.enabled</name>
+ <value>false</value>
+ <description>Enable/Disable webshell audit logging.</description>
+ </property>
+ <property>
+ <name>gateway.webshell.read.buffer.size</name>
+ <value>1024</value>
+ <description>Web Shell buffer size for reading</description>
+ </property>
+
+ <!-- @since 2.0.0 websocket JWT validation configs -->
+ <property>
+ <name>gateway.websocket.JWT.validation.feature.enabled</name>
+ <value>false</value>
+ <description>Enable/Disable websocket JWT validation
feature.</description>
Review Comment:
This should be on by default, thanks for pointing this out. This property is
used to disable JWT token validation at the websocket layer. This is needed for
cases where we want the session the terminate when JWT expires. Turning it off
does not mean WS is less secure, WS connections are only established after
successful authz and are always SSL.
##########
gateway-release/home/conf/gateway-site.xml:
##########
@@ -88,6 +88,35 @@ limitations under the License.
<value>60</value>
<description>The interval (in seconds) for polling Ambari for cluster
configuration changes.</description>
</property>
+ <!-- @since 2.0.0 WebShell configs -->
+ <!-- must have websocket enabled to use webshell -->
+ <property>
+ <name>gateway.webshell.feature.enabled</name>
+ <value>false</value>
+ <description>Enable/Disable webshell feature.</description>
+ </property>
+ <property>
+ <name>webshell.max.concurrent.sessions</name>
+ <value>3</value>
+ <description>maximum number of concurrent webshell
sessions</description>
+ </property>
+ <property>
+ <name>gateway.webshell.audit.logging.enabled</name>
+ <value>false</value>
+ <description>Enable/Disable webshell audit logging.</description>
+ </property>
+ <property>
+ <name>gateway.webshell.read.buffer.size</name>
+ <value>1024</value>
+ <description>Web Shell buffer size for reading</description>
+ </property>
+
+ <!-- @since 2.0.0 websocket JWT validation configs -->
+ <property>
+ <name>gateway.websocket.JWT.validation.feature.enabled</name>
+ <value>false</value>
+ <description>Enable/Disable websocket JWT validation
feature.</description>
Review Comment:
This should be on by default, thanks for pointing this out. This property is
used to disable JWT token validation at the websocket layer. This is needed for
cases where we want the session the terminate when JWT expires. Turning it off
does not mean WS is less secure, WS connections are only established after
successful authz and are always secure.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
