[jira] [Work logged] (KNOX-2948) Make encryptquerystring provision optional

Fri, 08 Sep 2023 04:54:04 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-2948?focusedWorklogId=879455&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-879455
 ]

ASF GitHub Bot logged work on KNOX-2948:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Sep/23 11:53
            Start Date: 08/Sep/23 11:53
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #793:
URL: https://github.com/apache/knox/pull/793

   ## What changes were proposed in this pull request?
   
   My previous commit added support for a new boolean variable called 
`provisionEncryptQueryStringCredential` in a descriptor file. This commit makes 
it possible to set that new field using a Hadoop XML resource.
   
   ## How was this patch tested?
   
   Unit testing.
   




Issue Time Tracking
-------------------

    Worklog Id:     (was: 879455)
    Time Spent: 0.5h  (was: 20m)

> Make encryptquerystring provision optional
> ------------------------------------------
>
>                 Key: KNOX-2948
>                 URL: https://issues.apache.org/jira/browse/KNOX-2948
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.14.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 2.0.0, 
> 1.6.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Since KNOX-1136, Knox saves the {{encryptQueryString}} alias in the given 
> topology's credential store when processing the descriptor.
> The problem with this approach is, that, in some cases, it may happen that 
> 3rd party deployment tools (such as Cloudera Manager) persists that secret in 
> a separate phase and
>  * this makes the Knox call redundant
>  * Knox will override the previously saved value silently
> Proposal:
>  - introduce a new descriptor-level property called 
> {{provision-encrypt-query-string-credential}} (defaults to {{true}}) which 
> controls this behavior
>  - if the descriptor is configured with 
> {{provisionEncryptQueryStringCredential = false}}, no credential store 
> operation should be done to save that alias.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to