[
https://issues.apache.org/jira/browse/KNOX-2948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar updated KNOX-2948:
--------------------------------
Description:
Since KNOX-1136, Knox saves the {{encryptQueryString}} alias in the given
topology's credential store when processing the descriptor.
The problem with this approach is that, in some cases, it may happen that 3rd
party deployment tools (such as Cloudera Manager) persist that secret in a
separate phase and
* this makes the Knox call redundant
* Knox will override the previously saved value silently
Proposal:
- introduce a new descriptor-level property called
{{provision-encrypt-query-string-credential}} (defaults to {{true}}) which
controls this behavior
- if the descriptor is configured with
{{provisionEncryptQueryStringCredential = false}}, no credential store
operation should be done to save that alias.
was:
Since KNOX-1136, Knox saves the {{encryptQueryString}} alias in the given
topology's credential store when processing the descriptor.
The problem with this approach is that, in some cases, it may happen that 3rd
party deployment tools (such as Cloudera Manager) persist that secret in a
separate phase and
* this makes the Knox call redundant
* Knox will override the previously saved value silently
Proposal:
- introduce a new descriptor-level property called
{{provision-encrypt-query-string-credential}} (defaults to {{true}}) which
controls this behavior
- if the descriptor is configured with
{{provisionQueryParamEncryptionCredential = false}}, no credential store
operation should be done to save that alias.
> Make encryptquerystring provision optional
> ------------------------------------------
>
> Key: KNOX-2948
> URL: https://issues.apache.org/jira/browse/KNOX-2948
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.14.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 2.0.0,
> 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
>
> Since KNOX-1136, Knox saves the {{encryptQueryString}} alias in the given
> topology's credential store when processing the descriptor.
> The problem with this approach is that, in some cases, it may happen that
> 3rd party deployment tools (such as Cloudera Manager) persist that secret in
> a separate phase and
> * this makes the Knox call redundant
> * Knox will override the previously saved value silently
> Proposal:
> - introduce a new descriptor-level property called
> {{provision-encrypt-query-string-credential}} (defaults to {{true}}) which
> controls this behavior
> - if the descriptor is configured with
> {{provisionEncryptQueryStringCredential = false}}, no credential store
> operation should be done to save that alias.